---
title: "MITRE ATT&CK AI Classification in ThreatConnect | ThreatConnect"
slug: "mitre-attack-ai-classification-in-threatconnect"
description: "This article explains how the MITRE ATT&CK AI classification model works in ThreatConnect, describes the areas in ThreatConnect that leverage the model, and lists the techniques and sub-techniques used in the model."
tags: ["Analytical Tools"]
updated: 2026-06-15T18:13:30Z
published: 2026-06-15T18:13:30Z
canonical: "knowledge.threatconnect.com/mitre-attack-ai-classification-in-threatconnect"
---

# MITRE ATT&CK AI Classification in ThreatConnect

## Overview

The [MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework](https://attack.mitre.org/) is a knowledge base that uses metadata codes to standardize and classify adversary goals (*tactics*) and offensive actions (*techniques*). ThreatConnect® leverages the MITRE ATT&CK® framework in various areas across the platform to optimize the way you use your threat intelligence to understand adversaries, automate workflows, and mitigate threats.

## Before You Start

### User Roles

- To view ATT&CK Tags, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles).

### Prerequisites

- Activate the **CAL Automated Threat Library** Source to view Tags applied to Report Groups in this Source. To activate the **CAL Automated Threat Library** Source, turn on the **Active** toggle for **CAL Automated Threat Library** on the **Feeds** tab of the **TC Exchange™ Settings** screen (must be a System Administrator to perform this action).
- Verify your ThreatConnect instance can receive data from `cal.threatconnect.com`.

## How MITRE ATT&CK AI Classification Works

ThreatConnect uses a proprietary artificial intelligence (AI) classification model to read unstructured text from documents like reports and blogs attached to Report Groups in the [**CAL Automated Threat Library**](https://knowledge.threatconnect.com/docs/cal-automated-threat-library-atl) (ATL) Source and assess the content for relevant context clues to related techniques and sub-techniques in the MITRE ATT&CK framework. The MITRE ATT&CK AI classification model can identify 632 techniques and sub-techniques at a 95% confidence level. It returns these techniques and sub-techniques as system-level [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) associated to the Report Group containing the unstructured-text file. You can use these ATT&CK Tags as “at-a-glance” reference points, enabling you to quickly assess and pivot through large amounts of information in CAL™ ATL Reports, as well as any threat intelligence object to which you or another user has manually applied an ATT&CK Tag.

![A graphical depiction of unstructured text being converted to machine-readable intelligence (an ATT&amp;CK Tag) by the MITRE ATT&amp;CK AI model](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/MITRE%20ATT&amp;CK%20AI%20Classification%20Model_7.7.1.png)

The model is monitored for accuracy and updated to support the latest version of the MITRE ATT&CK framework. When new techniques and sub-techniques are added to the framework, the model is trained to identify and “understand” them. Once the updates to the model meet ThreatConnect’s quality standards, the techniques and sub-techniques are released for use by the model.

## Using MITRE ATT&CK AI Classification

You can leverage MITRE ATT&CK AI classification directly in the following ThreatConnect features:

- If the AI-powered features of [Document Parsing Import](https://knowledge.threatconnect.com/docs/document-parsing-import) are enabled (that is, the **CALServices** system setting is set to the **CAL AI Processing** level), you can use MITRE ATT&CK AI classification to extract and import implicit MITRE ATT&CK Enterprise techniques and sub-techniques from the contents of an unstructured file or text block.
- When configuring the [**ThreatConnect Doc Analysis** playbook app](https://threatconnect.readme.io/docs/threatconnect-doc-analysis-playbook), you can select **AI MITRE ATT&CK Classification** from the **Features** dropdown to label text from an imported document identified as MITRE ATT&CK techniques and sub-techniques.
- The [**CAL Automated Threat Library**](https://knowledge.threatconnect.com/docs/cal-automated-threat-library-atl) Source contains all ATT&CK Tags, including those in the MITRE ATT&CK AI classification model. You can search for ATT&CK Tags when [searching all object types on the **Search** screen](https://knowledge.threatconnect.com/docs/searching-all-object-types) or when [searching Tags on the **Search: Tags** screen](https://knowledge.threatconnect.com/docs/searching-tags), and you can [query for ATT&CK Tags](https://knowledge.threatconnect.com/docs/constructing-query-expressions#query-for-attck-tags) on the **Legacy Browse** screen using [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql).

You can leverage [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags), including those applied automatically to CAL ATL Reports by the MITRE ATT&CK AI classification model, in a number of places in ThreatConnect, including the following:

- [The **Search** screen](https://knowledge.threatconnect.com/docs/searching-in-threatconnect)
- [The **Legacy Browse** screen](https://knowledge.threatconnect.com/docs/the-browse-screen)
- [Intelligence Requirements](https://knowledge.threatconnect.com/docs/intelligence-requirements)
- [The ThreatConnect ATT&CK Visualizer](https://knowledge.threatconnect.com/docs/attack-visualizer)
- [Threat Graph](https://knowledge.threatconnect.com/docs/explore-in-graph)

## Techniques and Sub-techniques in the MITRE ATT&CK AI Classification Model

| Technique | Sub-techniques |
| --- | --- |
| T1001 - Data Obfuscation | - T1001.001 - Junk Data - T1001.002 - Steganography - T1001.003 - Protocol or Service Impersonation |
| T1003 - OS Credential Dumping | - T1003.001 - LSASS Memory - T1003.003 - NTDS - T1003.004 - LSA Secrets - T1003.005 - Cached Domain Credentials - T1003.006 - DCSync - T1003.007 - Proc Filesystem - T1003.008 - /etc/passwd and /etc/shadow |
| T1005 - Data from Local System |  |
| T1007 - System Service Discovery |  |
| T1008 - Fallback Channels |  |
| T1010 - Application Window Discovery |  |
| T1011 - Exfiltration Over Other Network Medium | T1011.001 - Exfiltration Over Bluetooth |
| T1012 - Query Registry |  |
| T1016 - System Network Configuration Discovery | T1016.002 - Wi-Fi Discovery |
| T1018 - Remote System Discovery |  |
| T1020 - Automated Exfiltration | T1020.001 - Traffic Duplication |
| T1021 - Remote Services | - T1021.001 - Remote Desktop Protocol - T1021.002 - SMB/Windows Admin Shares - T1021.003 - Distributed Component Object Model - T1021.004 - SSH - T1021.005 - VNC - T1021.006 - Windows Remote Management - T1021.007 - Cloud Services - T1021.008 - Direct Cloud VM Connections |
| T1025 - Data from Removable Media |  |
| T1027 - Obfuscated Files or Information | - T1027.001 - Binary Padding - T1027.002 - Software Packing - T1027.003 - Steganography - T1027.004 - Compile After Delivery - T1027.005 - Indicator Removal from Tools - T1027.006 - HTML Smuggling - T1027.007 - Dynamic API Resolution - T1027.008 - Stripped Payloads - T1027.009 - Embedded Payloads - T1027.010 - Command Obfuscation - T1027.012 - LNK Icon Smuggling - T1027.013 - Encrypted/Encoded File - T1027.014 - Polymorphic Code - T1027.016 - Junk Code Insertion - T1027.017 - SVG Smuggling - T1027.018 - Obfuscated Files or Information: Invisible Unicode |
| T1029 - Scheduled Transfer |  |
| T1030 - Data Transfer Size Limits |  |
| T1033 - System Owner/User Discovery |  |
| T1036 - Masquerading | - T1036.001 - Invalid Code Signature - T1036.002 - Right-to-Left Override - T1036.003 - Rename Legitimate Utilities - T1036.004 - Masquerade Task or Service - T1036.005 - Match Legitimate Resource Name or Location - T1036.006 - Space after Filename - T1036.007 - Double File Extension - T1036.008 - Masquerade File Type - T1036.009 - Break Process Trees - T1036.010 - Masquerade Account Name - T1036.011 - Overwrite Process Arguments - T1036.012 - Masquerading: Browser Fingerprint |
| T1037 - Boot or Logon Initialization Scripts | - T1037.001 - Logon Script (Windows) - T1037.002 - Login Hook - T1037.003 - Network Logon Script - T1037.004 - RC Scripts - T1037.005 - Startup Items |
| T1039 - Data from Network Shared Drive |  |
| T1040 - Network Sniffing |  |
| T1041 - Exfiltration Over C2 Channel |  |
| T1046 - Network Service Discovery |  |
| T1047 - Windows Management Instrumentation |  |
| T1048 - Exfiltration Over Alternative Protocol | - T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol |
| T1049 - System Network Connections Discovery |  |
| T1052 - Exfiltration Over Physical Medium | T1052.001 - Exfiltration Over USB |
| T1053 - Scheduled Task/Job | - T1053.003 - Cron - T1053.005 - Scheduled Task - T1053.006 - Systemd Timers - T1053.007 - Container Orchestration Job |
| T1055 - Process Injection | - T1055.001 - Dynamic-link Library Injection - T1055.002 - Portable Executable Injection - T1055.003 - Thread Execution Hijacking - T1055.004 - Asynchronous Procedure Call - T1055.005 - Thread Local Storage - T1055.008 - Ptrace System Calls - T1055.009 - Proc Memory - T1055.011 - Extra Window Memory Injection - T1055.012 - Process Hollowing - T1055.014 - VDSO Hijacking - T1055.015 - ListPlanting |
| T1056 - Input Capture | - T1056.001 - Keylogging - T1056.002 - GUI Input Capture - T1056.003 - Web Portal Capture - T1056.004 - Credential API Hooking |
| T1057 - Process Discovery |  |
| T1059 - Command and Scripting Interpreter | - T1059.001 - PowerShell - T1059.003 - Windows Command Shell - T1059.005 - Visual Basic - T1059.006 - Python - T1059.007 - JavaScript - T1059.008 - Network Device CLI - T1059.009 - Cloud API - T1059.010 - AutoHotKey & AutoIT - T1059.011 - Lua - T1059.012 - Hypervisor CLI - T1059.013 - Container CLI and API Abuse via Docker/Kubernetes |
| T1068 - Exploitation for Privilege Escalation |  |
| T1069 - Permission Groups Discovery | T1069.003 - Cloud Groups |
| T1070 - Indicator Removal | - T1070.003 - Clear Command History - T1070.004 - File Deletion - T1070.005 - Network Share Connection Removal - T1070.006 - Timestomp - T1070.007 - Clear Network Connection History and Configurations - T1070.008 - Clear Mailbox Data - T1070.009 - Clear Persistence - T1070.010 - Relocate Malware |
| T1071 - Application Layer Protocol | - T1071.001 - Web Protocols - T1071.004 - DNS - T1071.005 - Publish/Subscribe Protocols |
| T1074 - Data Staged | T1074.001 - Local Data Staging |
| T1078 - Valid Accounts | - T1078.001 - Default Accounts - T1078.003 - Local Accounts |
| T1080 - Taint Shared Content |  |
| T1082 - System Information Discovery |  |
| T1083 - File and Directory Discovery |  |
| T1087 - Account Discovery | - T1087.002 - Domain Account - T1087.003 - Email Account - T1087.004 - Cloud Account |
| T1090 - Proxy | - T1090.003 - Multi-hop Proxy - T1090.004 - Domain Fronting |
| T1091 - Replication Through Removable Media |  |
| T1092 - Communication Through Removable Media |  |
| T1095 - Non-Application Layer Protocol |  |
| T1098 - Account Manipulation | - T1098.001 - Additional Cloud Credentials - T1098.002 - Additional Email Delegate Permissions - T1098.003 - Additional Cloud Roles - T1098.004 - SSH Authorized Keys - T1098.005 - Device Registration - T1098.006 - Additional Container Cluster Roles - T1098.007 - Additional Local or Domain Groups |
| T1102 - Web Service | T1102.002 - Bidirectional Communication |
| T1104 - Multi-Stage Channels |  |
| T1105 - Ingress Tool Transfer |  |
| T1106 - Native API |  |
| T1110 - Brute Force | - T1110.001 - Password Guessing - T1110.002 - Password Cracking - T1110.003 - Password Spraying - T1110.004 - Credential Stuffing |
| T1111 - Multi-Factor Authentication Interception |  |
| T1112 - Modify Registry |  |
| T1113 - Screen Capture |  |
| T1114 - Email Collection | - T1114.001 - Local Email Collection - T1114.002 - Remote Email Collection - T1114.003 - Email Forwarding Rule |
| T1115 - Clipboard Data |  |
| T1119 - Automated Collection |  |
| T1120 - Peripheral Device Discovery |  |
| T1123 - Audio Capture |  |
| T1124 - System Time Discovery |  |
| T1125 - Video Capture |  |
| T1127 - Trusted Developer Utilities Proxy Execution | - T1127.001 - MSBuild - T1127.002 - ClickOnce - T1127.003 - JamPlus |
| T1132 - Data Encoding | - T1132.001 - Standard Encoding - T1132.002 - Non-Standard Encoding |
| T1133 - External Remote Services |  |
| T1134 - Access Token Manipulation | - T1134.002 - Create Process with Token - T1134.003 - Make and Impersonate Token - T1134.004 - Parent PID Spoofing - T1134.005 - SID-History Injection |
| T1135 - Network Share Discovery |  |
| T1136 - Create Account | - T1136.001 - Local Account - T1136.002 - Domain Account - T1136.003 - Cloud Account |
| T1137 - Office Application Startup | - T1137.001 - Office Template Macros - T1137.002 - Office Test - T1137.003 - Outlook Forms - T1137.004 - Outlook Home Page - T1137.005 - Outlook Rules - T1137.006 - Add-ins |
| T1140 - Deobfuscate/Decode Files or Information |  |
| T1176 - Software Extensions | - T1176.001 - Browser Extensions - T1176.002 - IDE Extensions |
| T1185 - Browser Session Hijacking |  |
| T1187 - Forced Authentication |  |
| T1190 - Exploit Public-Facing Application |  |
| T1195 - Supply Chain Compromise | - T1195.001 - Compromise Software Dependencies and Development Tools - T1195.002 - Compromise Software Supply Chain - T1195.003 - Compromise Hardware Supply Chain |
| T1199 - Trusted Relationship |  |
| T1200 - Hardware Additions |  |
| T1201 - Password Policy Discovery |  |
| T1202 - Indirect Command Execution |  |
| T1203 - Exploitation for Client Execution |  |
| T1204 - User Execution | - T1204.001 - Malicious Link - T1204.002 - Malicious File - T1204.003 - Malicious Image - T1204.004 - Malicious Copy and Paste - T1204.005 - Malicious Library |
| T1205 - Traffic Signaling | - T1205.001 - Port Knocking - T1205.002 - Socket Filters |
| T1207 - Rogue Domain Controller |  |
| T1210 - Exploitation of Remote Services |  |
| T1212 - Exploitation for Credential Access |  |
| T1213 - Data from Information Repositories | - T1213.001 - Confluence - T1213.002 - Sharepoint - T1213.003 - Code Repositories - T1213.004 - Customer Relationship Management Software - T1213.005 - Messaging Applications - T1213.006 - Databases |
| T1216 - System Script Proxy Execution | - T1216.001 - PubPrn - T1216.002 - SyncAppvPublishingServer |
| T1217 - Browser Information Discovery |  |
| T1218 - System Binary Proxy Execution | - T1218.001 - Compiled HTML File - T1218.002 - Control Panel - T1218.003 - CMSTP - T1218.004 - InstallUtil - T1218.007 - Msiexec - T1218.008 - Odbcconf - T1218.009 - Regsvcs/Regasm - T1218.010 - Regsvr32 - T1218.011 - Rundll32 - T1218.012 - Verclsid - T1218.013 - Mavinject - T1218.014 - MMC - T1218.015 - Electron Applications |
| T1219 - Remote Access Tools | - T1219.001 - IDE Tunneling - T1219.002 - Remote Desktop Software - T1219.003 - Remote Access Hardware |
| T1220 - XSL Script Processing |  |
| T1221 - Template Injection |  |
| T1222 - File and Directory Permissions Modification | - T1222.001 - Windows File and Directory Permissions Modification - T1222.002 - Linux and Mac File and Directory Permissions Modification |
| T1480 - Execution Guardrails | - T1480.001 - Environmental Keying - T1480.002 - Mutual Exclusion |
| T1482 - Domain Trust Discovery |  |
| T1484 - Domain or Tenant Policy Modification | T1484.002 - Trust Modification |
| T1485 - Data Destruction | T1485.001 - Lifecycle-Triggered Deletion |
| T1486 - Data Encrypted for Impact |  |
| T1490 - Inhibit System Recovery |  |
| T1491 - Defacement | - T1491.001 - Internal Defacement - T1491.002 - External Defacement |
| T1495 - Firmware Corruption |  |
| T1496 - Resource Hijacking | - T1496.001 - Compute Hijacking - T1496.002 - Bandwidth Hijacking - T1496.003 - SMS Pumping - T1496.004 - Cloud Service Hijacking |
| T1498 - Network Denial of Service | - T1498.001 - Direct Network Flood - T1498.002 - Reflection Amplification |
| T1499 - Endpoint Denial of Service | - T1499.001 - OS Exhaustion Flood - T1499.002 - Service Exhaustion Flood - T1499.003 - Application Exhaustion Flood - T1499.004 - Application or System Exploitation |
| T1505 - Server Software Component | - T1505.001 - SQL Stored Procedures - T1505.002 - Transport Agent - T1505.003 - Web Shell - T1505.004 - IIS Components - T1505.005 - Terminal Services DLL - T1505.006 - vSphere Installation Bundles |
| T1518 - Software Discovery | - T1518.001 - Security Software Discovery - T1518.002 - Backup Software Discovery |
| T1525 - Implant Internal Image |  |
| T1526 - Cloud Service Discovery |  |
| T1528 - Steal Application Access Token |  |
| T1529 - System Shutdown/Reboot |  |
| T1530 - Data from Cloud Storage |  |
| T1531 - Account Access Removal |  |
| T1535 - Unused/Unsupported Cloud Regions |  |
| T1537 - Transfer Data to Cloud Account |  |
| T1538 - Cloud Service Dashboard |  |
| T1542 - Pre-OS Boot | - T1542.001 - System Firmware - T1542.002 - Component Firmware - T1542.003 - Bootkit - T1542.004 - ROMMONkit - T1542.005 - TFTP Boot |
| T1543 - Create or Modify System Process | - T1543.002 - Systemd Service - T1543.003 - Windows Service - T1543.004 - Launch Daemon - T1543.005 - Container Service |
| T1546 - Event Triggered Execution | - T1546.001 - Change Default File Association - T1546.002 - Screensaver - T1546.003 - Windows Management Instrumentation Event Subscription - T1546.004 - Unix Shell Configuration Modification - T1546.005 - Trap - T1546.006 - LC_LOAD_DYLIB Addition - T1546.007 - Netsh Helper DLL - T1546.008 - Accessibility Features - T1546.009 - AppCert DLLs - T1546.010 - AppInit DLLs - T1546.011 - Application Shimming - T1546.012 - Image File Execution Options Injection - T1546.013 - PowerShell Profile - T1546.014 - Emond - T1546.015 - Component Object Model Hijacking - T1546.016 - Installer Packages - T1546.017 - Udev Rules - T1546.018 - Python Startup Hooks |
| T1547 - Boot or Logon Autostart Execution | - T1547.001 - Registry Run Keys / Startup Folder - T1547.002 - Authentication Package - T1547.003 - Time Providers - T1547.004 - Winlogon Helper DLL - T1547.005 - Security Support Provider - T1547.006 - Kernel Modules and Extensions - T1547.007 - Re-opened Applications - T1547.008 - LSASS Driver - T1547.010 - Port Monitors - T1547.012 - Print Processors - T1547.013 - XDG Autostart Entries - T1547.014 - Active Setup - T1547.015 - Login Items |
| T1548 - Abuse Elevation Control Mechanism | - T1548.001 - Setuid and Setgid - T1548.002 - Bypass User Account Control - T1548.003 - Sudo and Sudo Caching - T1548.004 - Elevated Execution with Prompt - T1548.005 - Temporary Elevated Cloud Access - T1548.006 - TCC Manipulation |
| T1550 - Use Alternate Authentication Material | - T1550.001 - Application Access Token - T1550.002 - Pass the Hash - T1550.003 - Pass the Ticket - T1550.004 - Web Session Cookie |
| T1552 - Unsecured Credentials | - T1552.002 - Credentials in Registry - T1552.003 - Bash History - T1552.004 - Private Keys - T1552.005 - Cloud Instance Metadata API - T1552.006 - Group Policy Preferences - T1552.007 - Container API - T1552.008 - Chat Messages |
| T1553 - Subvert Trust Controls | - T1553.001 - Gatekeeper Bypass - T1553.002 - Code Signing - T1553.003 - SIP and Trust Provider Hijacking - T1553.004 - Install Root Certificate - T1553.005 - Mark-of-the-Web Bypass - T1553.006 - Code Signing Policy Modification |
| T1555 - Credentials from Password Stores | - T1555.001 - Keychain - T1555.002 - Securityd Memory - T1555.003 - Credentials from Web Browsers - T1555.004 - Windows Credential Manager - T1555.005 - Password Managers - T1555.006 - Cloud Secrets Management Stores |
| T1556 - Modify Authentication Process | - T1556.001 - Domain Controller Authentication - T1556.002 - Password Filter DLL - T1556.003 - Pluggable Authentication Modules - T1556.004 - Network Device Authentication - T1556.005 - Reversible Encryption - T1556.006 - Multi-Factor Authentication - T1556.007 - Hybrid Identity - T1556.008 - Network Provider DLL - T1556.009 - Conditional Access Policies |
| T1557 - Adversary-in-the-Middle | - T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay - T1557.002 - ARP Cache Poisoning - T1557.003 - DHCP Spoofing - T1557.004 - Evil Twin |
| T1558 - Steal or Forge Kerberos Tickets | - T1558.001 - Golden Ticket - T1558.002 - Silver Ticket - T1558.003 - Kerberoasting - T1558.004 - AS-REP Roasting - T1558.005 - Ccache Files |
| T1559 - Inter-Process Communication | - T1559.001 - Component Object Model - T1559.003 - XPC Services |
| T1560 - Archive Collected Data | - T1560.001 - Archive via Utility - T1560.002 - Archive via Library - T1560.003 - Archive via Custom Method |
| T1561 - Disk Wipe | T1561.002 - Disk Structure Wipe |
| T1563 - Remote Service Session Hijacking | - T1563.001 - SSH Hijacking - T1563.002 - RDP Hijacking |
| T1564 - Hide Artifacts | - T1564.001 - Hidden Files and Directories - T1564.002 - Hidden Users - T1564.003 - Hidden Window - T1564.004 - NTFS File Attributes - T1564.005 - Hidden File System - T1564.006 - Run Virtual Instance - T1564.007 - VBA Stomping - T1564.008 - Email Hiding Rules - T1564.009 - Resource Forking - T1564.010 - Process Argument Spoofing - T1564.011 - Ignore Process Interrupts - T1564.012 - File/Path Exclusions - T1564.013 - Bind Mounts - T1564.014 - Extended Attributes |
| T1565 - Data Manipulation | - T1565.001 - Stored Data Manipulation - T1565.002 - Transmitted Data Manipulation - T1565.003 - Runtime Data Manipulation |
| T1566 - Phishing | - T1566.001 - Spearphishing Attachment - T1566.002 - Spearphishing Link - T1566.003 - Spearphishing via Service - T1566.004 - Spearphishing Voice |
| T1567 - Exfiltration Over Web Service | - T1567.001 - Exfiltration to Code Repository - T1567.002 - Exfiltration to Cloud Storage - T1567.003 - Exfiltration to Text Storage Sites - T1567.004 - Exfiltration Over Webhook |
| T1568 - Dynamic Resolution | - T1568.001 - Fast Flux DNS - T1568.002 - Domain Generation Algorithms - T1568.003 - DNS Calculation |
| T1569 - System Services | - T1569.001 - Launchctl - T1569.002 - Service Execution - T1569.003 - Systemctl |
| T1570 - Lateral Tool Transfer |  |
| T1571 - Non-Standard Port |  |
| T1573 - Encrypted Channel | - T1573.001 - Symmetric Cryptography - T1573.002 - Asymmetric Cryptography |
| T1574 - Hijack Execution Flow | - T1574.001 - DLL - T1574.004 - Dylib Hijacking - T1574.005 - Executable Installer File Permissions Weakness - T1574.006 - Dynamic Linker Hijacking - T1574.008 - Path Interception by Search Order Hijacking - T1574.009 - Path Interception by Unquoted Path - T1574.012 - COR_PROFILER - T1574.013 - KernelCallbackTable - T1574.014 - AppDomainManager |
| T1578 - Modify Cloud Compute Infrastructure | - T1578.001 - Create Snapshot - T1578.002 - Create Cloud Instance - T1578.003 - Delete Cloud Instance - T1578.004 - Revert Cloud Instance - T1578.005 - Modify Cloud Compute Configurations |
| T1580 - Cloud Infrastructure Discovery |  |
| T1583 - Acquire Infrastructure | - T1583.001 - Domains - T1583.002 - DNS Server - T1583.004 - Server - T1583.005 - Botnet - T1583.006 - Web Services - T1583.007 - Serverless - T1583.008 - Malvertising |
| T1584 - Compromise Infrastructure | - T1584.001 - Domains - T1584.002 - DNS Server - T1584.003 - Virtual Private Server - T1584.004 - Server - T1584.005 - Botnet - T1584.006 - Web Services - T1584.007 - Serverless - T1584.008 - Network Devices |
| T1585 - Establish Accounts | - T1585.001 - Social Media Accounts - T1585.002 - Email Accounts - T1585.003 - Cloud Accounts |
| T1586 - Compromise Accounts | - T1586.001 - Social Media Accounts - T1586.002 - Email Accounts - T1586.003 - Cloud Accounts |
| T1587 - Develop Capabilities | - T1587.001 - Malware - T1587.002 - Code Signing Certificates - T1587.003 - Digital Certificates - T1587.004 - Exploits |
| T1588 - Obtain Capabilities | - T1588.001 - Malware - T1588.002 - Tool - T1588.003 - Code Signing Certificates - T1588.004 - Digital Certificates - T1588.005 - Exploits - T1588.006 - Vulnerabilities - T1588.007 - Artificial Intelligence |
| T1589 - Gather Victim Identity Information | - T1589.001 - Credentials - T1589.002 - Email Addresses - T1589.003 - Employee Names |
| T1590 - Gather Victim Network Information | - T1590.001 - Domain Properties - T1590.002 - DNS - T1590.003 - Network Trust Dependencies - T1590.004 - Network Topology - T1590.005 - IP Addresses - T1590.006 - Network Security Appliances |
| T1591 - Gather Victim Org Information | - T1591.001 - Determine Physical Locations - T1591.002 - Business Relationships - T1591.003 - Identify Business Tempo - T1591.004 - Identify Roles |
| T1592 - Gather Victim Host Information | - T1592.001 - Hardware - T1592.002 - Software - T1592.003 - Firmware - T1592.004 - Client Configurations |
| T1593 - Search Open Websites/Domains | - T1593.001 - Social Media - T1593.002 - Search Engines - T1593.003 - Code Repositories |
| T1594 - Search Victim-Owned Websites |  |
| T1595 - Active Scanning | - T1595.001 - Scanning IP Blocks - T1595.002 - Vulnerability Scanning - T1595.003 - Wordlist Scanning |
| T1596 - Search Open Technical Databases | - T1596.001 - DNS/Passive DNS - T1596.002 - WHOIS - T1596.003 - Digital Certificates - T1596.004 - CDNs - T1596.005 - Scan Databases |
| T1597 - Search Closed Sources | - T1597.001 - Threat Intel Vendors - T1597.002 - Purchase Technical Data |
| T1598 - Phishing for Information | - T1598.001 - Spearphishing Service - T1598.002 - Spearphishing Attachment - T1598.004 - Spearphishing Voice |
| T1599 - Network Boundary Bridging | T1599.001 - Network Address Translation Traversal |
| T1600 - Weaken Encryption | - T1600.001 - Reduce Key Space - T1600.002 - Disable Crypto Hardware |
| T1601 - Modify System Image | - T1601.001 - Patch System Image - T1601.002 - Downgrade System Image |
| T1602 - Data from Configuration Repository | - T1602.001 - SNMP (MIB Dump) - T1602.002 - Network Device Configuration Dump |
| T1606 - Forge Web Credentials | - T1606.001 - Web Cookies - T1606.002 - SAML Tokens |
| T1608 - Stage Capabilities | - T1608.001 - Upload Malware - T1608.002 - Upload Tool - T1608.003 - Install Digital Certificate - T1608.004 - Drive-by Target - T1608.005 - Link Target - T1608.006 - SEO Poisoning |
| T1609 - Container Administration Command |  |
| T1610 - Deploy Container |  |
| T1611 - Escape to Host |  |
| T1612 - Build Image on Host |  |
| T1613 - Container and Resource Discovery |  |
| T1615 - Group Policy Discovery |  |
| T1619 - Cloud Storage Object Discovery |  |
| T1620 - Reflective Code Loading |  |
| T1621 - Multi-Factor Authentication Request Generation |  |
| T1647 - Plist File Modification |  |
| T1648 - Serverless Execution |  |
| T1649 - Steal or Forge Authentication Certificates |  |
| T1650 - Acquire Access |  |
| T1651 - Cloud Administration Command |  |
| T1652 - Device Driver Discovery |  |
| T1653 - Power Settings |  |
| T1654 - Log Enumeration |  |
| T1657 - Financial Theft |  |
| T1659 - Content Injection |  |
| T1665 - Hide Infrastructure |  |
| T1666 - Modify Cloud Resource Hierarchy |  |
| T1667 - Email Bombing |  |
| T1668 - Exclusive Control |  |
| T1669 - Wi-Fi Networks |  |
| T1671 - Cloud Application Integration |  |
| T1673 - Virtual Machine Discovery |  |
| T1674 - Input Injection |  |
| T1675 - ESXi Administration Command |  |
| T1677 - Poisoned Pipeline Execution |  |
| T1678 - Delay Execution |  |
| T1679 - Selective Execution |  |
| T1680 - Local Storage Discovery |  |
| T1681 - Search Threat Vendor Data |  |
| T1682 - Query Public AI Services |  |
| T1683 - Generate Content | - T1683.001 - Generate Content: Written Content - T1683.002 - Generate Content: Audio-Visual Content |
| T1684 - Social Engineering | - T1684.001 - Impersonation - T1684.002 - Email Spoofing |
| T1685 - Disable or Modify Tools | - T1685.001 - Disable or Modify Windows Event Log - T1685.002 - Disable or Modify Cloud Log - T1685.003 - Modify or Spoof Tool UI - T1685.004 - Disable or Modify Linux Audit System Log - T1685.005 - Clear Windows Event Logs - T1685.006 - Clear Linux or Mac System Logs |
| T1686 - Disable or Modify System Firewall | - T1686.001 - Cloud Firewall - T1686.002 - Network Device Firewall - T1686.003 - Windows Host Firewall |
| T1687 - Exploitation for Defense Impairment |  |
| T1688 - Safe Mode Boot |  |
| T1689 - Downgrade Attack |  |
| T1690 - Prevent Command History Logging |  |
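
The following is an added example, not ThreatConnect code: it parses rows in the format of the table above into the set of IDs the model can return, then separates "in the model but not tagged on this Report" from "outside the model", so a missing ATT&CK Tag is not misread as evidence of absence. It assumes the table is the complete set the model can emit and that a Tag string begins with the technique ID; the `T1999` row and the sample Tag are constructed.

```python
import re

# First three data rows are copied from the table above. The T1999 row is
# constructed: it has a missing " - " separator and a sub-technique whose ID
# does not match its row's parent, to exercise the parser's checks.
SAMPLE_TABLE = """\
| Technique | Sub-techniques |
| --- | --- |
| T1003 - OS Credential Dumping | - T1003.001 - LSASS Memory - T1003.003 - NTDS - T1003.004 - LSA Secrets - T1003.005 - Cached Domain Credentials - T1003.006 - DCSync - T1003.007 - Proc Filesystem - T1003.008 - /etc/passwd and /etc/shadow |
| T1005 - Data from Local System |  |
| T1011 - Exfiltration Over Other Network Medium | T1011.001 - Exfiltration Over Bluetooth |
| T1999 - Constructed Technique | - T1999.001 - Constructed Child - T1999.002 Constructed No Dash - T1998.003 - Constructed Stray |
"""

PARENT_RE = re.compile(r"^(T\d{4})\s*-\s*(.+)$")
SUB_RE = re.compile(r"\bT\d{4}\.\d{3}\b")
ID_RE = re.compile(r"T\d{4}(?:\.\d{3})?")


def parse_cell(cell):
    """Split a flattened sub-technique cell into (id, name) pairs.

    Entries are delimited by the next sub-technique ID rather than by " - ",
    because names may contain hyphens and a separator may be missing.
    """
    hits = list(SUB_RE.finditer(cell))
    pairs = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(cell)
        pairs.append((m.group(), cell[m.end():end].strip(" -")))
    return pairs


def parse_table(markdown):
    """Return (coverage, strays): coverage maps ID -> name; strays lists
    (row_parent, sub_id) for sub-techniques filed under the wrong parent."""
    coverage, strays = {}, []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2:
            continue
        parent = PARENT_RE.match(cells[0])
        if not parent:  # header row or separator row
            continue
        pid, pname = parent.groups()
        coverage[pid] = pname
        for sid, sname in parse_cell(cells[1]):
            coverage[sid] = sname
            if sid.split(".")[0] != pid:
                strays.append((pid, sid))
    return coverage, strays


def classify(interest_ids, report_tags, coverage):
    """Label each technique ID of interest against one Report's Tags.

    tagged               the ID appears in the Report's Tags
    in-model-not-tagged  the model covers it but did not tag this Report
    parent-only          only the parent technique is in the model
    outside-model        the model cannot return this ID at all
    """
    tagged = set()
    for tag in report_tags:
        m = ID_RE.match(tag.strip())  # assumption: Tag starts with the ID
        if m:
            tagged.add(m.group())
    result = {}
    for tid in interest_ids:
        if tid in tagged:
            result[tid] = "tagged"
        elif tid in coverage:
            result[tid] = "in-model-not-tagged"
        elif "." in tid and tid.split(".")[0] in coverage:
            result[tid] = "parent-only"
        else:
            result[tid] = "outside-model"
    return result


if __name__ == "__main__":
    coverage, strays = parse_table(SAMPLE_TABLE)
    print(len(coverage), "IDs parsed; mis-filed sub-techniques:", strays)
    # T1003.002 is absent from the T1003 row; T1014 is not in the sample rows.
    wanted = ["T1003.001", "T1003.002", "T1005", "T1014"]
    tags = ["T1003.001 - LSASS Memory"]  # constructed Tag string
    for tid, status in classify(wanted, tags, coverage).items():
        print(tid, status)
```

Run against the full table, a `parent-only` or `outside-model` result marks a technique that needs manual tagging or another detection source, because the model will never apply that Tag.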

---

*ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.* *MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.*

20166-01 v.05.A

## Related

- [ATT&CK Tags](/attack-tags.md)
- [CAL Automated Threat Library (ATL)](/cal-automated-threat-library-atl.md)
- [Document Parsing Import](/document-parsing-import.md)
- [Reviewing ThreatConnect Intelligence Anywhere Scan Results](/reviewing-threatconnect-intelligence-anywhere-scan-results.md)
