Skip to content

Hide Navigation Hide TOC

User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Cluster A Galaxy A Cluster B Galaxy B Level
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing Voice - T1566.004 (bb5e59c4-abe7-40c7-8196-e373cb1e5974) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 1
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action 1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a) Course of Action Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Voice - T1566.004 (bb5e59c4-abe7-40c7-8196-e373cb1e5974) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2