{
"name": "Anthropic Cybersecurity Skills - ATT&CK Coverage",
"versions": {
"attack": "14",
"navigator": "4.9.1",
"layer": "4.5"
},
"domain": "enterprise-attack",
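"description": "MITRE ATT&CK technique coverage map for the Anthropic Cybersecurity Skills repository. Each technique's score is scaled from the number of skills that reference it; the raw count is recorded in the skill_count metadata field. Higher scores (darker colors) indicate more comprehensive coverage across multiple training skills. A score counts references only and does not by itself show that detections or mitigations for the technique have been validated.",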
"filters": {
"platforms": [
"Linux",
"macOS",
"Windows",
"Network",
"PRE",
"Containers",
"Office 365",
"SaaS",
"Google Workspace",
"IaaS",
"Azure AD"
]
},
"sorting": 3,
"layout": {
"layout": "side",
"showID": true,
"showName": true,
"showAggregateScores": false,
"countUnscored": false,
"aggregateFunction": "average",
"expandedSubtechniques": "annotated"
},
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1003",
"score": 42,
"comment": "OS Credential Dumping - Referenced in 11 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "11"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, building-detection-rules-with-sigma, detecting-container-escape-with-falco-rules, detecting-credential-dumping-techniques, detecting-credential-dumping-with-edr (+6 more)"
}
]
},
{
"techniqueID": "T1003.001",
"score": 46,
"comment": "LSASS Memory - Referenced in 12 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "12"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, building-detection-rule-with-splunk-spl, building-detection-rules-with-sigma, conducting-full-scope-red-team-engagement, conducting-internal-network-penetration-test (+7 more)"
}
]
},
{
"techniqueID": "T1003.002",
"score": 8,
"comment": "SAM - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-credential-dumping-with-edr, detecting-t1003-credential-dumping-with-edr"
}
]
},
{
"techniqueID": "T1003.003",
"score": 8,
"comment": "NTDS - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-credential-dumping-with-edr, detecting-t1003-credential-dumping-with-edr"
}
]
},
{
"techniqueID": "T1003.004",
"score": 12,
"comment": "LSA Secrets - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-credential-dumping-with-edr, detecting-t1003-credential-dumping-with-edr, performing-credential-access-with-lazagne"
}
]
},
{
"techniqueID": "T1003.005",
"score": 8,
"comment": "Cached Domain Credentials - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-credential-dumping-with-edr, detecting-t1003-credential-dumping-with-edr"
}
]
},
{
"techniqueID": "T1003.006",
"score": 50,
"comment": "DCSync - Referenced in 13 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "13"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, conducting-domain-persistence-with-dcsync, conducting-full-scope-red-team-engagement, conducting-internal-network-penetration-test, detecting-credential-dumping-with-edr (+8 more)"
}
]
},
{
"techniqueID": "T1005",
"score": 8,
"comment": "Data from Local System - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-malware-incident-response, detecting-container-escape-with-falco-rules"
}
]
},
{
"techniqueID": "T1016",
"score": 12,
"comment": "System Network Configuration Discovery - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-with-bloodhound"
}
]
},
{
"techniqueID": "T1018",
"score": 15,
"comment": "Remote System Discovery - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-with-bloodhound, performing-active-directory-bloodhound-analysis"
}
]
},
{
"techniqueID": "T1020",
"score": 4,
"comment": "Automated Exfiltration - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1021",
"score": 38,
"comment": "Remote Services - Referenced in 10 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "10"
},
{
"name": "skills",
"value": "detecting-lateral-movement-in-network, detecting-lateral-movement-with-splunk, detecting-service-account-abuse, exploiting-constrained-delegation-abuse, implementing-continuous-security-validation-with-bas (+5 more)"
}
]
},
{
"techniqueID": "T1021.001",
"score": 31,
"comment": "Remote Desktop Protocol - Referenced in 8 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "8"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, detecting-lateral-movement-with-splunk, executing-red-team-exercise, implementing-mitre-attack-coverage-mapping (+3 more)"
}
]
},
{
"techniqueID": "T1021.002",
"score": 46,
"comment": "SMB/Windows Admin Shares - Referenced in 12 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "12"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, building-detection-rule-with-splunk-spl, conducting-full-scope-red-team-engagement, conducting-internal-network-penetration-test (+7 more)"
}
]
},
{
"techniqueID": "T1021.003",
"score": 12,
"comment": "DCOM - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-lateral-movement-with-splunk, performing-lateral-movement-detection, performing-lateral-movement-with-wmiexec"
}
]
},
{
"techniqueID": "T1021.004",
"score": 4,
"comment": "SSH - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-lateral-movement-with-splunk"
}
]
},
{
"techniqueID": "T1021.006",
"score": 12,
"comment": "Windows Remote Management - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, detecting-lateral-movement-with-splunk, performing-lateral-movement-detection"
}
]
},
{
"techniqueID": "T1027",
"score": 8,
"comment": "Obfuscated Files or Information - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, conducting-full-scope-red-team-engagement"
}
]
},
{
"techniqueID": "T1029",
"score": 4,
"comment": "Scheduled Transfer - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1030",
"score": 4,
"comment": "Data Transfer Size Limits - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1033",
"score": 8,
"comment": "System Owner/User Discovery - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-with-bloodhound"
}
]
},
{
"techniqueID": "T1036",
"score": 12,
"comment": "Masquerading - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs, implementing-mitre-attack-coverage-mapping, implementing-siem-use-cases-for-detection"
}
]
},
{
"techniqueID": "T1036.005",
"score": 4,
"comment": "Match Legitimate Name or Location - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques"
}
]
},
{
"techniqueID": "T1040",
"score": 4,
"comment": "Network Sniffing - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "implementing-continuous-security-validation-with-bas"
}
]
},
{
"techniqueID": "T1041",
"score": 35,
"comment": "Exfiltration Over C2 Channel - Referenced in 9 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "9"
},
{
"name": "skills",
"value": "analyzing-ransomware-network-indicators, building-attack-pattern-library-from-cti-reports, conducting-full-scope-red-team-engagement, conducting-malware-incident-response, executing-red-team-exercise (+4 more)"
}
]
},
{
"techniqueID": "T1047",
"score": 19,
"comment": "Windows Management Instrumentation - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, detecting-lateral-movement-with-splunk, performing-lateral-movement-detection, performing-lateral-movement-with-wmiexec, performing-purple-team-exercise"
}
]
},
{
"techniqueID": "T1048",
"score": 19,
"comment": "Exfiltration Over Alternative Protocol - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "building-detection-rule-with-splunk-spl, conducting-full-scope-red-team-engagement, hunting-for-data-exfiltration-indicators, implementing-continuous-security-validation-with-bas, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1048.001",
"score": 4,
"comment": "Symmetric Encrypted Non-C2 - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1048.002",
"score": 4,
"comment": "Asymmetric Encrypted Non-C2 - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1048.003",
"score": 19,
"comment": "Unencrypted/Obfuscated Non-C2 - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, hunting-for-data-exfiltration-indicators, hunting-for-dns-tunneling-with-zeek, implementing-continuous-security-validation-with-bas, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1052",
"score": 4,
"comment": "Exfiltration Over Physical Medium - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1053",
"score": 23,
"comment": "Scheduled Task/Job - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-persistence-mechanisms-in-linux, hunting-for-persistence-mechanisms-in-windows, implementing-mitre-attack-coverage-mapping, implementing-siem-use-cases-for-detection (+1 more)"
}
]
},
{
"techniqueID": "T1053.002",
"score": 4,
"comment": "At - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-scheduled-task-persistence"
}
]
},
{
"techniqueID": "T1053.003",
"score": 8,
"comment": "Cron - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-scheduled-task-persistence, performing-privilege-escalation-on-linux"
}
]
},
{
"techniqueID": "T1053.005",
"score": 62,
"comment": "Scheduled Task - Referenced in 16 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "16"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, building-detection-rule-with-splunk-spl, conducting-full-scope-red-team-engagement (+11 more)"
}
]
},
{
"techniqueID": "T1055",
"score": 65,
"comment": "Process Injection - Referenced in 17 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "17"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, building-red-team-c2-infrastructure-with-havoc, conducting-full-scope-red-team-engagement, detecting-evasion-techniques-in-endpoint-logs, detecting-process-hollowing-technique (+12 more)"
}
]
},
{
"techniqueID": "T1055.001",
"score": 15,
"comment": "DLL Injection - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "detecting-process-hollowing-technique, detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon, hunting-for-process-injection-techniques"
}
]
},
{
"techniqueID": "T1055.002",
"score": 8,
"comment": "Portable Executable Injection - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon"
}
]
},
{
"techniqueID": "T1055.003",
"score": 12,
"comment": "Thread Execution Hijacking - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-process-hollowing-technique, detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon"
}
]
},
{
"techniqueID": "T1055.004",
"score": 12,
"comment": "APC Injection - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-process-hollowing-technique, detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon"
}
]
},
{
"techniqueID": "T1055.005",
"score": 8,
"comment": "Thread Local Storage - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon"
}
]
},
{
"techniqueID": "T1055.008",
"score": 4,
"comment": "Ptrace System Calls - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques"
}
]
},
{
"techniqueID": "T1055.009",
"score": 4,
"comment": "Proc Memory - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques"
}
]
},
{
"techniqueID": "T1055.011",
"score": 4,
"comment": "Extra Window Memory Injection - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques"
}
]
},
{
"techniqueID": "T1055.012",
"score": 23,
"comment": "Process Hollowing - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "conducting-malware-incident-response, detecting-fileless-malware-techniques, detecting-process-hollowing-technique, detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon (+1 more)"
}
]
},
{
"techniqueID": "T1055.013",
"score": 12,
"comment": "Process Doppelganging - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-process-hollowing-technique, detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon"
}
]
},
{
"techniqueID": "T1055.014",
"score": 4,
"comment": "VDSO Hijacking - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques"
}
]
},
{
"techniqueID": "T1055.015",
"score": 8,
"comment": "ListPlanting - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-process-injection-techniques, detecting-t1055-process-injection-with-sysmon"
}
]
},
{
"techniqueID": "T1059",
"score": 38,
"comment": "Command and Scripting Interpreter - Referenced in 10 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "10"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-threat-actor-ttps-with-mitre-attack, analyzing-windows-event-logs-in-splunk, building-incident-timeline-with-timesketch, deobfuscating-powershell-obfuscated-malware (+5 more)"
}
]
},
{
"techniqueID": "T1059.001",
"score": 100,
"comment": "PowerShell - Referenced in 26 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "26"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-macro-malware-in-office-documents, analyzing-powershell-empire-artifacts, analyzing-security-logs-with-splunk, analyzing-threat-actor-ttps-with-mitre-navigator (+21 more)"
}
]
},
{
"techniqueID": "T1059.003",
"score": 12,
"comment": "Windows Command Shell - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, detecting-suspicious-powershell-execution, mapping-mitre-attack-techniques"
}
]
},
{
"techniqueID": "T1059.005",
"score": 15,
"comment": "Visual Basic - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "analyzing-macro-malware-in-office-documents, executing-red-team-exercise, hunting-for-lolbins-execution-in-endpoint-logs, mapping-mitre-attack-techniques"
}
]
},
{
"techniqueID": "T1068",
"score": 31,
"comment": "Exploitation for Privilege Escalation - Referenced in 8 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "8"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, detecting-container-escape-attempts, detecting-privilege-escalation-attempts, detecting-privilege-escalation-in-kubernetes-pods, exploiting-nopac-cve-2021-42278-42287 (+3 more)"
}
]
},
{
"techniqueID": "T1069.001",
"score": 4,
"comment": "Local Groups - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-active-directory-bloodhound-analysis"
}
]
},
{
"techniqueID": "T1069.002",
"score": 15,
"comment": "Domain Groups - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-with-bloodhound, performing-active-directory-bloodhound-analysis, performing-kerberoasting-attack"
}
]
},
{
"techniqueID": "T1070",
"score": 12,
"comment": "Indicator Removal - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs, implementing-siem-use-cases-for-detection, implementing-velociraptor-for-ir-collection"
}
]
},
{
"techniqueID": "T1070.001",
"score": 12,
"comment": "Clear Windows Event Logs - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs, implementing-mitre-attack-coverage-mapping, performing-purple-team-exercise"
}
]
},
{
"techniqueID": "T1070.004",
"score": 4,
"comment": "File Deletion - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "implementing-threat-modeling-with-mitre-attack"
}
]
},
{
"techniqueID": "T1070.006",
"score": 8,
"comment": "Timestomping - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs, hunting-for-defense-evasion-via-timestomping"
}
]
},
{
"techniqueID": "T1071",
"score": 38,
"comment": "Application Layer Protocol - Referenced in 10 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "10"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-network-covert-channels-in-malware, analyzing-ransomware-network-indicators, analyzing-threat-actor-ttps-with-mitre-attack, hunting-advanced-persistent-threats (+5 more)"
}
]
},
{
"techniqueID": "T1071.001",
"score": 46,
"comment": "Web Protocols - Referenced in 12 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "12"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, building-c2-infrastructure-with-sliver-framework, building-red-team-c2-infrastructure-with-havoc, conducting-malware-incident-response, detecting-process-injection-techniques (+7 more)"
}
]
},
{
"techniqueID": "T1071.004",
"score": 27,
"comment": "DNS - Referenced in 7 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "7"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, building-c2-infrastructure-with-sliver-framework, hunting-for-beaconing-with-frequency-analysis, hunting-for-command-and-control-beaconing, hunting-for-dns-tunneling-with-zeek (+2 more)"
}
]
},
{
"techniqueID": "T1074",
"score": 12,
"comment": "Data Staged - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, executing-red-team-exercise, hunting-for-data-staging-before-exfiltration"
}
]
},
{
"techniqueID": "T1074.001",
"score": 4,
"comment": "Local Data Staging - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-staging-before-exfiltration"
}
]
},
{
"techniqueID": "T1074.002",
"score": 4,
"comment": "Remote Data Staging - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-staging-before-exfiltration"
}
]
},
{
"techniqueID": "T1078",
"score": 50,
"comment": "Valid Accounts - Referenced in 13 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "13"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-windows-event-logs-in-splunk, conducting-full-scope-red-team-engagement, conducting-internal-network-penetration-test, detecting-insider-threat-behaviors (+8 more)"
}
]
},
{
"techniqueID": "T1078.001",
"score": 4,
"comment": "Default Accounts - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-service-account-abuse"
}
]
},
{
"techniqueID": "T1078.002",
"score": 23,
"comment": "Domain Accounts - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "conducting-domain-persistence-with-dcsync, detecting-service-account-abuse, exploiting-active-directory-certificate-services-esc1, exploiting-constrained-delegation-abuse, exploiting-nopac-cve-2021-42278-42287 (+1 more)"
}
]
},
{
"techniqueID": "T1078.004",
"score": 12,
"comment": "Cloud Accounts - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-azure-service-principal-abuse, implementing-mitre-attack-coverage-mapping, implementing-threat-modeling-with-mitre-attack"
}
]
},
{
"techniqueID": "T1082",
"score": 4,
"comment": "System Information Discovery - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement"
}
]
},
{
"techniqueID": "T1087",
"score": 8,
"comment": "Account Discovery - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, implementing-continuous-security-validation-with-bas"
}
]
},
{
"techniqueID": "T1087.002",
"score": 23,
"comment": "Domain Account - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-certificate-services-esc1, exploiting-active-directory-with-bloodhound, exploiting-kerberoasting-with-impacket, performing-active-directory-bloodhound-analysis (+1 more)"
}
]
},
{
"techniqueID": "T1087.004",
"score": 8,
"comment": "Cloud Account - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-azure-service-principal-abuse, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1090",
"score": 4,
"comment": "Proxy - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1090.002",
"score": 8,
"comment": "External Proxy - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "building-c2-infrastructure-with-sliver-framework, building-red-team-c2-infrastructure-with-havoc"
}
]
},
{
"techniqueID": "T1090.004",
"score": 4,
"comment": "Domain Fronting - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-domain-fronting-c2-traffic"
}
]
},
{
"techniqueID": "T1091",
"score": 4,
"comment": "Replication Through Removable Media - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-physical-intrusion-assessment"
}
]
},
{
"techniqueID": "T1095",
"score": 8,
"comment": "Non-Application Layer Protocol - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-command-and-control-beaconing, hunting-for-unusual-network-connections"
}
]
},
{
"techniqueID": "T1098",
"score": 19,
"comment": "Account Manipulation - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, conducting-domain-persistence-with-dcsync, hunting-for-t1098-account-manipulation, implementing-mitre-attack-coverage-mapping, performing-active-directory-compromise-investigation"
}
]
},
{
"techniqueID": "T1098.001",
"score": 12,
"comment": "Additional Cloud Credentials - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-cloud-penetration-testing, detecting-azure-service-principal-abuse, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1098.002",
"score": 4,
"comment": "Additional Email Delegate Permissions - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-email-forwarding-rules-attack"
}
]
},
{
"techniqueID": "T1102",
"score": 4,
"comment": "Web Service - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-cloud-techniques"
}
]
},
{
"techniqueID": "T1105",
"score": 23,
"comment": "Ingress Tool Transfer - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "building-c2-infrastructure-with-sliver-framework, building-red-team-c2-infrastructure-with-havoc, detecting-living-off-the-land-with-lolbas, implementing-mitre-attack-coverage-mapping, implementing-siem-use-cases-for-detection (+1 more)"
}
]
},
{
"techniqueID": "T1110",
"score": 15,
"comment": "Brute Force - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, conducting-internal-network-penetration-test, implementing-mitre-attack-coverage-mapping, performing-alert-triage-with-elastic-siem"
}
]
},
{
"techniqueID": "T1110.001",
"score": 15,
"comment": "Password Guessing - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, building-detection-rule-with-splunk-spl, implementing-siem-use-cases-for-detection, performing-false-positive-reduction-in-siem"
}
]
},
{
"techniqueID": "T1110.002",
"score": 4,
"comment": "Password Cracking - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "exploiting-kerberoasting-with-impacket"
}
]
},
{
"techniqueID": "T1110.003",
"score": 4,
"comment": "Password Spraying - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "implementing-siem-use-cases-for-detection"
}
]
},
{
"techniqueID": "T1112",
"score": 4,
"comment": "Modify Registry - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-fileless-malware-techniques"
}
]
},
{
"techniqueID": "T1114.002",
"score": 4,
"comment": "Remote Email Collection - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-email-forwarding-rules-attack"
}
]
},
{
"techniqueID": "T1114.003",
"score": 8,
"comment": "Email Forwarding Rule - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-business-email-compromise, detecting-email-forwarding-rules-attack"
}
]
},
{
"techniqueID": "T1127",
"score": 8,
"comment": "Trusted Developer Utilities Proxy Execution - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs, detecting-living-off-the-land-with-lolbas"
}
]
},
{
"techniqueID": "T1127.001",
"score": 4,
"comment": "MSBuild - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1132",
"score": 4,
"comment": "Data Encoding - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-command-and-control-beaconing"
}
]
},
{
"techniqueID": "T1132.001",
"score": 4,
"comment": "Standard Encoding - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "building-c2-infrastructure-with-sliver-framework"
}
]
},
{
"techniqueID": "T1133",
"score": 4,
"comment": "External Remote Services - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-threat-landscape-assessment-for-sector"
}
]
},
{
"techniqueID": "T1134",
"score": 8,
"comment": "Access Token Manipulation - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, detecting-privilege-escalation-attempts"
}
]
},
{
"techniqueID": "T1134.001",
"score": 4,
"comment": "Token Impersonation/Theft - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "exploiting-constrained-delegation-abuse"
}
]
},
{
"techniqueID": "T1134.005",
"score": 4,
"comment": "SID-History Injection - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-active-directory-compromise-investigation"
}
]
},
{
"techniqueID": "T1136",
"score": 8,
"comment": "Create Account - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-privilege-escalation-in-kubernetes-pods, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1136.001",
"score": 4,
"comment": "Local Account - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk"
}
]
},
{
"techniqueID": "T1136.002",
"score": 4,
"comment": "Domain Account - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "exploiting-nopac-cve-2021-42278-42287"
}
]
},
{
"techniqueID": "T1140",
"score": 12,
"comment": "Deobfuscate/Decode Files or Information - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-living-off-the-land-with-lolbas, hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1190",
"score": 15,
"comment": "Exploit Public-Facing Application - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, exploiting-ms17-010-eternalblue-vulnerability, hunting-for-webshell-activity, performing-threat-landscape-assessment-for-sector"
}
]
},
{
"techniqueID": "T1195",
"score": 8,
"comment": "Supply Chain Compromise - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "analyzing-supply-chain-malware-artifacts, performing-threat-landscape-assessment-for-sector"
}
]
},
{
"techniqueID": "T1195.001",
"score": 4,
"comment": "Compromise Software Dependencies - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-supply-chain-compromise"
}
]
},
{
"techniqueID": "T1195.002",
"score": 4,
"comment": "Compromise Software Supply Chain - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-supply-chain-compromise"
}
]
},
{
"techniqueID": "T1197",
"score": 8,
"comment": "BITS Jobs - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1199",
"score": 8,
"comment": "Trusted Relationship - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-supply-chain-compromise, performing-physical-intrusion-assessment"
}
]
},
{
"techniqueID": "T1200",
"score": 4,
"comment": "Hardware Additions - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-physical-intrusion-assessment"
}
]
},
{
"techniqueID": "T1204.001",
"score": 4,
"comment": "Malicious Link - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-spearphishing-simulation-campaign"
}
]
},
{
"techniqueID": "T1204.002",
"score": 23,
"comment": "Malicious File - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "analyzing-macro-malware-in-office-documents, conducting-full-scope-red-team-engagement, conducting-spearphishing-simulation-campaign, implementing-siem-use-cases-for-detection, performing-dynamic-analysis-with-any-run (+1 more)"
}
]
},
{
"techniqueID": "T1210",
"score": 8,
"comment": "Exploitation of Remote Services - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "exploiting-ms17-010-eternalblue-vulnerability, exploiting-zerologon-vulnerability-cve-2020-1472"
}
]
},
{
"techniqueID": "T1213",
"score": 4,
"comment": "Data from Information Repositories - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement"
}
]
},
{
"techniqueID": "T1218",
"score": 23,
"comment": "System Binary Proxy Execution - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs, detecting-living-off-the-land-with-lolbas, hunting-advanced-persistent-threats, hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs (+1 more)"
}
]
},
{
"techniqueID": "T1218.001",
"score": 8,
"comment": "Compiled HTML File - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1218.002",
"score": 4,
"comment": "Control Panel - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-land-binaries"
}
]
},
{
"techniqueID": "T1218.003",
"score": 8,
"comment": "CMSTP - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1218.005",
"score": 12,
"comment": "Mshta - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-fileless-malware-techniques, hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1218.010",
"score": 8,
"comment": "Regsvr32 - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1218.011",
"score": 12,
"comment": "Rundll32 - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "hunting-for-living-off-the-land-binaries, hunting-for-lolbins-execution-in-endpoint-logs, performing-dynamic-analysis-with-any-run"
}
]
},
{
"techniqueID": "T1222.001",
"score": 4,
"comment": "Windows File and Directory Permissions Modification - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-domain-persistence-with-dcsync"
}
]
},
{
"techniqueID": "T1482",
"score": 12,
"comment": "Domain Trust Discovery - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-with-bloodhound, performing-active-directory-bloodhound-analysis"
}
]
},
{
"techniqueID": "T1484",
"score": 8,
"comment": "Domain Policy Modification - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "exploiting-active-directory-certificate-services-esc1, performing-active-directory-vulnerability-assessment"
}
]
},
{
"techniqueID": "T1484.001",
"score": 4,
"comment": "Group Policy Modification - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-active-directory-compromise-investigation"
}
]
},
{
"techniqueID": "T1485",
"score": 4,
"comment": "Data Destruction - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-shadow-copy-deletion"
}
]
},
{
"techniqueID": "T1486",
"score": 23,
"comment": "Data Encrypted for Impact - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, hunting-for-shadow-copy-deletion, implementing-honeypot-for-ransomware-detection, implementing-mitre-attack-coverage-mapping, performing-purple-team-exercise (+1 more)"
}
]
},
{
"techniqueID": "T1489",
"score": 4,
"comment": "Service Stop - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement"
}
]
},
{
"techniqueID": "T1490",
"score": 12,
"comment": "Inhibit System Recovery - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "building-soc-playbook-for-ransomware, hunting-for-shadow-copy-deletion, performing-purple-team-exercise"
}
]
},
{
"techniqueID": "T1497",
"score": 4,
"comment": "Virtualization/Sandbox Evasion - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "analyzing-malware-sandbox-evasion-techniques"
}
]
},
{
"techniqueID": "T1505.003",
"score": 8,
"comment": "Web Shell - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, hunting-for-webshell-activity"
}
]
},
{
"techniqueID": "T1528",
"score": 4,
"comment": "Steal Application Access Token - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-azure-service-principal-abuse"
}
]
},
{
"techniqueID": "T1530",
"score": 12,
"comment": "Data from Cloud Storage Object - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-insider-threat-behaviors, implementing-mitre-attack-coverage-mapping, performing-cloud-incident-containment-procedures"
}
]
},
{
"techniqueID": "T1534",
"score": 4,
"comment": "Internal Spearphishing - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1537",
"score": 19,
"comment": "Transfer Data to Cloud Account - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators, hunting-for-living-off-the-cloud-techniques, implementing-mitre-attack-coverage-mapping, implementing-threat-modeling-with-mitre-attack, performing-cloud-incident-containment-procedures"
}
]
},
{
"techniqueID": "T1539",
"score": 8,
"comment": "Steal Web Session Cookie - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "performing-credential-access-with-lazagne, performing-initial-access-with-evilginx3"
}
]
},
{
"techniqueID": "T1543",
"score": 8,
"comment": "Create or Modify System Process - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "analyzing-persistence-mechanisms-in-linux, hunting-for-persistence-mechanisms-in-windows"
}
]
},
{
"techniqueID": "T1543.002",
"score": 4,
"comment": "Systemd Service - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-privilege-escalation-on-linux"
}
]
},
{
"techniqueID": "T1543.003",
"score": 12,
"comment": "Windows Service - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "hunting-for-persistence-mechanisms-in-windows, hunting-for-unusual-service-installations, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1546",
"score": 4,
"comment": "Event Triggered Execution - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "analyzing-persistence-mechanisms-in-linux"
}
]
},
{
"techniqueID": "T1546.003",
"score": 19,
"comment": "WMI Event Subscription - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, detecting-fileless-malware-techniques, detecting-wmi-persistence, hunting-for-persistence-mechanisms-in-windows, hunting-for-persistence-via-wmi-subscriptions"
}
]
},
{
"techniqueID": "T1546.010",
"score": 4,
"comment": "AppInit DLLs - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-persistence-mechanisms-in-windows"
}
]
},
{
"techniqueID": "T1546.012",
"score": 8,
"comment": "IFEO Injection - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-persistence-mechanisms-in-windows, hunting-for-registry-persistence-mechanisms"
}
]
},
{
"techniqueID": "T1546.015",
"score": 8,
"comment": "COM Hijacking - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-persistence-mechanisms-in-windows, hunting-for-registry-persistence-mechanisms"
}
]
},
{
"techniqueID": "T1547",
"score": 23,
"comment": "Boot or Logon Autostart Execution - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-malware-persistence-with-autoruns, hunting-advanced-persistent-threats, hunting-for-persistence-mechanisms-in-windows, implementing-siem-use-cases-for-detection (+1 more)"
}
]
},
{
"techniqueID": "T1547.001",
"score": 50,
"comment": "Registry Run Keys / Startup Folder - Referenced in 13 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "13"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, conducting-full-scope-red-team-engagement, hunting-for-persistence-mechanisms-in-windows (+8 more)"
}
]
},
{
"techniqueID": "T1547.004",
"score": 8,
"comment": "Winlogon Helper DLL - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-persistence-mechanisms-in-windows, hunting-for-registry-persistence-mechanisms"
}
]
},
{
"techniqueID": "T1547.005",
"score": 4,
"comment": "Security Support Provider - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-persistence-mechanisms-in-windows"
}
]
},
{
"techniqueID": "T1548",
"score": 15,
"comment": "Abuse Elevation Control Mechanism - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "detecting-container-escape-attempts, detecting-privilege-escalation-in-kubernetes-pods, detecting-t1548-abuse-elevation-control-mechanism, performing-privilege-escalation-assessment"
}
]
},
{
"techniqueID": "T1548.001",
"score": 12,
"comment": "Setuid and Setgid - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-privilege-escalation-in-kubernetes-pods, detecting-t1548-abuse-elevation-control-mechanism, performing-privilege-escalation-on-linux"
}
]
},
{
"techniqueID": "T1548.002",
"score": 12,
"comment": "Bypass User Account Control - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, detecting-privilege-escalation-attempts, detecting-t1548-abuse-elevation-control-mechanism"
}
]
},
{
"techniqueID": "T1548.003",
"score": 12,
"comment": "Sudo and Sudo Caching - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-t1548-abuse-elevation-control-mechanism, performing-privilege-escalation-assessment, performing-privilege-escalation-on-linux"
}
]
},
{
"techniqueID": "T1548.004",
"score": 4,
"comment": "Elevated Execution with Prompt - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-t1548-abuse-elevation-control-mechanism"
}
]
},
{
"techniqueID": "T1550",
"score": 4,
"comment": "Use Alternate Authentication Material - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-lateral-movement-detection"
}
]
},
{
"techniqueID": "T1550.002",
"score": 35,
"comment": "Pass the Hash - Referenced in 9 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "9"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, conducting-full-scope-red-team-engagement, detecting-lateral-movement-in-network, detecting-pass-the-hash-attacks (+4 more)"
}
]
},
{
"techniqueID": "T1550.003",
"score": 15,
"comment": "Pass the Ticket - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "conducting-pass-the-ticket-attack, detecting-pass-the-hash-attacks, detecting-pass-the-ticket-attacks, exploiting-constrained-delegation-abuse"
}
]
},
{
"techniqueID": "T1550.004",
"score": 4,
"comment": "Web Session Cookie - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-initial-access-with-evilginx3"
}
]
},
{
"techniqueID": "T1552",
"score": 4,
"comment": "Unsecured Credentials - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-cloud-incident-containment-procedures"
}
]
},
{
"techniqueID": "T1552.001",
"score": 4,
"comment": "Credentials In Files - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-credential-access-with-lazagne"
}
]
},
{
"techniqueID": "T1552.002",
"score": 4,
"comment": "Credentials in Registry - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-credential-access-with-lazagne"
}
]
},
{
"techniqueID": "T1552.005",
"score": 4,
"comment": "Cloud Instance Metadata API - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-cloud-penetration-testing"
}
]
},
{
"techniqueID": "T1555",
"score": 4,
"comment": "Credentials from Password Stores - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-credential-access-with-lazagne"
}
]
},
{
"techniqueID": "T1555.003",
"score": 4,
"comment": "Web Browsers - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-credential-access-with-lazagne"
}
]
},
{
"techniqueID": "T1555.004",
"score": 4,
"comment": "Windows Credential Manager - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-credential-access-with-lazagne"
}
]
},
{
"techniqueID": "T1556",
"score": 4,
"comment": "Modify Authentication Process - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-initial-access-with-evilginx3"
}
]
},
{
"techniqueID": "T1557",
"score": 4,
"comment": "Adversary-in-the-Middle - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-initial-access-with-evilginx3"
}
]
},
{
"techniqueID": "T1557.001",
"score": 8,
"comment": "LLMNR/NBT-NS Poisoning - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-internal-network-penetration-test, hunting-for-ntlm-relay-attacks"
}
]
},
{
"techniqueID": "T1558",
"score": 19,
"comment": "Steal or Forge Kerberos Tickets - Referenced in 5 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "5"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, conducting-pass-the-ticket-attack, exploiting-kerberoasting-with-impacket, exploiting-nopac-cve-2021-42278-42287, performing-lateral-movement-detection"
}
]
},
{
"techniqueID": "T1558.001",
"score": 27,
"comment": "Golden Ticket - Referenced in 7 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "7"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, conducting-domain-persistence-with-dcsync, detecting-golden-ticket-forgery, detecting-kerberoasting-attacks, detecting-mimikatz-execution-patterns (+2 more)"
}
]
},
{
"techniqueID": "T1558.002",
"score": 4,
"comment": "Silver Ticket - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-active-directory-compromise-investigation"
}
]
},
{
"techniqueID": "T1558.003",
"score": 54,
"comment": "Kerberoasting - Referenced in 14 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "14"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, conducting-full-scope-red-team-engagement, conducting-internal-network-penetration-test, detecting-kerberoasting-attacks (+9 more)"
}
]
},
{
"techniqueID": "T1558.004",
"score": 4,
"comment": "AS-REP Roasting - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-kerberoasting-attacks"
}
]
},
{
"techniqueID": "T1560",
"score": 8,
"comment": "Archive Collected Data - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, hunting-for-data-staging-before-exfiltration"
}
]
},
{
"techniqueID": "T1562",
"score": 4,
"comment": "Impair Defenses - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-evasion-techniques-in-endpoint-logs"
}
]
},
{
"techniqueID": "T1562.001",
"score": 4,
"comment": "Disable or Modify Tools - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-suspicious-powershell-execution"
}
]
},
{
"techniqueID": "T1566",
"score": 23,
"comment": "Phishing - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-threat-actor-ttps-with-mitre-attack, analyzing-threat-landscape-with-misp, building-attack-pattern-library-from-cti-reports, implementing-mitre-attack-coverage-mapping (+1 more)"
}
]
},
{
"techniqueID": "T1566.001",
"score": 58,
"comment": "Spearphishing Attachment - Referenced in 15 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "15"
},
{
"name": "skills",
"value": "analyzing-apt-group-with-mitre-navigator, analyzing-macro-malware-in-office-documents, analyzing-threat-actor-ttps-with-mitre-navigator, building-attack-pattern-library-from-cti-reports, conducting-full-scope-red-team-engagement (+10 more)"
}
]
},
{
"techniqueID": "T1566.002",
"score": 23,
"comment": "Spearphishing Link - Referenced in 6 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "6"
},
{
"name": "skills",
"value": "building-attack-pattern-library-from-cti-reports, conducting-spearphishing-simulation-campaign, hunting-for-spearphishing-indicators, implementing-continuous-security-validation-with-bas, implementing-mitre-attack-coverage-mapping (+1 more)"
}
]
},
{
"techniqueID": "T1566.003",
"score": 12,
"comment": "Spearphishing via Service - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-spearphishing-simulation-campaign, hunting-for-spearphishing-indicators, implementing-continuous-security-validation-with-bas"
}
]
},
{
"techniqueID": "T1566.004",
"score": 4,
"comment": "Spearphishing Voice - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-social-engineering-pretext-call"
}
]
},
{
"techniqueID": "T1567",
"score": 15,
"comment": "Exfiltration Over Web Service - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "detecting-insider-threat-behaviors, hunting-for-data-exfiltration-indicators, hunting-for-living-off-the-cloud-techniques, implementing-continuous-security-validation-with-bas"
}
]
},
{
"techniqueID": "T1567.002",
"score": 4,
"comment": "Exfiltration to Cloud Storage - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-data-exfiltration-indicators"
}
]
},
{
"techniqueID": "T1568",
"score": 8,
"comment": "Dynamic Resolution - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-command-and-control-beaconing, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1568.002",
"score": 4,
"comment": "Domain Generation Algorithms - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "hunting-for-beaconing-with-frequency-analysis"
}
]
},
{
"techniqueID": "T1569.002",
"score": 12,
"comment": "Service Execution - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-lateral-movement-in-network, detecting-lateral-movement-with-splunk, exploiting-ms17-010-eternalblue-vulnerability"
}
]
},
{
"techniqueID": "T1570",
"score": 12,
"comment": "Lateral Tool Transfer - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "detecting-lateral-movement-in-network, detecting-lateral-movement-with-splunk, performing-lateral-movement-with-wmiexec"
}
]
},
{
"techniqueID": "T1571",
"score": 8,
"comment": "Non-Standard Port - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "hunting-for-unusual-network-connections, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1572",
"score": 15,
"comment": "Protocol Tunneling - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "building-c2-infrastructure-with-sliver-framework, hunting-for-command-and-control-beaconing, hunting-for-dns-tunneling-with-zeek, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1573",
"score": 15,
"comment": "Encrypted Channel - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "analyzing-ransomware-network-indicators, hunting-for-beaconing-with-frequency-analysis, hunting-for-command-and-control-beaconing, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1573.002",
"score": 8,
"comment": "Asymmetric Cryptography - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "building-c2-infrastructure-with-sliver-framework, building-red-team-c2-infrastructure-with-havoc"
}
]
},
{
"techniqueID": "T1574",
"score": 4,
"comment": "Hijack Execution Flow - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "analyzing-persistence-mechanisms-in-linux"
}
]
},
{
"techniqueID": "T1574.001",
"score": 8,
"comment": "DLL Search Order Hijacking - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-dll-sideloading-attacks, hunting-for-persistence-mechanisms-in-windows"
}
]
},
{
"techniqueID": "T1574.002",
"score": 15,
"comment": "DLL Side-Loading - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "analyzing-windows-event-logs-in-splunk, building-attack-pattern-library-from-cti-reports, detecting-dll-sideloading-attacks, implementing-siem-use-cases-for-detection"
}
]
},
{
"techniqueID": "T1574.006",
"score": 8,
"comment": "Dynamic Linker Hijacking - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-dll-sideloading-attacks, performing-privilege-escalation-on-linux"
}
]
},
{
"techniqueID": "T1574.008",
"score": 4,
"comment": "Path Interception by Search Order Hijacking - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-dll-sideloading-attacks"
}
]
},
{
"techniqueID": "T1574.009",
"score": 4,
"comment": "Unquoted Service Path - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "detecting-privilege-escalation-attempts"
}
]
},
{
"techniqueID": "T1578",
"score": 4,
"comment": "Modify Cloud Compute Infrastructure - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-cloud-incident-containment-procedures"
}
]
},
{
"techniqueID": "T1580",
"score": 4,
"comment": "Cloud Infrastructure Discovery - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1583.001",
"score": 15,
"comment": "Domains - Referenced in 4 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "4"
},
{
"name": "skills",
"value": "building-red-team-c2-infrastructure-with-havoc, conducting-full-scope-red-team-engagement, conducting-spearphishing-simulation-campaign, implementing-mitre-attack-coverage-mapping"
}
]
},
{
"techniqueID": "T1583.003",
"score": 4,
"comment": "Virtual Private Server - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "building-red-team-c2-infrastructure-with-havoc"
}
]
},
{
"techniqueID": "T1585.002",
"score": 4,
"comment": "Email Accounts - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-spearphishing-simulation-campaign"
}
]
},
{
"techniqueID": "T1587.001",
"score": 8,
"comment": "Malware - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "building-red-team-c2-infrastructure-with-havoc, conducting-full-scope-red-team-engagement"
}
]
},
{
"techniqueID": "T1589",
"score": 12,
"comment": "Gather Victim Identity Information - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, conducting-social-engineering-pretext-call, performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1590",
"score": 4,
"comment": "Gather Victim Network Information - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1591",
"score": 12,
"comment": "Gather Victim Org Information - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "collecting-open-source-intelligence, conducting-social-engineering-pretext-call, performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1592",
"score": 4,
"comment": "Gather Victim Host Information - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1593",
"score": 8,
"comment": "Search Open Websites/Domains - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-full-scope-red-team-engagement, performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1594",
"score": 4,
"comment": "Search Victim-Owned Websites - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1595.001",
"score": 4,
"comment": "Scanning IP Blocks - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1595.002",
"score": 4,
"comment": "Vulnerability Scanning - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1596",
"score": 4,
"comment": "Search Open Technical Databases - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "performing-open-source-intelligence-gathering"
}
]
},
{
"techniqueID": "T1598",
"score": 4,
"comment": "Phishing for Information - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-social-engineering-pretext-call"
}
]
},
{
"techniqueID": "T1598.003",
"score": 8,
"comment": "Spearphishing Link (voice pretexting is tracked separately as T1598.004 Spearphishing Voice) - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "conducting-social-engineering-pretext-call, conducting-spearphishing-simulation-campaign"
}
]
},
{
"techniqueID": "T1608.001",
"score": 4,
"comment": "Upload Malware - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-spearphishing-simulation-campaign"
}
]
},
{
"techniqueID": "T1608.005",
"score": 4,
"comment": "Link Target - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "conducting-spearphishing-simulation-campaign"
}
]
},
{
"techniqueID": "T1610",
"score": 8,
"comment": "Deploy Container - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-container-escape-attempts, detecting-container-escape-with-falco-rules"
}
]
},
{
"techniqueID": "T1611",
"score": 8,
"comment": "Escape to Host - Referenced in 2 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "2"
},
{
"name": "skills",
"value": "detecting-container-escape-attempts, detecting-container-escape-with-falco-rules"
}
]
},
{
"techniqueID": "T1615",
"score": 12,
"comment": "Group Policy Discovery - Referenced in 3 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "3"
},
{
"name": "skills",
"value": "conducting-internal-reconnaissance-with-bloodhound-ce, exploiting-active-directory-with-bloodhound, performing-active-directory-bloodhound-analysis"
}
]
},
{
"techniqueID": "T1649",
"score": 4,
"comment": "Steal or Forge Authentication Certificates - Referenced in 1 skill(s)",
"enabled": true,
"metadata": [
{
"name": "skill_count",
"value": "1"
},
{
"name": "skills",
"value": "exploiting-active-directory-certificate-services-esc1"
}
]
}
],
"gradient": {
"colors": [
"#cfe2f3",
"#6fa8dc",
"#1155cc"
],
"minValue": 1,
"maxValue": 100
},
"legendItems": [
{
"label": "1-2 skills (Low coverage)",
"color": "#cfe2f3"
},
{
"label": "3-5 skills (Moderate coverage)",
"color": "#6fa8dc"
},
{
"label": "6-10 skills (Good coverage)",
"color": "#3d85c6"
},
{
"label": "11+ skills (Strong coverage)",
"color": "#1155cc"
}
],
"showTacticRowBackground": true,
"tacticRowBackground": "#205080",
"selectTechniquesAcrossTactics": true,
"selectSubtechniquesWithParent": true,
"selectVisibleTechniques": false,
"metadata": [
{
"name": "repository",
"value": "Anthropic-Cybersecurity-Skills"
},
{
"name": "total_techniques",
"value": "218"
},
{
"name": "total_skills_scanned",
"value": "742"
},
{
"name": "generated_date",
"value": "2026-03-11"
},
{
"name": "attack_version",
"value": "14"
},
{
"name": "description",
"value": "Auto-generated by scanning each skill's SKILL.md file for ATT&CK technique IDs; scores reflect how many skills reference a technique, not tested detection coverage"
}
],
"links": [
{
"label": "Repository",
"url": "https://github.com/anthropics/cybersecurity-skills"
},
{
"label": "ATT&CK Navigator",
"url": "https://mitre-attack.github.io/attack-navigator/"
}
]
}