-
Notifications
You must be signed in to change notification settings - Fork 432
/
07041b.316.min.js
1 lines (1 loc) · 155 KB
/
07041b.316.min.js
1
(window.webpackJsonp=window.webpackJsonp||[]).push([[316,8],{820:function(e){e.exports=JSON.parse('{"T1595":{"Name":"Active Scanning","姓名":"主动扫描","Description":"Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.","描述":"对手可能会执行主动侦察扫描以收集可在渗透期间使用的信息。主动扫描是对手通过网络流量探测受害者基础设施的扫描,而不是其他不涉及直接交互的侦察形式。"},"T1592":{"Name":"Gather Victim Host Information","姓名":"收集受害者主机信息","Description":"Adversaries may gather information about the victim\'s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).","描述":"攻击者可能会收集有关受害者主机的信息,这些信息可以在渗透期间使用。有关主机的信息可能包括各种详细信息,包括管理数据(例如:名称、分配的 IP、功能等)以及有关其配置的详细信息(例如:操作系统、语言等)。"},"T1589":{"Name":"Gather Victim Identity Information","姓名":"收集受害者身份信息","Description":"Adversaries may gather information about the victim\'s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.","描述":"攻击者可能会收集有关受害者身份的信息,这些信息可以在渗透期间使用。有关身份的信息可能包括各种详细信息,包括个人数据(例如:员工姓名、电子邮件地址等)以及凭据等敏感详细信息。"},"T1590":{"Name":"Gather Victim Network Information","姓名":"收集受害者网络信息","Description":"Adversaries may gather information about the victim\'s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.","描述":"攻击者可能会收集有关受害者网络的信息,这些信息可以在渗透期间使用。有关网络的信息可能包括各种细节,包括管理数据(例如:IP 范围、域名等)以及有关其拓扑和操作的细节。"},"T1591":{"Name":"Gather Victim Org Information","姓名":"收集受害者组织信息","Description":"Adversaries may gather information about the victim\'s organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.","描述":"攻击者可能会收集有关受害者组织的信息,这些信息可以在渗透期间使用。有关组织的信息可能包括各种详细信息,包括部门/部门的名称、业务运营的具体情况以及关键员工的角色和职责。"},"T1598":{"Name":"Phishing for Information","姓名":"信息网络钓鱼","Description":"Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.","描述":"攻击者可能会发送网络钓鱼消息以获取可在渗透期间使用的敏感信息。信息网络钓鱼是企图诱使目标泄露信息、经常是凭据或其他可操作信息。信息网络钓鱼不同于网络钓鱼因为目标是从受害者那里收集数据,而不是执行恶意代码。"},"T1597":{"Name":"Search Closed Sources","姓名":"搜索封闭源","Description":"Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.","描述":"攻击者可能会从封闭来源搜索并收集有关受害者的信息,这些信息可在渗透期间使用。可以从信誉良好的私人来源和数据库购买有关受害者的信息,例如付费订阅技术/威胁情报数据源。攻击者还可能从声誉较差的来源购买信息,例如暗网或网络犯罪黑市。"},"T1596":{"Name":"Search Open Technical Databases","姓名":"搜索开放技术数据库","Description":"Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.","描述":"攻击者可以搜索免费可用的技术数据库,以获取可在渗透期间使用的有关受害者的信息。有关受害者的信息可能在在线数据库和存储库中可用,例如域/证书的注册以及从流量和/或扫描中收集的网络数据/工件的公共集合。"},"T1593":{"Name":"Search Open Websites/Domains","姓名":"搜索打开的网站/域","Description":"Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.","描述":"攻击者可能会搜索免费可用的网站和/或域,以查找可在渗透期间使用的有关受害者的信息。有关受害者的信息可能在各种在线网站上提供,例如社交媒体、新网站或托管有关业务运营信息的网站,例如招聘或请求/奖励合同。"},"T1594":{"Name":"Search Victim-Owned Websites","姓名":"搜索受害者拥有的网站","Description":"Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.","描述":"攻击者可能会在受害者拥有的网站上搜索可在渗透期间使用的信息。受害者拥有的网站可能包含各种详细信息,包括部门/部门的名称、实际位置以及有关关键员工的数据,例如姓名、角色和联系信息(例如:电子邮件地址)。这些网站也可能有突出业务运营和关系的详细信息。"},"T1583":{"Name":"Acquire Infrastructure","姓名":"获取基础设施","Description":"Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Additionally, botnets are available for rent or purchase.","描述":"攻击者可能会购买、租赁或租用可在渗透期间使用的基础设施。存在各种各样的基础设施来托管和编排对手的操作。基础架构解决方案包括物理或云服务器、域和第三方 Web 服务。此外,僵尸网络可供出租或购买。"},"T1586":{"Name":"Compromise Accounts","姓名":"入侵账户","Description":"Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.","描述":"攻击者可能会使用可在渗透期间使用的服务来破坏帐户。对于包含社会工程的操作,在线角色的使用可能很重要。而不是创建和培养帐户(即建立账户),攻击者可能会破坏现有帐户。如果潜在受害者与受损的角色有关系或了解他们,则利用现有的角色可能会对他们产生一定程度的信任。"},"T1584":{"Name":"Compromise Infrastructure","姓名":"入侵基础设施","Description":"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.","描述":"攻击者可能会破坏可在渗透期间使用的第三方基础设施。基础架构解决方案包括物理或云服务器、域以及第三方 Web 和 DNS 服务。对手可能会破坏基础设施并在对手生命周期的其他阶段使用它,而不是购买、租赁或租用基础设施。此外,攻击者可能会破坏许多机器以形成他们可以利用的僵尸网络。"},"T1587":{"Name":"Develop Capabilities","姓名":"发展能力","Description":"Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.","描述":"攻击者可能会构建可在渗透期间使用的能力。攻击者可以在内部开发自己的能力,而不是购买、免费下载或窃取能力。这是识别开发需求和构建解决方案(例如恶意软件、漏洞利用和自签名证书)的过程。攻击者可能会开发能力以在攻击者生命周期的多个阶段支持他们的操作。"},"T1585":{"Name":"Establish Accounts","姓名":"建立账户","Description":"Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.","描述":"攻击者可能会创建和培养具有可在渗透期间使用的服务的帐户。攻击者可以创建可用于构建角色以进行进一步操作的帐户。角色发展包括公共信息、存在、历史和适当从属关系的发展。这种发展可以应用于社交媒体、网站或其他公开可用的信息,这些信息可以在使用该角色或身份的操作过程中被引用和审查其合法性。"},"T1588":{"Name":"Obtain Capabilities","姓名":"获取组建","Description":"Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.","描述":"攻击者可能会购买和/或窃取可在渗透期间使用的能力。攻击者可能会购买、免费下载或窃取它们,而不是在内部开发自己的功能。购买的能力包括获取恶意软件、软件(包括许可证)、漏洞利用、证书和与漏洞相关的信息。攻击者可以获得在攻击者生命周期的多个阶段支持其操作的能力。"},"T1608":{"Name":"Stage Capabilities","姓名":"筹划能力","Description":"Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities can also be staged on web services, such as GitHub or Pastebin.","描述":"攻击者可能会上传、安装或以其他方式设置可在渗透期间使用的功能。为了支持他们的行动,对手可能需要利用他们开发的能力(发展能力 或获得 (获得能力 并将它们放在他们控制的基础设施上。这些功能可以在攻击者之前购买/租用的基础设施上进行(获取基础设施 或被他们以其他方式入侵 (入侵基础设施)。功能也可以在 GitHub 或 Pastebin 等 Web 服务上进行。"},"T1189":{"Name":"Drive-by Compromise","姓名":"路过式攻击","Description":"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user\'s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.","描述":"攻击者可能通过用户正常浏览过程来获取系统访问权限。使用这种技术,用户的 Web 浏览器通常会成为攻击目标,但攻击者也可能会使用受感染的网站进行非攻击行为,例如获取应用程序访问令牌."},"T1190":{"Name":"Exploit Public-Facing Application","姓名":"利用公开应用","Description":"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.","描述":"攻击者可能会试图利用面向 Internet 的计算机或程序中的弱点,使用软件、数据或命令来导致意外或意外行为。系统中的弱点可能是错误、故障或设计漏洞。这些应用程序通常是网站,但可以包括数据库(如 SQL)、标准服务(如 SMB 或 SSH)、网络设备管理和管理协议(如 SNMP 和 Smart Install),以及任何其他具有 Internet 可访问开放套接字的应用程序,例如Web 服务器和相关服务。根据被利用的缺陷,这可能包括防御规避利用."},"T1133":{"Name":"External Remote Services","姓名":"外部远程服务","Description":"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.","描述":"攻击者可能会利用面向外部的远程服务来初始访问和/或在网络中持续存在。 VPN、Citrix 和其他访问机制等远程服务允许用户从外部位置连接到内部企业网络资源。通常有远程服务网关来管理这些服务的连接和凭据身份验证。服务如Windows 远程管理和VNC也可以外用。"},"T1200":{"Name":"Hardware Additions","姓名":"硬件添加","Description":"Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.","描述":"攻击者可能会将计算机附件、网络硬件或其他计算设备引入系统或网络中,这些设备可用作获取访问权限的媒介。而不仅仅是通过可移动存储(即通过可移动媒体进行复制),更强大的硬件添加可用于将新功能和/或特性引入系统,然后可能会被滥用。"},"T1566":{"Name":"Phishing","姓名":"网络钓鱼","Description":"Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.","描述":"攻击者可能会发送网络钓鱼消息以访问受害系统。所有形式的网络钓鱼都是以电子方式传递的社会工程。网络钓鱼可以成为目标,称为鱼叉式网络钓鱼。在鱼叉式网络钓鱼中,特定的个人、公司或行业将成为攻击者的目标。更一般地说,攻击者可以进行非目标网络钓鱼,例如大规模恶意软件垃圾邮件活动。"},"T1091":{"Name":"Replication Through Removable Media","姓名":"通过可移动媒体进行复制","Description":"Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media\'s firmware itself.","描述":"通过将恶意软件复制到可移动媒体并在媒体插入系统并执行时利用自动运行功能,攻击者可能会进入系统,可能是那些在断开或气隙网络上的系统。在横向移动的情况下,这可能通过修改存储在可移动媒体上的可执行文件或通过复制恶意软件并将其重命名为看起来像合法文件以诱骗用户在单独的系统上执行它来发生。在初始访问的情况下,这可能通过手动操作媒体、修改用于初始格式化媒体的系统或修改媒体固件本身来实现。"},"T1195":{"Name":"Supply Chain Compromise","姓名":"供应链入侵","Description":"Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.","描述":"攻击者可能会在最终消费者收到之前操纵产品或产品交付机制,以破坏数据或系统。"},"T1199":{"Name":"Trusted Relationship","姓名":"信任关系","Description":"Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.","描述":"对手可能会破坏或以其他方式利用可以接触到目标受害者的组织。通过受信任的第三方关系进行访问会利用现有的连接,该连接可能不受保护或受到的审查少于获得网络访问权限的标准机制。"},"T1078":{"Name":"Valid Accounts","姓名":"有效账户","Description":"Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.","描述":"攻击者可能会获取和滥用现有帐户的凭据,作为获得初始访问权限、持久性、权限升级或防御规避的手段。受损凭据可用于绕过对网络内系统上各种资源的访问控制,甚至可用于对远程系统和外部可用服务(例如 VPN、Outlook Web Access 和远程桌面)的持久访问。被泄露的凭证还可能授予对手增加特定系统的特权或访问网络的受限区域。攻击者可能会选择不将恶意软件或工具与这些凭据提供的合法访问结合使用,以使其更难检测到它们的存在。"},"T1059":{"Name":"Command and Scripting Interpreter","姓名":"命令和脚本解释器","Description":"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.","描述":"攻击者可能滥用命令和脚本解释器来执行命令、脚本或二进制文件。这些接口和语言提供了与计算机系统交互的方式,并且是许多不同平台的共同特征。大多数系统都带有一些内置的命令行界面和脚本功能,例如,macOS 和 Linux 发行版包含一些Unix 外壳而 Windows 安装包括Windows 命令外壳和电源外壳."},"T1609":{"Name":"Container Administration Command","姓名":"容器管理命令","Description":"Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.","描述":"攻击者可能滥用容器管理服务在容器内执行命令。容器管理服务(例如 Docker 守护程序、Kubernetes API 服务器或 kubelet)可以允许在环境中远程管理容器。"},"T1610":{"Name":"Deploy Container","姓名":"部署容器","Description":"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.","描述":"攻击者可以将容器部署到环境中以促进执行或规避防御。在某些情况下,攻击者可能会部署新容器来执行与特定映像或部署相关联的进程,例如执行或下载恶意软件的进程。在其他情况下,攻击者可能会部署一个没有网络规则、用户限制等配置的新容器,以绕过环境中的现有防御。"},"T1203":{"Name":"Exploitation for Client Execution","姓名":"利用客户端执行","Description":"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.","描述":"攻击者可能会利用客户端应用程序中的软件漏洞来执行代码。由于可能导致意外行为的不安全编码实践,软件中可能存在漏洞。攻击者可以通过有针对性地利用某些漏洞来执行任意代码。通常,攻击性工具包最有价值的漏洞利用是那些可用于在远程系统上获取代码执行的漏洞,因为它们可用于访问该系统。用户希望看到与他们常用的工作应用程序相关的文件,因此它们是漏洞利用研究和开发的有用目标,因为它们具有很高的实用性。"},"T1559":{"Name":"Inter-Process Communication","姓名":"进程间通信","Description":"Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.","描述":"攻击者可能会滥用进程间通信 (IPC) 机制来执行本地代码或命令。 IPC 通常被进程用来共享数据、相互通信或同步执行。 IPC 也常用于避免进程陷入循环等待模式时发生的死锁等情况。"},"T1106":{"Name":"Native API","姓名":"原生 API","Description":"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.","描述":"攻击者可能与本机操作系统应用程序编程接口 (API) 交互以执行行为。本机 API 提供了一种在内核中调用低级 OS 服务的受控方式,例如那些涉及硬件/设备、内存和进程的服务。在系统启动期间(当其他系统组件尚未初始化时)以及在日常操作期间执行任务和请求时,操作系统会利用这些本机 API。"},"T1053":{"Name":"Scheduled Task/Job","姓名":"计划任务/作业","Description":"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.","描述":"攻击者可能会滥用任务调度功能来促进恶意代码的初始或重复执行。所有主要操作系统中都有实用程序来安排程序或脚本在指定的日期和时间执行。如果满足适当的身份验证(例如:RPC 以及 Windows 环境中的文件和打印机共享),也可以在远程系统上安排任务。在远程系统上安排任务通常可能需要成为远程系统上的管理员或其他特权组的成员。"},"T1129":{"Name":"Shared Modules","姓名":"共享模块","Description":"Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.","描述":"攻击者可能通过加载共享模块来执行恶意负载。可以指示 Windows 模块加载器从任意本地路径和任意通用命名约定 (UNC) 网络路径加载 DLL。此功能位于 NTDLL.dll 中,是 Windows 的一部分原生 API从函数中调用,例如创建过程,加载库等的 Win32 API。"},"T1072":{"Name":"Software Deployment Tools","姓名":"软件部署工具","Description":"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).","描述":"攻击者可以访问和使用安装在企业网络中的第三方软件套件,例如管理、监控和部署系统,以在网络中横向移动。出于管理目的(例如,SCCM、HBSS、Altiris 等),可能会在网络环境中使用第三方应用程序和软件部署系统。"},"T1569":{"Name":"System Services","姓名":"系统服务","Description":"Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.","描述":"攻击者可能滥用系统服务或守护程序来执行命令或程序。攻击者可以通过在本地或远程与服务交互或创建服务来执行恶意内容。许多服务设置为在启动时运行,这有助于实现持久性(创建或修改系统进程),但攻击者也可以滥用服务进行一次性或临时执行。"},"T1204":{"Name":"User Execution","姓名":"用户执行","Description":"An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.","描述":"攻击者可能会依赖用户的特定操作来获得执行。用户可能会受到社会工程的影响,以使他们通过例如打开恶意文档文件或链接来执行恶意代码。这些用户操作通常会被视为来自以下形式的后续行为网络钓鱼."},"T1047":{"Name":"Windows Management Instrumentation","姓名":"Windows 管理规范","Description":"Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.","描述":"攻击者可能会滥用 Windows Management Instrumentation (WMI) 来执行恶意命令和负载。 WMI 是一种管理功能,它提供了一个统一的环境来访问 Windows 系统组件。 WMI 服务支持本地和远程访问,尽管后者通过远程服务如分布式组件对象模型(DCOM)和Windows 远程管理(WinRM)。 DCOM 上的远程 WMI 使用端口 135 运行,而 WinRM 上的 WMI 在使用 HTTP 和 5986 用于 HTTPS 时通过端口 5985 运行。"},"T1098":{"Name":"Account Manipulation","姓名":"账户操纵","Description":"Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.","描述":"攻击者可能会操纵帐户以维持对受害者系统的访问。帐户操纵可能包括保留攻击者对受损帐户的访问权限的任何操作,例如修改凭据或权限组。这些操作还可能包括旨在破坏安全策略的帐户活动,例如执行迭代密码更新以绕过密码持续时间策略并保留受损凭据的生命周期。"},"T1197":{"Name":"BITS Jobs","姓名":"位工作","Description":"Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.","描述":"攻击者可能会滥用 BITS 作业在恶意负载后持续执行或清理。 Windows 后台智能传输服务 (BITS) 是一种低带宽、异步文件传输机制,通过组件对象模型(COM)。 BITS 通常被更新程序、信使和其他首选在后台运行(使用可用空闲带宽)而不中断其他联网应用程序的应用程序使用。文件传输任务被实现为 BITS 作业,其中包含一个或多个文件操作的队列。"},"T1547":{"Name":"Boot or Logon Autostart Execution","姓名":"引导或登录自动启动执行","Description":"Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.","描述":"攻击者可能会将系统设置配置为在系统启动或登录期间自动执行程序,以保持持久性或在受感染的系统上获得更高级别的权限。操作系统可能具有在系统启动或帐户登录时自动运行程序的机制。这些机制可能包括自动执行程序,这些程序放置在专门指定的目录中或由存储配置信息的存储库(例如 Windows 注册表)引用。攻击者可以通过修改或扩展内核的功能来实现相同的目标。"},"T1037":{"Name":"Boot or Logon Initialization Scripts","姓名":"引导或登录初始化脚本","Description":"Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.","描述":"攻击者可以使用在启动或登录初始化时自动执行的脚本来建立持久性。初始化脚本可用于执行管理功能,这些功能通常可以执行其他程序或将信息发送到内部日志服务器。这些脚本可能因操作系统以及本地或远程应用而异。"},"T1176":{"Name":"Browser Extensions","姓名":"浏览器扩展","Description":"Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser\'s app store and generally have access and permissions to everything that the browser can access.","描述":"攻击者可能会滥用 Internet 浏览器扩展来建立对受害系统的持久访问。浏览器扩展或插件是可以添加功能和自定义 Internet 浏览器方面的小程序。它们可以直接安装,也可以通过浏览器的应用商店安装,并且通常可以访问和许可浏览器可以访问的所有内容。"},"T1554":{"Name":"Compromise Client Software Binary","姓名":"侵入客户端二进制","Description":"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.","描述":"攻击者可能会修改客户端软件二进制文件以建立对系统的持久访问。客户端软件使用户能够访问服务器提供的服务。常见的客户端软件类型有 SSH 客户端、FTP 客户端、电子邮件客户端和 Web 浏览器。"},"T1136":{"Name":"Create Account","姓名":"创建账户","Description":"Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","描述":"攻击者可能会创建一个帐户来维持对受害系统的访问。通过足够的访问级别,创建此类帐户可用于建立不需要在系统上部署持久远程访问工具的辅助凭证访问。"},"T1543":{"Name":"Create or Modify System Process","姓名":"创建或修改系统进程","Description":"Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.","描述":"作为持久性的一部分,攻击者可能会创建或修改系统级进程以重复执行恶意负载。当操作系统启动时,它们可以启动执行后台系统功能的进程。在 Windows 和 Linux 上,这些系统进程称为服务。在 macOS 上,launchd 进程称为启动守护进程和启动代理运行以完成系统初始化并加载用户特定参数。"},"T1546":{"Name":"Event Triggered Execution","姓名":"事件触发执行","Description":"Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.","描述":"攻击者可以使用基于特定事件触发执行的系统机制来建立持久性和/或提升特权。各种操作系统具有监视和订阅事件的方法,例如登录或其他用户活动,例如运行特定的应用程序/二进制文件。"},"T1574":{"Name":"Hijack Execution Flow","姓名":"劫持执行流","Description":"Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.","描述":"攻击者可能通过劫持操作系统运行程序的方式来执行他们自己的恶意负载。劫持执行流可能是为了持久性,因为这种劫持执行可能会随着时间的推移再次发生。攻击者也可能使用这些机制来提升特权或逃避防御,例如应用程序控制或其他执行限制。"},"T1525":{"Name":"Implant Internal Image","姓名":"植入内部图像","Description":"Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.","描述":"攻击者可能会在访问环境后植入带有恶意代码的云或容器映像,以建立持久性。亚马逊网络服务 (AWS) 亚马逊机器映像 (AMI)、谷歌云平台 (GCP) 映像和 Azure 映像以及流行的容器运行时(例如 Docker)可以被植入或后门。不像上传恶意软件,该技术侧重于攻击者将图像植入受害者环境中的注册表中。根据配置基础架构的方式,如果指示基础架构配置工具始终使用最新映像,则可以提供持久访问。"},"T1556":{"Name":"Modify Authentication Process","姓名":"修改认证过程","Description":"Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.","描述":"攻击者可能会修改身份验证机制和流程以访问用户凭证或启用对帐户的其他无根据的访问。身份验证过程由机制处理,例如 Windows 上的本地安全身份验证服务器 (LSASS) 进程和安全帐户管理器 (SAM),基于 Unix 的系统上的可插拔身份验证模块 (PAM),以及 MacOS 系统上的授权插件,负责用于收集、存储和验证凭据。通过修改身份验证过程,攻击者可能无需使用有效账户."},"T1137":{"Name":"Office Application Startup","姓名":"Office 应用程序启动","Description":"Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.","描述":"对手可能会利用基于 Microsoft Office 的应用程序在初创公司之间保持持久性。 Microsoft Office 是企业网络中基于 Windows 的操作系统上相当常见的应用程序套件。启动基于 Office 的应用程序时,有多种机制可用于 Office 的持久性;这可以包括使用 Office 模板宏和加载项。"},"T1542":{"Name":"Pre-OS Boot","姓名":"操作系统前引导","Description":"Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.","描述":"攻击者可能会滥用 Pre-OS Boot 机制作为在系统上建立持久性的一种方式。在计算机的启动过程中,固件和各种启动服务在操作系统之前被加载。这些程序在操作系统取得控制权之前控制执行流程。"},"T1505":{"Name":"Server Software Component","姓名":"服务器软件组件","Description":"Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.","描述":"攻击者可能会滥用服务器的合法可扩展开发特性来建立对系统的持久访问。企业服务器应用程序可能包括允许开发人员编写和安装软件或脚本以扩展主应用程序功能的功能。攻击者可能会安装恶意组件来扩展和滥用服务器应用程序。"},"T1205":{"Name":"Traffic Signaling","姓名":"交通信号","Description":"Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.","描述":"攻击者可能会使用流量信号来隐藏开放端口或其他用于持久性或命令和控制的恶意功能。流量信号涉及使用必须发送到系统以触发特殊响应的魔术值或序列,例如打开关闭的端口或执行恶意任务。这可能采取在端口被打开之前发送一系列具有某些特征的数据包的形式,攻击者可以使用这些数据包进行命令和控制。通常这一系列数据包由尝试连接到预定义的关闭端口序列(即敲门),但可能涉及不寻常的标志、特定的字符串或其他独特的特征。序列完成后,打开端口可以通过基于主机的防火墙来完成,也可以通过定制软件来实现。"},"T1548":{"Name":"Abuse Elevation Control Mechanism","姓名":"滥用高程控制机制","Description":"Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.","描述":"攻击者可能会绕过旨在控制提升权限以获得更高级别权限的机制。大多数现代系统都包含本机提升控制机制,旨在限制用户可以在机器上执行的权限。必须将授权授予特定用户才能执行可能被认为具有较高风险的任务。攻击者可以执行多种方法来利用内置控制机制来提升系统的权限。"},"T1134":{"Name":"Access Token Manipulation","姓名":"访问令牌操作","Description":"Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.","描述":"攻击者可能会修改访问令牌以在不同的用户或系统安全上下文下运行,以执行操作并绕过访问控制。 Windows 使用访问令牌来确定正在运行的进程的所有权。用户可以操纵访问令牌以使正在运行的进程看起来好像它是不同进程的子进程或属于启动进程的用户以外的其他人。发生这种情况时,该过程还采用与新令牌关联的安全上下文。"},"T1484":{"Name":"Domain Policy Modification","姓名":"域策略修改","Description":"Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.","描述":"攻击者可能会修改域的配置设置以逃避防御和/或提升域环境中的权限。域提供了一种集中方式来管理计算机资源(例如:计算机、用户帐户)如何在网络上运行并相互交互。域的策略还包括可以在多域/林环境中的域之间应用的配置设置。对域设置的修改可能包括更改域组策略对象 (GPO) 或更改域的信任设置,包括联合信任。"},"T1611":{"Name":"Escape to Host","姓名":"宿主机逃逸","Description":"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.","描述":"攻击者可能会突破容器以访问底层主机。这可以允许攻击者从主机级别或主机本身访问其他容器化资源。原则上,容器化资源应提供应用程序功能的明确分离,并与主机环境隔离。"},"T1068":{"Name":"Exploitation for Privilege Escalation","姓名":"提权利用","Description":"Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.","描述":"攻击者可能会利用软件漏洞来提升权限。当攻击者利用程序、服务或操作系统软件或内核本身中的编程错误来执行攻击者控制的代码时,就会利用软件漏洞。诸如权限级别之类的安全结构通常会阻碍对信息的访问和某些技术的使用,因此攻击者可能需要执行权限升级以包括使用软件利用来规避这些限制。"},"T1055":{"Name":"Process Injection","姓名":"进程注入","Description":"Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process\'s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.","描述":"攻击者可能会向进程中注入代码,以逃避基于进程的防御以及可能提升权限。进程注入是一种在单独的活动进程的地址空间中执行任意代码的方法。在另一个进程的上下文中运行代码可能允许访问该进程的内存、系统/网络资源以及可能提升的权限。通过进程注入执行也可能逃避安全产品的检测,因为执行在合法进程下被屏蔽。"},"T1612":{"Name":"Build Image on Host","姓名":"在主机上构建映像","Description":"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.","描述":"攻击者可能会直接在主机上构建容器镜像,以绕过监控从公共注册表检索恶意镜像的防御措施。一个遥控器建造请求可以发送到 Docker API,其中包含一个 Dockerfile,该文件从公共或本地注册表中提取一个普通的基础镜像,例如 alpine,然后在其上构建一个自定义镜像。"},"T1622":{"Name":"Debugger Evasion","姓名":"调试器规避","Description":"Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.","描述":"攻击者可能会采用各种手段来检测和避开调试器。防御者通常使用调试器来跟踪和/或分析潜在恶意软件有效负载的执行。"},"T1140":{"Name":"Deobfuscate/Decode Files or Information","姓名":"去混淆/解码文件或信息","Description":"Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.","描述":"对手可以使用混淆文件或信息从分析中隐藏入侵的伪影。他们可能需要单独的机制来解码或去混淆该信息,具体取决于他们打算如何使用它。这样做的方法包括恶意软件的内置功能或使用系统上存在的实用程序。"},"T1006":{"Name":"Direct Volume Access","姓名":"直接卷访问","Description":"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.","描述":"攻击者可以直接访问卷以绕过文件访问控制和文件系统监控。 Windows 允许程序直接访问逻辑卷。具有直接访问权限的程序可以通过分析文件系统数据结构直接从驱动器读取和写入文件。这种技术绕过了 Windows 文件访问控制以及文件系统监控工具。"},"T1480":{"Name":"Execution Guardrails","姓名":"执行护栏","Description":"Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.","描述":"攻击者可以使用执行护栏来根据攻击者提供的和预期将出现在目标上的环境特定条件来限制执行或动作。护栏确保有效载荷仅针对预期目标执行,并减少对手活动造成的附带损害。攻击者可以提供的关于目标系统或环境用作防护机制的值可能包括特定的网络共享名称、附加的物理设备、文件、加入的 Active Directory (AD) 域以及本地/外部 IP 地址。"},"T1211":{"Name":"Exploitation for Defense Evasion","姓名":"防御规避利用","Description":"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.","描述":"攻击者可能会利用系统或应用程序漏洞绕过安全功能。当攻击者利用程序、服务或操作系统软件或内核本身中的编程错误来执行攻击者控制的代码时,就会利用软件漏洞。可用于禁用或规避它们的防御性安全软件中可能存在漏洞。"},"T1222":{"Name":"File and Directory Permissions Modification","姓名":"文件和目录权限修改","Description":"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).","描述":"攻击者可能会修改文件或目录权限/属性以逃避访问控制列表 (ACL) 并访问受保护的文件。文件和目录权限通常由文件或目录所有者或具有适当权限的用户配置的 ACL 管理。文件和目录 ACL 实现因平台而异,但通常明确指定哪些用户或组可以执行哪些操作(读取、写入、执行等)。"},"T1564":{"Name":"Hide Artifacts","姓名":"隐藏工件","Description":"Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.","描述":"攻击者可能会试图隐藏与其行为相关的伪影以逃避检测。操作系统可能具有隐藏各种工件的功能,例如重要的系统文件和管理任务执行,以避免破坏用户工作环境并防止用户更改系统上的文件或功能。攻击者可能会滥用这些功能来隐藏文件、目录、用户帐户或其他系统活动等工件以逃避检测。"},"T1562":{"Name":"Impair Defenses","姓名":"削弱防御","Description":"Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.","描述":"攻击者可能恶意修改受害者环境的组件,以阻碍或禁用防御机制。这不仅涉及削弱防火墙和防病毒等预防性防御,还涉及防御者可用于审计活动和识别恶意行为的检测功能。这也可能涵盖本机防御以及用户和管理员安装的补充功能。"},"T1070":{"Name":"Indicator Removal on Host","姓名":"主机上的标记移除","Description":"Adversaries may delete or modify artifacts generated on a host system to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.","描述":"攻击者可能会删除或修改主机系统上生成的工件,以删除其存在的证据或阻碍防御。对手可能会创建各种人工制品,或者可以归因于对抗的行为的东西。通常,这些工件用作与受监控事件相关的防御指标,例如下载文件中的字符串、用户操作生成的日志以及防御者分析的其他数据。工件的位置、格式和类型(例如命令或登录历史)通常特定于每个平台。"},"T1202":{"Name":"Indirect Command Execution","姓名":"间接命令执行","Description":"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.","描述":"攻击者可能会滥用允许执行命令的实用程序来绕过限制命令行解释器使用的安全限制。各种 Windows 实用程序可用于执行命令,可能无需调用命令.例如,文件、程序兼容性助手 (pcalua.exe)、适用于 Linux 的 Windows 子系统 (WSL) 的组件以及其他实用程序可以从命令和脚本解释器,运行窗口,或通过脚本。"},"T1036":{"Name":"Masquerading","姓名":"伪装","Description":"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.","描述":"攻击者可能会尝试操纵其工件的功能,以使它们对用户和/或安全工具显得合法或良性。当为了逃避防御和观察而操纵或滥用合法或恶意对象的名称或位置时,就会发生伪装。这可能包括操纵文件元数据、诱骗用户错误识别文件类型以及提供合法的任务或服务名称。"},"T1578":{"Name":"Modify Cloud Compute Infrastructure","姓名":"修改云计算基础设施","Description":"An adversary may attempt to modify a cloud account\'s compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.","描述":"攻击者可能会尝试修改云帐户的计算服务基础设施以逃避防御。对计算服务基础设施的修改可以包括创建、删除或修改一个或多个组件,例如计算实例、虚拟机和快照。"},"T1112":{"Name":"Modify Registry","姓名":"修改注册表","Description":"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.","描述":"攻击者可能会与 Windows 注册表交互以隐藏注册表项中的配置信息、删除信息作为清理的一部分或作为其他技术的一部分以帮助持久性和执行。"},"T1601":{"Name":"Modify System Image","姓名":"修改系统映像","Description":"Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.","描述":"攻击者可能会对嵌入式网络设备的操作系统进行更改,以削弱防御并为自己提供新功能。在此类设备上,操作系统通常是单片的,并且大多数设备功能和能力都包含在单个文件中。"},"T1599":{"Name":"Network Boundary Bridging","姓名":"网络边界桥接","Description":"Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.","描述":"攻击者可以通过破坏外围网络设备或负责网络分段的内部设备来桥接网络边界。破坏这些设备可能使攻击者能够绕过对流量路由的限制,否则这些限制会分隔受信任和不受信任的网络。"},"T1027":{"Name":"Obfuscated Files or Information","姓名":"混淆文件或信息","Description":"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.","描述":"攻击者可能试图通过加密、编码或以其他方式混淆系统或传输中的内容来使可执行文件或文件难以被查看或分析。这是可以跨不同平台和网络用来规避防御的常见行为。"},"T1647":{"Name":"Plist File Modification","姓名":"plist文件修改","Description":"Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple\'s Core Foundation DTD. Plist files can be saved in text or binary format.","描述":"攻击者可能会修改属性列表文件(plist 文件)以启用其他恶意活动,同时还可能规避和绕过系统防御。 macOS 应用程序使用 plist 文件,例如信息列表文件,用于存储通知操作系统如何在运行时处理应用程序的属性和配置设置。 Plist 文件是基于 Apple 的 Core Foundation DTD 以 XML 格式格式化的键值对中的结构化元数据。 Plist 文件可以以文本或二进制格式保存。"},"T1620":{"Name":"Reflective Code Loading","姓名":"反射代码加载","Description":"Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).","描述":"攻击者可能会反射性地将代码加载到进程中,以隐藏恶意负载的执行。反射加载涉及直接在进程的内存中分配然后执行有效负载,即创建由磁盘上的文件路径支持的线程或进程。反射加载的有效负载可以是编译的二进制文件、匿名文件(仅存在于 RAM 中)或只是无文件可执行代码的怠慢(例如:与位置无关的 shellcode)。"},"T1207":{"Name":"Rogue Domain Controller","姓名":"流氓域控制器","Description":"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.","描述":"攻击者可能会注册一个恶意域控制器以启用对 Active Directory 数据的操作。 DCShadow 可用于创建恶意域控制器 (DC)。 DCShadow 是一种通过注册(或重用非活动注册)和模拟 DC 的行为来操作 Active Directory (AD) 数据(包括对象和架构)的方法。注册后,恶意 DC 可能能够将更改注入和复制到任何域对象的 AD 基础架构中,包括凭据和密钥。"},"T1014":{"Name":"Rootkit","姓名":"Rootkit","Description":"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.","描述":"攻击者可能会使用 rootkit 来隐藏程序、文件、网络连接、服务、驱动程序和其他系统组件的存在。 Rootkit 是通过拦截/挂钩和修改提供系统信息的操作系统 API 调用来隐藏恶意软件存在的程序。"},"T1553":{"Name":"Subvert Trust Controls","姓名":"颠覆信任控制","Description":"Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.","描述":"攻击者可能会破坏安全控制,这些控制会警告用户不受信任的活动或阻止执行不受信任的程序。操作系统和安全产品可能包含将程序或网站识别为具有某种程度的信任的机制。此类功能的示例包括允许运行的程序,因为它由有效的代码签名证书签名,程序提示用户警告,因为它具有从 Internet 下载的属性集,或者指示您即将连接到不受信任的站点。"},"T1218":{"Name":"System Binary Proxy Execution","姓名":"系统二进制代理执行","Description":"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.","描述":"攻击者可以通过使用签名或以其他方式受信任的二进制文件代理恶意内容的执行来绕过基于进程和/或签名的防御。此技术中使用的二进制文件通常是 Microsoft 签名的文件,表明它们要么是从 Microsoft 下载的,要么已经是操作系统的本机文件。使用受信任的数字证书签名的二进制文件通常可以在受数字签名验证保护的 Windows 系统上执行。 Windows 安装中默认的几个 Microsoft 签名二进制文件可用于代理其他文件或命令的执行。"},"T1216":{"Name":"System Script Proxy Execution","姓名":"系统脚本代理执行","Description":"Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.","描述":"攻击者可能会使用受信任的脚本(通常使用证书签名)来代理恶意文件的执行。已从 Microsoft 下载或默认安装在 Windows 上的多个 Microsoft 签名脚本可用于代理其他文件的执行。攻击者可能会滥用此行为来执行恶意文件,从而绕过系统上的应用程序控制和签名验证。"},"T1221":{"Name":"Template Injection","姓名":"模板注入","Description":"Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.","描述":"攻击者可能会在用户文档模板中创建或修改引用以隐藏恶意代码或强制进行身份验证尝试。例如,Microsoft 的 Office Open XML (OOXML) 规范为 Office 文档(.docx、xlsx、.pptx)定义了一种基于 XML 的格式,以替换旧的二进制格式(.doc、.xls、.ppt)。 OOXML 文件打包在一起 ZIP 档案,其中包含各种 XML 文件(称为部分),包含共同定义文档呈现方式的属性。"},"T1127":{"Name":"Trusted Developer Utilities Proxy Execution","姓名":"受信任的开发者实用程序代理执行","Description":"Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.","描述":"攻击者可能会利用受信任的开发人员实用程序来代理恶意负载的执行。有许多用于软件开发相关任务的实用程序可用于执行各种形式的代码,以协助开发、调试和逆向工程。这些实用程序通常可能使用合法证书进行签名,允许它们在系统上执行并通过有效绕过应用程序控制解决方案的受信任进程代理执行恶意代码。"},"T1535":{"Name":"Unused/Unsupported Cloud Regions","姓名":"未使用/不支持的云区域","Description":"Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.","描述":"攻击者可能会在未使用的地理服务区域创建云实例以逃避检测。访问权限通常是通过破坏用于管理云基础设施的帐户来获得的。"},"T1550":{"Name":"Use Alternate Authentication Material","姓名":"使用替代认证材料","Description":"Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.","描述":"攻击者可以使用替代身份验证材料,例如密码哈希、Kerberos 票证和应用程序访问令牌,以便在环境中横向移动并绕过正常的系统访问控制。"},"T1497":{"Name":"Virtualization/Sandbox Evasion","姓名":"虚拟化/沙盒规避","Description":"Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.","描述":"攻击者可能会采用各种手段来检测和避开虚拟化和分析环境。这可能包括基于检查是否存在指示虚拟机环境 (VME) 或沙箱的工件的结果来更改行为。如果对手检测到 VME,他们可能会更改其恶意软件以脱离受害者或隐藏植入物的核心功能。他们还可以在删除辅助或附加有效负载之前搜索 VME 工件。对手可能会使用从那里学到的信息虚拟化/沙盒规避在自动翻找期间塑造后续行为。"},"T1600":{"Name":"Weaken Encryption","姓名":"弱加密","Description":"Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.","描述":"攻击者可能会破坏网络设备的加密能力,以绕过原本可以保护数据通信的加密。"},"T1220":{"Name":"XSL Script Processing","姓名":"XSL 脚本处理","Description":"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.","描述":"攻击者可以通过在 XSL 文件中嵌入脚本来绕过应用程序控制并掩盖代码的执行。可扩展样式表语言 (XSL) 文件通常用于描述 XML 文件中数据的处理和呈现。为了支持复杂的操作,XSL 标准包括对各种语言的嵌入式脚本的支持。"},"T1557":{"Name":"Adversary-in-the-Middle","姓名":"中间对手","Description":"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.","描述":"攻击者可能会尝试使用中间攻击 (AiTM) 技术将自己定位在两个或多个联网设备之间,以支持后续行为,例如网络嗅探或者传输数据操作.通过滥用可以确定网络流量(例如 ARP、DNS、LLMNR 等)的常见网络协议的特性,攻击者可能会强制设备通过攻击者控制的系统进行通信,以便他们可以收集信息或执行其他操作。"},"T1110":{"Name":"Brute Force","姓名":"暴力破解","Description":"Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.","描述":"当密码未知或获得密码哈希时,攻击者可能会使用蛮力技术来访问帐户。在不知道一个帐户或一组帐户的密码的情况下,攻击者可能会使用重复或迭代机制系统地猜测密码。暴力破解密码可以通过与服务进行交互来进行,该服务将检查这些凭据的有效性或离线对照先前获得的凭据数据,例如密码哈希。"},"T1555":{"Name":"Credentials from Password Stores","姓名":"来自密码存储的凭据","Description":"Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.","描述":"攻击者可能会搜索常见的密码存储位置以获取用户凭据。密码存储在系统上的多个位置,具体取决于持有凭据的操作系统或应用程序。还有一些特定的应用程序可以存储密码,以方便用户管理和维护。获得凭据后,它们可用于执行横向移动和访问受限信息。"},"T1212":{"Name":"Exploitation for Credential Access","姓名":"凭据访问的利用","Description":"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.","描述":"攻击者可能会利用软件漏洞来尝试收集凭据。当攻击者利用程序、服务或操作系统软件或内核本身中的编程错误来执行攻击者控制的代码时,就会利用软件漏洞。凭据和身份验证机制可能会被攻击者利用,作为获取有用凭据的访问权限或规避获取系统访问权限的过程的手段。其中一个示例是 MS14-068,它以 Kerberos 为目标,可用于使用域用户权限伪造 Kerberos 票证。凭据访问的利用也可能导致权限升级,具体取决于目标过程或获得的凭据。"},"T1187":{"Name":"Forced Authentication","姓名":"强制认证","Description":"Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.","描述":"攻击者可以通过调用或强制用户通过他们可以拦截的机制自动提供身份验证信息来收集凭证材料。"},"T1606":{"Name":"Forge Web Credentials","姓名":"伪造网络凭证","Description":"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.","描述":"攻击者可能会伪造可用于访问 Web 应用程序或 Internet 服务的凭证材料。 Web 应用程序和服务(托管在云 SaaS 环境或本地服务器中)通常使用会话 cookie、令牌或其他材料来验证和授权用户访问。"},"T1056":{"Name":"Input Capture","姓名":"输入捕捉","Description":"Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).","描述":"攻击者可能会使用捕获用户输入的方法来获取凭据或收集信息。在正常的系统使用过程中,用户通常会向各种不同的位置提供凭据,例如登录页面/门户或系统对话框。输入捕获机制可能对用户是透明的(例如凭据 API 挂钩 或依靠欺骗用户提供输入到他们认为是真正的服务(例如门户网站捕获)。"},"T1111":{"Name":"Multi-Factor Authentication Interception","姓名":"多重身份验证拦截","Description":"Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.","描述":"攻击者可能会针对多因素身份验证 (MFA) 机制(即智能卡、令牌生成器等)来获得对可用于访问系统、服务和网络资源的凭证的访问权限。建议使用 MFA 并提供比单独使用用户名和密码更高级别的安全性,但组织应了解可用于拦截和绕过这些安全机制的技术。"},"T1621":{"Name":"Multi-Factor Authentication Request Generation","姓名":"多因素身份验证请求生成","Description":"Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.","描述":"攻击者可能会尝试绕过多因素身份验证 (MFA) 机制,并通过生成发送给用户的 MFA 请求来访问帐户。"},"T1040":{"Name":"Network Sniffing","姓名":"网络嗅探","Description":"Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.","描述":"攻击者可能会嗅探网络流量以捕获有关环境的信息,包括通过网络传递的身份验证材料。网络嗅探是指使用系统上的网络接口来监视或捕获通过有线或无线连接发送的信息。攻击者可能会将网络接口置于混杂模式以被动访问通过网络传输的数据,或使用跨端口捕获大量数据。"},"T1003":{"Name":"OS Credential Dumping","姓名":"操作系统凭证转储","Description":"Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.","描述":"攻击者可能会尝试转储凭证以从操作系统和软件中获取帐户登录和凭证材料,通常以散列或明文密码的形式。然后可以使用凭证来执行横向运动并访问受限信息。"},"T1528":{"Name":"Steal Application Access Token","姓名":"窃取应用程序访问令牌","Description":"Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.","描述":"攻击者可以窃取应用程序访问令牌作为获取凭据以访问远程系统和资源的一种手段。"},"T1558":{"Name":"Steal or Forge Kerberos Tickets","姓名":"窃取或伪造 Kerberos 门票","Description":"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \\"realms\\", there are three basic participants: client, service, and Key Distribution Center (KDC). Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.","描述":"攻击者可能会尝试通过窃取或伪造 Kerberos 票证来破坏 Kerberos 身份验证以启用传票 Kerberos 是一种在现代 Windows 域环境中广泛使用的身份验证协议。在称为“领域”的 Kerberos 环境中,存在三个基本参与者:客户端、服务和密钥分发中心 (KDC)。客户端请求访问服务,并通过来自 KDC 的 Kerberos 票证的交换,在成功通过身份验证后授予他们访问权限。 KDC 负责身份验证和票证授予。攻击者可能试图通过窃取票证或伪造票证来滥用 Kerberos 以启用未经授权的访问。"},"T1539":{"Name":"Steal Web Session Cookie","姓名":"窃取网络会话 Cookie","Description":"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.","描述":"攻击者可能会窃取 Web 应用程序或服务会话 cookie,并使用它们以经过身份验证的用户身份访问 Web 应用程序或 Internet 服务,而无需凭据。 Web 应用程序和服务通常在用户对网站进行身份验证后使用会话 cookie 作为身份验证令牌。"},"T1552":{"Name":"Unsecured Credentials","姓名":"不安全凭证","Description":"Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).","描述":"攻击者可能会搜索受感染的系统以查找并获取不安全存储的凭据。这些凭证可以存储和/或放错位置在系统上的许多位置,包括纯文本文件(例如重击历史)、操作系统或特定于应用程序的存储库(例如注册表中的凭据),或其他专门的文件/工件(例如私钥)。"},"T1087":{"Name":"Account Discovery","姓名":"查看账户","Description":"Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.","描述":"攻击者可能会尝试获取系统或环境中的帐户列表。此信息可以帮助攻击者确定存在哪些帐户以帮助进行后续行为。"},"T1010":{"Name":"Application Window Discovery","姓名":"查看应用程序","Description":"Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.","描述":"攻击者可能会尝试获取打开的应用程序窗口的列表。窗口列表可以传达有关系统使用方式的信息或为键盘记录器收集的信息提供上下文。"},"T1217":{"Name":"Browser Bookmark Discovery","姓名":"查看浏览器书签","Description":"Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.","描述":"攻击者可能会枚举浏览器书签以了解有关受感染主机的更多信息。浏览器书签可能会显示有关用户的个人信息(例如:银行网站、兴趣、社交媒体等)以及有关内部网络资源(例如服务器、工具/仪表板或其他相关基础设施)的详细信息。"},"T1580":{"Name":"Cloud Infrastructure Discovery","姓名":"查看云基础设施","Description":"An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.","描述":"攻击者可能会尝试查看基础设施即服务 (IaaS) 环境中可用的基础设施和资源。这包括计算服务资源,例如实例、虚拟机和快照,以及其他服务的资源,包括存储和数据库服务。"},"T1538":{"Name":"Cloud Service Dashboard","姓名":"云服务仪表板","Description":"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.","描述":"攻击者可能使用带有被盗凭证的云服务仪表板 GUI 从可操作的云环境中获取有用信息,例如特定服务、资源和功能。例如,GCP 指挥中心可用于查看所有资产、潜在安全风险的查看以及运行其他查询,例如查找公共 IP 地址和开放端口。"},"T1526":{"Name":"Cloud Service Discovery","姓名":"查看云服务","Description":"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.","描述":"攻击者可能会在获得访问权限后尝试枚举系统上运行的云服务。这些方法可能不同于平台即服务 (PaaS)、基础架构即服务 (IaaS) 或软件即服务 (SaaS)。许多服务存在于各种云提供商中,可以包括持续集成和持续交付 (CI/CD)、Lambda 函数、Azure AD 等。"},"T1619":{"Name":"Cloud Storage Object Discovery","姓名":"查看云存储对象","Description":"Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.","描述":"攻击者可能会枚举云存储基础设施中的对象。攻击者可能会在自动翻找期间使用此信息来塑造后续行为,包括从云存储请求所有或特定对象。如同文件和目录查看在本地主机上,识别可用的存储服务(即云基础设施查看 攻击者可以访问存储在云基础设施中的内容/对象。"},"T1613":{"Name":"Container and Resource Discovery","姓名":"查看容器和资源","Description":"Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.","描述":"攻击者可能会尝试查看容器环境中可用的容器和其他资源。其他资源可能包括图像、部署、pod、节点和其他信息,例如集群的状态。"},"T1482":{"Name":"Domain Trust Discovery","姓名":"查看信任域","Description":"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.","描述":"攻击者可能会尝试收集有关域信任关系的信息,这些信息可用于识别 Windows 多域/林环境中的横向移动机会。域信任为域提供了一种机制,允许基于另一个域的身份验证过程访问资源。域信任允许受信任域的用户访问信任域中的资源。查看的信息可能有助于对手的行为SID-历史注入,传票, 和kerberoasting .域信任可以使用枚举DSEnumerateDomainTrusts()Win32 API 调用、.NET 方法和 LDAP。 Windows 实用程序测试已知被攻击者用来枚举域信任。"},"T1083":{"Name":"File and Directory Discovery","姓名":"查看文件和目录","Description":"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","描述":"攻击者可能会枚举文件和目录,或者可能在主机或网络共享的特定位置搜索文件系统中的某些信息。攻击者可能会使用来自文件和目录发现在自动翻找期间塑造后续行为,包括对手是否完全感染目标和/或尝试特定行动。"},"T1615":{"Name":"Group Policy Discovery","姓名":"查看组策略","Description":"Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\\\\\\\SYSVOL\\\\\\\\Policies\\\\.","描述":"攻击者可能会收集有关组策略设置的信息,以识别权限提升的路径、域内应用的安全措施,并查看域对象中可以被操纵或用于混合环境的模式。组策略允许集中管理 Active Directory (AD) 中的用户和计算机设置。组策略对象 (GPO) 是组策略设置的容器,由存储在可预测网络路径中的文件组成\\\\\\\\SYSVOL\\\\\\\\策略\\\\."},"T1046":{"Name":"Network Service Discovery","姓名":"查看网络服务","Description":"Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.","描述":"攻击者可能会尝试获取在远程主机和本地网络基础设施设备上运行的服务列表,包括那些可能容易受到远程软件利用的服务。获取此信息的常用方法包括使用系统自带的工具进行端口和/或漏洞扫描。"},"T1135":{"Name":"Network Share Discovery","姓名":"查看网络共享","Description":"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.","描述":"攻击者可能会寻找在远程系统上共享的文件夹和驱动器,作为识别信息来源的一种手段,以作为收集的前兆,并识别横向移动感兴趣的潜在系统。网络通常包含共享的网络驱动器和文件夹,使用户能够通过网络访问各种系统上的文件目录。"},"T1201":{"Name":"Password Policy Discovery","姓名":"查看密码策略","Description":"Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as \'pass123\'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).","描述":"攻击者可能会尝试访问有关企业网络或云环境中使用的密码策略的详细信息。密码策略是一种强制执行难以猜测或破解的复杂密码的方法蛮力.此信息可以帮助攻击者创建常用密码列表并发起字典和/或符合策略的蛮力攻击(例如,如果最小密码长度应为 8,则不尝试密码,例如“pass123”;不检查如果锁定设置为 6 以不锁定帐户,则每个帐户的密码超过 3-4 个)。"},"T1120":{"Name":"Peripheral Device Discovery","姓名":"查看外围设备","Description":"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.","描述":"攻击者可能会尝试收集有关连接到计算机系统的附加外围设备和组件的信息。外围设备可能包括支持各种功能的辅助资源,例如键盘、打印机、相机、智能卡读卡器或可移动存储。该信息可用于增强他们对系统和网络环境的认识,或可用于进一步的行动。"},"T1069":{"Name":"Permission Groups Discovery","姓名":"查看权限组","Description":"Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.","描述":"攻击者可能会尝试查找组和权限设置。此信息可以帮助攻击者确定哪些用户帐户和组可用、特定组中用户的成员身份以及哪些用户和组具有提升的权限。"},"T1057":{"Name":"Process Discovery","姓名":"查看进程","Description":"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","描述":"攻击者可能会尝试获取有关系统上正在运行的进程的信息。获得的信息可用于了解网络内系统上运行的常见软件/应用程序。攻击者可能会使用来自过程查看在自动翻找期间塑造后续行为,包括对手是否完全感染目标和/或尝试特定行动。"},"T1012":{"Name":"Query Registry","姓名":"查询注册表","Description":"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.","描述":"攻击者可能与 Windows 注册表交互以收集有关系统、配置和已安装软件的信息。"},"T1018":{"Name":"Remote System Discovery","姓名":"查看远程系统","Description":"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.","描述":"攻击者可能会尝试通过 IP 地址、主机名或网络上的其他逻辑标识符获取其他系统的列表,该列表可用于从当前系统进行横向移动。远程访问工具中可能存在启用此功能的功能,但也可以使用操作系统上可用的实用程序,例如平或者净视图使用网."},"T1518":{"Name":"Software Discovery","姓名":"查看软件","Description":"Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","描述":"攻击者可能会尝试获取安装在系统或云环境中的软件和软件版本的列表。攻击者可能会使用来自软件查看在自动翻找期间塑造后续行为,包括对手是否完全感染目标和/或尝试特定行动。"},"T1082":{"Name":"System Information Discovery","姓名":"查看系统信息","Description":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","描述":"攻击者可能会尝试获取有关操作系统和硬件的详细信息,包括版本、补丁、修补程序、服务包和架构。攻击者可能会使用来自系统信息查看在自动翻找期间塑造后续行为,包括对手是否完全感染目标和/或尝试特定行动。"},"T1614":{"Name":"System Location Discovery","姓名":"查看系统位置","Description":"Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","描述":"攻击者可能会收集信息以试图计算受害主机的地理位置。攻击者可能会使用来自系统位置查看在自动翻找期间塑造后续行为,包括对手是否完全感染目标和/或尝试特定行动。"},"T1016":{"Name":"System Network Configuration Discovery","姓名":"查看系统网络配置","Description":"Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.","描述":"攻击者可能会查找有关他们访问的系统的网络配置和设置的详细信息,例如 IP 和/或 MAC 地址,或通过远程系统的信息查看。存在几个可用于收集此信息的操作系统管理实用程序。例子包括阿尔普,ipconfig/如果配置,nbtstat , 和路线."},"T1049":{"Name":"System Network Connections Discovery","姓名":"查看系统网络连接","Description":"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.","描述":"攻击者可能会尝试通过在网络上查询信息来获取与他们当前正在访问的受感染系统或来自远程系统的网络连接列表。"},"T1033":{"Name":"System Owner/User Discovery","姓名":"查看系统所有者/用户","Description":"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","描述":"攻击者可能会尝试识别主要用户、当前登录用户、通常使用系统的用户集,或者用户是否正在积极使用系统。他们可能会这样做,例如,通过检索帐户用户名或使用操作系统凭证转储.可以使用其他查看技术以多种不同方式收集信息,因为用户和用户名详细信息在整个系统中普遍存在,包括正在运行的进程所有权、文件/目录所有权、会话信息和系统日志。攻击者可能会使用来自系统所有者/用户查看在自动翻找期间塑造后续行为,包括对手是否完全感染目标和/或尝试特定行动。"},"T1007":{"Name":"System Service Discovery","姓名":"查看系统服务","Description":"Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.","描述":"攻击者可能会尝试收集有关已注册本地系统服务的信息。攻击者可以使用工具以及操作系统实用程序命令(例如sc查询,任务列表 /svc , systemctl --type=服务, 和净开始."},"T1124":{"Name":"System Time Discovery","姓名":"查看系统时间","Description":"An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.","描述":"攻击者可以从本地或远程系统收集系统时间和/或时区。系统时间由域内的 Windows 时间服务设置和存储,以保持企业网络中系统和服务之间的时间同步。"},"T1210":{"Name":"Exploitation of Remote Services","姓名":"远程服务的利用","Description":"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.","描述":"一旦进入网络,攻击者可能会利用远程服务获得对内部系统的未经授权的访问。当攻击者利用程序、服务或操作系统软件或内核本身中的编程错误来执行攻击者控制的代码时,就会利用软件漏洞。对远程服务进行攻击后利用的一个共同目标是横向移动以实现对远程系统的访问。"},"T1534":{"Name":"Internal Spearphishing","姓名":"内部鱼叉式钓鱼","Description":"Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user\'s device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.","描述":"攻击者可能会使用内部鱼叉式网络钓鱼来访问其他信息或利用同一组织内的其他用户,因为他们已经可以访问环境中的帐户或系统。内部鱼叉式网络钓鱼是多阶段的活动,其中通过使用先前安装的恶意软件控制用户的设备或通过破坏用户的帐户凭据来拥有电子邮件帐户。攻击者试图利用受信任的内部帐户来增加诱骗目标陷入网络钓鱼尝试的可能性。"},"T1570":{"Name":"Lateral Tool Transfer","姓名":"横向工具移动","Description":"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.","描述":"攻击者可能会在受感染环境中的系统之间传输工具或其他文件。一旦被带入受害者环境(即入口工具转移 文件然后可以从一个系统复制到另一个系统,以便在操作过程中部署攻击者工具或其他文件。攻击者可能会在内部受害系统之间复制文件,以使用固有的文件共享协议(例如文件共享)支持横向移动SMB/Windows 管理员共享到已连接的网络共享或通过经过身份验证的连接远程桌面协议."},"T1563":{"Name":"Remote Service Session Hijacking","姓名":"远程服务会话劫持","Description":"Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.","描述":"攻击者可能会控制与远程服务的预先存在的会话,以便在环境中横向移动。用户可以使用有效凭据登录专门设计用于接受远程连接的服务,例如 telnet、SSH 和 RDP。当用户登录到服务时,将建立一个会话,使他们能够与该服务保持持续的交互。"},"T1021":{"Name":"Remote Services","姓名":"远程服务","Description":"Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.","描述":"对手可以使用有效账户登录到专门设计用于接受远程连接的服务,例如 telnet、SSH 和 VNC。然后,攻击者可以作为登录用户执行操作。"},"T1080":{"Name":"Taint Shared Content","姓名":"污染共享内容","Description":"Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary\'s code on a remote system. Adversaries may use tainted shared content to move laterally.","描述":"攻击者可以通过将内容添加到共享存储位置(例如网络驱动器或内部代码存储库)来将有效负载传递到远程系统。存储在网络驱动器或其他共享位置的内容可能会因向其他有效文件添加恶意程序、脚本或漏洞代码而受到污染。一旦用户打开共享的受污染内容,就可以执行恶意部分以在远程系统上运行对手的代码。攻击者可能会使用受污染的共享内容横向移动。"},"T1560":{"Name":"Archive Collected Data","姓名":"归档收集的数据","Description":"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.","描述":"攻击者可能会压缩和/或加密在泄露之前收集的数据。压缩数据有助于混淆收集的数据并最大限度地减少通过网络发送的数据量。加密可用于隐藏从检测中泄露的信息,或在防御者检查时使泄露不那么明显。"},"T1123":{"Name":"Audio Capture","姓名":"音频捕捉","Description":"An adversary can leverage a computer\'s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.","描述":"攻击者可以利用计算机的外围设备(例如,麦克风和网络摄像头)或应用程序(例如,语音和视频呼叫服务)来捕获音频记录,以便收听敏感对话以收集信息。"},"T1119":{"Name":"Automated Collection","姓名":"自动收集","Description":"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.","描述":"一旦在系统或网络中建立起来,攻击者就可以使用自动化技术来收集内部数据。执行此技术的方法可能包括使用命令和脚本解释器以特定时间间隔搜索和复制符合设置条件的信息,例如文件类型、位置或名称。在基于云的环境中,攻击者还可能使用云 API、命令行界面或提取、转换和加载 (ETL) 服务来自动收集数据。此功能也可以内置到远程访问工具中。"},"T1185":{"Name":"Browser Session Hijacking","姓名":"浏览器会话劫持","Description":"Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.","描述":"作为各种浏览器会话劫持技术的一部分,攻击者可能会利用浏览器软件中的安全漏洞和固有功能来更改内容、修改用户行为和拦截信息。"},"T1115":{"Name":"Clipboard Data","姓名":"收集剪贴板数据","Description":"Adversaries may collect data stored in the clipboard from users copying information within or between applications.","描述":"攻击者可能会从在应用程序内或应用程序之间复制信息的用户那里收集存储在剪贴板中的数据。"},"T1530":{"Name":"Data from Cloud Storage Object","姓名":"收集云存储的数据","Description":"Adversaries may access data objects from improperly secured cloud storage.","描述":"攻击者可能会从不适当保护的云存储中访问数据对象。"},"T1602":{"Name":"Data from Configuration Repository","姓名":"收集配置存储库的数据","Description":"Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.","描述":"攻击者可能会从配置存储库中收集与受管设备相关的数据。管理系统使用配置存储库来配置、管理和控制远程系统上的数据。配置存储库还可以促进设备的远程访问和管理。"},"T1213":{"Name":"Data from Information Repositories","姓名":"收集信息存储库的数据","Description":"Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.","描述":"攻击者可能会利用信息库来挖掘有价值的信息。信息存储库是允许存储信息的工具,通常是为了促进用户之间的协作或信息共享,并且可以存储各种各样的数据,这些数据可以帮助对手实现进一步的目标,或者直接访问目标信息。攻击者还可能滥用外部共享功能与组织外部的收件人共享敏感文档。"},"T1005":{"Name":"Data from Local System","姓名":"收集本地系统的数据","Description":"Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.","描述":"攻击者可能会搜索本地系统源,例如文件系统和配置文件或本地数据库,以在渗出之前找到感兴趣的文件和敏感数据。"},"T1039":{"Name":"Data from Network Shared Drive","姓名":"收集网络共享驱动器的数据","Description":"Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.","描述":"攻击者可能会在他们已经入侵的计算机上搜索网络共享以查找感兴趣的文件。敏感数据可以通过共享网络驱动器(主机共享目录、网络文件服务器等)从远程系统收集,这些驱动器可在渗出之前从当前系统访问。交互式命令 shell 可能正在使用中,并且其中的常用功能命令可用于收集信息。"},"T1025":{"Name":"Data from Removable Media","姓名":"收集可移动媒体的数据","Description":"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.","描述":"攻击者可能会在他们已经入侵的计算机上搜索连接的可移动媒体以查找感兴趣的文件。敏感数据可以在渗出之前从连接到受感染系统的任何可移动媒体(光盘驱动器、USB 存储器等)中收集。交互式命令 shell 可能正在使用中,并且其中的常用功能命令可用于收集信息。"},"T1074":{"Name":"Data Staged","姓名":"数据暂存","Description":"Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.","描述":"攻击者可能会在渗出之前将收集的数据存放在中央位置或目录中。数据可以保存在单独的文件中,也可以通过以下技术合并到一个文件中:归档收集的数据.可以使用交互式命令外壳,并且可以使用其中的通用功能命令并且 bash 可用于将数据复制到暂存位置。"},"T1114":{"Name":"Email Collection","姓名":"电子邮件收集","Description":"Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.","描述":"攻击者可能会针对用户电子邮件来收集敏感信息。电子邮件可能包含对对手有价值的敏感数据,包括商业机密或个人信息。攻击者可以从邮件服务器或客户端收集或转发电子邮件。"},"T1113":{"Name":"Screen Capture","姓名":"屏幕截图","Description":"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.","描述":"攻击者可能会尝试截取桌面的屏幕截图以在操作过程中收集信息。屏幕捕获功能可以作为在后入侵操作中使用的远程访问工具的一个特征。通常也可以通过本机实用程序或 API 调用来截取屏幕截图,例如CopyFromScreen ,xwd , 或者截屏."},"T1125":{"Name":"Video Capture","姓名":"视频截取","Description":"An adversary can leverage a computer\'s peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.","描述":"攻击者可以利用计算机的外围设备(例如,集成摄像头或网络摄像头)或应用程序(例如,视频呼叫服务)来捕获视频记录,以收集信息。图像也可以从设备或应用程序中捕获,可能以指定的时间间隔代替视频文件。"},"T1071":{"Name":"Application Layer Protocol","姓名":"应用层协议","Description":"Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","描述":"攻击者可以使用应用层协议进行通信,通过与现有流量混合来避免检测/网络过滤。远程系统的命令,通常是这些命令的结果,将嵌入客户端和服务器之间的协议流量中。"},"T1092":{"Name":"Communication Through Removable Media","姓名":"通过可移动媒体进行交流","Description":"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.","描述":"攻击者可以使用可移动媒体在可能断开连接的网络上的受感染主机之间执行命令和控制,以在系统之间传输命令。两个系统都需要被攻破,一个连接互联网的系统很可能首先被攻破,第二个可能是通过横向移动通过可移动媒体进行复制.命令和文件将从断开连接的系统中继到攻击者可以直接访问的互联网连接系统。"},"T1132":{"Name":"Data Encoding","姓名":"数据编码","Description":"Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip.","描述":"攻击者可能会对数据进行编码,以使命令和控制流量的内容更难以检测。命令和控制 (C2) 信息可以使用标准数据编码系统进行编码。数据编码的使用可以遵循现有的协议规范,包括使用 ASCII、Unicode、Base64、MIME 或其他二进制到文本和字符编码系统。一些数据编码系统也可能导致数据压缩,例如 gzip。"},"T1001":{"Name":"Data Obfuscation","姓名":"数据混淆","Description":"Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.","描述":"攻击者可能会混淆命令和控制流量,使其更难被查看。命令和控制 (C2) 通信是隐藏的(但不一定是加密的),试图使内容更难被查看或破译,并使通信不那么显眼并隐藏命令不被看到。这包括许多方法,例如将垃圾数据添加到协议流量、使用隐写术或冒充合法协议。"},"T1568":{"Name":"Dynamic Resolution","姓名":"动态分辨率","Description":"Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware\'s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.","描述":"攻击者可以动态建立与指挥和控制基础设施的连接,以逃避常见的检测和补救措施。这可以通过使用与对手用来接收恶意软件通信的基础设施共享通用算法的恶意软件来实现。这些计算可用于动态调整恶意软件用于命令和控制的域名、IP 地址或端口号等参数。"},"T1573":{"Name":"Encrypted Channel","姓名":"加密频道","Description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","描述":"攻击者可以使用已知的加密算法来隐藏命令和控制流量,而不是依赖通信协议提供的任何固有保护。尽管使用了安全算法,但如果在恶意软件样本/配置文件中编码和/或生成密钥,这些实现可能容易受到逆向工程的影响。"},"T1008":{"Name":"Fallback Channels","姓名":"后备频道","Description":"Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.","描述":"如果主要通道受到损害或无法访问,攻击者可能会使用备用或备用通信通道,以维持可靠的命令和控制并避免数据传输阈值。"},"T1105":{"Name":"Ingress Tool Transfer","姓名":"入口工具转移","Description":"Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).","描述":"攻击者可能会将工具或其他文件从外部系统转移到受感染的环境中。工具或文件可以通过命令和控制通道或通过替代协议从外部攻击者控制的系统复制到受害者网络,例如ftp.一旦出现,攻击者还可能在受感染环境中的受害设备之间传输/传播工具(即横向工具转移)。"},"T1104":{"Name":"Multi-Stage Channels","姓名":"多级通道","Description":"Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.","描述":"对手可能会为在不同条件下或某些功能下使用的命令和控制创建多个阶段。使用多个阶段可能会混淆命令和控制通道,从而使检测更加困难。"},"T1095":{"Name":"Non-Application Layer Protocol","姓名":"非应用层协议","Description":"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).","描述":"攻击者可能使用非应用层协议在主机和 C2 服务器之间或网络中受感染的主机之间进行通信。可能的协议列表很广泛。具体示例包括使用网络层协议,例如 Internet 控制消息协议 (ICMP),传输层协议,例如用户数据报协议 (UDP),会话层协议,例如套接字安全 (SOCKS),以及重定向/隧道协议,例如 LAN 上串行 (SOL)。"},"T1571":{"Name":"Non-Standard Port","姓名":"非标准端口","Description":"Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.","描述":"攻击者可以使用通常不相关的协议和端口配对进行通信。例如,HTTPS 通过端口 8088 或端口 587 而不是传统的端口 443。攻击者可能会更改协议使用的标准端口以绕过过滤或混淆网络数据的分析/解析。"},"T1572":{"Name":"Protocol Tunneling","姓名":"协议隧道","Description":"Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.","描述":"攻击者可能会在单独的协议中通过隧道与受害系统进行网络通信,以避免检测/网络过滤和/或启用对其他无法访问的系统的访问。隧道涉及将协议显式封装在另一个协议中。此行为可能会通过与现有流量混合和/或提供外层加密(类似于 VPN)来隐藏恶意流量。隧道还可以实现网络数据包的路由,否则这些数据包将无法到达其预期目的地,例如 SMB、RDP 或其他会被网络设备过滤或不会通过 Internet 路由的流量。"},"T1090":{"Name":"Proxy","姓名":"代理","Description":"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.","描述":"攻击者可以使用连接代理来引导系统之间的网络流量,或者充当与命令和控制服务器进行网络通信的中介,以避免直接连接到他们的基础设施。存在许多通过代理或端口重定向启用流量重定向的工具,包括HTRAN 、ZXProxy 和 ZXPortMap。攻击者使用这些类型的代理来管理命令和控制通信,减少同时出站网络连接的数量,在连接丢失时提供弹性,或者绕过受害者之间现有的可信通信路径以避免怀疑。攻击者可能会将多个代理链接在一起,以进一步掩饰恶意流量的来源。"},"T1219":{"Name":"Remote Access Software","姓名":"远程访问软件","Description":"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.","描述":"攻击者可以使用合法的桌面支持和远程访问软件,例如 Team Viewer、AnyDesk、Go2Assist、LogMein、AmmyyAdmin 等,来建立一个交互式命令和控制通道,以连接网络内的目标系统。这些服务通常用作合法的技术支持软件,并且可能被目标环境中的应用程序控制所允许。与对手常用的其他合法软件相比,VNC、Ammyy 和 Teamviewer 等远程访问工具的使用频率很高。"},"T1102":{"Name":"Web Service","姓名":"网络服务","Description":"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.","描述":"攻击者可能会使用现有的合法外部 Web 服务作为向/从受感染系统中继数据的手段。作为 C2 机制的流行网站和社交媒体可能会提供大量掩护,因为网络中的主机可能在入侵之前已经与它们通信。使用通用服务,例如谷歌或推特提供的服务,可以让对手更容易隐藏在预期的噪音中。 Web 服务提供商通常使用 SSL/TLS 加密,为攻击者提供更高级别的保护。"},"T1020":{"Name":"Automated Exfiltration","姓名":"自动数据回传","Description":"Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.","描述":"攻击者可能会在收集过程中收集到数据后,通过使用自动处理来泄露敏感文档等数据。"},"T1030":{"Name":"Data Transfer Size Limits","姓名":"数据传输大小限制","Description":"An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.","描述":"攻击者可能会以固定大小的块而不是整个文件的形式泄露数据,或者将数据包大小限制在特定阈值以下。该方法可用于避免触发网络数据传输阈值警报。"},"T1048":{"Name":"Exfiltration Over Alternative Protocol","姓名":"通过替代协议的数据回传","Description":"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.","描述":"攻击者可能会通过与现有命令和控制通道不同的协议窃取数据来窃取数据。数据也可以从主命令和控制服务器发送到备用网络位置。"},"T1041":{"Name":"Exfiltration Over C2 Channel","姓名":"通过 C2 通道数据回传","Description":"Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.","描述":"攻击者可以通过现有的命令和控制通道窃取数据。使用与命令和控制通信相同的协议将窃取的数据编码到正常通信通道中。"},"T1011":{"Name":"Exfiltration Over Other Network Medium","姓名":"通过其他网络介质数据回传","Description":"Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.","描述":"攻击者可能会尝试通过与命令和控制通道不同的网络介质来窃取数据。如果命令和控制网络是有线互联网连接,则可以通过例如 WiFi 连接、调制解调器、蜂窝数据连接、蓝牙或其他射频 (RF) 通道进行渗漏。"},"T1052":{"Name":"Exfiltration Over Physical Medium","姓名":"物理介质数据回传","Description":"Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.","描述":"攻击者可能会尝试通过物理介质(例如可移动驱动器)窃取数据。在某些情况下,例如气隙网络泄露,可能会通过用户引入的物理介质或设备发生渗漏。此类媒体可以是外部硬盘驱动器、USB 驱动器、蜂窝电话、MP3 播放器或其他可移动存储和处理设备。物理介质或设备可用作最终渗出点或在其他断开连接的系统之间跳跃。"},"T1567":{"Name":"Exfiltration Over Web Service","姓名":"通过 Web 服务进行数据回传","Description":"Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.","描述":"攻击者可能使用现有的合法外部 Web 服务而不是他们的主要命令和控制通道来窃取数据。由于网络中的主机可能在受到攻击之前已经与它们进行通信,因此充当渗漏机制的流行 Web 服务可能会提供大量掩护。防火墙规则也可能已经存在以允许到这些服务的流量。"},"T1029":{"Name":"Scheduled Transfer","姓名":"预定时间转移数据","Description":"Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.","描述":"攻击者可能会安排仅在一天中的特定时间或特定时间间隔执行数据泄露。可以这样做以将流量模式与正常活动或可用性相结合。"},"T1537":{"Name":"Transfer Data to Cloud Account","姓名":"将数据传输到云帐户","Description":"Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.","描述":"攻击者可能会通过将数据(包括云环境的备份)传输到他们在同一服务上控制的另一个云帐户来泄露数据,以避免典型的文件传输/下载和基于网络的泄露检测。"},"T1531":{"Name":"Account Access Removal","姓名":"关闭帐户访问","Description":"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.","描述":"攻击者可能会通过禁止访问合法用户使用的帐户来中断系统和网络资源的可用性。帐户可能会被删除、锁定或操纵(例如:更改的凭据)以删除对帐户的访问权限。攻击者也可能随后注销和/或执行系统关机/重启将恶意更改设置到位。"},"T1485":{"Name":"Data Destruction","姓名":"数据销毁","Description":"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk\'s logical structure.","描述":"攻击者可能会破坏特定系统或网络上的大量数据和文件,以中断系统、服务和网络资源的可用性。通过覆盖本地和远程驱动器上的文件或数据,数据破坏很可能使取证技术无法恢复存储的数据。常见的操作系统文件删除命令如德尔和M通常只删除指向文件的指针而不擦除文件本身的内容,从而使文件可以通过适当的取证方法恢复。这种行为不同于磁盘内容擦除和磁盘结构擦除因为单个文件被破坏,而不是存储磁盘的部分或磁盘的逻辑结构。"},"T1486":{"Name":"Data Encrypted for Impact","姓名":"为影响而加密的数据","Description":"Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.","描述":"攻击者可能会加密目标系统或网络中大量系统上的数据,以中断系统和网络资源的可用性。他们可以尝试通过加密本地和远程驱动器上的文件或数据并阻止对解密密钥的访问来使存储的数据无法访问。这样做可能是为了从受害者那里提取金钱补偿以换取解密或解密密钥(勒索软件),或者在未保存或传输密钥的情况下使数据永久不可访问。"},"T1565":{"Name":"Data Manipulation","姓名":"数据处理","Description":"Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.","描述":"攻击者可能会插入、删除或操纵数据以影响外部结果或隐藏活动,从而威胁数据的完整性。通过操纵数据,对手可能会试图影响业务流程、组织理解或决策制定。"},"T1491":{"Name":"Defacement","姓名":"污损","Description":"Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.","描述":"攻击者可能会修改企业网络内部或外部可用的可视内容,从而影响原始内容的完整性。的原因污损包括传递信息、恐吓或声称(可能是虚假的)入侵行为。令人不安或令人反感的图像可能被用作污损以引起用户不适,或迫使用户遵守随附的消息。"},"T1561":{"Name":"Disk Wipe","姓名":"磁盘擦除","Description":"Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.","描述":"攻击者可能会擦除或破坏特定系统或网络中大量的原始磁盘数据,以中断系统和网络资源的可用性。通过对磁盘的直接写访问,攻击者可能会尝试覆盖部分磁盘数据。攻击者可能会选择擦除磁盘数据的任意部分和/或擦除主引导记录 (MBR) 等磁盘结构。可能会尝试完全擦除所有磁盘扇区。"},"T1499":{"Name":"Endpoint Denial of Service","姓名":"端点拒绝服务","Description":"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.","描述":"攻击者可能会执行端点拒绝服务 (DoS) 攻击,以降低或阻止对用户的服务可用性。端点 DoS 可以通过耗尽这些服务所在的系统资源或利用系统导致持续崩溃情况来执行。示例服务包括网站、电子邮件服务、DNS 和基于 Web 的应用程序。已经观察到攻击者出于政治目的进行 DoS 攻击并支持其他恶意活动,包括分心、黑客行为和勒索。"},"T1495":{"Name":"Firmware Corruption","姓名":"固件损坏","Description":"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.","描述":"攻击者可能会覆盖或破坏系统 BIOS 或连接到系统的设备中的其他固件的闪存内容,以使它们无法操作或无法启动,从而拒绝使用设备和/或系统的可用性。固件是从硬件设备上的非易失性存储器加载和执行的软件,用于初始化和管理设备功能。这些设备可能包括主板、硬盘驱动器或视频卡。"},"T1490":{"Name":"Inhibit System Recovery","姓名":"禁止系统恢复","Description":"Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.","描述":"攻击者可能会删除或移除内置操作系统数据,并关闭旨在帮助恢复损坏系统的服务以防止恢复。这可能会拒绝访问可用的备份和恢复选项。"},"T1498":{"Name":"Network Denial of Service","姓名":"网络拒绝服务","Description":"Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.","描述":"攻击者可能会执行网络拒绝服务 (DoS) 攻击,以降低或阻止目标资源对用户的可用性。网络 DoS 可以通过耗尽服务所依赖的网络带宽来执行。示例资源包括特定网站、电子邮件服务、DNS 和基于 Web 的应用程序。已经观察到攻击者出于政治目的进行网络 DoS 攻击并支持其他恶意活动,包括分心、黑客行为和勒索。"},"T1496":{"Name":"Resource Hijacking","姓名":"资源劫持","Description":"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.","描述":"攻击者可能会利用增选系统的资源来解决资源密集型问题,这可能会影响系统和/或托管服务的可用性。"},"T1489":{"Name":"Service Stop","姓名":"服务停止","Description":"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary\'s overall objectives to cause damage to the environment.","描述":"攻击者可能会停止或禁用系统上的服务,以使合法用户无法使用这些服务。停止关键服务或流程可以抑制或停止对事件的响应,或帮助对手实现对环境造成破坏的总体目标。"},"T1529":{"Name":"System Shutdown/Reboot","姓名":"系统关机/重启","Description":"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device. Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.","描述":"攻击者可能会关闭/重新启动系统以中断对这些系统的访问或帮助破坏这些系统。操作系统可能包含启动机器或网络设备关机/重启的命令。在某些情况下,这些命令还可用于启动远程计算机或网络设备的关机/重启。关闭或重新启动系统可能会中断合法用户对计算机资源的访问。"}}')}}]);