Techniques and Procedures Overview
All techniques and sub-techniques across tactics (listed under their primary tactic).
| Tactic ID | ID | Name | Description |
|---|---|---|---|
| PT0001 | P0001 | Gather Victim Facility Information | Adversaries may gather information about the target facility to plan entry, movement, and collection. This includes building layout, access controls, occupancy patterns, and security-relevant infrastructure. |
| PT0001 | P0001.001 | Facility Plans | Adversaries may obtain floor plans, evacuation routes, door schedules, and other facility documentation through open sources, social engineering, or theft to understand layout and access paths. |
| PT0001 | P0001.002 | Facility Rhythms | Adversaries may study staff rhythms and patterns such as shift changes, break times, delivery schedules, and typical foot traffic to time movement and blend with normal activity. |
| PT0001 | P0002 | Surveillance | Adversaries may observe facilities, people, and security routines to collect information for planning. Surveillance may occur on site or remotely using open sources, cameras, or other collection methods. |
| PT0001 | P0002.001 | On-site Surveillance | Adversaries may conduct surveillance from public or authorized vantage points near the facility, including fixed observation, walk-by reconnaissance, and repeated visits to establish patterns. |
| PT0001 | P0002.002 | Remote Surveillance | Adversaries may collect facility information remotely using open-source research, social media, satellite or street imagery, public records, and other sources without physical presence at the site. |
| PT0001 | P0003 | Gather Victim Facility Perimeter | Adversaries may observe and map the physical perimeter of a target facility to understand boundaries, access points, and external security controls. This includes fencing, walls, gates, vehicle barriers, lighting, cameras along the perimeter, patrol routes, and adjacent property lines that affect approach or escape. |
| PT0002 | P0004 | Fabricate ID | Adversaries may create or alter identification credentials to impersonate authorized personnel, contractors, or visitors at a target facility. Fabricated IDs support pretext-based access and reduce scrutiny at checkpoints. |
| PT0002 | P0004.001 | Fabricate Victim Company ID | Adversaries may create identification that mimics the target organization's badges, access cards, or visitor credentials. This may include copying branding, badge formats, or card technologies observed during reconnaissance. |
| PT0002 | P0004.002 | Fabricate Victim Vendor ID | Adversaries may create identification associated with vendors, contractors, or service providers commonly seen at the target facility. Vendor or subcontractor credentials can exploit weaker verification for third-party personnel. |
| PT0002 | P0005 | Develop Pretext | Adversaries may develop a cover story and supporting materials to justify their presence during physical operations. Pretext development aligns appearance, behavior, and artifacts with roles that are plausible at the target facility. |
| PT0002 | P0005.001 | Develop Pretext Story | Adversaries may craft a plausible narrative explaining why they are on site, who they represent, and what work they are performing. The story is tailored to facility roles, schedules, and observed security practices. |
| PT0002 | P0005.002 | Gather Pretext Props | Adversaries may obtain or assemble props that reinforce their cover story, such as clipboards, work orders, tool kits, delivery manifests, or branded materials associated with their claimed role. |
| PT0002 | P0005.003 | Gather Pretext Uniform | Adversaries may acquire clothing or uniforms that match roles expected at the facility, such as maintenance, cleaning, catering, security, or vendor attire. Uniforms increase perceived legitimacy during entry and movement. |
| PT0003 | P0006 | Tailgate | Adversaries may follow authorized personnel through controlled entry points without presenting their own credentials. Tailgating exploits courtesy holds, distraction, or high-traffic periods when doors and turnstiles remain open. |
| PT0001 | P0007 | Social Engineering | Adversaries may manipulate people to obtain access, information, or assistance at a target facility. This includes impersonation, authority appeals, urgency, and other influence tactics at entry points, reception areas, or during escorted movement. |
| PT0001 | P0007.001 | Exploit Business Process | Adversaries may exploit missing, ambiguous, or unenforced business processes to gain access or avoid scrutiny. Weak processes for visitor handling, deliveries, escorts, after-hours access, and contractor workflows can be abused through pretext, policy gaps, or inconsistent enforcement. |
| PT0001 | P0007.002 | Impersonate Staff or Vendor | Adversaries may present themselves as employees, contractors, or vendor personnel to appear legitimate during entry and movement. Impersonation pairs with dress, tools, and behavior expected for the claimed role. |
| PT0001 | P0007.003 | Pose as Visitor or Guest | Adversaries may act as visitors, interview candidates, guests, or event attendees to blend with normal foot traffic. Visitor pretexts often face lighter challenge at reception when appearance and behavior match expected patterns. |
| PT0001 | P0007.004 | Employ Pretext in Conversation | Adversaries may use a prepared cover story when interacting with staff, security, or reception during operations. Consistent pretext in conversation reinforces legitimacy and deflects casual questions about purpose or destination. |
| PT0001 | P0007.005 | Wear Cover Dress | Adversaries may wear clothing, uniforms, PPE, or accessories that match expected roles at the facility during live operations. Cover dress reduces scrutiny compared to out-of-place attire and supports blending with staff, vendors, or visitors. |
| PT0001 | P0007.006 | Employ Pretext via Phone Calls | Adversaries may use a prepared cover story during phone calls to staff, security, reception, or help desks to obtain information or assistance without physical presence at the facility. Phone pretexts can elicit facility details, access procedures, or identities useful for planning and later tactics. |
| PT0001 | P0007.007 | Employ Pretext via Email | Adversaries may use a prepared cover story in email to staff, contractors, or shared mailboxes to obtain information or assistance without physical presence at the facility. Email pretexts can request layouts, visitor procedures, or organizational details that support planning and later tactics. |
| PT0003 | P0008 | Valid Credentials | Adversaries may use legitimate or previously valid credentials to enter controlled areas. This includes badges, keys, PINs, biometric enrollments, or access cards obtained through theft, sharing, cloning, or insider assistance. |
| PT0003 | P0009 | Bypass Physical Access Controls | Adversaries may circumvent physical access controls without exploiting a specific design flaw. Bypass methods defeat or avoid locks, doors, windows, and perimeter barriers through force, manipulation, or alternate paths. |
| PT0003 | P0009.001 | Bypass Window | Adversaries may bypass window-based physical barriers to enter a facility or controlled area. This includes breaking glass, defeating latches, removing panes, or using unsecured or operable windows as entry points. |
| PT0003 | P0009.002 | Bypass Door | Adversaries may bypass door-based access controls to enter restricted areas. This includes lock picking, shimming, forcing doors, removing hinge pins, or exploiting gaps in door hardware (for example, under-the-door tools). |
| PT0003 | P0009.003 | Bypass Perimeter Controls | Adversaries may bypass perimeter security controls such as fencing, gates, bollards, or vehicle barriers. Methods include cutting, climbing, lifting, wedging, or using unmanned access points along the facility boundary. |
| PT0003 | P0010 | Exploit Physical Access Weaknesses | Adversaries may take advantage of misconfigurations, poor maintenance, or unintended gaps in physical security. Exploitation targets weaknesses such as unsecured perimeter controls or openings left unrestricted. |
| PT0003 | P0010.001 | Exploit Perimeter Controls | Adversaries may exploit weaknesses in perimeter controls such as gaps in fencing, inoperative sensors, misaligned gates, or schedules that leave boundaries unmonitored. Exploitation uses the control failure rather than direct force against the barrier. |
| PT0003 | P0010.002 | Exploit Unrestricted Opening | Adversaries may exploit doors, windows, loading docks, or other openings left unlocked, propped open, or without required access controls. Unrestricted openings allow entry without defeating hardware or credentials. |
| PT0003 | P0010.003 | Exploit Request-to-Exit Sensor | Adversaries may exploit request-to-exit sensors that unlock doors from the secure side without credential validation. Triggering motion detectors, pressure mats, or push plates from outside the controlled area can unlock secured doors without valid credentials. |
| PT0004 | P0011 | Establish Trust | Adversaries may build rapport with staff, security, or regular occupants to reduce scrutiny and enable repeat access. Established trust supports recurring entry, escorted movement, and persistence across multiple visits. |
| PT0004 | P0012 | Manipulate Physical Access Controls | Adversaries may alter physical access control hardware to maintain covert entry or exit paths. Manipulation can leave controls appearing normal while allowing unauthorized access on demand. |
| PT0004 | P0012.001 | Replace Lock | Adversaries may swap or rekey locks so that only they retain working keys while the original hardware remains in place. Replaced locks can preserve the appearance of normal access control while enabling covert re-entry. |
| PT0004 | P0012.002 | Disable Latch | Adversaries may disable door latches, strike plates, or similar mechanisms so doors can be opened without normal authorization. Disabled latches may allow quiet re-entry while appearing closed from a distance. |
| PT0004 | P0013 | Hide on Premises | Adversaries may conceal themselves within a facility or controlled area to avoid detection between operating periods. Hiding locations include unused spaces, storage areas, ceilings, and other low-traffic zones that support extended presence. |
| PT0006 | P0014 | Steal Valid Credentials | Adversaries may steal physical access credentials from personnel, workspaces, or unsecured storage. Stolen badges, keys, or PINs can be used immediately or retained for later entry, privilege escalation, and lateral movement. |
| PT0006 | P0014.001 | Shoulder Surf PIN Entry | Adversaries may observe personnel entering PINs at doors, gates, or PIN pads to capture access codes without handling credentials directly. Shoulder surfing can occur in queues, at turnstiles, or by positioning near controlled entry points. |
| PT0006 | P0015 | Forge Key | Adversaries may create unauthorized copies of mechanical keys or obtain keys cut to match target locks. Forged keys enable entry without triggering electronic access logs when mechanical locks are used alone or as a fallback. |
| PT0006 | P0016 | Clone Badge | Adversaries may duplicate access badges or cards using captured credential data or physical specimens. Cloned badges can grant entry at readers that do not enforce additional verification or detect duplicate serial numbers. |
| PT0006 | P0016.001 | Skim Badge with Covert Reader | Adversaries may place covert reader hardware over or adjacent to legitimate access readers to capture badge data without the holder's knowledge. Covert readers may resemble the original reader face or hide in mounting gaps and can record credentials for later cloning. |
| PT0006 | P0016.002 | Capture Badge with Long-Range Reader | Adversaries may use long-range or portable RFID/NFC readers to capture badge data from personnel at a distance, through clothing, or without any interaction at a controlled door. |
| PT0007 | P0017 | Cross Security Zone | Adversaries may move between defined security zones within or across facilities after initial access. Zone crossings exploit gaps between perimeter and interior controls, inconsistent badge enforcement, or transition areas such as lobbies and mantraps. |
| PT0007 | P0017.001 | Cross Zone via Internal Door | Adversaries may pass through interior doors, turnstiles, or mantraps that separate security zones within the same building. This includes using valid credentials, tailgating, or exploiting doors held open during transitions between public and restricted areas. |
| PT0007 | P0017.002 | Cross Zone via Inter-Building Connector | Adversaries may move between buildings or structures using skybridges, underground tunnels, shared atria, or campus connectors. Inter-building paths can bypass perimeter controls applied at each building's main entry. |
| PT0007 | P0018 | Use Vertical Circulation | Adversaries may move between floors using stairs, elevators, or other vertical circulation paths. Floor-to-floor movement can bypass zone controls that are enforced only at building entry or on selected levels. |
| PT0007 | P0018.001 | Use Stairwell | Adversaries may use stairwells to change floors, including emergency stairs and tenant stairs that connect multiple levels. Stairwell doors may be propped open, may be passed by following normal traffic, or may accept credentials that differ from those enforced by elevator floor selection. |
| PT0007 | P0018.002 | Use Elevator | Adversaries may use passenger or freight elevators to reach other floors, including riding with authorized personnel or using credentials, keys, or elevator codes scoped beyond their intended area. |
| PT0007 | P0018.003 | Use Exterior Access or Climbing | Adversaries may use exterior building features to reach other floors or secured areas without passing interior access controls. This includes exterior emergency stairways, fire escapes, and ledges, as well as climbing or rappelling to and from upper floors, roofs, or windows that are less monitored than main entries. |
| PT0007 | P0019 | Use Service Route | Adversaries may traverse back-of-house paths such as loading docks, utility corridors, mail rooms, and maintenance tunnels to reach areas not visible from public spaces. Service routes often have lighter monitoring or fewer credential checks than main entries. |
| PT0008 | P0021 | Select Low-Visibility Route | Adversaries may choose paths that minimize exposure to guards, reception desks, cameras, and high-visibility lobbies. Route selection favors service corridors, stairwells, loading areas, and times when fewer people observe transit between objectives. |
| PT0008 | P0022 | Activity Timing | Adversaries may schedule entry, movement, or actions for specific times that improve success or reduce scrutiny. Timing can align with busy periods that provide cover or with quiet periods when fewer people are present. |
| PT0008 | P0022.001 | Time Activity to Normal Operations | Adversaries may schedule movement and actions to coincide with routine facility activity. Examples include shift changes, meal periods, delivery windows, and peak visitor traffic when additional people reduce individual scrutiny. |
| PT0008 | P0022.002 | Time Activity Outside Regular Business Hours | Adversaries may schedule entry or movement outside regular business hours, such as nights, weekends, or holidays when facilities are closed or lightly staffed. Operating off-hours can reduce encounters with personnel while exploiting gaps in patrols, escorts, or visitor controls. |
| PT0009 | P0024 | Disable Sensor | Adversaries may deactivate, damage, or bypass physical security sensors so they no longer report events. Disabled sensors reduce detection of movement, entry, or environmental changes across the protected area. |
| PT0009 | P0024.001 | Disable Camera | Adversaries may disable or blind video cameras by cutting power, disconnecting cabling, damaging housings, or using switches and breakers that remove coverage. Camera outages create gaps in visual monitoring along routes and entry points. |
| PT0009 | P0024.002 | Disable Intrusion Sensor | Adversaries may disable intrusion detection devices such as motion detectors, door contacts, glass-break sensors, and beam barriers. Tampering or bypassing these sensors reduces alarm generation when adversaries cross protected boundaries. |
| PT0009 | P0024.003 | Disable Alarm Device | Adversaries may silence or disable audible and visual alarm appliances, panels, or notification paths. Impaired alarm devices delay or prevent staff and responders from learning that a sensor event occurred. |
| PT0009 | P0025 | Block Camera View | Adversaries may obstruct camera fields of view without necessarily disabling the device. Blocking methods include covering lenses, repositioning cameras, introducing blind spots with objects, or using glare and lighting to reduce usable footage. |
| PT0009 | P0026 | Employ Distraction | Adversaries may create events that draw guard or staff attention away from their activity. Distractions degrade effective monitoring and response by flooding defenders with false or competing priorities. |
| PT0009 | P0026.001 | Trigger False Alarm | Adversaries may intentionally cause alarm activations that are not tied to their objective, such as pulling manual stations, tripping sensors, or staging incidents. False alarms consume guard time and can desensitize staff to subsequent events. |
| PT0009 | P0026.002 | Stage Diversion | Adversaries may create non-alarm distractions such as staged disputes, medical incidents, delivery confusion, or commotion in another area. Diversion draws eyes and radios away from the adversary's actual location or route. |
| PT0010 | P0027 | Steal Hardware | Adversaries may remove physical computing or storage hardware from the target environment. Stolen hardware can contain data, credentials, or configuration information useful for follow-on access and analysis. |
| PT0010 | P0027.001 | Steal Endpoint Device | Adversaries may take laptops, desktops, tablets, or other endpoint devices from workspaces, labs, or unsecured areas. Endpoint theft can expose local storage, cached credentials, and peripheral tokens left with the device. |
| PT0010 | P0027.002 | Steal Removable Media | Adversaries may remove USB drives, external hard disks, backup tapes, or other portable storage found on site. Removable media may hold sensitive files, keys, or images copied from internal systems. |
| PT0010 | P0027.003 | Steal Server Hardware | Adversaries may remove servers, NAS appliances, or other rack-mounted or closet storage systems when physical access permits. Server hardware theft can provide drives, memory, and configuration labels tied to the target environment. |
| PT0010 | P0028 | Copy Information | Adversaries may duplicate information in place without removing the original materials. Copying preserves access to content while leaving source documents, displays, or boards apparently undisturbed. |
| PT0010 | P0028.001 | Photograph Information | Adversaries may capture images of documents, whiteboards, posted schedules, screen displays, or labels using phones or cameras. Photography allows quick collection without removing originals from the facility. |
| PT0010 | P0028.002 | Photocopy Documents | Adversaries may use copiers, scanners, or multifunction devices to duplicate paper records on site. Photocopying can produce full copies of binders, visitor logs, or internal memos while originals remain in place. |
| PT0010 | P0029 | Steal Information | Adversaries may remove physical documents, files, or other recorded information from the target environment. Stolen materials can include paper records, binders, mail, and other portable information carriers taken from offices or secure storage. |
| PT0010 | P0030 | Plant Surveillance Device | Adversaries may conceal listening devices, cameras, or other recorders in the target environment to capture audio or video after they leave. Implants can be placed in offices, meeting rooms, cabling paths, or furnishings to collect information without continuous on-site presence. |
| PT0011 | P0031 | Exfiltrate via Entry Route | Adversaries may exit through the same controlled entry points used for access, such as main doors, turnstiles, or visitor checkpoints. Departing via the entry route preserves cover when the adversary still appears authorized or follows normal egress flow. |
| PT0011 | P0032 | Exfiltrate via Emergency Route | Adversaries may leave through emergency exits, fire doors, or other egress paths intended for evacuation. Emergency routes may have fewer credential checks or monitoring than primary entries during an operation. |
| PT0011 | P0033 | Exfiltrate via Alternative Route | Adversaries may exit through paths other than the primary entry or designated emergency egress, such as loading docks, service doors, utility tunnels, or perimeter gaps. Alternative routes can avoid checkpoints where the adversary would be challenged on departure. |
| PT0012 | P0034 | Espionage | Adversaries may conduct physical operations to obtain sensitive information for an external beneficiary. Espionage objectives include trade secrets, operational plans, credentials, and facility details collected to advantage a competing or hostile organization. |
| PT0012 | P0034.001 | Industry Espionage | Adversaries may conduct espionage to benefit a commercial competitor or private interest. Industry espionage targets trade secrets, product plans, customer lists, pricing, and proprietary processes that provide market advantage. |
| PT0012 | P0034.002 | Nation State Espionage | Adversaries may conduct espionage to benefit a government or state-aligned program. Nation-state espionage can target critical infrastructure, defense suppliers, research facilities, and other sites whose physical access or materials support strategic intelligence goals. |
| PT0012 | P0035 | Sabotage | Adversaries may deliberately damage, disable, or interfere with equipment, utilities, or processes to disrupt operations. Sabotage can target production systems, safety controls, infrastructure, or assets needed for normal facility function. |
| PT0012 | P0036 | Theft | Adversaries may steal property or assets as a primary outcome of the operation, beyond information collection alone. Theft can target equipment, materials, inventory, or other valuables that impose direct loss on the victim organization. |
| PT0012 | P0037 | Distraction | Adversaries may create confusion or competing incidents to disrupt normal operations or mask other impact activities. Distraction as an objective can delay detection of sabotage or theft, overwhelm staff response, or shift attention away from the adversary's primary goal. |
| PT0003 | P0038 | Manipulate Electronic Access Control | Adversaries may tamper with electronic access hardware such as card readers, PIN pads, and electronic locks, or related wiring and controllers, to bypass, spoof, capture credentials, or hold access in an open state. Manipulated controls can enable initial entry, credential theft, movement between zones, or covert re-entry without valid credentials while appearing operational. |
| PT0003 | P0038.001 | Implant Covert Capture Device | Adversaries may install concealed hardware inside or behind card readers and PIN pads to intercept credential data passed to access controllers. Implants may sit inline on reader wiring or within the enclosure, capturing badge reads and PIN entry for later use while leaving the device outwardly functional. |
| PT0001 | P0039 | Dumpster Diving | Adversaries may search discarded waste from the target facility or personnel to collect information useful for planning. Discarded documents, media, badges, or packaging can reveal floor plans, access procedures, organizational structure, or credentials. |