MITRE ATT&CK Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.

Format: Size

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

Automated Collection
Exfiltration Over Web Service
Obfuscated Files or Information: Encrypted/Encoded File
Remote Service Session Hijacking: SSH Hijacking
Remote Services: Windows Remote Management
Pre-OS Boot: Bootkit
Boot or Logon Initialization Scripts
Masquerading: Space after Filename
Command and Scripting Interpreter: PowerShell
Hide Artifacts: Resource Forking
Scheduled Transfer
Hide Artifacts: Hidden Users
Process Injection: Portable Executable Injection
Gather Victim Host Information: Software
Modify System Image: Patch System Image
Container Administration Command
Web Service
Obfuscated Files or Information: Steganography
Compromise Infrastructure: Serverless
Modify Authentication Process: Multi-Factor Authentication
Boot or Logon Autostart Execution: Print Processors
Obtain Capabilities: Malware
Boot or Logon Autostart Execution: Active Setup
Steal or Forge Kerberos Tickets: AS-REP Roasting
Boot or Logon Autostart Execution: Login Items
Compromise Accounts: Cloud Accounts
Gather Victim Identity Information: Employee Names
Account Manipulation: Additional Cloud Roles
System Network Connections Discovery
Establish Accounts: Cloud Accounts
Hijack Execution Flow: Dynamic Linker Hijacking
Firmware Corruption
User Execution: Malicious Image
Template Injection
Archive Collected Data: Archive via Custom Method
Impersonation
System Location Discovery
Network Boundary Bridging: Network Address Translation Traversal
Endpoint Denial of Service: Application Exhaustion Flood
Steal Web Session Cookie
Direct Volume Access
Compromise Infrastructure: Virtual Private Server
System Shutdown/Reboot
Content Injection
Office Application Startup: Add-ins
Weaken Encryption: Reduce Key Space
Command and Scripting Interpreter: JavaScript
Office Application Startup: Outlook Home Page
Taint Shared Content
Access Token Manipulation
Remote Service Session Hijacking
Process Injection: VDSO Hijacking
Escape to Host
Input Capture: Web Portal Capture
Command and Scripting Interpreter: AppleScript
Audio Capture
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Virtualization/Sandbox Evasion
Masquerading: Match Legitimate Name or Location
Impair Defenses: Disable Windows Event Logging
Command and Scripting Interpreter: Windows Command Shell
Phishing: Spearphishing Link
Application Layer Protocol
System Service Discovery
Data Staged: Remote Data Staging
Indicator Removal: Clear Mailbox Data
Pre-OS Boot: TFTP Boot
Adversary-in-the-Middle
Exfiltration Over Web Service: Exfiltration to Code Repository
Boot or Logon Initialization Scripts: Startup Items
Boot or Logon Autostart Execution: Re-opened Applications
Event Triggered Execution: Accessibility Features
System Script Proxy Execution
Unsecured Credentials: Private Keys
Process Injection: Dynamic-link Library Injection
Phishing for Information: Spearphishing Attachment
Obfuscated Files or Information: Polymorphic Code
Data Manipulation: Transmitted Data Manipulation
Hardware Additions
Compromise Infrastructure: Web Services
System Binary Proxy Execution: Verclsid
Indicator Removal: Network Share Connection Removal
Web Service: Dead Drop Resolver
Acquire Infrastructure: Serverless
Obfuscated Files or Information: Stripped Payloads
Resource Hijacking: SMS Pumping
Data from Information Repositories: Sharepoint
Modify Cloud Compute Infrastructure
Office Application Startup: Office Template Macros
Network Denial of Service: Reflection Amplification
Network Denial of Service
System Binary Proxy Execution: Odbcconf
Impair Defenses: Spoof Security Alerting
Hijack Execution Flow: KernelCallbackTable
External Remote Services
Brute Force: Password Cracking
Exfiltration Over C2 Channel
Communication Through Removable Media
System Binary Proxy Execution: InstallUtil
Proxy: Multi-hop Proxy
Account Access Removal
User Execution: Malicious Link
Remote Services: Remote Desktop Protocol
Hijack Execution Flow: DLL Side-Loading
Create Account: Cloud Account
Domain Trust Discovery
Shared Modules
Serverless Execution
Modify Cloud Compute Infrastructure: Create Snapshot
Boot or Logon Initialization Scripts: Logon Script (Windows)
Virtualization/Sandbox Evasion: System Checks
Account Discovery: Email Account
Active Scanning: Vulnerability Scanning
Plist File Modification
Acquire Infrastructure: DNS Server
Boot or Logon Autostart Execution: Authentication Package
Modify Authentication Process: Conditional Access Policies
Obtain Capabilities
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Compromise Infrastructure: DNS Server
Search Open Technical Databases
Scheduled Task/Job
Data from Removable Media
Process Injection: Thread Local Storage
Resource Hijacking: Compute Hijacking
Hide Artifacts: Hidden File System
File and Directory Permissions Modification
Search Open Websites/Domains
OS Credential Dumping: NTDS
Scheduled Task/Job: Cron
Boot or Logon Initialization Scripts: Login Hook
Account Manipulation
Application Layer Protocol: File Transfer Protocols
Event Triggered Execution: Change Default File Association
Subvert Trust Controls: SIP and Trust Provider Hijacking
Data Encoding: Non-Standard Encoding
BITS Jobs
Obtain Capabilities: Artificial Intelligence
Gather Victim Org Information
Input Capture
Establish Accounts: Email Accounts
Automated Exfiltration
XSL Script Processing
Resource Hijacking: Bandwidth Hijacking
Valid Accounts: Domain Accounts
Acquire Infrastructure: Domains
Event Triggered Execution: LC_LOAD_DYLIB Addition
Email Collection: Remote Email Collection
Execution Guardrails
Proxy: Domain Fronting
Phishing
Pre-OS Boot
Office Application Startup: Outlook Rules
Exploitation of Remote Services
Weaken Encryption
Exfiltration Over Physical Medium: Exfiltration over USB
Gather Victim Network Information: Network Trust Dependencies
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Unused/Unsupported Cloud Regions
Obfuscated Files or Information: Compile After Delivery
Scheduled Task/Job: Container Orchestration Job
Gather Victim Network Information: Domain Properties
Network Service Discovery
Software Discovery
Data Obfuscation: Steganography
Server Software Component: Transport Agent
Email Collection
Adversary-in-the-Middle: DHCP Spoofing
Server Software Component: IIS Components
Impair Defenses: Disable or Modify Linux Audit System
Implant Internal Image
Scheduled Task/Job: At
Multi-Factor Authentication Interception
Stage Capabilities: SEO Poisoning
System Binary Proxy Execution: Regsvr32
Process Injection
Defacement: Internal Defacement
System Location Discovery: System Language Discovery
Phishing: Spearphishing Voice
Search Victim-Owned Websites
Event Triggered Execution: Udev Rules
Data from Configuration Repository: Network Device Configuration Dump
Compromise Infrastructure: Server
Credentials from Password Stores: Password Managers
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Data Manipulation
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Stage Capabilities: Upload Malware
Data from Information Repositories: Customer Relationship Management Software
System Binary Proxy Execution: Mshta
Proxy: Internal Proxy
Remote Services: Distributed Component Object Model
Forge Web Credentials: Web Cookies
Abuse Elevation Control Mechanism: Bypass User Account Control
Phishing for Information: Spearphishing Link
Hide Artifacts: Hidden Files and Directories
Log Enumeration
Data Staged
Hide Artifacts: Email Hiding Rules
Valid Accounts: Local Accounts
Trusted Relationship
System Binary Proxy Execution
Input Capture: Credential API Hooking
Use Alternate Authentication Material: Web Session Cookie
Obtain Capabilities: Vulnerabilities
System Information Discovery
Stage Capabilities: Link Target
Valid Accounts: Cloud Accounts
Use Alternate Authentication Material: Pass the Hash
Cloud Service Discovery
Gather Victim Network Information
Steal or Forge Kerberos Tickets
Permission Groups Discovery: Domain Groups
Abuse Elevation Control Mechanism
Gather Victim Host Information: Client Configurations
Hide Artifacts: Process Argument Spoofing
Exfiltration Over Alternative Protocol
Financial Theft
Establish Accounts
Account Discovery
System Binary Proxy Execution: Compiled HTML File
OS Credential Dumping: /etc/passwd and /etc/shadow
Modify Registry
Modify Authentication Process: Network Provider DLL
Unsecured Credentials: Bash History
Gather Victim Org Information: Business Relationships
Dynamic Resolution: DNS Calculation
Remote System Discovery
Command and Scripting Interpreter: Python
Account Discovery: Domain Account
Phishing for Information
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Compromise Infrastructure: Domains
Credentials from Password Stores: Cloud Secrets Management Stores
Brute Force: Password Guessing
Endpoint Denial of Service: Application or System Exploitation
Compromise Accounts
Input Capture: Keylogging
Stage Capabilities
Phishing for Information: Spearphishing Service
System Network Configuration Discovery: Internet Connection Discovery
Encrypted Channel
Brute Force: Password Spraying
Unsecured Credentials: Chat Messages
Data Obfuscation: Junk Data
Impair Defenses: Impair Command History Logging
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Exfiltration Over Physical Medium
Web Service: One-Way Communication
Non-Standard Port
Office Application Startup
Modify Authentication Process: Pluggable Authentication Modules
Boot or Logon Autostart Execution: Time Providers
Masquerading
Cloud Administration Command
Remote Services: SMB/Windows Admin Shares
Subvert Trust Controls: Code Signing
Encrypted Channel: Asymmetric Cryptography
Clipboard Data
System Network Configuration Discovery
Data from Local System
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Access Token Manipulation: Make and Impersonate Token
Gather Victim Host Information
Stage Capabilities: Upload Tool
Permission Groups Discovery
Impair Defenses: Disable or Modify Cloud Firewall
Execution Guardrails: Mutual Exclusion
Gather Victim Network Information: Network Security Appliances
Browser Session Hijacking
Event Triggered Execution
Resource Hijacking: Cloud Service Hijacking
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Hijack Execution Flow: Path Interception by Search Order Hijacking
Event Triggered Execution: AppInit DLLs
Modify Authentication Process: Hybrid Identity
System Services: Service Execution
Obtain Capabilities: Exploits
Impair Defenses: Downgrade Attack
Impair Defenses: Indicator Blocking
Use Alternate Authentication Material: Application Access Token
Obfuscated Files or Information
Indirect Command Execution
Credentials from Password Stores
Browser Extensions
Process Injection: Extra Window Memory Injection
Domain or Tenant Policy Modification
Search Open Technical Databases: WHOIS
Reflective Code Loading
Obtain Capabilities: Digital Certificates
Event Triggered Execution: Component Object Model Hijacking
File and Directory Discovery
Search Open Websites/Domains: Social Media
Server Software Component: Web Shell
Event Triggered Execution: Installer Packages
Execution Guardrails: Environmental Keying
Access Token Manipulation: Parent PID Spoofing
Develop Capabilities: Exploits
Impair Defenses: Disable or Modify Cloud Logs
System Script Proxy Execution: PubPrn
Remote Services: VNC
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Debugger Evasion
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Masquerading: Double File Extension
Protocol Tunneling
Create Account: Local Account
OS Credential Dumping: LSASS Memory
Masquerading: Break Process Trees
Compromise Accounts: Email Accounts
System Binary Proxy Execution: Control Panel
Endpoint Denial of Service: Service Exhaustion Flood
System Script Proxy Execution: SyncAppvPublishingServer
Data Encrypted for Impact
Resource Hijacking
Defacement: External Defacement
Command and Scripting Interpreter: AutoHotKey & AutoIT
Masquerading: Rename System Utilities
Rogue Domain Controller
Pre-OS Boot: ROMMONkit
Domain or Tenant Policy Modification: Trust Modification
Exploitation for Defense Evasion
Unsecured Credentials: Group Policy Preferences
Acquire Infrastructure
Acquire Infrastructure: Botnet
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Modify System Image
User Execution: Malicious File
Obfuscated Files or Information: Software Packing
Exfiltration Over Other Network Medium
Cloud Service Dashboard
Event Triggered Execution: Emond
Event Triggered Execution: Screensaver
Stage Capabilities: Drive-by Target
Command and Scripting Interpreter: Visual Basic
Obfuscated Files or Information: Binary Padding
System Binary Proxy Execution: Regsvcs/Regasm
Web Service: Bidirectional Communication
Hide Artifacts: Hidden Window
Search Open Technical Databases: Scan Databases
Acquire Infrastructure: Server
Masquerading: Masquerade File Type
Weaken Encryption: Disable Crypto Hardware
Archive Collected Data: Archive via Library
Boot or Logon Autostart Execution
Impair Defenses: Disable or Modify Tools
Password Policy Discovery
Hide Artifacts
Network Share Discovery
Gather Victim Identity Information: Credentials
Hijack Execution Flow
Use Alternate Authentication Material
Network Boundary Bridging
Steal or Forge Kerberos Tickets: Golden Ticket
Multi-Factor Authentication Request Generation
Transfer Data to Cloud Account
Account Manipulation: Additional Email Delegate Permissions
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Proxy: External Proxy
Unsecured Credentials: Container API
Subvert Trust Controls: Code Signing Policy Modification
Command and Scripting Interpreter: Cloud API
Compromise Infrastructure: Botnet
Proxy
Unsecured Credentials: Credentials in Registry
Create Account: Domain Account
Traffic Signaling: Socket Filters
Phishing: Spearphishing via Service
Video Capture
Modify Cloud Compute Infrastructure: Create Cloud Instance
Process Injection: ListPlanting
Credentials from Password Stores: Credentials from Web Browsers
Process Injection: Proc Memory
Build Image on Host
Email Collection: Email Forwarding Rule
Modify Authentication Process
Power Settings
Active Scanning: Wordlist Scanning
Network Sniffing
Hijack Execution Flow: Path Interception by PATH Environment Variable
Boot or Logon Autostart Execution: Security Support Provider
Develop Capabilities: Code Signing Certificates
Traffic Signaling: Port Knocking
Server Software Component
Data from Information Repositories
Data from Configuration Repository
Develop Capabilities: Digital Certificates
Indicator Removal: Relocate Malware
Search Closed Sources: Purchase Technical Data
Remote Access Software
Endpoint Denial of Service: OS Exhaustion Flood
Create or Modify System Process: Systemd Service
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Disk Wipe: Disk Content Wipe
Hijack Execution Flow: Services Registry Permissions Weakness
Indicator Removal: Clear Linux or Mac System Logs
Inter-Process Communication
Pre-OS Boot: System Firmware
Event Triggered Execution: Trap
Data Encoding: Standard Encoding
Exploitation for Credential Access
Event Triggered Execution: PowerShell Profile
Create Account
Adversary-in-the-Middle: ARP Cache Poisoning
Account Manipulation: SSH Authorized Keys
Compromise Accounts: Social Media Accounts
Defacement
Boot or Logon Autostart Execution: LSASS Driver
Adversary-in-the-Middle: Evil Twin
Unsecured Credentials: Credentials In Files
Data from Configuration Repository: SNMP (MIB Dump)
Traffic Signaling
Supply Chain Compromise: Compromise Software Supply Chain
Inter-Process Communication: Dynamic Data Exchange
System Time Discovery
Search Closed Sources: Threat Intel Vendors
Indicator Removal: Clear Command History
System Services: Launchctl
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
System Binary Proxy Execution: CMSTP
Hijack Execution Flow: Services File Permissions Weakness
Data Staged: Local Data Staging
Active Scanning
Dynamic Resolution: Domain Generation Algorithms
Software Discovery: Security Software Discovery
Hijack Execution Flow: Path Interception by Unquoted Path
Obfuscated Files or Information: Fileless Storage
Exploitation for Privilege Escalation
Obfuscated Files or Information: LNK Icon Smuggling
name
Dynamic Resolution
Boot or Logon Autostart Execution: XDG Autostart Entries
Group Policy Discovery
Phishing for Information: Spearphishing Voice
Hijack Execution Flow: DLL Search Order Hijacking
Impair Defenses: Safe Mode Boot
Compromise Infrastructure
Hide Infrastructure
Use Alternate Authentication Material: Pass the Ticket
Modify Authentication Process: Domain Controller Authentication
Network Denial of Service: Direct Network Flood
Obfuscated Files or Information: Command Obfuscation
Gather Victim Host Information: Hardware
Masquerading: Right-to-Left Override
Native API
Compromise Host Software Binary
Boot or Logon Autostart Execution: Winlogon Helper DLL
Develop Capabilities: Malware
Obtain Capabilities: Code Signing Certificates
Account Manipulation: Additional Cloud Credentials
Hide Artifacts: File/Path Exclusions
Boot or Logon Initialization Scripts: RC Scripts
Data Destruction: Lifecycle-Triggered Deletion
Abuse Elevation Control Mechanism: TCC Manipulation
Hijack Execution Flow: AppDomainManager
Subvert Trust Controls: Install Root Certificate
System Binary Proxy Execution: Msiexec
Encrypted Channel: Symmetric Cryptography
Server Software Component: Terminal Services DLL
Screen Capture
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Process Injection: Process Doppelgänging
Dynamic Resolution: Fast Flux DNS
Account Manipulation: Device Registration
Scheduled Task/Job: Systemd Timers
Permission Groups Discovery: Cloud Groups
Cloud Storage Object Discovery
Masquerading: Invalid Code Signature
Obfuscated Files or Information: Indicator Removal from Tools
System Binary Proxy Execution: MMC
Lateral Tool Transfer
Deploy Container
Application Layer Protocol: DNS
Multi-Stage Channels
Domain or Tenant Policy Modification: Group Policy Modification
Drive-by Compromise
Steal or Forge Authentication Certificates
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Gather Victim Host Information: Firmware
Windows Management Instrumentation
Data Destruction
System Network Configuration Discovery: Wi-Fi Discovery
Search Open Technical Databases: Digital Certificates
Indicator Removal
Pre-OS Boot: Component Firmware
Data Manipulation: Runtime Data Manipulation
Valid Accounts
Account Manipulation: Additional Container Cluster Roles
Create or Modify System Process: Container Service
Gather Victim Identity Information: Email Addresses
Gather Victim Identity Information
Query Registry
Event Triggered Execution: AppCert DLLs
Search Open Websites/Domains: Code Repositories
Indicator Removal: Clear Persistence
OS Credential Dumping: Security Account Manager
Deobfuscate/Decode Files or Information
Establish Accounts: Social Media Accounts
Gather Victim Org Information: Identify Business Tempo
Boot or Logon Initialization Scripts: Network Logon Script
Hide Artifacts: Ignore Process Interrupts
Acquire Infrastructure: Web Services
Virtualization/Sandbox Evasion: Time Based Evasion
Unsecured Credentials
Boot or Logon Autostart Execution: Shortcut Modification
Steal or Forge Kerberos Tickets: Kerberoasting
Data from Information Repositories: Messaging Applications
Exploitation for Client Execution
Access Token Manipulation: SID-History Injection
Browser Information Discovery
Steal or Forge Kerberos Tickets: Ccache Files
Steal or Forge Kerberos Tickets: Silver Ticket
Indicator Removal: Timestomp
Modify Authentication Process: Reversible Encryption
Endpoint Denial of Service
Modify Authentication Process: Network Device Authentication
System Binary Proxy Execution: Mavinject
Event Triggered Execution: Unix Shell Configuration Modification
Supply Chain Compromise
Application Layer Protocol: Publish/Subscribe Protocols
Process Injection: Asynchronous Procedure Call
Scheduled Task/Job: Scheduled Task
Software Deployment Tools
Application Layer Protocol: Web Protocols
Impair Defenses: Disable or Modify System Firewall
Rootkit
System Owner/User Discovery
Brute Force: Credential Stuffing
OS Credential Dumping
Supply Chain Compromise: Compromise Hardware Supply Chain
Internal Spearphishing
Data from Information Repositories: Code Repositories
Exploit Public-Facing Application
Command and Scripting Interpreter
Archive Collected Data
Indicator Removal: File Deletion
Command and Scripting Interpreter: Network Device CLI
Service Stop
Command and Scripting Interpreter: Lua
User Execution
Create or Modify System Process: Launch Agent
Trusted Developer Utilities Proxy Execution: ClickOnce
Search Open Technical Databases: DNS/Passive DNS
Create or Modify System Process: Windows Service
Data Obfuscation
Search Closed Sources
Remote Services
Process Injection: Ptrace System Calls
Valid Accounts: Default Accounts
Brute Force
Subvert Trust Controls: Gatekeeper Bypass
Disk Wipe
Account Discovery: Cloud Account
Forge Web Credentials
Impair Defenses
System Services
Remote Services: Direct Cloud VM Connections
Remote Services: SSH
Data from Cloud Storage
Automated Exfiltration: Traffic Duplication
Command and Scripting Interpreter: Unix Shell
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Disk Wipe: Disk Structure Wipe
Hijack Execution Flow: Executable Installer File Permissions Weakness
OS Credential Dumping: Proc Filesystem
Email Collection: Local Email Collection
Modify System Image: Downgrade System Image
Acquire Infrastructure: Malvertising
OS Credential Dumping: DCSync
Hide Artifacts: Run Virtual Instance
Gather Victim Network Information: Network Topology
Cloud Infrastructure Discovery
Obfuscated Files or Information: HTML Smuggling
Gather Victim Org Information: Determine Physical Locations
Masquerading: Masquerade Task or Service
Data Obfuscation: Protocol or Service Impersonation
Credentials from Password Stores: Keychain
Ingress Tool Transfer
Process Discovery
Event Triggered Execution: Image File Execution Options Injection
Steal Application Access Token
Indicator Removal: Clear Network Connection History and Configurations
Masquerading: Masquerade Account Name
Forced Authentication
Credentials from Password Stores: Windows Credential Manager
Container and Resource Discovery
Replication Through Removable Media
Application Window Discovery
Event Triggered Execution: Application Shimming
Inhibit System Recovery
Data from Information Repositories: Confluence
Virtualization/Sandbox Evasion: User Activity Based Checks
Gather Victim Network Information: IP Addresses
Stage Capabilities: Install Digital Certificate
Account Discovery: Local Account
Application Layer Protocol: Mail Protocols
Permission Groups Discovery: Local Groups
Hijack Execution Flow: Dylib Hijacking
Search Open Websites/Domains: Search Engines
Fallback Channels
Device Driver Discovery
Create or Modify System Process: Launch Daemon
Create or Modify System Process
System Binary Proxy Execution: Electron Applications
Remote Services: Cloud Services
Unsecured Credentials: Cloud Instance Metadata API
OS Credential Dumping: LSA Secrets
Data Encoding
Modify Authentication Process: Password Filter DLL
Active Scanning: Scanning IP Blocks
Indicator Removal: Clear Windows Event Logs
Obtain Capabilities: Tool
OS Credential Dumping: Cached Domain Credentials
Hide Artifacts: VBA Stomping
Forge Web Credentials: SAML Tokens
Input Capture: GUI Input Capture
Event Triggered Execution: Netsh Helper DLL
Process Injection: Process Hollowing
Inter-Process Communication: Component Object Model
Gather Victim Network Information: DNS
Develop Capabilities
Trusted Developer Utilities Proxy Execution: MSBuild
Gather Victim Org Information: Identify Roles
Subvert Trust Controls
Hijack Execution Flow: COR_PROFILER
Acquire Infrastructure: Virtual Private Server
Peripheral Device Discovery
Account Manipulation: Additional Local or Domain Groups
Data Manipulation: Stored Data Manipulation
Boot or Logon Autostart Execution: Port Monitors
Inter-Process Communication: XPC Services
Trusted Developer Utilities Proxy Execution
Remote Service Session Hijacking: RDP Hijacking
Modify Cloud Resource Hierarchy
Hide Artifacts: NTFS File Attributes
Server Software Component: SQL Stored Procedures
Access Token Manipulation: Token Impersonation/Theft
Phishing: Spearphishing Attachment
Credentials from Password Stores: Securityd Memory
Acquire Access
System Binary Proxy Execution: Rundll32
Non-Application Layer Protocol
Abuse Elevation Control Mechanism: Setuid and Setgid
Search Open Technical Databases: CDNs
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Obfuscated Files or Information: Embedded Payloads
Subvert Trust Controls: Mark-of-the-Web Bypass
Obfuscated Files or Information: Dynamic API Resolution
Exfiltration Over Web Service: Exfiltration Over Webhook
Compromise Infrastructure: Network Devices
Access Token Manipulation: Create Process with Token
Process Injection: Thread Execution Hijacking
Data from Network Shared Drive
Office Application Startup: Office Test
Archive Collected Data: Archive via Utility
Office Application Startup: Outlook Forms
Data Transfer Size Limits