Hide Navigation Hide TOC

User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605)	Attack Pattern	1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Voice - T1566.004 (bb5e59c4-abe7-40c7-8196-e373cb1e5974)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213)	Attack Pattern	User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	1
User Training - M1017 (2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a)	Course of Action	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	1
Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6)	Attack Pattern	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3)	Attack Pattern	2
Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e)	Attack Pattern	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	2
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696)	Attack Pattern	2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Voice - T1566.004 (bb5e59c4-abe7-40c7-8196-e373cb1e5974)	Attack Pattern	2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213)	Attack Pattern	Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289)	Attack Pattern	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	2
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc)	Attack Pattern	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a)	Attack Pattern	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	2
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc)	Attack Pattern	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2