ATT&CK techniques

32 ATT&CK techniques in this batch, grouped by tactic. New techniques graduate as their CloudSigma rule sets land.

  • 32 ATT&CK techniques
  • 10 tactics covered
  • 126 CloudSigma rules
  • 11 platforms

TA0001 Initial Access

Cloud scope: Cloud-account abuse and exploitation of cloud-hosted public-facing applications. Phishing, removable media, drive-by compromise, supply-chain attacks on endpoint software, and trusted-relationship abuse via on-prem networks are endpoint and network vectors and are out of scope for cloud-audit-log detection.

TA0002 Execution

Cloud scope: Cloud-API misuse, serverless / container execution paths, and cloud-shell or runtime-environment abuse. Endpoint command and scripting interpreters (PowerShell, bash, AppleScript), user execution of malware, and exploitation for client execution are EDR territory and out of scope here.

TA0003 Persistence

Cloud scope: Cloud-account manipulation, additional cloud credentials, lambda / function injection, IAM role and policy abuse. Boot or logon persistence on endpoints (registry run keys, scheduled tasks, browser extensions, BIOS implants) is EDR territory.

TA0004 Privilege Escalation

Cloud scope: Cloud-IAM privilege escalation: role assumption, policy modification, cross-account chains, and over-permissive trust relationships. Endpoint UAC bypass, exploit-for-privilege-escalation, and process-injection techniques are out of scope.

TA0006 Credential Access

Cloud scope: Cloud-credential theft via metadata-service abuse, token theft, and secrets-store mining (Secrets Manager, Key Vault, GCP Secret Manager). OS credential dumping (Mimikatz against LSASS, reads of /etc/shadow, browser-stored password extraction) is endpoint territory and out of scope.

TA0007 Discovery

Cloud scope: Cloud-resource enumeration via List* / Describe* / Get* API calls. Process discovery, file and directory discovery, account discovery on endpoints, and domain-trust enumeration require EDR or AD-side telemetry and are out of scope here.

TA0009 Collection

Cloud scope: Cloud-storage and cloud-API data collection: S3 / Blob / GCS reads, snapshot exfil staging, repository collection from cloud-hosted code platforms. Endpoint clipboard, screen capture, audio capture, and local email collection are out of scope.

TA0040 Impact

Cloud scope: Cloud-resource destruction or denial (S3 object deletion, RDS instance drop, EC2 stop, snapshot deletion), data encryption for impact via cloud-managed keys, and DoS against cloud endpoints. Endpoint ransomware encrypting local disks and disk-wiping malware are EDR territory.

TA0042 Resource Development

Cloud scope: Limited cloud signal: adversaries rarely build infrastructure inside victim cloud accounts pre-attack. Where they do (e.g. spinning up compute for cryptomining), the activity surfaces under Impact (T1496) and is detected via cloud audit logs there.

T1587.004 Exploits

Descriptive entry: research-linked technique without victim-side cloud-audit-log signal of its own.

TA0112 Defense Impairment

Cloud scope: Disabling cloud logging or cloud firewalls, modifying cloud-control configurations to hide activity, and tampering with cloud authentication or policy controls. Endpoint defence tampering (host firewall edits, AV or EDR disable, on-host artefact removal) is endpoint territory and out of scope.

Sources
  • MITRE ATT&CK Enterprise Matrix, https://attack.mitre.org/matrices/enterprise/
Last verified: 2026-06-06