
ATT&CK techniques

20 ATT&CK techniques in this batch, grouped by tactic. New techniques graduate into the library as their CloudSigma rule sets land.

20 ATT&CK techniques · 8 tactics covered · 89 CloudSigma rules · 10 platforms


TA0001 Initial Access

Cloud scope: Cloud-account abuse and exploitation of cloud-hosted public-facing applications. Phishing, removable media, drive-by compromise, supply-chain attacks on endpoint software, and trusted-relationship abuse via on-prem networks are endpoint and network vectors and are out of scope for cloud-audit-log detection.

TA0002 Execution

Cloud scope: Cloud-API misuse, serverless / container execution paths, and cloud-shell or runtime-environment abuse. Endpoint command and scripting interpreters (PowerShell, bash, AppleScript), user execution of malware, and exploitation for client execution are EDR territory and out of scope here.

TA0003 Persistence

Cloud scope: Cloud-account manipulation, additional cloud credentials, lambda / function injection, IAM role and policy abuse. Boot or logon persistence on endpoints (registry run keys, scheduled tasks, browser extensions, BIOS implants) is EDR territory.

TA0005 Defense Evasion

Cloud scope: Disabling cloud logging or cloud firewalls, modifying cloud-control configurations to hide activity. Process injection, file deletion, AV bypass, binary obfuscation, and on-host indicator removal are endpoint-only techniques and out of scope.

TA0006 Credential Access

Cloud scope: Cloud-credential theft via metadata-service abuse, token theft, and secrets-store mining (Secrets Manager, Key Vault, GCP Secret Manager). OS credential dumping (Mimikatz against LSASS, reads of /etc/shadow, browser-stored password extraction) is endpoint territory and out of scope.

TA0007 Discovery

Cloud scope: Cloud-resource enumeration via List* / Describe* / Get* API calls. Process discovery, file and directory discovery, account discovery on endpoints, and domain-trust enumeration require EDR or AD-side telemetry and are out of scope here.

TA0009 Collection

Cloud scope: Cloud-storage and cloud-API data collection: S3 / Blob / GCS reads, snapshot exfil staging, repository collection from cloud-hosted code platforms. Endpoint clipboard, screen capture, audio capture, and local email collection are out of scope.

TA0040 Impact

Cloud scope: Cloud-resource destruction or denial (S3 object deletion, RDS instance drop, EC2 stop, snapshot deletion), data encryption for impact via cloud-managed keys, and DoS against cloud endpoints. Endpoint ransomware encrypting local disks and disk-wiping malware are EDR territory.

Sources
  • MITRE ATT&CK Enterprise Matrix, https://attack.mitre.org/matrices/enterprise/
Last verified: 2026-04-24