Network Boundary Bridging: Network Address Translation Traversal
Impair Defenses: Impair Command History Logging
Audio Capture
Boot or Logon Initialization Scripts: Logon Script (Windows)
Multi-Factor Authentication Interception
Event Triggered Execution: Accessibility Features
Command and Scripting Interpreter: Python
Masquerading: Rename System Utilities
Create Account: Local Account
Obfuscated Files or Information: Polymorphic Code
Obfuscated Files or Information: Software Packing
Data Destruction
OS Credential Dumping: Security Account Manager
Network Denial of Service: Direct Network Flood
Masquerading: Masquerade Task or Service
Search Open Technical Databases: Digital Certificates
Network Denial of Service: Reflection Amplification
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Hardware Additions
Acquire Access
Browser Extensions
Defacement
Masquerading
OS Credential Dumping: NTDS
System Location Discovery
Modify Authentication Process: Reversible Encryption
Gather Victim Network Information
Content Injection
Boot or Logon Autostart Execution: Login Items
Data Manipulation
Container Administration Command
Hide Artifacts: Run Virtual Instance
Event Triggered Execution: Unix Shell Configuration Modification
Compromise Accounts: Email Accounts
Pre-OS Boot: Bootkit
User Execution
Account Manipulation: Additional Local or Domain Groups
Network Service Discovery
Use Alternate Authentication Material
Data from Configuration Repository: Network Device Configuration Dump
Develop Capabilities: Malware
Impair Defenses: Disable Windows Event Logging
Indicator Removal: Timestomp
Valid Accounts
System Owner/User Discovery
Phishing for Information
Archive Collected Data: Archive via Custom Method
Search Open Technical Databases: DNS/Passive DNS
Steal or Forge Authentication Certificates
Gather Victim Network Information: DNS
Phishing for Information: Spearphishing Attachment
Trusted Relationship
Hijack Execution Flow: DLL Side-Loading
Data Staged
BITS Jobs
Account Manipulation: Additional Container Cluster Roles
Develop Capabilities
Protocol Tunneling
Compromise Accounts: Social Media Accounts
Traffic Signaling
Data from Information Repositories: Sharepoint
Email Collection
Acquire Infrastructure: Server
Drive-by Compromise
Disk Wipe
Serverless Execution
Valid Accounts: Local Accounts
Resource Hijacking
System Binary Proxy Execution: Control Panel
OS Credential Dumping: LSA Secrets
Boot or Logon Autostart Execution: Authentication Package
Trusted Developer Utilities Proxy Execution: ClickOnce
System Network Configuration Discovery: Internet Connection Discovery
Hijack Execution Flow: AppDomainManager
Search Open Technical Databases
System Location Discovery: System Language Discovery
Screen Capture
Data from Configuration Repository
Obfuscated Files or Information: Command Obfuscation
Application Layer Protocol: Web Protocols
Dynamic Resolution: DNS Calculation
Archive Collected Data: Archive via Utility
Compromise Accounts
Inter-Process Communication: XPC Services
Abuse Elevation Control Mechanism
Data from Network Shared Drive
Hijack Execution Flow: KernelCallbackTable
Supply Chain Compromise: Compromise Software Supply Chain
Indicator Removal: Clear Windows Event Logs
Compromise Infrastructure
Exfiltration Over Web Service
Process Injection: Proc Memory
Exploitation for Credential Access
Search Open Technical Databases: WHOIS
Non-Standard Port
Obfuscated Files or Information: HTML Smuggling
Acquire Infrastructure: Serverless
Account Manipulation: SSH Authorized Keys
Automated Exfiltration: Traffic Duplication
Create or Modify System Process: Container Service
Phishing: Spearphishing Attachment
Search Open Websites/Domains: Code Repositories
Event Triggered Execution: Trap
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Modify Authentication Process: Network Provider DLL
Cloud Service Dashboard
Fallback Channels
Event Triggered Execution: Udev Rules
Input Capture: Credential API Hooking
Event Triggered Execution: Netsh Helper DLL
Hide Artifacts: File/Path Exclusions
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Indirect Command Execution
Email Collection: Remote Email Collection
Gather Victim Host Information: Client Configurations
Server Software Component: SQL Stored Procedures
System Services: Launchctl
Gather Victim Org Information: Identify Roles
Network Boundary Bridging
Pre-OS Boot
Acquire Infrastructure: Virtual Private Server
Steal or Forge Kerberos Tickets: Kerberoasting
Exfiltration Over Web Service: Exfiltration Over Webhook
Forge Web Credentials: Web Cookies
Obtain Capabilities: Exploits
Cloud Service Discovery
Credentials from Password Stores: Securityd Memory
Remote System Discovery
Multi-Stage Channels
Modify System Image
Application Layer Protocol: File Transfer Protocols
Modify System Image: Downgrade System Image
Forced Authentication
Execution Guardrails: Mutual Exclusion
Communication Through Removable Media
Obfuscated Files or Information: Embedded Payloads
Stage Capabilities: Upload Tool
Scheduled Task/Job: Container Orchestration Job
Impair Defenses: Disable or Modify Linux Audit System
Exploitation of Remote Services
Compromise Infrastructure: Server
Modify Authentication Process: Password Filter DLL
Weaken Encryption: Reduce Key Space
Debugger Evasion
System Binary Proxy Execution: Msiexec
Application Layer Protocol: Publish/Subscribe Protocols
Masquerading: Right-to-Left Override
Data Manipulation: Runtime Data Manipulation
Hide Artifacts: Ignore Process Interrupts
Hijack Execution Flow: Path Interception by PATH Environment Variable
Domain or Tenant Policy Modification
Boot or Logon Autostart Execution: Active Setup
Indicator Removal: Clear Linux or Mac System Logs
OS Credential Dumping: /etc/passwd and /etc/shadow
Gather Victim Network Information: Network Trust Dependencies
Develop Capabilities: Digital Certificates
Masquerading: Match Legitimate Name or Location
Event Triggered Execution
Use Alternate Authentication Material: Application Access Token
Acquire Infrastructure: Domains
Account Discovery: Domain Account
Exfiltration Over C2 Channel
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Build Image on Host
Hijack Execution Flow: Services File Permissions Weakness
Encrypted Channel: Asymmetric Cryptography
Application Window Discovery
Obtain Capabilities: Code Signing Certificates
Obtain Capabilities
Firmware Corruption
Event Triggered Execution: Change Default File Association
Cloud Administration Command
User Execution: Malicious Link
Permission Groups Discovery: Local Groups
Lateral Tool Transfer
Data Transfer Size Limits
Input Capture
Event Triggered Execution: AppCert DLLs
Permission Groups Discovery
Develop Capabilities: Exploits
System Script Proxy Execution: PubPrn
Data from Information Repositories: Confluence
Email Collection: Email Forwarding Rule
Gather Victim Network Information: Domain Properties
Gather Victim Network Information: Network Security Appliances
Boot or Logon Autostart Execution: Time Providers
Encrypted Channel: Symmetric Cryptography
Unsecured Credentials: Group Policy Preferences
Account Manipulation: Additional Email Delegate Permissions
Taint Shared Content
Unused/Unsupported Cloud Regions
Dynamic Resolution: Fast Flux DNS
Establish Accounts: Email Accounts
Office Application Startup
Hijack Execution Flow: Dylib Hijacking
Use Alternate Authentication Material: Web Session Cookie
Hide Artifacts: Resource Forking
Reflective Code Loading
Subvert Trust Controls: Code Signing Policy Modification
Access Token Manipulation: Create Process with Token
Service Stop
Account Discovery: Local Account
Use Alternate Authentication Material: Pass the Ticket
Disk Wipe: Disk Structure Wipe
Account Discovery: Cloud Account
Browser Session Hijacking
Phishing for Information: Spearphishing Service
Power Settings
Command and Scripting Interpreter: Windows Command Shell
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Office Application Startup: Outlook Rules
Impair Defenses: Indicator Blocking
Obfuscated Files or Information: Compile After Delivery
Resource Hijacking: Cloud Service Hijacking
Multi-Factor Authentication Request Generation
Unsecured Credentials: Credentials In Files
Execution Guardrails: Environmental Keying
Masquerading: Break Process Trees
Establish Accounts: Cloud Accounts
Hide Artifacts
Exploitation for Privilege Escalation
Search Victim-Owned Websites
Impair Defenses: Disable or Modify System Firewall
Obfuscated Files or Information
Financial Theft
Obfuscated Files or Information: Dynamic API Resolution
Query Registry
Virtualization/Sandbox Evasion: System Checks
Boot or Logon Autostart Execution: Port Monitors
Software Discovery
Search Open Websites/Domains
Obfuscated Files or Information: Stripped Payloads
Log Enumeration
OS Credential Dumping
Proxy: Domain Fronting
Exploitation for Defense Evasion
OS Credential Dumping: Proc Filesystem
Obfuscated Files or Information: LNK Icon Smuggling
Search Open Websites/Domains: Social Media
Steal or Forge Kerberos Tickets: Silver Ticket
Modify Authentication Process: Pluggable Authentication Modules
Create Account: Cloud Account
Subvert Trust Controls
Impair Defenses: Disable or Modify Tools
Deploy Container
Ingress Tool Transfer
Boot or Logon Autostart Execution: Shortcut Modification
Stage Capabilities
Hide Artifacts: Hidden Files and Directories
Web Service
Web Service: Dead Drop Resolver
Forge Web Credentials
Scheduled Task/Job: Scheduled Task
Data Obfuscation: Steganography
Native API
Deobfuscate/Decode Files or Information
XSL Script Processing
Resource Hijacking: SMS Pumping
Access Token Manipulation: Token Impersonation/Theft
Establish Accounts: Social Media Accounts
Stage Capabilities: Upload Malware
Group Policy Discovery
Obtain Capabilities: Vulnerabilities
Data Staged: Local Data Staging
Data Encoding: Standard Encoding
Remote Services
Acquire Infrastructure: DNS Server
Remote Services: Remote Desktop Protocol
External Remote Services
Forge Web Credentials: SAML Tokens
Search Open Websites/Domains: Search Engines
Subvert Trust Controls: Gatekeeper Bypass
Software Deployment Tools
System Binary Proxy Execution: Electron Applications
Data Destruction: Lifecycle-Triggered Deletion
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Remote Service Session Hijacking
Phishing for Information: Spearphishing Link
Network Share Discovery
Data from Cloud Storage
Domain Trust Discovery
System Services
Container and Resource Discovery
Plist File Modification
Event Triggered Execution: PowerShell Profile
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Indicator Removal
Search Open Technical Databases: Scan Databases
Account Discovery
System Time Discovery
Create or Modify System Process: Launch Daemon
Inter-Process Communication
Adversary-in-the-Middle
System Binary Proxy Execution: InstallUtil
Supply Chain Compromise: Compromise Hardware Supply Chain
Rootkit
Modify Authentication Process: Domain Controller Authentication
Data from Removable Media
Cloud Infrastructure Discovery
Valid Accounts: Cloud Accounts
Modify Cloud Compute Infrastructure: Create Snapshot
Establish Accounts
Acquire Infrastructure
Input Capture: Keylogging
Credentials from Password Stores: Cloud Secrets Management Stores
Dynamic Resolution: Domain Generation Algorithms
Process Injection: Dynamic-link Library Injection
Impair Defenses: Disable or Modify Cloud Firewall
Unsecured Credentials: Private Keys
System Shutdown/Reboot
Remote Services: Direct Cloud VM Connections
Exfiltration Over Physical Medium: Exfiltration over USB
Brute Force: Credential Stuffing
Escape to Host
Access Token Manipulation: SID-History Injection
Compromise Infrastructure: Network Devices
Resource Hijacking: Bandwidth Hijacking
Process Injection: Process Doppelgänging
Active Scanning: Wordlist Scanning
Modify System Image: Patch System Image
Command and Scripting Interpreter: JavaScript
Impair Defenses: Downgrade Attack
Endpoint Denial of Service
Network Sniffing
Gather Victim Host Information: Hardware
Hijack Execution Flow: Path Interception by Search Order Hijacking
Phishing for Information: Spearphishing Voice
Impair Defenses: Disable or Modify Cloud Logs
Network Denial of Service
Server Software Component: Web Shell
Event Triggered Execution: Emond
Steal or Forge Kerberos Tickets
Data Encoding: Non-Standard Encoding
Disk Wipe: Disk Content Wipe
Replication Through Removable Media
Credentials from Password Stores
Indicator Removal: Network Share Connection Removal
Office Application Startup: Outlook Home Page
Process Injection: Portable Executable Injection
Create or Modify System Process
Credentials from Password Stores: Keychain
Proxy
Hijack Execution Flow: Executable Installer File Permissions Weakness
Cloud Storage Object Discovery
Gather Victim Identity Information: Employee Names
Command and Scripting Interpreter: Visual Basic
Pre-OS Boot: Component Firmware
Obtain Capabilities: Artificial Intelligence
Acquire Infrastructure: Web Services
Command and Scripting Interpreter: AppleScript
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Account Manipulation: Additional Cloud Roles
Hide Infrastructure
Indicator Removal: Clear Command History
Boot or Logon Initialization Scripts: Network Logon Script
Encrypted Channel
Brute Force
Hide Artifacts: Hidden Window
Create or Modify System Process: Launch Agent
Archive Collected Data
Account Discovery: Email Account
Pre-OS Boot: TFTP Boot
Steal or Forge Kerberos Tickets: Golden Ticket
Event Triggered Execution: Component Object Model Hijacking
Obtain Capabilities: Tool
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Proxy: Internal Proxy
Boot or Logon Autostart Execution: Re-opened Applications
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Gather Victim Org Information: Determine Physical Locations
Impersonation
Brute Force: Password Spraying
Obfuscated Files or Information: Steganography
File and Directory Permissions Modification
Credentials from Password Stores: Credentials from Web Browsers
Steal or Forge Kerberos Tickets: AS-REP Roasting
Account Manipulation: Additional Cloud Credentials
System Binary Proxy Execution: CMSTP
Data from Information Repositories: Customer Relationship Management Software
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Use Alternate Authentication Material: Pass the Hash
Compromise Accounts: Cloud Accounts
Office Application Startup: Office Test
Command and Scripting Interpreter: Unix Shell
Access Token Manipulation: Make and Impersonate Token
Search Closed Sources: Threat Intel Vendors
Boot or Logon Autostart Execution: LSASS Driver
Hijack Execution Flow
Subvert Trust Controls: SIP and Trust Provider Hijacking
Non-Application Layer Protocol
System Script Proxy Execution
Server Software Component: IIS Components
Search Open Technical Databases: CDNs
Compromise Infrastructure: Domains
Modify Cloud Resource Hierarchy
Data from Information Repositories: Messaging Applications
OS Credential Dumping: Cached Domain Credentials
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Remote Services: Windows Remote Management
Obtain Capabilities: Digital Certificates
Gather Victim Identity Information: Email Addresses
Direct Volume Access
Compromise Infrastructure: Virtual Private Server
Scheduled Task/Job
Boot or Logon Autostart Execution
Search Closed Sources: Purchase Technical Data
Process Injection: Asynchronous Procedure Call
Pre-OS Boot: System Firmware
Web Service: Bidirectional Communication
Impair Defenses: Spoof Security Alerting
Phishing
Web Service: One-Way Communication
Data Obfuscation: Protocol or Service Impersonation
Hijack Execution Flow: DLL Search Order Hijacking
Unsecured Credentials: Bash History
Execution Guardrails
Remote Access Software
Event Triggered Execution: Image File Execution Options Injection
Develop Capabilities: Code Signing Certificates
Exfiltration Over Web Service: Exfiltration to Code Repository
Proxy: External Proxy
Credentials from Password Stores: Password Managers
Hide Artifacts: Hidden File System
Scheduled Task/Job: Cron
Account Manipulation: Device Registration
Trusted Developer Utilities Proxy Execution
Impair Defenses
Credentials from Password Stores: Windows Credential Manager
Account Access Removal
Adversary-in-the-Middle: Evil Twin
Browser Information Discovery
Remote Services: VNC
Modify Registry
Implant Internal Image
Masquerading: Masquerade File Type
Event Triggered Execution: AppInit DLLs
System Binary Proxy Execution: Regsvcs/Regasm
Server Software Component
Remote Services: Cloud Services
Pre-OS Boot: ROMMONkit
Stage Capabilities: SEO Poisoning
Automated Exfiltration
Trusted Developer Utilities Proxy Execution: MSBuild
System Network Configuration Discovery: Wi-Fi Discovery
Phishing: Spearphishing Voice
Account Manipulation
Hijack Execution Flow: COR_PROFILER
Create or Modify System Process: Windows Service
Subvert Trust Controls: Install Root Certificate
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Gather Victim Host Information: Software
Data from Information Repositories
Template Injection
Office Application Startup: Office Template Macros
Office Application Startup: Outlook Forms
Hide Artifacts: NTFS File Attributes
Command and Scripting Interpreter: AutoHotKey & AutoIT
System Binary Proxy Execution: Odbcconf
Data Obfuscation: Junk Data
Indicator Removal: Clear Persistence
Inhibit System Recovery
System Service Discovery
Process Injection: Thread Local Storage
Virtualization/Sandbox Evasion
Obtain Capabilities: Malware
System Binary Proxy Execution
Server Software Component: Transport Agent
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Scheduled Task/Job: At
Boot or Logon Autostart Execution: Winlogon Helper DLL
System Information Discovery
Abuse Elevation Control Mechanism: TCC Manipulation
OS Credential Dumping: LSASS Memory
Application Layer Protocol: Mail Protocols
Supply Chain Compromise
Data Encrypted for Impact
Access Token Manipulation
Masquerading: Double File Extension
Data from Information Repositories: Code Repositories
Modify Cloud Compute Infrastructure: Create Cloud Instance
Command and Scripting Interpreter
Unsecured Credentials
Masquerading: Invalid Code Signature
Remote Service Session Hijacking: SSH Hijacking
System Binary Proxy Execution: MMC
Steal or Forge Kerberos Tickets: Ccache Files
Indicator Removal: Clear Network Connection History and Configurations
Process Discovery
Event Triggered Execution: Screensaver
Email Collection: Local Email Collection
Masquerading: Masquerade Account Name
Weaken Encryption: Disable Crypto Hardware
Indicator Removal: Clear Mailbox Data
Obfuscated Files or Information: Indicator Removal from Tools
Gather Victim Org Information: Business Relationships
Access Token Manipulation: Parent PID Spoofing
Process Injection: Ptrace System Calls
System Binary Proxy Execution: Mshta
Domain or Tenant Policy Modification: Group Policy Modification
Application Layer Protocol: DNS
Gather Victim Org Information
Boot or Logon Initialization Scripts: Startup Items
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Event Triggered Execution: Installer Packages
Hijack Execution Flow: Services Registry Permissions Weakness
Acquire Infrastructure: Malvertising
System Binary Proxy Execution: Rundll32
Unsecured Credentials: Credentials in Registry
Scheduled Transfer
System Services: Service Execution
Modify Authentication Process: Multi-Factor Authentication
System Binary Proxy Execution: Verclsid
Application Layer Protocol
Subvert Trust Controls: Mark-of-the-Web Bypass
Stage Capabilities: Drive-by Target
Gather Victim Identity Information
Permission Groups Discovery: Domain Groups
Compromise Infrastructure: Botnet
Traffic Signaling: Port Knocking
Brute Force: Password Guessing
Search Closed Sources
Impair Defenses: Safe Mode Boot
Boot or Logon Initialization Scripts
Dynamic Resolution
Permission Groups Discovery: Cloud Groups
System Network Connections Discovery
Phishing: Spearphishing via Service
Data Manipulation: Transmitted Data Manipulation
Inter-Process Communication: Dynamic Data Exchange
Hijack Execution Flow: Dynamic Linker Hijacking
Adversary-in-the-Middle: DHCP Spoofing
Process Injection: ListPlanting
Modify Authentication Process: Hybrid Identity
Gather Victim Identity Information: Credentials
Adversary-in-the-Middle: ARP Cache Poisoning
User Execution: Malicious File
Command and Scripting Interpreter: Lua
Inter-Process Communication: Component Object Model
Abuse Elevation Control Mechanism: Bypass User Account Control
Clipboard Data
Stage Capabilities: Install Digital Certificate
Modify Cloud Compute Infrastructure
User Execution: Malicious Image
Device Driver Discovery
Hide Artifacts: VBA Stomping
Hijack Execution Flow: Path Interception by Unquoted Path
Create Account: Domain Account
Exploit Public-Facing Application
Create Account
Software Discovery: Security Software Discovery
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Event Triggered Execution: Application Shimming
Input Capture: Web Portal Capture
Data Obfuscation
Command and Scripting Interpreter: Network Device CLI
Exfiltration Over Alternative Protocol
Indicator Removal: File Deletion
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: XDG Autostart Entries
Virtualization/Sandbox Evasion: Time Based Evasion
Modify Authentication Process: Network Device Authentication
Unsecured Credentials: Container API
Virtualization/Sandbox Evasion: User Activity Based Checks
Hide Artifacts: Email Hiding Rules
Obfuscated Files or Information: Fileless Storage
Transfer Data to Cloud Account
Active Scanning: Scanning IP Blocks
Process Injection
Process Injection: Thread Execution Hijacking
Obfuscated Files or Information: Binary Padding
Hide Artifacts: Process Argument Spoofing
Process Injection: VDSO Hijacking
Command and Scripting Interpreter: PowerShell
Office Application Startup: Add-ins
Data Encoding
Compromise Infrastructure: Web Services
Process Injection: Process Hollowing
Defacement: External Defacement
Steal Application Access Token
Remote Service Session Hijacking: RDP Hijacking
Active Scanning
Internal Spearphishing
System Binary Proxy Execution: Regsvr32
Unsecured Credentials: Cloud Instance Metadata API
Input Capture: GUI Input Capture
Endpoint Denial of Service: Application or System Exploitation
Indicator Removal: Relocate Malware
Data Manipulation: Stored Data Manipulation
Event Triggered Execution: LC_LOAD_DYLIB Addition
Server Software Component: Terminal Services DLL
Create or Modify System Process: Systemd Service
Scheduled Task/Job: Systemd Timers
System Script Proxy Execution: SyncAppvPublishingServer
Gather Victim Network Information: Network Topology
Exploitation for Client Execution
Exfiltration Over Other Network Medium
Brute Force: Password Cracking
Windows Management Instrumentation
Shared Modules
System Binary Proxy Execution: Compiled HTML File
Weaken Encryption
Boot or Logon Autostart Execution: Print Processors
Remote Services: SSH
Process Injection: Extra Window Memory Injection
Modify Authentication Process
Remote Services: SMB/Windows Admin Shares
Password Policy Discovery
Compromise Infrastructure: DNS Server
Phishing: Spearphishing Link
System Network Configuration Discovery
Proxy: Multi-hop Proxy
Abuse Elevation Control Mechanism: Setuid and Setgid
Gather Victim Org Information: Identify Business Tempo
Unsecured Credentials: Chat Messages
Valid Accounts: Default Accounts
Active Scanning: Vulnerability Scanning
OS Credential Dumping: DCSync
Command and Scripting Interpreter: Cloud API
Gather Victim Network Information: IP Addresses
Rogue Domain Controller
Hide Artifacts: Hidden Users
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Automated Collection
Endpoint Denial of Service: Service Exhaustion Flood
System Binary Proxy Execution: Mavinject
Data Staged: Remote Data Staging
Peripheral Device Discovery
Compromise Infrastructure: Serverless
Resource Hijacking: Compute Hijacking
Stage Capabilities: Link Target
Remote Services: Distributed Component Object Model
Defacement: Internal Defacement
Modify Authentication Process: Conditional Access Policies
Archive Collected Data: Archive via Library
Boot or Logon Initialization Scripts: RC Scripts
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Valid Accounts: Domain Accounts
Steal Web Session Cookie
File and Directory Discovery
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Exfiltration Over Physical Medium
Compromise Host Software Binary
Boot or Logon Initialization Scripts: Login Hook
Endpoint Denial of Service: Application Exhaustion Flood
Masquerading: Space after Filename
Gather Victim Host Information: Firmware
Gather Victim Host Information
Data from Configuration Repository: SNMP (MIB Dump)
Traffic Signaling: Socket Filters
Endpoint Denial of Service: OS Exhaustion Flood
Subvert Trust Controls: Code Signing
Data from Local System
Video Capture
Acquire Infrastructure: Botnet
Domain or Tenant Policy Modification: Trust Modification
Obfuscated Files or Information: Encrypted/Encoded File
WebService:Exfiltration toCodeRepositoryProxy:ExternalProxyCredentialsfrom PasswordStores:PasswordManagersHideArtifacts:Hidden FileSystemScheduledTask/Job:CronAccountManipulation:DeviceRegistrationTrustedDeveloperUtilitiesProxyExecutionImpairDefensesCredentialsfrom PasswordStores:WindowsCredentialManagerAccountAccessRemovalAdversary-in-the-Middle:Evil TwinBrowserInformationDiscoveryRemoteServices:VNCModifyRegistryImplantInternalImageMasquerading:MasqueradeFile TypeEventTriggeredExecution:AppInit DLLsSystem BinaryProxy Execution:Regsvcs/RegasmServerSoftwareComponentRemoteServices:CloudServicesPre-OSBoot:ROMMONkitStageCapabilities:SEOPoisoningAutomatedExfiltrationTrustedDeveloperUtilities ProxyExecution:MSBuildSystemNetworkConfigurationDiscovery: Wi-Fi DiscoveryPhishing:SpearphishingVoiceAccountManipulationHijack ExecutionFlow:COR_PROFILERCreate orModify SystemProcess:WindowsServiceSubvertTrustControls:Install RootCertificateFile and DirectoryPermissionsModification:Windows File andDirectoryPermissionsModificationGatherVictim HostInformation:SoftwareData fromInformationRepositoriesTemplateInjectionOfficeApplicationStartup: OfficeTemplateMacrosOfficeApplicationStartup:OutlookFormsHideArtifacts:NTFS FileAttributesCommandand ScriptingInterpreter:AutoHotKey& AutoITSystemBinary ProxyExecution:OdbcconfDataObfuscation:Junk DataIndicatorRemoval:ClearPersistenceInhibitSystemRecoverySystemServiceDiscoveryProcessInjection:Thread LocalStorageVirtualization/SandboxEvasionObtainCapabilities:MalwareSystemBinaryProxyExecutionServerSoftwareComponent:TransportAgentModify CloudComputeInfrastructure:Revert CloudInstanceScheduledTask/Job:AtBoot or LogonAutostartExecution:WinlogonHelper DLLSystemInformationDiscoveryAbuseElevationControlMechanism:TCCManipulationOSCredentialDumping:LSASSMemoryApplicationLayerProtocol:MailProtocolsSupplyChainCompromiseDataEncryptedfor ImpactAccessTokenManipulationMasquerading:Double FileExtensionData fromInformationRepositories:CodeRepositoriesModify 
CloudComputeInfrastructure:Create CloudInstanceCommandandScriptingInterpreterUnsecuredCredentialsMasquerading:Invalid CodeSignatureRemoteServiceSessionHijacking:SSH HijackingSystemBinary ProxyExecution:MMCSteal orForgeKerberosTickets:Ccache FilesIndicatorRemoval: ClearNetworkConnectionHistory andConfigurationsProcessDiscoveryEventTriggeredExecution:ScreensaverEmailCollection:Local EmailCollectionMasquerading:MasqueradeAccount NameWeakenEncryption:DisableCryptoHardwareIndicatorRemoval:ClearMailbox DataObfuscatedFiles orInformation:IndicatorRemoval fromToolsGather VictimOrgInformation:BusinessRelationshipsAccessTokenManipulation:Parent PIDSpoofingProcessInjection:PtraceSystem CallsSystemBinary ProxyExecution:MshtaDomain orTenant PolicyModification:Group PolicyModificationApplicationLayerProtocol:DNSGatherVictim OrgInformationBoot orLogonInitializationScripts:Startup ItemsAbuseElevationControlMechanism:Sudo and SudoCachingEventTriggeredExecution:InstallerPackagesHijackExecution Flow:ServicesRegistryPermissionsWeaknessAcquireInfrastructure:MalvertisingSystemBinary ProxyExecution:Rundll32UnsecuredCredentials:Credentialsin RegistryScheduledTransferSystemServices:ServiceExecutionModifyAuthenticationProcess:Multi-FactorAuthenticationSystemBinary ProxyExecution:VerclsidApplicationLayerProtocolSubvertTrustControls:Mark-of-the-Web BypassnameStageCapabilities:Drive-byTargetGatherVictimIdentityInformationPermissionGroupsDiscovery:DomainGroupsCompromiseInfrastructure:BotnetTrafficSignaling:PortKnockingBruteForce:PasswordGuessingSearchClosedSourcesImpairDefenses:Safe ModeBootBoot orLogonInitializationScriptsDynamicResolutionPermissionGroupsDiscovery:CloudGroupsSystemNetworkConnectionsDiscoveryPhishing:Spearphishingvia ServiceDataManipulation:TransmittedDataManipulationInter-ProcessCommunication:Dynamic DataExchangeHijackExecutionFlow: DynamicLinkerHijackingAdversary-in-the-Middle:DHCPSpoofingProcessInjection:ListPlantingModifyAuthenticationProcess:Hybrid 
IdentityGatherVictimIdentityInformation:CredentialsAdversary-in-the-Middle: ARPCachePoisoningUserExecution:MaliciousFileCommandand ScriptingInterpreter:LuaInter-ProcessCommunication:ComponentObject ModelAbuse ElevationControlMechanism:Bypass UserAccount ControlClipboardDataStageCapabilities:Install DigitalCertificateModify CloudComputeInfrastructureUserExecution:MaliciousImageDeviceDriverDiscoveryHideArtifacts:VBAStompingHijackExecutionFlow: PathInterception byUnquoted PathCreateAccount:DomainAccountExploitPublic-FacingApplicationCreateAccountSoftwareDiscovery:SecuritySoftwareDiscoveryExfiltrationOver WebService:Exfiltration toText StorageSitesEventTriggeredExecution:ApplicationShimmingInputCapture:Web PortalCaptureDataObfuscationCommandand ScriptingInterpreter:NetworkDevice CLIExfiltrationOverAlternativeProtocolIndicatorRemoval:FileDeletionBoot or LogonAutostartExecution:SecuritySupportProviderBoot or LogonAutostartExecution:XDG AutostartEntriesVirtualization/SandboxEvasion: Time BasedEvasionModifyAuthenticationProcess:Network DeviceAuthenticationUnsecuredCredentials:ContainerAPIVirtualization/SandboxEvasion: User ActivityBased ChecksHideArtifacts:Email HidingRulesObfuscatedFiles orInformation:FilelessStorageTransferData toCloudAccountActiveScanning:ScanningIP BlocksProcessInjectionProcessInjection:ThreadExecutionHijackingObfuscatedFiles orInformation:BinaryPaddingHideArtifacts:ProcessArgumentSpoofingProcessInjection:VDSOHijackingCommandand ScriptingInterpreter:PowerShellOfficeApplicationStartup:Add-insDataEncodingCompromiseInfrastructure:Web ServicesProcessInjection:ProcessHollowingDefacement:ExternalDefacementStealApplicationAccessTokenRemoteServiceSessionHijacking:RDP HijackingActiveScanningInternalSpearphishingSystemBinary ProxyExecution:Regsvr32UnsecuredCredentials:CloudInstanceMetadata APIInputCapture:GUI InputCaptureEndpoint Denialof Service:Application orSystemExploitationIndicatorRemoval:RelocateMalwareDataManipulation:Stored DataManipulationEvent 
TriggeredExecution:LC_LOAD_DYLIBAdditionServerSoftwareComponent:TerminalServices DLLCreate orModify SystemProcess:SystemdServiceScheduledTask/Job:SystemdTimersSystem Script ProxyExecution:SyncAppvPublishingServerGather VictimNetworkInformation:NetworkTopologyExploitationfor ClientExecutionExfiltrationOver OtherNetworkMediumBruteForce:PasswordCrackingWindowsManagementInstrumentationSharedModulesSystemBinary ProxyExecution:CompiledHTML FileWeakenEncryptionBoot or LogonAutostartExecution:PrintProcessorsRemoteServices:SSHProcessInjection:Extra WindowMemoryInjectionModifyAuthenticationProcessRemoteServices:SMB/WindowsAdmin SharesPasswordPolicyDiscoveryCompromiseInfrastructure:DNS ServerPhishing:SpearphishingLinkSystemNetworkConfigurationDiscoveryProxy:Multi-hopProxyAbuseElevationControlMechanism:Setuid andSetgidGather VictimOrgInformation:IdentifyBusinessTempoUnsecuredCredentials:ChatMessagesValidAccounts:DefaultAccountsActiveScanning:VulnerabilityScanningOSCredentialDumping:DCSyncCommandand ScriptingInterpreter:Cloud APIGather VictimNetworkInformation:IP AddressesRogueDomainControllerHideArtifacts:HiddenUsersExfiltrationOver WebService:Exfiltration toCloud StorageAutomatedCollectionEndpoint Denialof Service:ServiceExhaustionFloodSystemBinary ProxyExecution:MavinjectData Staged:RemoteData StagingPeripheralDeviceDiscoveryCompromiseInfrastructure:ServerlessResourceHijacking:ComputeHijackingStageCapabilities:Link TargetRemoteServices:DistributedComponentObject ModelDefacement:InternalDefacementModifyAuthenticationProcess:ConditionalAccess PoliciesArchiveCollectedData:Archive viaLibraryBoot orLogonInitializationScripts: RCScriptsAdversary-in-the-Middle:LLMNR/NBT-NS Poisoningand SMB RelayValidAccounts:DomainAccountsSteal WebSessionCookieFile andDirectoryDiscoveryAbuse ElevationControlMechanism:ElevatedExecution withPromptExfiltrationOverPhysicalMediumCompromiseHostSoftwareBinaryBoot orLogonInitializationScripts:Login HookEndpoint Denialof 
Service:ApplicationExhaustionFloodMasquerading:Space afterFilenameGatherVictim HostInformation:FirmwareGatherVictimHostInformationData fromConfigurationRepository:SNMP (MIBDump)TrafficSignaling:SocketFiltersEndpointDenial ofService: OSExhaustionFloodSubvertTrustControls:CodeSigningData fromLocalSystemVideoCaptureAcquireInfrastructure:BotnetDomain orTenant PolicyModification:TrustModificationObfuscated Files orInformation:Encrypted/EncodedFile

MITRE ATT&CK Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the pieces in a bag, and pull words from the bag.


  1. Network Boundary Bridging: Network Address Translation Traversal
  2. Impair Defenses: Impair Command History Logging
  3. Audio Capture
  4. Boot or Logon Initialization Scripts: Logon Script (Windows)
  5. Multi-Factor Authentication Interception
  6. Event Triggered Execution: Accessibility Features
  7. Command and Scripting Interpreter: Python
  8. Masquerading: Rename System Utilities
  9. Create Account: Local Account
  10. Obfuscated Files or Information: Polymorphic Code
  11. Obfuscated Files or Information: Software Packing
  12. Data Destruction
  13. OS Credential Dumping: Security Account Manager
  14. Network Denial of Service: Direct Network Flood
  15. Masquerading: Masquerade Task or Service
  16. Search Open Technical Databases: Digital Certificates
  17. Network Denial of Service: Reflection Amplification
  18. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  19. Hardware Additions
  20. Acquire Access
  21. Browser Extensions
  22. Defacement
  23. Masquerading
  24. OS Credential Dumping: NTDS
  25. System Location Discovery
  26. Modify Authentication Process: Reversible Encryption
  27. Gather Victim Network Information
  28. Content Injection
  29. Boot or Logon Autostart Execution: Login Items
  30. Data Manipulation
  31. Container Administration Command
  32. Hide Artifacts: Run Virtual Instance
  33. Event Triggered Execution: Unix Shell Configuration Modification
  34. Compromise Accounts: Email Accounts
  35. Pre-OS Boot: Bootkit
  36. User Execution
  37. Account Manipulation: Additional Local or Domain Groups
  38. Network Service Discovery
  39. Use Alternate Authentication Material
  40. Data from Configuration Repository: Network Device Configuration Dump
  41. Develop Capabilities: Malware
  42. Impair Defenses: Disable Windows Event Logging
  43. Indicator Removal: Timestomp
  44. Valid Accounts
  45. System Owner/User Discovery
  46. Phishing for Information
  47. Archive Collected Data: Archive via Custom Method
  48. Search Open Technical Databases: DNS/Passive DNS
  49. Steal or Forge Authentication Certificates
  50. Gather Victim Network Information: DNS
  51. Phishing for Information: Spearphishing Attachment
  52. Trusted Relationship
  53. Hijack Execution Flow: DLL Side-Loading
  54. Data Staged
  55. BITS Jobs
  56. Account Manipulation: Additional Container Cluster Roles
  57. Develop Capabilities
  58. Protocol Tunneling
  59. Compromise Accounts: Social Media Accounts
  60. Traffic Signaling
  61. Data from Information Repositories: Sharepoint
  62. Email Collection
  63. Acquire Infrastructure: Server
  64. Drive-by Compromise
  65. Disk Wipe
  66. Serverless Execution
  67. Valid Accounts: Local Accounts
  68. Resource Hijacking
  69. System Binary Proxy Execution: Control Panel
  70. OS Credential Dumping: LSA Secrets
  71. Boot or Logon Autostart Execution: Authentication Package
  72. Trusted Developer Utilities Proxy Execution: ClickOnce
  73. System Network Configuration Discovery: Internet Connection Discovery
  74. Hijack Execution Flow: AppDomainManager
  75. Search Open Technical Databases
  76. System Location Discovery: System Language Discovery
  77. Screen Capture
  78. Data from Configuration Repository
  79. Obfuscated Files or Information: Command Obfuscation
  80. Application Layer Protocol: Web Protocols
  81. Dynamic Resolution: DNS Calculation
  82. Archive Collected Data: Archive via Utility
  83. Compromise Accounts
  84. Inter-Process Communication: XPC Services
  85. Abuse Elevation Control Mechanism
  86. Data from Network Shared Drive
  87. Hijack Execution Flow: KernelCallbackTable
  88. Supply Chain Compromise: Compromise Software Supply Chain
  89. Indicator Removal: Clear Windows Event Logs
  90. Compromise Infrastructure
  91. Exfiltration Over Web Service
  92. Process Injection: Proc Memory
  93. Exploitation for Credential Access
  94. Search Open Technical Databases: WHOIS
  95. Non-Standard Port
  96. Obfuscated Files or Information: HTML Smuggling
  97. Acquire Infrastructure: Serverless
  98. Account Manipulation: SSH Authorized Keys
  99. Automated Exfiltration: Traffic Duplication
  100. Create or Modify System Process: Container Service
  101. Phishing: Spearphishing Attachment
  102. Search Open Websites/Domains: Code Repositories
  103. Event Triggered Execution: Trap
  104. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
  105. Modify Authentication Process: Network Provider DLL
  106. Cloud Service Dashboard
  107. Fallback Channels
  108. Event Triggered Execution: Udev Rules
  109. Input Capture: Credential API Hooking
  110. Event Triggered Execution: Netsh Helper DLL
  111. Hide Artifacts: File/Path Exclusions
  112. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  113. Indirect Command Execution
  114. Email Collection: Remote Email Collection
  115. Gather Victim Host Information: Client Configurations
  116. Server Software Component: SQL Stored Procedures
  117. System Services: Launchctl
  118. Gather Victim Org Information: Identify Roles
  119. Network Boundary Bridging
  120. Pre-OS Boot
  121. Acquire Infrastructure: Virtual Private Server
  122. Steal or Forge Kerberos Tickets: Kerberoasting
  123. Exfiltration Over Web Service: Exfiltration Over Webhook
  124. Forge Web Credentials: Web Cookies
  125. Obtain Capabilities: Exploits
  126. Cloud Service Discovery
  127. Credentials from Password Stores: Securityd Memory
  128. Remote System Discovery
  129. Multi-Stage Channels
  130. Modify System Image
  131. Application Layer Protocol: File Transfer Protocols
  132. Modify System Image: Downgrade System Image
  133. Forced Authentication
  134. Execution Guardrails: Mutual Exclusion
  135. Communication Through Removable Media
  136. Obfuscated Files or Information: Embedded Payloads
  137. Stage Capabilities: Upload Tool
  138. Scheduled Task/Job: Container Orchestration Job
  139. Impair Defenses: Disable or Modify Linux Audit System
  140. Exploitation of Remote Services
  141. Compromise Infrastructure: Server
  142. Modify Authentication Process: Password Filter DLL
  143. Weaken Encryption: Reduce Key Space
  144. Debugger Evasion
  145. System Binary Proxy Execution: Msiexec
  146. Application Layer Protocol: Publish/Subscribe Protocols
  147. Masquerading: Right-to-Left Override
  148. Data Manipulation: Runtime Data Manipulation
  149. Hide Artifacts: Ignore Process Interrupts
  150. Hijack Execution Flow: Path Interception by PATH Environment Variable
  151. Domain or Tenant Policy Modification
  152. Boot or Logon Autostart Execution: Active Setup
  153. Indicator Removal: Clear Linux or Mac System Logs
  154. OS Credential Dumping: /etc/passwd and /etc/shadow
  155. Gather Victim Network Information: Network Trust Dependencies
  156. Develop Capabilities: Digital Certificates
  157. Masquerading: Match Legitimate Name or Location
  158. Event Triggered Execution
  159. Use Alternate Authentication Material: Application Access Token
  160. Acquire Infrastructure: Domains
  161. Account Discovery: Domain Account
  162. Exfiltration Over C2 Channel
  163. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  164. Build Image on Host
  165. Hijack Execution Flow: Services File Permissions Weakness
  166. Encrypted Channel: Asymmetric Cryptography
  167. Application Window Discovery
  168. Obtain Capabilities: Code Signing Certificates
  169. Obtain Capabilities
  170. Firmware Corruption
  171. Event Triggered Execution: Change Default File Association
  172. Cloud Administration Command
  173. User Execution: Malicious Link
  174. Permission Groups Discovery: Local Groups
  175. Lateral Tool Transfer
  176. Data Transfer Size Limits
  177. Input Capture
  178. Event Triggered Execution: AppCert DLLs
  179. Permission Groups Discovery
  180. Develop Capabilities: Exploits
  181. System Script Proxy Execution: PubPrn
  182. Data from Information Repositories: Confluence
  183. Email Collection: Email Forwarding Rule
  184. Gather Victim Network Information: Domain Properties
  185. Gather Victim Network Information: Network Security Appliances
  186. Boot or Logon Autostart Execution: Time Providers
  187. Encrypted Channel: Symmetric Cryptography
  188. Unsecured Credentials: Group Policy Preferences
  189. Account Manipulation: Additional Email Delegate Permissions
  190. Taint Shared Content
  191. Unused/Unsupported Cloud Regions
  192. Dynamic Resolution: Fast Flux DNS
  193. Establish Accounts: Email Accounts
  194. Office Application Startup
  195. Hijack Execution Flow: Dylib Hijacking
  196. Use Alternate Authentication Material: Web Session Cookie
  197. Hide Artifacts: Resource Forking
  198. Reflective Code Loading
  199. Subvert Trust Controls: Code Signing Policy Modification
  200. Access Token Manipulation: Create Process with Token
  201. Service Stop
  202. Account Discovery: Local Account
  203. Use Alternate Authentication Material: Pass the Ticket
  204. Disk Wipe: Disk Structure Wipe
  205. Account Discovery: Cloud Account
  206. Browser Session Hijacking
  207. Phishing for Information: Spearphishing Service
  208. Power Settings
  209. Command and Scripting Interpreter: Windows Command Shell
  210. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  211. Office Application Startup: Outlook Rules
  212. Impair Defenses: Indicator Blocking
  213. Obfuscated Files or Information: Compile After Delivery
  214. Resource Hijacking: Cloud Service Hijacking
  215. Multi-Factor Authentication Request Generation
  216. Unsecured Credentials: Credentials In Files
  217. Execution Guardrails: Environmental Keying
  218. Masquerading: Break Process Trees
  219. Establish Accounts: Cloud Accounts
  220. Hide Artifacts
  221. Exploitation for Privilege Escalation
  222. Search Victim-Owned Websites
  223. Impair Defenses: Disable or Modify System Firewall
  224. Obfuscated Files or Information
  225. Financial Theft
  226. Obfuscated Files or Information: Dynamic API Resolution
  227. Query Registry
  228. Virtualization/Sandbox Evasion: System Checks
  229. Boot or Logon Autostart Execution: Port Monitors
  230. Software Discovery
  231. Search Open Websites/Domains
  232. Obfuscated Files or Information: Stripped Payloads
  233. Log Enumeration
  234. OS Credential Dumping
  235. Proxy: Domain Fronting
  236. Exploitation for Defense Evasion
  237. OS Credential Dumping: Proc Filesystem
  238. Obfuscated Files or Information: LNK Icon Smuggling
  239. Search Open Websites/Domains: Social Media
  240. Steal or Forge Kerberos Tickets: Silver Ticket
  241. Modify Authentication Process: Pluggable Authentication Modules
  242. Create Account: Cloud Account
  243. Subvert Trust Controls
  244. Impair Defenses: Disable or Modify Tools
  245. Deploy Container
  246. Ingress Tool Transfer
  247. Boot or Logon Autostart Execution: Shortcut Modification
  248. Stage Capabilities
  249. Hide Artifacts: Hidden Files and Directories
  250. Web Service
  251. Web Service: Dead Drop Resolver
  252. Forge Web Credentials
  253. Scheduled Task/Job: Scheduled Task
  254. Data Obfuscation: Steganography
  255. Native API
  256. Deobfuscate/Decode Files or Information
  257. XSL Script Processing
  258. Resource Hijacking: SMS Pumping
  259. Access Token Manipulation: Token Impersonation/Theft
  260. Establish Accounts: Social Media Accounts
  261. Stage Capabilities: Upload Malware
  262. Group Policy Discovery
  263. Obtain Capabilities: Vulnerabilities
  264. Data Staged: Local Data Staging
  265. Data Encoding: Standard Encoding
  266. Remote Services
  267. Acquire Infrastructure: DNS Server
  268. Remote Services: Remote Desktop Protocol
  269. External Remote Services
  270. Forge Web Credentials: SAML Tokens
  271. Search Open Websites/Domains: Search Engines
  272. Subvert Trust Controls: Gatekeeper Bypass
  273. Software Deployment Tools
  274. System Binary Proxy Execution: Electron Applications
  275. Data Destruction: Lifecycle-Triggered Deletion
  276. Event Triggered Execution: Windows Management Instrumentation Event Subscription
  277. Remote Service Session Hijacking
  278. Phishing for Information: Spearphishing Link
  279. Network Share Discovery
  280. Data from Cloud Storage
  281. Domain Trust Discovery
  282. System Services
  283. Container and Resource Discovery
  284. Plist File Modification
  285. Event Triggered Execution: PowerShell Profile
  286. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  287. Indicator Removal
  288. Search Open Technical Databases: Scan Databases
  289. Account Discovery
  290. System Time Discovery
  291. Create or Modify System Process: Launch Daemon
  292. Inter-Process Communication
  293. Adversary-in-the-Middle
  294. System Binary Proxy Execution: InstallUtil
  295. Supply Chain Compromise: Compromise Hardware Supply Chain
  296. Rootkit
  297. Modify Authentication Process: Domain Controller Authentication
  298. Data from Removable Media
  299. Cloud Infrastructure Discovery
  300. Valid Accounts: Cloud Accounts
  301. Modify Cloud Compute Infrastructure: Create Snapshot
  302. Establish Accounts
  303. Acquire Infrastructure
  304. Input Capture: Keylogging
  305. Credentials from Password Stores: Cloud Secrets Management Stores
  306. Dynamic Resolution: Domain Generation Algorithms
  307. Process Injection: Dynamic-link Library Injection
  308. Impair Defenses: Disable or Modify Cloud Firewall
  309. Unsecured Credentials: Private Keys
  310. System Shutdown/Reboot
  311. Remote Services: Direct Cloud VM Connections
  312. Exfiltration Over Physical Medium: Exfiltration over USB
  313. Brute Force: Credential Stuffing
  314. Escape to Host
  315. Access Token Manipulation: SID-History Injection
  316. Compromise Infrastructure: Network Devices
  317. Resource Hijacking: Bandwidth Hijacking
  318. Process Injection: Process Doppelgänging
  319. Active Scanning: Wordlist Scanning
  320. Modify System Image: Patch System Image
  321. Command and Scripting Interpreter: JavaScript
  322. Impair Defenses: Downgrade Attack
  323. Endpoint Denial of Service
  324. Network Sniffing
  325. Gather Victim Host Information: Hardware
  326. Hijack Execution Flow: Path Interception by Search Order Hijacking
  327. Phishing for Information: Spearphishing Voice
  328. Impair Defenses: Disable or Modify Cloud Logs
  329. Network Denial of Service
  330. Server Software Component: Web Shell
  331. Event Triggered Execution: Emond
  332. Steal or Forge Kerberos Tickets
  333. Data Encoding: Non-Standard Encoding
  334. Disk Wipe: Disk Content Wipe
  335. Replication Through Removable Media
  336. Credentials from Password Stores
  337. Indicator Removal: Network Share Connection Removal
  338. Office Application Startup: Outlook Home Page
  339. Process Injection: Portable Executable Injection
  340. Create or Modify System Process
  341. Credentials from Password Stores: Keychain
  342. Proxy
  343. Hijack Execution Flow: Executable Installer File Permissions Weakness
  344. Cloud Storage Object Discovery
  345. Gather Victim Identity Information: Employee Names
  346. Command and Scripting Interpreter: Visual Basic
  347. Pre-OS Boot: Component Firmware
  348. Obtain Capabilities: Artificial Intelligence
  349. Acquire Infrastructure: Web Services
  350. Command and Scripting Interpreter: AppleScript
  351. Boot or Logon Autostart Execution: Kernel Modules and Extensions
  352. Account Manipulation: Additional Cloud Roles
  353. Hide Infrastructure
  354. Indicator Removal: Clear Command History
  355. Boot or Logon Initialization Scripts: Network Logon Script
  356. Encrypted Channel
  357. Brute Force
  358. Hide Artifacts: Hidden Window
  359. Create or Modify System Process: Launch Agent
  360. Archive Collected Data
  361. Account Discovery: Email Account
  362. Pre-OS Boot: TFTP Boot
  363. Steal or Forge Kerberos Tickets: Golden Ticket
  364. Event Triggered Execution: Component Object Model Hijacking
  365. Obtain Capabilities: Tool
  366. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  367. Proxy: Internal Proxy
  368. Boot or Logon Autostart Execution: Re-opened Applications
  369. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  370. Gather Victim Org Information: Determine Physical Locations
  371. Impersonation
  372. Brute Force: Password Spraying
  373. Obfuscated Files or Information: Steganography
  374. File and Directory Permissions Modification
  375. Credentials from Password Stores: Credentials from Web Browsers
  376. Steal or Forge Kerberos Tickets: AS-REP Roasting
  377. Account Manipulation: Additional Cloud Credentials
  378. System Binary Proxy Execution: CMSTP
  379. Data from Information Repositories: Customer Relationship Management Software
  380. Modify Cloud Compute Infrastructure: Delete Cloud Instance
  381. Use Alternate Authentication Material: Pass the Hash
  382. Compromise Accounts: Cloud Accounts
  383. Office Application Startup: Office Test
  384. Command and Scripting Interpreter: Unix Shell
  385. Access Token Manipulation: Make and Impersonate Token
  386. Search Closed Sources: Threat Intel Vendors
  387. Boot or Logon Autostart Execution: LSASS Driver
  388. Hijack Execution Flow
  389. Subvert Trust Controls: SIP and Trust Provider Hijacking
  390. Non-Application Layer Protocol
  391. System Script Proxy Execution
  392. Server Software Component: IIS Components
  393. Search Open Technical Databases: CDNs
  394. Compromise Infrastructure: Domains
  395. Modify Cloud Resource Hierarchy
  396. Data from Information Repositories: Messaging Applications
  397. OS Credential Dumping: Cached Domain Credentials
  398. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  399. Remote Services: Windows Remote Management
  400. Obtain Capabilities: Digital Certificates
  401. Gather Victim Identity Information: Email Addresses
  402. Direct Volume Access
  403. Compromise Infrastructure: Virtual Private Server
  404. Scheduled Task/Job
  405. Boot or Logon Autostart Execution
  406. Search Closed Sources: Purchase Technical Data
  407. Process Injection: Asynchronous Procedure Call
  408. Pre-OS Boot: System Firmware
  409. Web Service: Bidirectional Communication
  410. Impair Defenses: Spoof Security Alerting
  411. Phishing
  412. Web Service: One-Way Communication
  413. Data Obfuscation: Protocol or Service Impersonation
  414. Hijack Execution Flow: DLL Search Order Hijacking
  415. Unsecured Credentials: Bash History
  416. Execution Guardrails
  417. Remote Access Software
  418. Event Triggered Execution: Image File Execution Options Injection
  419. Develop Capabilities: Code Signing Certificates
  420. Exfiltration Over Web Service: Exfiltration to Code Repository
  421. Proxy: External Proxy
  422. Credentials from Password Stores: Password Managers
  423. Hide Artifacts: Hidden File System
  424. Scheduled Task/Job: Cron
  425. Account Manipulation: Device Registration
  426. Trusted Developer Utilities Proxy Execution
  427. Impair Defenses
  428. Credentials from Password Stores: Windows Credential Manager
  429. Account Access Removal
  430. Adversary-in-the-Middle: Evil Twin
  431. Browser Information Discovery
  432. Remote Services: VNC
  433. Modify Registry
  434. Implant Internal Image
  435. Masquerading: Masquerade File Type
  436. Event Triggered Execution: AppInit DLLs
  437. System Binary Proxy Execution: Regsvcs/Regasm
  438. Server Software Component
  439. Remote Services: Cloud Services
  440. Pre-OS Boot: ROMMONkit
  441. Stage Capabilities: SEO Poisoning
  442. Automated Exfiltration
  443. Trusted Developer Utilities Proxy Execution: MSBuild
  444. System Network Configuration Discovery: Wi-Fi Discovery
  445. Phishing: Spearphishing Voice
  446. Account Manipulation
  447. Hijack Execution Flow: COR_PROFILER
  448. Create or Modify System Process: Windows Service
  449. Subvert Trust Controls: Install Root Certificate
  450. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  451. Gather Victim Host Information: Software
  452. Data from Information Repositories
  453. Template Injection
  454. Office Application Startup: Office Template Macros
  455. Office Application Startup: Outlook Forms
  456. Hide Artifacts: NTFS File Attributes
  457. Command and Scripting Interpreter: AutoHotKey & AutoIT
  458. System Binary Proxy Execution: Odbcconf
  459. Data Obfuscation: Junk Data
  460. Indicator Removal: Clear Persistence
  461. Inhibit System Recovery
  462. System Service Discovery
  463. Process Injection: Thread Local Storage
  464. Virtualization/Sandbox Evasion
  465. Obtain Capabilities: Malware
  466. System Binary Proxy Execution
  467. Server Software Component: Transport Agent
  468. Modify Cloud Compute Infrastructure: Revert Cloud Instance
  469. Scheduled Task/Job: At
  470. Boot or Logon Autostart Execution: Winlogon Helper DLL
  471. System Information Discovery
  472. Abuse Elevation Control Mechanism: TCC Manipulation
  473. OS Credential Dumping: LSASS Memory
  474. Application Layer Protocol: Mail Protocols
  475. Supply Chain Compromise
  476. Data Encrypted for Impact
  477. Access Token Manipulation
  478. Masquerading: Double File Extension
  479. Data from Information Repositories: Code Repositories
  480. Modify Cloud Compute Infrastructure: Create Cloud Instance
  481. Command and Scripting Interpreter
  482. Unsecured Credentials
  483. Masquerading: Invalid Code Signature
  484. Remote Service Session Hijacking: SSH Hijacking
  485. System Binary Proxy Execution: MMC
  486. Steal or Forge Kerberos Tickets: Ccache Files
  487. Indicator Removal: Clear Network Connection History and Configurations
  488. Process Discovery
  489. Event Triggered Execution: Screensaver
  490. Email Collection: Local Email Collection
  491. Masquerading: Masquerade Account Name
  492. Weaken Encryption: Disable Crypto Hardware
  493. Indicator Removal: Clear Mailbox Data
  494. Obfuscated Files or Information: Indicator Removal from Tools
  495. Gather Victim Org Information: Business Relationships
  496. Access Token Manipulation: Parent PID Spoofing
  497. Process Injection: Ptrace System Calls
  498. System Binary Proxy Execution: Mshta
  499. Domain or Tenant Policy Modification: Group Policy Modification
  500. Application Layer Protocol: DNS
  501. Gather Victim Org Information
  502. Boot or Logon Initialization Scripts: Startup Items
  503. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  504. Event Triggered Execution: Installer Packages
  505. Hijack Execution Flow: Services Registry Permissions Weakness
  506. Acquire Infrastructure: Malvertising
  507. System Binary Proxy Execution: Rundll32
  508. Unsecured Credentials: Credentials in Registry
  509. Scheduled Transfer
  510. System Services: Service Execution
  511. Modify Authentication Process: Multi-Factor Authentication
  512. System Binary Proxy Execution: Verclsid
  513. Application Layer Protocol
  514. Subvert Trust Controls: Mark-of-the-Web Bypass
  516. Stage Capabilities: Drive-by Target
  517. Gather Victim Identity Information
  518. Permission Groups Discovery: Domain Groups
  519. Compromise Infrastructure: Botnet
  520. Traffic Signaling: Port Knocking
  521. Brute Force: Password Guessing
  522. Search Closed Sources
  523. Impair Defenses: Safe Mode Boot
  524. Boot or Logon Initialization Scripts
  525. Dynamic Resolution
  526. Permission Groups Discovery: Cloud Groups
  527. System Network Connections Discovery
  528. Phishing: Spearphishing via Service
  529. Data Manipulation: Transmitted Data Manipulation
  530. Inter-Process Communication: Dynamic Data Exchange
  531. Hijack Execution Flow: Dynamic Linker Hijacking
  532. Adversary-in-the-Middle: DHCP Spoofing
  533. Process Injection: ListPlanting
  534. Modify Authentication Process: Hybrid Identity
  535. Gather Victim Identity Information: Credentials
  536. Adversary-in-the-Middle: ARP Cache Poisoning
  537. User Execution: Malicious File
  538. Command and Scripting Interpreter: Lua
  539. Inter-Process Communication: Component Object Model
  540. Abuse Elevation Control Mechanism: Bypass User Account Control
  541. Clipboard Data
  542. Stage Capabilities: Install Digital Certificate
  543. Modify Cloud Compute Infrastructure
  544. User Execution: Malicious Image
  545. Device Driver Discovery
  546. Hide Artifacts: VBA Stomping
  547. Hijack Execution Flow: Path Interception by Unquoted Path
  548. Create Account: Domain Account
  549. Exploit Public-Facing Application
  550. Create Account
  551. Software Discovery: Security Software Discovery
  552. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
  553. Event Triggered Execution: Application Shimming
  554. Input Capture: Web Portal Capture
  555. Data Obfuscation
  556. Command and Scripting Interpreter: Network Device CLI
  557. Exfiltration Over Alternative Protocol
  558. Indicator Removal: File Deletion
  559. Boot or Logon Autostart Execution: Security Support Provider
  560. Boot or Logon Autostart Execution: XDG Autostart Entries
  561. Virtualization/Sandbox Evasion: Time Based Evasion
  562. Modify Authentication Process: Network Device Authentication
  563. Unsecured Credentials: Container API
  564. Virtualization/Sandbox Evasion: User Activity Based Checks
  565. Hide Artifacts: Email Hiding Rules
  566. Obfuscated Files or Information: Fileless Storage
  567. Transfer Data to Cloud Account
  568. Active Scanning: Scanning IP Blocks
  569. Process Injection
  570. Process Injection: Thread Execution Hijacking
  571. Obfuscated Files or Information: Binary Padding
  572. Hide Artifacts: Process Argument Spoofing
  573. Process Injection: VDSO Hijacking
  574. Command and Scripting Interpreter: PowerShell
  575. Office Application Startup: Add-ins
  576. Data Encoding
  577. Compromise Infrastructure: Web Services
  578. Process Injection: Process Hollowing
  579. Defacement: External Defacement
  580. Steal Application Access Token
  581. Remote Service Session Hijacking: RDP Hijacking
  582. Active Scanning
  583. Internal Spearphishing
  584. System Binary Proxy Execution: Regsvr32
  585. Unsecured Credentials: Cloud Instance Metadata API
  586. Input Capture: GUI Input Capture
  587. Endpoint Denial of Service: Application or System Exploitation
  588. Indicator Removal: Relocate Malware
  589. Data Manipulation: Stored Data Manipulation
  590. Event Triggered Execution: LC_LOAD_DYLIB Addition
  591. Server Software Component: Terminal Services DLL
  592. Create or Modify System Process: Systemd Service
  593. Scheduled Task/Job: Systemd Timers
  594. System Script Proxy Execution: SyncAppvPublishingServer
  595. Gather Victim Network Information: Network Topology
  596. Exploitation for Client Execution
  597. Exfiltration Over Other Network Medium
  598. Brute Force: Password Cracking
  599. Windows Management Instrumentation
  600. Shared Modules
  601. System Binary Proxy Execution: Compiled HTML File
  602. Weaken Encryption
  603. Boot or Logon Autostart Execution: Print Processors
  604. Remote Services: SSH
  605. Process Injection: Extra Window Memory Injection
  606. Modify Authentication Process
  607. Remote Services: SMB/Windows Admin Shares
  608. Password Policy Discovery
  609. Compromise Infrastructure: DNS Server
  610. Phishing: Spearphishing Link
  611. System Network Configuration Discovery
  612. Proxy: Multi-hop Proxy
  613. Abuse Elevation Control Mechanism: Setuid and Setgid
  614. Gather Victim Org Information: Identify Business Tempo
  615. Unsecured Credentials: Chat Messages
  616. Valid Accounts: Default Accounts
  617. Active Scanning: Vulnerability Scanning
  618. OS Credential Dumping: DCSync
  619. Command and Scripting Interpreter: Cloud API
  620. Gather Victim Network Information: IP Addresses
  621. Rogue Domain Controller
  622. Hide Artifacts: Hidden Users
  623. Exfiltration Over Web Service: Exfiltration to Cloud Storage
  624. Automated Collection
  625. Endpoint Denial of Service: Service Exhaustion Flood
  626. System Binary Proxy Execution: Mavinject
  627. Data Staged: Remote Data Staging
  628. Peripheral Device Discovery
  629. Compromise Infrastructure: Serverless
  630. Resource Hijacking: Compute Hijacking
  631. Stage Capabilities: Link Target
  632. Remote Services: Distributed Component Object Model
  633. Defacement: Internal Defacement
  634. Modify Authentication Process: Conditional Access Policies
  635. Archive Collected Data: Archive via Library
  636. Boot or Logon Initialization Scripts: RC Scripts
  637. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  638. Valid Accounts: Domain Accounts
  639. Steal Web Session Cookie
  640. File and Directory Discovery
  641. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
  642. Exfiltration Over Physical Medium
  643. Compromise Host Software Binary
  644. Boot or Logon Initialization Scripts: Login Hook
  645. Endpoint Denial of Service: Application Exhaustion Flood
  646. Masquerading: Space after Filename
  647. Gather Victim Host Information: Firmware
  648. Gather Victim Host Information
  649. Data from Configuration Repository: SNMP (MIB Dump)
  650. Traffic Signaling: Socket Filters
  651. Endpoint Denial of Service: OS Exhaustion Flood
  652. Subvert Trust Controls: Code Signing
  653. Data from Local System
  654. Video Capture
  655. Acquire Infrastructure: Botnet
  656. Domain or Tenant Policy Modification: Trust Modification
  657. Obfuscated Files or Information: Encrypted/Encoded File