Unsecured Credentials: Chat Messages
Application Layer Protocol
Server Software Component
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Process Injection: Thread Execution Hijacking
Search Open Websites/Domains: Social Media
Virtualization/Sandbox Evasion
Gather Victim Network Information: DNS
Stage Capabilities: SEO Poisoning
Unsecured Credentials: Credentials In Files
Archive Collected Data: Archive via Custom Method
Container Administration Command
Acquire Infrastructure: Domains
Subvert Trust Controls: SIP and Trust Provider Hijacking
Steal Web Session Cookie
Obtain Capabilities
Event Triggered Execution: Udev Rules
Adversary-in-the-Middle: DHCP Spoofing
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Obfuscated Files or Information: Steganography
Steal or Forge Kerberos Tickets: Silver Ticket
Execution Guardrails
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Forced Authentication
Obtain Capabilities: Tool
Event Triggered Execution: PowerShell Profile
Brute Force: Password Guessing
Abuse Elevation Control Mechanism: Setuid and Setgid
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Stage Capabilities: Drive-by Target
Hide Artifacts: Hidden Users
Account Discovery: Email Account
Remote Service Session Hijacking: SSH Hijacking
Command and Scripting Interpreter: PowerShell
User Execution
System Shutdown/Reboot
Valid Accounts: Domain Accounts
Account Manipulation: SSH Authorized Keys
Process Injection: Portable Executable Injection
Modify Authentication Process: Pluggable Authentication Modules
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Gather Victim Identity Information: Email Addresses
Query Registry
Input Capture: Web Portal Capture
Use Alternate Authentication Material: Web Session Cookie
Search Closed Sources: Purchase Technical Data
Resource Hijacking: Bandwidth Hijacking
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Acquire Infrastructure: Virtual Private Server
Cloud Infrastructure Discovery
Obfuscated Files or Information: Dynamic API Resolution
Application Layer Protocol: Mail Protocols
Dynamic Resolution
Account Access Removal
Event Triggered Execution: Installer Packages
Data Obfuscation: Junk Data
Remote Services: Cloud Services
Adversary-in-the-Middle
Acquire Infrastructure: DNS Server
Scheduled Task/Job
Scheduled Task/Job: Systemd Timers
Boot or Logon Autostart Execution: Login Items
Scheduled Transfer
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
System Binary Proxy Execution: Verclsid
Audio Capture
Defacement: External Defacement
Access Token Manipulation: Parent PID Spoofing
Brute Force: Password Spraying
Acquire Infrastructure: Malvertising
Software Discovery: Security Software Discovery
Stage Capabilities
Abuse Elevation Control Mechanism
Obfuscated Files or Information: LNK Icon Smuggling
Modify Authentication Process: Network Provider DLL
Compromise Accounts: Email Accounts
Gather Victim Network Information: Network Trust Dependencies
Acquire Infrastructure: Server
Credentials from Password Stores: Credentials from Web Browsers
Disk Wipe
Modify Authentication Process: Multi-Factor Authentication
Inter-Process Communication: Dynamic Data Exchange
Ingress Tool Transfer
Data from Configuration Repository
Data Manipulation: Stored Data Manipulation
Inhibit System Recovery
Input Capture: Credential API Hooking
Deploy Container
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Data Obfuscation
Hijack Execution Flow: Path Interception by Unquoted Path
User Execution: Malicious Link
System Binary Proxy Execution
Phishing: Spearphishing Link
Hide Artifacts: VBA Stomping
Data from Local System
Network Sniffing
Compromise Infrastructure: Serverless
Indirect Command Execution
Template Injection
Trusted Relationship
Application Layer Protocol: DNS
Credentials from Password Stores: Windows Credential Manager
System Script Proxy Execution: SyncAppvPublishingServer
Exploit Public-Facing Application
Fallback Channels
Indicator Removal: Clear Persistence
Server Software Component: Transport Agent
Office Application Startup: Outlook Rules
Modify Registry
Pre-OS Boot: TFTP Boot
Event Triggered Execution: Emond
Office Application Startup: Outlook Home Page
Modify Cloud Compute Infrastructure
Non-Application Layer Protocol
Search Closed Sources: Threat Intel Vendors
Develop Capabilities: Digital Certificates
Encrypted Channel
Active Scanning: Vulnerability Scanning
Data from Information Repositories: Customer Relationship Management Software
Resource Hijacking
Masquerading: Break Process Trees
System Owner/User Discovery
Hide Artifacts: Hidden Files and Directories
Obtain Capabilities: Artificial Intelligence
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Access Token Manipulation
Unsecured Credentials: Bash History
Compromise Accounts
Impair Defenses
Command and Scripting Interpreter: Python
System Binary Proxy Execution: Regsvcs/Regasm
Obfuscated Files or Information: Stripped Payloads
System Binary Proxy Execution: Mshta
Firmware Corruption
Stage Capabilities: Install Digital Certificate
Hide Artifacts: Ignore Process Interrupts
Hijack Execution Flow: Dynamic Linker Hijacking
Impair Defenses: Downgrade Attack
Exploitation for Credential Access
Search Open Technical Databases: WHOIS
Event Triggered Execution: Unix Shell Configuration Modification
Forge Web Credentials: SAML Tokens
Remote Service Session Hijacking: RDP Hijacking
Internal Spearphishing
Protocol Tunneling
Command and Scripting Interpreter: Lua
System Binary Proxy Execution: MMC
Unsecured Credentials: Private Keys
Process Injection
Establish Accounts
Develop Capabilities: Malware
System Services
Container and Resource Discovery
Network Share Discovery
Hijack Execution Flow: DLL Search Order Hijacking
Permission Groups Discovery: Domain Groups
Phishing
Communication Through Removable Media
Modify Cloud Resource Hierarchy
System Service Discovery
Proxy: Multi-hop Proxy
Steal or Forge Authentication Certificates
Process Injection: Asynchronous Procedure Call
OS Credential Dumping: LSA Secrets
Obfuscated Files or Information: Polymorphic Code
Credentials from Password Stores: Keychain
Hijack Execution Flow: Executable Installer File Permissions Weakness
Web Service: Dead Drop Resolver
Escape to Host
Pre-OS Boot: System Firmware
Valid Accounts: Local Accounts
Gather Victim Org Information
Masquerading: Rename System Utilities
Data from Network Shared Drive
Compromise Infrastructure: Botnet
System Binary Proxy Execution: Mavinject
Exfiltration Over Physical Medium: Exfiltration over USB
Automated Collection
Indicator Removal: Clear Windows Event Logs
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
OS Credential Dumping: Cached Domain Credentials
Endpoint Denial of Service
Steal Application Access Token
Boot or Logon Autostart Execution: Port Monitors
OS Credential Dumping: LSASS Memory
Credentials from Password Stores: Securityd Memory
Disk Wipe: Disk Structure Wipe
Dynamic Resolution: Domain Generation Algorithms
Masquerading: Masquerade Account Name
Hide Artifacts: NTFS File Attributes
Hijack Execution Flow: KernelCallbackTable
Obtain Capabilities: Exploits
Search Open Technical Databases: DNS/Passive DNS
System Location Discovery: System Language Discovery
Hide Artifacts: Process Argument Spoofing
Encrypted Channel: Symmetric Cryptography
Search Open Websites/Domains: Code Repositories
Network Boundary Bridging: Network Address Translation Traversal
System Location Discovery
System Script Proxy Execution: PubPrn
Adversary-in-the-Middle: Evil Twin
Search Open Technical Databases: Digital Certificates
Remote Services: Windows Remote Management
Traffic Signaling: Port Knocking
Masquerading: Right-to-Left Override
Steal or Forge Kerberos Tickets: Kerberoasting
Gather Victim Network Information
Command and Scripting Interpreter
Virtualization/Sandbox Evasion: System Checks
Create or Modify System Process: Container Service
Boot or Logon Initialization Scripts: Startup Items
Process Injection: Thread Local Storage
Steal or Forge Kerberos Tickets: Ccache Files
Unused/Unsupported Cloud Regions
System Binary Proxy Execution: Electron Applications
OS Credential Dumping: NTDS
Phishing for Information: Spearphishing Voice
Boot or Logon Initialization Scripts: RC Scripts
Process Injection: Dynamic-link Library Injection
Subvert Trust Controls: Mark-of-the-Web Bypass
Impair Defenses: Safe Mode Boot
Obfuscated Files or Information: Compile After Delivery
OS Credential Dumping
Indicator Removal: Network Share Connection Removal
Data Staged
Forge Web Credentials: Web Cookies
Create or Modify System Process: Launch Daemon
Plist File Modification
Application Window Discovery
Server Software Component: Web Shell
Browser Session Hijacking
Data Encoding: Non-Standard Encoding
Data Manipulation
Supply Chain Compromise
Hijack Execution Flow: Services Registry Permissions Weakness
Modify Authentication Process: Password Filter DLL
Brute Force: Password Cracking
Command and Scripting Interpreter: AutoHotKey & AutoIT
Obfuscated Files or Information: HTML Smuggling
Modify Authentication Process: Domain Controller Authentication
Data Encoding: Standard Encoding
Obfuscated Files or Information: Fileless Storage
Lateral Tool Transfer
Exfiltration Over Physical Medium
Obfuscated Files or Information: Binary Padding
Boot or Logon Initialization Scripts
Event Triggered Execution
Remote Services: Distributed Component Object Model
Indicator Removal: Clear Command History
Permission Groups Discovery: Cloud Groups
Remote Services: Direct Cloud VM Connections
Web Service: One-Way Communication
Account Manipulation: Device Registration
Command and Scripting Interpreter: Windows Command Shell
Input Capture: GUI Input Capture
Inter-Process Communication
Serverless Execution
Unsecured Credentials
Search Closed Sources
Event Triggered Execution: Component Object Model Hijacking
Gather Victim Host Information: Software
Resource Hijacking: Cloud Service Hijacking
Exfiltration Over C2 Channel
Event Triggered Execution: Netsh Helper DLL
Adversary-in-the-Middle: ARP Cache Poisoning
Compromise Accounts: Cloud Accounts
Obtain Capabilities: Digital Certificates
Obtain Capabilities: Malware
Application Layer Protocol: File Transfer Protocols
Impair Defenses: Disable or Modify System Firewall
Archive Collected Data: Archive via Library
System Binary Proxy Execution: Msiexec
Defacement
Forge Web Credentials
Create Account: Local Account
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Execution Guardrails: Environmental Keying
Hijack Execution Flow: AppDomainManager
Gather Victim Network Information: Network Security Appliances
Group Policy Discovery
Search Open Technical Databases
Application Layer Protocol: Publish/Subscribe Protocols
Pre-OS Boot: ROMMONkit
Scheduled Task/Job: At
Create or Modify System Process: Systemd Service
Web Service: Bidirectional Communication
Implant Internal Image
Proxy
System Time Discovery
Event Triggered Execution: AppInit DLLs
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Endpoint Denial of Service: Application or System Exploitation
Unsecured Credentials: Cloud Instance Metadata API
Log Enumeration
Automated Exfiltration
Phishing: Spearphishing Voice
Acquire Infrastructure: Serverless
OS Credential Dumping: Security Account Manager
Hide Artifacts: Hidden File System
Multi-Factor Authentication Request Generation
Browser Information Discovery
Subvert Trust Controls: Gatekeeper Bypass
Office Application Startup: Office Test
Compromise Accounts: Social Media Accounts
Non-Standard Port
Masquerading: Masquerade Task or Service
BITS Jobs
Data Destruction: Lifecycle-Triggered Deletion
System Binary Proxy Execution: Rundll32
Search Open Technical Databases: Scan Databases
Impair Defenses: Disable or Modify Linux Audit System
Unsecured Credentials: Container API
Network Boundary Bridging
Inter-Process Communication: XPC Services
Data Encrypted for Impact
Supply Chain Compromise: Compromise Hardware Supply Chain
Trusted Developer Utilities Proxy Execution: MSBuild
Modify Authentication Process: Conditional Access Policies
Process Injection: Ptrace System Calls
Acquire Access
Domain or Tenant Policy Modification
Resource Hijacking: SMS Pumping
Establish Accounts: Cloud Accounts
Input Capture
Permission Groups Discovery
Email Collection
Steal or Forge Kerberos Tickets
Archive Collected Data
Account Discovery: Domain Account
XSL Script Processing
Obfuscated Files or Information: Software Packing
Peripheral Device Discovery
Browser Extensions
Establish Accounts: Email Accounts
Hijack Execution Flow
Obfuscated Files or Information: Command Obfuscation
Defacement: Internal Defacement
Compromise Infrastructure: Virtual Private Server
Hide Artifacts: Resource Forking
Active Scanning
Data Destruction
Phishing for Information
Drive-by Compromise
Compromise Infrastructure: Web Services
Email Collection: Remote Email Collection
Exfiltration Over Web Service
Endpoint Denial of Service: Service Exhaustion Flood
Data from Configuration Repository: Network Device Configuration Dump
Exfiltration Over Other Network Medium
Server Software Component: SQL Stored Procedures
Cloud Service Dashboard
Obtain Capabilities: Vulnerabilities
Server Software Component: IIS Components
Resource Hijacking: Compute Hijacking
Scheduled Task/Job: Scheduled Task
Hide Artifacts: Email Hiding Rules
Server Software Component: Terminal Services DLL
Scheduled Task/Job: Cron
Boot or Logon Autostart Execution: Print Processors
System Network Connections Discovery
Endpoint Denial of Service: Application Exhaustion Flood
Domain or Tenant Policy Modification: Group Policy Modification
Software Discovery
Data Manipulation: Transmitted Data Manipulation
Shared Modules
Event Triggered Execution: Trap
Network Service Discovery
Phishing: Spearphishing via Service
Weaken Encryption: Reduce Key Space
Gather Victim Host Information
Web Service
Data Encoding
Process Injection: Extra Window Memory Injection
Command and Scripting Interpreter: Unix Shell
Modify Authentication Process
Screen Capture
Modify Cloud Compute Infrastructure: Create Snapshot
Indicator Removal
Exploitation of Remote Services
Indicator Removal: Clear Mailbox Data
Office Application Startup: Outlook Forms
Email Collection: Local Email Collection
OS Credential Dumping: Proc Filesystem
Reflective Code Loading
Data Staged: Local Data Staging
Trusted Developer Utilities Proxy Execution
Boot or Logon Autostart Execution: Active Setup
Masquerading: Invalid Code Signature
Modify Cloud Compute Infrastructure: Create Cloud Instance
Traffic Signaling: Socket Filters
Obfuscated Files or Information: Indicator Removal from Tools
Compromise Infrastructure: Server
Debugger Evasion
Multi-Factor Authentication Interception
Permission Groups Discovery: Local Groups
Credentials from Password Stores: Cloud Secrets Management Stores
Data from Information Repositories: Messaging Applications
Traffic Signaling
Boot or Logon Autostart Execution: Re-opened Applications
Compromise Infrastructure: DNS Server
Phishing: Spearphishing Attachment
Masquerading: Double File Extension
Gather Victim Network Information: IP Addresses
Masquerading: Masquerade File Type
Build Image on Host
Execution Guardrails: Mutual Exclusion
Video Capture
Exploitation for Privilege Escalation
Account Discovery: Cloud Account
Command and Scripting Interpreter: AppleScript
Process Discovery
Access Token Manipulation: SID-History Injection
Data Transfer Size Limits
Scheduled Task/Job: Container Orchestration Job
Access Token Manipulation: Token Impersonation/Theft
Search Open Websites/Domains: Search Engines
Access Token Manipulation: Create Process with Token
Replication Through Removable Media
Windows Management Instrumentation
Account Discovery
Gather Victim Host Information: Client Configurations
Compromise Infrastructure
Stage Capabilities: Upload Malware
Use Alternate Authentication Material
Brute Force: Credential Stuffing
Boot or Logon Autostart Execution: XDG Autostart Entries
Boot or Logon Initialization Scripts: Logon Script (Windows)
Event Triggered Execution: AppCert DLLs
Account Manipulation
External Remote Services
System Binary Proxy Execution: Control Panel
User Execution: Malicious Image
Use Alternate Authentication Material: Pass the Hash
Password Policy Discovery
Phishing for Information: Spearphishing Link
Valid Accounts: Cloud Accounts
Create Account
User Execution: Malicious File
Account Discovery: Local Account
Weaken Encryption
Proxy: Domain Fronting
Event Triggered Execution: Application Shimming
System Network Configuration Discovery
Modify Authentication Process: Network Device Authentication
Domain or Tenant Policy Modification: Trust Modification
Process Injection: ListPlanting
Weaken Encryption: Disable Crypto Hardware
Boot or Logon Autostart Execution
Search Open Websites/Domains
Credentials from Password Stores
Disk Wipe: Disk Content Wipe
Data Manipulation: Runtime Data Manipulation
Exploitation for Client Execution
Archive Collected Data: Archive via Utility
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Encrypted Channel: Asymmetric Cryptography
Dynamic Resolution: DNS Calculation
Account Manipulation: Additional Local or Domain Groups
Native API
Remote Services: SSH
Power Settings
Data Obfuscation: Protocol or Service Impersonation
Data from Information Repositories: Code Repositories
Compromise Infrastructure: Domains
Steal or Forge Kerberos Tickets: Golden Ticket
Data from Information Repositories: Sharepoint
Develop Capabilities: Exploits
Impair Defenses: Indicator Blocking
File and Directory Permissions Modification
Deobfuscate/Decode Files or Information
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Transfer Data to Cloud Account
Remote Services: Remote Desktop Protocol
Gather Victim Org Information: Business Relationships
Gather Victim Org Information: Identify Roles
Modify Authentication Process: Reversible Encryption
Use Alternate Authentication Material: Pass the Ticket
Inter-Process Communication: Component Object Model
System Services: Service Execution
Proxy: Internal Proxy
Remote Services: VNC
Account Manipulation: Additional Container Cluster Roles
Gather Victim Org Information: Identify Business Tempo
Account Manipulation: Additional Email Delegate Permissions
Process Injection: Process Hollowing
Gather Victim Network Information: Domain Properties
Software Deployment Tools
Stage Capabilities: Link Target
Hijack Execution Flow: COR_PROFILER
Data from Information Repositories: Confluence
Impersonation
Event Triggered Execution: Change Default File Association
Active Scanning: Wordlist Scanning
Application Layer Protocol: Web Protocols
Hijack Execution Flow: Services File Permissions Weakness
Gather Victim Identity Information
Content Injection
Obfuscated Files or Information
Network Denial of Service: Reflection Amplification
Impair Defenses: Disable or Modify Tools
Modify System Image: Downgrade System Image
Proxy: External Proxy
Hide Artifacts: File/Path Exclusions
Automated Exfiltration: Traffic Duplication
Office Application Startup: Add-ins
Remote System Discovery
Modify System Image: Patch System Image
Data Obfuscation: Steganography
Gather Victim Org Information: Determine Physical Locations
Credentials from Password Stores: Password Managers
Modify System Image
Office Application Startup
Unsecured Credentials: Group Policy Preferences
Access Token Manipulation: Make and Impersonate Token
Brute Force
System Binary Proxy Execution: Odbcconf
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Remote Services: SMB/Windows Admin Shares
Obfuscated Files or Information: Encrypted/Encoded File
Service Stop
Data Staged: Remote Data Staging
Create Account: Cloud Account
Hijack Execution Flow: Path Interception by Search Order Hijacking
Gather Victim Identity Information: Credentials
Account Manipulation: Additional Cloud Roles
System Binary Proxy Execution: Compiled HTML File
Subvert Trust Controls
Remote Service Session Hijacking
Compromise Infrastructure: Network Devices
Use Alternate Authentication Material: Application Access Token
Impair Defenses: Spoof Security Alerting
Create Account: Domain Account
Clipboard Data
Account Manipulation: Additional Cloud Credentials
Pre-OS Boot: Component Firmware
Hardware Additions
Gather Victim Identity Information: Employee Names
Hide Artifacts: Run Virtual Instance
Hide Infrastructure
Data from Information Repositories
Acquire Infrastructure
Rogue Domain Controller
Indicator Removal: Clear Linux or Mac System Logs
Data from Removable Media
Phishing for Information: Spearphishing Attachment
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Office Application Startup: Office Template Macros
System Binary Proxy Execution: CMSTP
Multi-Stage Channels
Trusted Developer Utilities Proxy Execution: ClickOnce
Valid Accounts: Default Accounts
Command and Scripting Interpreter: Cloud API
Cloud Storage Object Discovery
Financial Theft
Remote Access Software
Steal or Forge Kerberos Tickets: AS-REP Roasting
Search Victim-Owned Websites
System Binary Proxy Execution: InstallUtil
Supply Chain Compromise: Compromise Software Supply Chain
Subvert Trust Controls: Code Signing
Impair Defenses: Disable or Modify Cloud Logs
Boot or Logon Initialization Scripts: Login Hook
Hijack Execution Flow: DLL Side-Loading
Subvert Trust Controls: Code Signing Policy Modification
Boot or Logon Initialization Scripts: Network Logon Script
Indicator Removal: Timestomp
Impair Defenses: Impair Command History Logging
Hide Artifacts: Hidden Window
Virtualization/Sandbox Evasion: Time Based Evasion
Dynamic Resolution: Fast Flux DNS
Exfiltration Over Web Service: Exfiltration Over Webhook
Domain Trust Discovery
Network Denial of Service
Exfiltration Over Alternative Protocol
Command and Scripting Interpreter: JavaScript
Boot or Logon Autostart Execution: Authentication Package
Abuse Elevation Control Mechanism: Bypass User Account Control
Develop Capabilities: Code Signing Certificates
Command and Scripting Interpreter: Network Device CLI
Data from Configuration Repository: SNMP (MIB Dump)
Event Triggered Execution: Screensaver
Modify Authentication Process: Hybrid Identity
Acquire Infrastructure: Web Services
System Network Configuration Discovery: Wi-Fi Discovery
Create or Modify System Process: Launch Agent
Boot or Logon Autostart Execution: LSASS Driver
Hijack Execution Flow: Path Interception by PATH Environment Variable
Rootkit
Event Triggered Execution: Image File Execution Options Injection
Impair Defenses: Disable Windows Event Logging
Cloud Administration Command
Boot or Logon Autostart Execution: Time Providers
Cloud Service Discovery
Masquerading: Space after Filename
Process Injection: VDSO Hijacking
Process Injection: Process Doppelgänging
System Script Proxy Execution
OS Credential Dumping: /etc/passwd and /etc/shadow
File and Directory Discovery
Virtualization/Sandbox Evasion: User Activity Based Checks
Subvert Trust Controls: Install Root Certificate
Indicator Removal: File Deletion
Gather Victim Network Information: Network Topology
Email Collection: Email Forwarding Rule
Abuse Elevation Control Mechanism: TCC Manipulation
OS Credential Dumping: DCSync
System Binary Proxy Execution: Regsvr32
Valid Accounts
Phishing for Information: Spearphishing Service
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Create or Modify System Process: Windows Service
Compromise Host Software Binary
Indicator Removal: Relocate Malware
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: Security Support Provider
Data from Cloud Storage
Input Capture: Keylogging
Taint Shared Content
Command and Scripting Interpreter: Visual Basic
Remote Services
Search Open Technical Databases: CDNs
Develop Capabilities
Obfuscated Files or Information: Embedded Payloads
Direct Volume Access
Unsecured Credentials: Credentials in Registry
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Obtain Capabilities: Code Signing Certificates
System Network Configuration Discovery: Internet Connection Discovery
Impair Defenses: Disable or Modify Cloud Firewall
Exfiltration Over Web Service: Exfiltration to Code Repository
Gather Victim Host Information: Hardware
Boot or Logon Autostart Execution: Winlogon Helper DLL
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Hide Artifacts
Endpoint Denial of Service: OS Exhaustion Flood
Active Scanning: Scanning IP Blocks
System Services: Launchctl
Event Triggered Execution: LC_LOAD_DYLIB Addition
Establish Accounts: Social Media Accounts
Event Triggered Execution: Accessibility Features
Create or Modify System Process
System Information Discovery
Masquerading: Match Legitimate Name or Location
Acquire Infrastructure: Botnet
Gather Victim Host Information: Firmware
Hijack Execution Flow: Dylib Hijacking
Pre-OS Boot
Pre-OS Boot: Bootkit
Exploitation for Defense Evasion
Process Injection: Proc Memory
Network Denial of Service: Direct Network Flood
Masquerading
Indicator Removal: Clear Network Connection History and Configurations
Device Driver Discovery
Stage Capabilities: Upload Tool
VictimHostInformation:ClientConfigurationsCompromiseInfrastructureStageCapabilities:UploadMalwareUse AlternateAuthenticationMaterialBruteForce:CredentialStuffingBoot or LogonAutostartExecution:XDG AutostartEntriesBoot or LogonInitializationScripts: LogonScript(Windows)EventTriggeredExecution:AppCertDLLsAccountManipulationExternalRemoteServicesSystemBinary ProxyExecution:ControlPanelUserExecution:MaliciousImageUse AlternateAuthenticationMaterial: Passthe HashPasswordPolicyDiscoveryPhishing forInformation:SpearphishingLinkValidAccounts:CloudAccountsCreateAccountUserExecution:MaliciousFileAccountDiscovery:LocalAccountWeakenEncryptionProxy:DomainFrontingEventTriggeredExecution:ApplicationShimmingSystemNetworkConfigurationDiscoveryModifyAuthenticationProcess:Network DeviceAuthenticationDomain orTenant PolicyModification:TrustModificationProcessInjection:ListPlantingWeakenEncryption:DisableCryptoHardwareBoot orLogonAutostartExecutionSearch OpenWebsites/DomainsCredentialsfromPasswordStoresDisk Wipe:DiskContentWipeDataManipulation:Runtime DataManipulationExploitationfor ClientExecutionArchiveCollectedData:Archive viaUtilityAbuse ElevationControlMechanism:TemporaryElevated CloudAccessEncryptedChannel:AsymmetricCryptographyDynamicResolution:DNSCalculationAccountManipulation:Additional Localor DomainGroupsNativeAPIRemoteServices:SSHPowerSettingsDataObfuscation:Protocol orServiceImpersonationData fromInformationRepositories:CodeRepositoriesCompromiseInfrastructure:DomainsSteal orForgeKerberosTickets:Golden TicketData fromInformationRepositories:SharepointDevelopCapabilities:ExploitsImpairDefenses:IndicatorBlockingFile andDirectoryPermissionsModificationDeobfuscate/DecodeFiles or InformationExfiltrationOver OtherNetworkMedium:ExfiltrationOver BluetoothTransferData toCloudAccountRemoteServices:RemoteDesktopProtocolGather VictimOrgInformation:BusinessRelationshipsGatherVictim OrgInformation:IdentifyRolesModifyAuthenticationProcess:ReversibleEncryptionUse 
AlternateAuthenticationMaterial: Passthe TicketInter-ProcessCommunication:ComponentObject ModelSystemServices:ServiceExecutionProxy:InternalProxyRemoteServices:VNCAccountManipulation:AdditionalContainerCluster RolesGather VictimOrgInformation:IdentifyBusinessTempoAccountManipulation:AdditionalEmail DelegatePermissionsProcessInjection:ProcessHollowingGather VictimNetworkInformation:DomainPropertiesSoftwareDeploymentToolsStageCapabilities:Link TargetHijack ExecutionFlow:COR_PROFILERData fromInformationRepositories:ConfluenceImpersonationEvent TriggeredExecution:Change DefaultFile AssociationActiveScanning:WordlistScanningApplicationLayerProtocol:WebProtocolsHijackExecution Flow:Services FilePermissionsWeaknessGatherVictimIdentityInformationContentInjectionObfuscatedFiles orInformationNetworkDenial ofService:ReflectionAmplificationImpairDefenses:Disable orModify ToolsModifySystemImage:DowngradeSystem ImageProxy:ExternalProxyHideArtifacts:File/PathExclusionsAutomatedExfiltration:TrafficDuplicationOfficeApplicationStartup:Add-insRemoteSystemDiscoveryModifySystemImage: PatchSystemImageDataObfuscation:SteganographyGather VictimOrgInformation:DeterminePhysicalLocationsCredentialsfrom PasswordStores:PasswordManagersModifySystemImageOfficeApplicationStartupUnsecuredCredentials:Group PolicyPreferencesAccess TokenManipulation:Make andImpersonateTokenBruteForceSystemBinary ProxyExecution:OdbcconfBoot or LogonAutostartExecution:Kernel Modulesand ExtensionsRemoteServices:SMB/WindowsAdmin SharesObfuscated Files orInformation:Encrypted/EncodedFileServiceStopData Staged:RemoteData StagingCreateAccount:CloudAccountHijackExecution Flow:PathInterception bySearch OrderHijackingGatherVictimIdentityInformation:CredentialsAccountManipulation:AdditionalCloud RolesSystemBinary ProxyExecution:CompiledHTML FileSubvertTrustControlsRemoteServiceSessionHijackingCompromiseInfrastructure:NetworkDevicesUse AlternateAuthenticationMaterial:ApplicationAccess 
TokenImpairDefenses:SpoofSecurityAlertingCreateAccount:DomainAccountClipboardDataAccountManipulation:AdditionalCloudCredentialsPre-OSBoot:ComponentFirmwareHardwareAdditionsGather VictimIdentityInformation:EmployeeNamesHideArtifacts:Run VirtualInstanceHideInfrastructureData fromInformationRepositoriesAcquireInfrastructureRogueDomainControllerIndicatorRemoval:Clear Linuxor MacSystem LogsData fromRemovableMediaPhishing forInformation:SpearphishingAttachmentModify CloudComputeInfrastructure:Modify CloudComputeConfigurationsOfficeApplicationStartup: OfficeTemplateMacrosSystemBinary ProxyExecution:CMSTPMulti-StageChannelsTrustedDeveloperUtilities ProxyExecution:ClickOnceValidAccounts:DefaultAccountsCommandand ScriptingInterpreter:Cloud APICloudStorageObjectDiscoveryFinancialTheftRemoteAccessSoftwareSteal or ForgeKerberosTickets: AS-REP RoastingSearchVictim-OwnedWebsitesSystemBinary ProxyExecution:InstallUtilSupply ChainCompromise:CompromiseSoftwareSupply ChainSubvertTrustControls:CodeSigningImpairDefenses:Disable orModify CloudLogsBoot orLogonInitializationScripts:Login HookHijackExecutionFlow: DLLSide-LoadingSubvert TrustControls:Code SigningPolicyModificationBoot or LogonInitializationScripts:NetworkLogon ScriptIndicatorRemoval:TimestompImpairDefenses:ImpairCommandHistory LoggingHideArtifacts:HiddenWindowVirtualization/SandboxEvasion: Time BasedEvasionDynamicResolution:Fast FluxDNSExfiltrationOver WebService:ExfiltrationOver WebhookDomainTrustDiscoveryNetworkDenial ofServiceExfiltrationOverAlternativeProtocolCommandand ScriptingInterpreter:JavaScriptBoot or LogonAutostartExecution:AuthenticationPackageAbuse ElevationControlMechanism:Bypass UserAccount ControlDevelopCapabilities:CodeSigningCertificatesCommandand ScriptingInterpreter:NetworkDevice CLIData fromConfigurationRepository:SNMP (MIBDump)EventTriggeredExecution:ScreensaverModifyAuthenticationProcess:Hybrid IdentityAcquireInfrastructure:Web ServicesSystemNetworkConfigurationDiscovery: Wi-Fi DiscoveryCreate 
orModifySystemProcess:Launch AgentBoot or LogonAutostartExecution:LSASS DriverHijack ExecutionFlow: PathInterception byPATHEnvironmentVariableRootkitEvent TriggeredExecution:Image FileExecutionOptionsInjectionImpairDefenses:DisableWindowsEvent LoggingCloudAdministrationCommandBoot or LogonAutostartExecution:TimeProvidersCloudServiceDiscoveryMasquerading:Space afterFilenameProcessInjection:VDSOHijackingProcessInjection:ProcessDoppelgängingSystemScriptProxyExecutionOS CredentialDumping:/etc/passwdand/etc/shadowFile andDirectoryDiscoveryVirtualization/SandboxEvasion: User ActivityBased ChecksSubvertTrustControls:Install RootCertificateIndicatorRemoval:FileDeletionGather VictimNetworkInformation:NetworkTopologyEmailCollection:EmailForwardingRuleAbuseElevationControlMechanism:TCCManipulationOSCredentialDumping:DCSyncSystemBinary ProxyExecution:Regsvr32ValidAccountsPhishing forInformation:SpearphishingServiceSupply ChainCompromise:CompromiseSoftwareDependencies andDevelopmentToolsCreate orModify SystemProcess:WindowsServiceCompromiseHostSoftwareBinaryIndicatorRemoval:RelocateMalwareBoot or LogonAutostartExecution:ShortcutModificationBoot or LogonAutostartExecution:SecuritySupportProviderData fromCloudStorageInputCapture:KeyloggingTaintSharedContentCommandand ScriptingInterpreter:Visual BasicRemoteServicesSearchOpenTechnicalDatabases:CDNsDevelopCapabilitiesObfuscatedFiles orInformation:EmbeddedPayloadsDirectVolumeAccessUnsecuredCredentials:Credentialsin RegistryFile and DirectoryPermissionsModification:Windows File andDirectoryPermissionsModificationObtainCapabilities:CodeSigningCertificatesSystem NetworkConfigurationDiscovery:InternetConnectionDiscoveryImpairDefenses:Disable orModify CloudFirewallExfiltrationOver WebService:Exfiltration toCodeRepositoryGatherVictim HostInformation:HardwareBoot or LogonAutostartExecution:WinlogonHelper DLLAbuse ElevationControlMechanism:ElevatedExecution withPromptHideArtifactsEndpointDenial ofService: 
OSExhaustionFloodActiveScanning:ScanningIP BlocksSystemServices:LaunchctlEvent TriggeredExecution:LC_LOAD_DYLIBAdditionEstablishAccounts:Social MediaAccountsEventTriggeredExecution:AccessibilityFeaturesCreate orModifySystemProcessSystemInformationDiscoveryMasquerading:MatchLegitimateName orLocationAcquireInfrastructure:BotnetGatherVictim HostInformation:FirmwareHijackExecutionFlow: DylibHijackingPre-OSBootPre-OSBoot:BootkitExploitationfor DefenseEvasionProcessInjection:ProcMemoryNetworkDenial ofService: DirectNetwork FloodMasqueradingIndicatorRemoval: ClearNetworkConnectionHistory andConfigurationsDeviceDriverDiscoveryStageCapabilities:Upload Tool

MITRE ATT&CK Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the pieces in a bag, and pull words from the bag.

  1. Unsecured Credentials: Chat Messages
  2. Application Layer Protocol
  3. Server Software Component
  4. Event Triggered Execution: Windows Management Instrumentation Event Subscription
  5. Process Injection: Thread Execution Hijacking
  6. Search Open Websites/Domains: Social Media
  7. Virtualization/Sandbox Evasion
  8. Gather Victim Network Information: DNS
  9. Stage Capabilities: SEO Poisoning
  10. Unsecured Credentials: Credentials In Files
  11. Archive Collected Data: Archive via Custom Method
  12. Container Administration Command
  13. Acquire Infrastructure: Domains
  14. Subvert Trust Controls: SIP and Trust Provider Hijacking
  15. Steal Web Session Cookie
  16. Obtain Capabilities
  17. Event Triggered Execution: Udev Rules
  18. Adversary-in-the-Middle: DHCP Spoofing
  19. Modify Cloud Compute Infrastructure: Delete Cloud Instance
  20. Obfuscated Files or Information: Steganography
  21. Steal or Forge Kerberos Tickets: Silver Ticket
  22. Execution Guardrails
  23. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  24. Forced Authentication
  25. Obtain Capabilities: Tool
  26. Event Triggered Execution: PowerShell Profile
  27. Brute Force: Password Guessing
  28. Abuse Elevation Control Mechanism: Setuid and Setgid
  29. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  30. Stage Capabilities: Drive-by Target
  31. Hide Artifacts: Hidden Users
  32. Account Discovery: Email Account
  33. Remote Service Session Hijacking: SSH Hijacking
  34. Command and Scripting Interpreter: PowerShell
  35. User Execution
  36. System Shutdown/Reboot
  37. Valid Accounts: Domain Accounts
  38. Account Manipulation: SSH Authorized Keys
  39. Process Injection: Portable Executable Injection
  40. Modify Authentication Process: Pluggable Authentication Modules
  41. Modify Cloud Compute Infrastructure: Revert Cloud Instance
  42. Gather Victim Identity Information: Email Addresses
  43. Query Registry
  44. Input Capture: Web Portal Capture
  45. Use Alternate Authentication Material: Web Session Cookie
  46. Search Closed Sources: Purchase Technical Data
  47. Resource Hijacking: Bandwidth Hijacking
  48. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  49. Acquire Infrastructure: Virtual Private Server
  50. Cloud Infrastructure Discovery
  51. Obfuscated Files or Information: Dynamic API Resolution
  52. Application Layer Protocol: Mail Protocols
  53. Dynamic Resolution
  54. Account Access Removal
  55. Event Triggered Execution: Installer Packages
  56. Data Obfuscation: Junk Data
  57. Remote Services: Cloud Services
  58. Adversary-in-the-Middle
  59. Acquire Infrastructure: DNS Server
  60. Scheduled Task/Job
  61. Scheduled Task/Job: Systemd Timers
  62. Boot or Logon Autostart Execution: Login Items
  63. Scheduled Transfer
  64. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  65. System Binary Proxy Execution: Verclsid
  66. Audio Capture
  67. Defacement: External Defacement
  68. Access Token Manipulation: Parent PID Spoofing
  69. Brute Force: Password Spraying
  70. Acquire Infrastructure: Malvertising
  71. Software Discovery: Security Software Discovery
  72. Stage Capabilities
  73. Abuse Elevation Control Mechanism
  74. Obfuscated Files or Information: LNK Icon Smuggling
  75. Modify Authentication Process: Network Provider DLL
  76. Compromise Accounts: Email Accounts
  77. Gather Victim Network Information: Network Trust Dependencies
  78. Acquire Infrastructure: Server
  79. Credentials from Password Stores: Credentials from Web Browsers
  80. Disk Wipe
  81. Modify Authentication Process: Multi-Factor Authentication
  82. Inter-Process Communication: Dynamic Data Exchange
  83. Ingress Tool Transfer
  84. Data from Configuration Repository
  85. Data Manipulation: Stored Data Manipulation
  86. Inhibit System Recovery
  87. Input Capture: Credential API Hooking
  88. Deploy Container
  89. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  90. Data Obfuscation
  91. Hijack Execution Flow: Path Interception by Unquoted Path
  92. User Execution: Malicious Link
  93. System Binary Proxy Execution
  94. Phishing: Spearphishing Link
  95. Hide Artifacts: VBA Stomping
  96. Data from Local System
  97. Network Sniffing
  98. Compromise Infrastructure: Serverless
  99. Indirect Command Execution
  100. Template Injection
  101. Trusted Relationship
  102. Application Layer Protocol: DNS
  103. Credentials from Password Stores: Windows Credential Manager
  104. System Script Proxy Execution: SyncAppvPublishingServer
  105. Exploit Public-Facing Application
  106. Fallback Channels
  107. Indicator Removal: Clear Persistence
  108. Server Software Component: Transport Agent
  109. Office Application Startup: Outlook Rules
  110. Modify Registry
  111. Pre-OS Boot: TFTP Boot
  112. Event Triggered Execution: Emond
  113. Office Application Startup: Outlook Home Page
  114. Modify Cloud Compute Infrastructure
  115. Non-Application Layer Protocol
  116. Search Closed Sources: Threat Intel Vendors
  117. Develop Capabilities: Digital Certificates
  118. Encrypted Channel
  119. Active Scanning: Vulnerability Scanning
  120. Data from Information Repositories: Customer Relationship Management Software
  121. Resource Hijacking
  122. Masquerading: Break Process Trees
  123. System Owner/User Discovery
  124. Hide Artifacts: Hidden Files and Directories
  125. Obtain Capabilities: Artificial Intelligence
  126. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  127. Access Token Manipulation
  128. Unsecured Credentials: Bash History
  129. Compromise Accounts
  130. Impair Defenses
  131. Command and Scripting Interpreter: Python
  132. System Binary Proxy Execution: Regsvcs/Regasm
  133. Obfuscated Files or Information: Stripped Payloads
  134. System Binary Proxy Execution: Mshta
  135. Firmware Corruption
  136. Stage Capabilities: Install Digital Certificate
  137. Hide Artifacts: Ignore Process Interrupts
  138. Hijack Execution Flow: Dynamic Linker Hijacking
  139. Impair Defenses: Downgrade Attack
  140. Exploitation for Credential Access
  141. Search Open Technical Databases: WHOIS
  142. Event Triggered Execution: Unix Shell Configuration Modification
  143. Forge Web Credentials: SAML Tokens
  144. Remote Service Session Hijacking: RDP Hijacking
  145. Internal Spearphishing
  146. Protocol Tunneling
  147. Command and Scripting Interpreter: Lua
  148. System Binary Proxy Execution: MMC
  149. Unsecured Credentials: Private Keys
  150. Process Injection
  151. Establish Accounts
  152. Develop Capabilities: Malware
  153. System Services
  154. Container and Resource Discovery
  155. Network Share Discovery
  156. Hijack Execution Flow: DLL Search Order Hijacking
  157. Permission Groups Discovery: Domain Groups
  158. Phishing
  159. Communication Through Removable Media
  160. Modify Cloud Resource Hierarchy
  161. System Service Discovery
  162. Proxy: Multi-hop Proxy
  163. Steal or Forge Authentication Certificates
  164. Process Injection: Asynchronous Procedure Call
  165. OS Credential Dumping: LSA Secrets
  166. Obfuscated Files or Information: Polymorphic Code
  167. Credentials from Password Stores: Keychain
  168. Hijack Execution Flow: Executable Installer File Permissions Weakness
  169. Web Service: Dead Drop Resolver
  170. Escape to Host
  171. Pre-OS Boot: System Firmware
  172. Valid Accounts: Local Accounts
  173. Gather Victim Org Information
  174. Masquerading: Rename System Utilities
  175. Data from Network Shared Drive
  176. Compromise Infrastructure: Botnet
  177. System Binary Proxy Execution: Mavinject
  178. Exfiltration Over Physical Medium: Exfiltration over USB
  179. Automated Collection
  180. Indicator Removal: Clear Windows Event Logs
  181. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
  182. OS Credential Dumping: Cached Domain Credentials
  183. Endpoint Denial of Service
  184. Steal Application Access Token
  185. Boot or Logon Autostart Execution: Port Monitors
  186. OS Credential Dumping: LSASS Memory
  187. Credentials from Password Stores: Securityd Memory
  188. Disk Wipe: Disk Structure Wipe
  189. Dynamic Resolution: Domain Generation Algorithms
  190. Masquerading: Masquerade Account Name
  191. Hide Artifacts: NTFS File Attributes
  192. Hijack Execution Flow: KernelCallbackTable
  193. Obtain Capabilities: Exploits
  194. Search Open Technical Databases: DNS/Passive DNS
  195. System Location Discovery: System Language Discovery
  196. Hide Artifacts: Process Argument Spoofing
  197. Encrypted Channel: Symmetric Cryptography
  198. Search Open Websites/Domains: Code Repositories
  199. Network Boundary Bridging: Network Address Translation Traversal
  200. System Location Discovery
  201. System Script Proxy Execution: PubPrn
  202. Adversary-in-the-Middle: Evil Twin
  203. Search Open Technical Databases: Digital Certificates
  204. Remote Services: Windows Remote Management
  205. Traffic Signaling: Port Knocking
  206. Masquerading: Right-to-Left Override
  207. Steal or Forge Kerberos Tickets: Kerberoasting
  208. Gather Victim Network Information
  209. Command and Scripting Interpreter
  210. Virtualization/Sandbox Evasion: System Checks
  211. Create or Modify System Process: Container Service
  212. Boot or Logon Initialization Scripts: Startup Items
  213. Process Injection: Thread Local Storage
  214. Steal or Forge Kerberos Tickets: Ccache Files
  215. Unused/Unsupported Cloud Regions
  216. System Binary Proxy Execution: Electron Applications
  217. OS Credential Dumping: NTDS
  218. Phishing for Information: Spearphishing Voice
  219. Boot or Logon Initialization Scripts: RC Scripts
  220. Process Injection: Dynamic-link Library Injection
  221. Subvert Trust Controls: Mark-of-the-Web Bypass
  222. Impair Defenses: Safe Mode Boot
  223. Obfuscated Files or Information: Compile After Delivery
  224. OS Credential Dumping
  225. Indicator Removal: Network Share Connection Removal
  226. Data Staged
  227. Forge Web Credentials: Web Cookies
  228. Create or Modify System Process: Launch Daemon
  229. Plist File Modification
  230. Application Window Discovery
  231. Server Software Component: Web Shell
  232. Browser Session Hijacking
  233. Data Encoding: Non-Standard Encoding
  234. Data Manipulation
  235. Supply Chain Compromise
  236. Hijack Execution Flow: Services Registry Permissions Weakness
  237. Modify Authentication Process: Password Filter DLL
  238. Brute Force: Password Cracking
  239. Command and Scripting Interpreter: AutoHotKey & AutoIT
  240. Obfuscated Files or Information: HTML Smuggling
  241. name
  242. Modify Authentication Process: Domain Controller Authentication
  243. Data Encoding: Standard Encoding
  244. Obfuscated Files or Information: Fileless Storage
  245. Lateral Tool Transfer
  246. Exfiltration Over Physical Medium
  247. Obfuscated Files or Information: Binary Padding
  248. Boot or Logon Initialization Scripts
  249. Event Triggered Execution
  250. Remote Services: Distributed Component Object Model
  251. Indicator Removal: Clear Command History
  252. Permission Groups Discovery: Cloud Groups
  253. Remote Services: Direct Cloud VM Connections
  254. Web Service: One-Way Communication
  255. Account Manipulation: Device Registration
  256. Command and Scripting Interpreter: Windows Command Shell
  257. Input Capture: GUI Input Capture
  258. Inter-Process Communication
  259. Serverless Execution
  260. Unsecured Credentials
  261. Search Closed Sources
  262. Event Triggered Execution: Component Object Model Hijacking
  263. Gather Victim Host Information: Software
  264. Resource Hijacking: Cloud Service Hijacking
  265. Exfiltration Over C2 Channel
  266. Event Triggered Execution: Netsh Helper DLL
  267. Adversary-in-the-Middle: ARP Cache Poisoning
  268. Compromise Accounts: Cloud Accounts
  269. Obtain Capabilities: Digital Certificates
  270. Obtain Capabilities: Malware
  271. Application Layer Protocol: File Transfer Protocols
  272. Impair Defenses: Disable or Modify System Firewall
  273. Archive Collected Data: Archive via Library
  274. System Binary Proxy Execution: Msiexec
  275. Defacement
  276. Forge Web Credentials
  277. Create Account: Local Account
  278. Exfiltration Over Web Service: Exfiltration to Cloud Storage
  279. Execution Guardrails: Environmental Keying
  280. Hijack Execution Flow: AppDomainManager
  281. Gather Victim Network Information: Network Security Appliances
  282. Group Policy Discovery
  283. Search Open Technical Databases
  284. Application Layer Protocol: Publish/Subscribe Protocols
  285. Pre-OS Boot: ROMMONkit
  286. Scheduled Task/Job: At
  287. Create or Modify System Process: Systemd Service
  288. Web Service: Bidirectional Communication
  289. Implant Internal Image
  290. Proxy
  291. System Time Discovery
  292. Event Triggered Execution: AppInit DLLs
  293. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  294. Endpoint Denial of Service: Application or System Exploitation
  295. Unsecured Credentials: Cloud Instance Metadata API
  296. Log Enumeration
  297. Automated Exfiltration
  298. Phishing: Spearphishing Voice
  299. Acquire Infrastructure: Serverless
  300. OS Credential Dumping: Security Account Manager
  301. Hide Artifacts: Hidden File System
  302. Multi-Factor Authentication Request Generation
  303. Browser Information Discovery
  304. Subvert Trust Controls: Gatekeeper Bypass
  305. Office Application Startup: Office Test
  306. Compromise Accounts: Social Media Accounts
  307. Non-Standard Port
  308. Masquerading: Masquerade Task or Service
  309. BITS Jobs
  310. Data Destruction: Lifecycle-Triggered Deletion
  311. System Binary Proxy Execution: Rundll32
  312. Search Open Technical Databases: Scan Databases
  313. Impair Defenses: Disable or Modify Linux Audit System
  314. Unsecured Credentials: Container API
  315. Network Boundary Bridging
  316. Inter-Process Communication: XPC Services
  317. Data Encrypted for Impact
  318. Supply Chain Compromise: Compromise Hardware Supply Chain
  319. Trusted Developer Utilities Proxy Execution: MSBuild
  320. Modify Authentication Process: Conditional Access Policies
  321. Process Injection: Ptrace System Calls
  322. Acquire Access
  323. Domain or Tenant Policy Modification
  324. Resource Hijacking: SMS Pumping
  325. Establish Accounts: Cloud Accounts
  326. Input Capture
  327. Permission Groups Discovery
  328. Email Collection
  329. Steal or Forge Kerberos Tickets
  330. Archive Collected Data
  331. Account Discovery: Domain Account
  332. XSL Script Processing
  333. Obfuscated Files or Information: Software Packing
  334. Peripheral Device Discovery
  335. Browser Extensions
  336. Establish Accounts: Email Accounts
  337. Hijack Execution Flow
  338. Obfuscated Files or Information: Command Obfuscation
  339. Defacement: Internal Defacement
  340. Compromise Infrastructure: Virtual Private Server
  341. Hide Artifacts: Resource Forking
  342. Active Scanning
  343. Data Destruction
  344. Phishing for Information
  345. Drive-by Compromise
  346. Compromise Infrastructure: Web Services
  347. Email Collection: Remote Email Collection
  348. Exfiltration Over Web Service
  349. Endpoint Denial of Service: Service Exhaustion Flood
  350. Data from Configuration Repository: Network Device Configuration Dump
  351. Exfiltration Over Other Network Medium
  352. Server Software Component: SQL Stored Procedures
  353. Cloud Service Dashboard
  354. Obtain Capabilities: Vulnerabilities
  355. Server Software Component: IIS Components
  356. Resource Hijacking: Compute Hijacking
  357. Scheduled Task/Job: Scheduled Task
  358. Hide Artifacts: Email Hiding Rules
  359. Server Software Component: Terminal Services DLL
  360. Scheduled Task/Job: Cron
  361. Boot or Logon Autostart Execution: Print Processors
  362. System Network Connections Discovery
  363. Endpoint Denial of Service: Application Exhaustion Flood
  364. Domain or Tenant Policy Modification: Group Policy Modification
  365. Software Discovery
  366. Data Manipulation: Transmitted Data Manipulation
  367. Shared Modules
  368. Event Triggered Execution: Trap
  369. Network Service Discovery
  370. Phishing: Spearphishing via Service
  371. Weaken Encryption: Reduce Key Space
  372. Gather Victim Host Information
  373. Web Service
  374. Data Encoding
  375. Process Injection: Extra Window Memory Injection
  376. Command and Scripting Interpreter: Unix Shell
  377. Modify Authentication Process
  378. Screen Capture
  379. Modify Cloud Compute Infrastructure: Create Snapshot
  380. Indicator Removal
  381. Exploitation of Remote Services
  382. Indicator Removal: Clear Mailbox Data
  383. Office Application Startup: Outlook Forms
  384. Email Collection: Local Email Collection
  385. OS Credential Dumping: Proc Filesystem
  386. Reflective Code Loading
  387. Data Staged: Local Data Staging
  388. Trusted Developer Utilities Proxy Execution
  389. Boot or Logon Autostart Execution: Active Setup
  390. Masquerading: Invalid Code Signature
  391. Modify Cloud Compute Infrastructure: Create Cloud Instance
  392. Traffic Signaling: Socket Filters
  393. Obfuscated Files or Information: Indicator Removal from Tools
  394. Compromise Infrastructure: Server
  395. Debugger Evasion
  396. Multi-Factor Authentication Interception
  397. Permission Groups Discovery: Local Groups
  398. Credentials from Password Stores: Cloud Secrets Management Stores
  399. Data from Information Repositories: Messaging Applications
  400. Traffic Signaling
  401. Boot or Logon Autostart Execution: Re-opened Applications
  402. Compromise Infrastructure: DNS Server
  403. Phishing: Spearphishing Attachment
  404. Masquerading: Double File Extension
  405. Gather Victim Network Information: IP Addresses
  406. Masquerading: Masquerade File Type
  407. Build Image on Host
  408. Execution Guardrails: Mutual Exclusion
  409. Video Capture
  410. Exploitation for Privilege Escalation
  411. Account Discovery: Cloud Account
  412. Command and Scripting Interpreter: AppleScript
  413. Process Discovery
  414. Access Token Manipulation: SID-History Injection
  415. Data Transfer Size Limits
  416. Scheduled Task/Job: Container Orchestration Job
  417. Access Token Manipulation: Token Impersonation/Theft
  418. Search Open Websites/Domains: Search Engines
  419. Access Token Manipulation: Create Process with Token
  420. Replication Through Removable Media
  421. Windows Management Instrumentation
  422. Account Discovery
  423. Gather Victim Host Information: Client Configurations
  424. Compromise Infrastructure
  425. Stage Capabilities: Upload Malware
  426. Use Alternate Authentication Material
  427. Brute Force: Credential Stuffing
  428. Boot or Logon Autostart Execution: XDG Autostart Entries
  429. Boot or Logon Initialization Scripts: Logon Script (Windows)
  430. Event Triggered Execution: AppCert DLLs
  431. Account Manipulation
  432. External Remote Services
  433. System Binary Proxy Execution: Control Panel
  434. User Execution: Malicious Image
  435. Use Alternate Authentication Material: Pass the Hash
  436. Password Policy Discovery
  437. Phishing for Information: Spearphishing Link
  438. Valid Accounts: Cloud Accounts
  439. Create Account
  440. User Execution: Malicious File
  441. Account Discovery: Local Account
  442. Weaken Encryption
  443. Proxy: Domain Fronting
  444. Event Triggered Execution: Application Shimming
  445. System Network Configuration Discovery
  446. Modify Authentication Process: Network Device Authentication
  447. Domain or Tenant Policy Modification: Trust Modification
  448. Process Injection: ListPlanting
  449. Weaken Encryption: Disable Crypto Hardware
  450. Boot or Logon Autostart Execution
  451. Search Open Websites/Domains
  452. Credentials from Password Stores
  453. Disk Wipe: Disk Content Wipe
  454. Data Manipulation: Runtime Data Manipulation
  455. Exploitation for Client Execution
  456. Archive Collected Data: Archive via Utility
  457. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  458. Encrypted Channel: Asymmetric Cryptography
  459. Dynamic Resolution: DNS Calculation
  460. Account Manipulation: Additional Local or Domain Groups
  461. Native API
  462. Remote Services: SSH
  463. Power Settings
  464. Data Obfuscation: Protocol or Service Impersonation
  465. Data from Information Repositories: Code Repositories
  466. Compromise Infrastructure: Domains
  467. Steal or Forge Kerberos Tickets: Golden Ticket
  468. Data from Information Repositories: Sharepoint
  469. Develop Capabilities: Exploits
  470. Impair Defenses: Indicator Blocking
  471. File and Directory Permissions Modification
  472. Deobfuscate/Decode Files or Information
  473. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  474. Transfer Data to Cloud Account
  475. Remote Services: Remote Desktop Protocol
  476. Gather Victim Org Information: Business Relationships
  477. Gather Victim Org Information: Identify Roles
  478. Modify Authentication Process: Reversible Encryption
  479. Use Alternate Authentication Material: Pass the Ticket
  480. Inter-Process Communication: Component Object Model
  481. System Services: Service Execution
  482. Proxy: Internal Proxy
  483. Remote Services: VNC
  484. Account Manipulation: Additional Container Cluster Roles
  485. Gather Victim Org Information: Identify Business Tempo
  486. Account Manipulation: Additional Email Delegate Permissions
  487. Process Injection: Process Hollowing
  488. Gather Victim Network Information: Domain Properties
  489. Software Deployment Tools
  490. Stage Capabilities: Link Target
  491. Hijack Execution Flow: COR_PROFILER
  492. Data from Information Repositories: Confluence
  493. Impersonation
  494. Event Triggered Execution: Change Default File Association
  495. Active Scanning: Wordlist Scanning
  496. Application Layer Protocol: Web Protocols
  497. Hijack Execution Flow: Services File Permissions Weakness
  498. Gather Victim Identity Information
  499. Content Injection
  500. Obfuscated Files or Information
  501. Network Denial of Service: Reflection Amplification
  502. Impair Defenses: Disable or Modify Tools
  503. Modify System Image: Downgrade System Image
  504. Proxy: External Proxy
  505. Hide Artifacts: File/Path Exclusions
  506. Automated Exfiltration: Traffic Duplication
  507. Office Application Startup: Add-ins
  508. Remote System Discovery
  509. Modify System Image: Patch System Image
  510. Data Obfuscation: Steganography
  511. Gather Victim Org Information: Determine Physical Locations
  512. Credentials from Password Stores: Password Managers
  513. Modify System Image
  514. Office Application Startup
  515. Unsecured Credentials: Group Policy Preferences
  516. Access Token Manipulation: Make and Impersonate Token
  517. Brute Force
  518. System Binary Proxy Execution: Odbcconf
  519. Boot or Logon Autostart Execution: Kernel Modules and Extensions
  520. Remote Services: SMB/Windows Admin Shares
  521. Obfuscated Files or Information: Encrypted/Encoded File
  522. Service Stop
  523. Data Staged: Remote Data Staging
  524. Create Account: Cloud Account
  525. Hijack Execution Flow: Path Interception by Search Order Hijacking
  526. Gather Victim Identity Information: Credentials
  527. Account Manipulation: Additional Cloud Roles
  528. System Binary Proxy Execution: Compiled HTML File
  529. Subvert Trust Controls
  530. Remote Service Session Hijacking
  531. Compromise Infrastructure: Network Devices
  532. Use Alternate Authentication Material: Application Access Token
  533. Impair Defenses: Spoof Security Alerting
  534. Create Account: Domain Account
  535. Clipboard Data
  536. Account Manipulation: Additional Cloud Credentials
  537. Pre-OS Boot: Component Firmware
  538. Hardware Additions
  539. Gather Victim Identity Information: Employee Names
  540. Hide Artifacts: Run Virtual Instance
  541. Hide Infrastructure
  542. Data from Information Repositories
  543. Acquire Infrastructure
  544. Rogue Domain Controller
  545. Indicator Removal: Clear Linux or Mac System Logs
  546. Data from Removable Media
  547. Phishing for Information: Spearphishing Attachment
  548. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
  549. Office Application Startup: Office Template Macros
  550. System Binary Proxy Execution: CMSTP
  551. Multi-Stage Channels
  552. Trusted Developer Utilities Proxy Execution: ClickOnce
  553. Valid Accounts: Default Accounts
  554. Command and Scripting Interpreter: Cloud API
  555. Cloud Storage Object Discovery
  556. Financial Theft
  557. Remote Access Software
  558. Steal or Forge Kerberos Tickets: AS-REP Roasting
  559. Search Victim-Owned Websites
  560. System Binary Proxy Execution: InstallUtil
  561. Supply Chain Compromise: Compromise Software Supply Chain
  562. Subvert Trust Controls: Code Signing
  563. Impair Defenses: Disable or Modify Cloud Logs
  564. Boot or Logon Initialization Scripts: Login Hook
  565. Hijack Execution Flow: DLL Side-Loading
  566. Subvert Trust Controls: Code Signing Policy Modification
  567. Boot or Logon Initialization Scripts: Network Logon Script
  568. Indicator Removal: Timestomp
  569. Impair Defenses: Impair Command History Logging
  570. Hide Artifacts: Hidden Window
  571. Virtualization/Sandbox Evasion: Time Based Evasion
  572. Dynamic Resolution: Fast Flux DNS
  573. Exfiltration Over Web Service: Exfiltration Over Webhook
  574. Domain Trust Discovery
  575. Network Denial of Service
  576. Exfiltration Over Alternative Protocol
  577. Command and Scripting Interpreter: JavaScript
  578. Boot or Logon Autostart Execution: Authentication Package
  579. Abuse Elevation Control Mechanism: Bypass User Account Control
  580. Develop Capabilities: Code Signing Certificates
  581. Command and Scripting Interpreter: Network Device CLI
  582. Data from Configuration Repository: SNMP (MIB Dump)
  583. Event Triggered Execution: Screensaver
  584. Modify Authentication Process: Hybrid Identity
  585. Acquire Infrastructure: Web Services
  586. System Network Configuration Discovery: Wi-Fi Discovery
  587. Create or Modify System Process: Launch Agent
  588. Boot or Logon Autostart Execution: LSASS Driver
  589. Hijack Execution Flow: Path Interception by PATH Environment Variable
  590. Rootkit
  591. Event Triggered Execution: Image File Execution Options Injection
  592. Impair Defenses: Disable Windows Event Logging
  593. Cloud Administration Command
  594. Boot or Logon Autostart Execution: Time Providers
  595. Cloud Service Discovery
  596. Masquerading: Space after Filename
  597. Process Injection: VDSO Hijacking
  598. Process Injection: Process Doppelgänging
  599. System Script Proxy Execution
  600. OS Credential Dumping: /etc/passwd and /etc/shadow
  601. File and Directory Discovery
  602. Virtualization/Sandbox Evasion: User Activity Based Checks
  603. Subvert Trust Controls: Install Root Certificate
  604. Indicator Removal: File Deletion
  605. Gather Victim Network Information: Network Topology
  606. Email Collection: Email Forwarding Rule
  607. Abuse Elevation Control Mechanism: TCC Manipulation
  608. OS Credential Dumping: DCSync
  609. System Binary Proxy Execution: Regsvr32
  610. Valid Accounts
  611. Phishing for Information: Spearphishing Service
  612. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  613. Create or Modify System Process: Windows Service
  614. Compromise Host Software Binary
  615. Indicator Removal: Relocate Malware
  616. Boot or Logon Autostart Execution: Shortcut Modification
  617. Boot or Logon Autostart Execution: Security Support Provider
  618. Data from Cloud Storage
  619. Input Capture: Keylogging
  620. Taint Shared Content
  621. Command and Scripting Interpreter: Visual Basic
  622. Remote Services
  623. Search Open Technical Databases: CDNs
  624. Develop Capabilities
  625. Obfuscated Files or Information: Embedded Payloads
  626. Direct Volume Access
  627. Unsecured Credentials: Credentials in Registry
  628. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  629. Obtain Capabilities: Code Signing Certificates
  630. System Network Configuration Discovery: Internet Connection Discovery
  631. Impair Defenses: Disable or Modify Cloud Firewall
  632. Exfiltration Over Web Service: Exfiltration to Code Repository
  633. Gather Victim Host Information: Hardware
  634. Boot or Logon Autostart Execution: Winlogon Helper DLL
  635. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
  636. Hide Artifacts
  637. Endpoint Denial of Service: OS Exhaustion Flood
  638. Active Scanning: Scanning IP Blocks
  639. System Services: Launchctl
  640. Event Triggered Execution: LC_LOAD_DYLIB Addition
  641. Establish Accounts: Social Media Accounts
  642. Event Triggered Execution: Accessibility Features
  643. Create or Modify System Process
  644. System Information Discovery
  645. Masquerading: Match Legitimate Name or Location
  646. Acquire Infrastructure: Botnet
  647. Gather Victim Host Information: Firmware
  648. Hijack Execution Flow: Dylib Hijacking
  649. Pre-OS Boot
  650. Pre-OS Boot: Bootkit
  651. Exploitation for Defense Evasion
  652. Process Injection: Proc Memory
  653. Network Denial of Service: Direct Network Flood
  654. Masquerading
  655. Indicator Removal: Clear Network Connection History and Configurations
  656. Device Driver Discovery
  657. Stage Capabilities: Upload Tool