MITRE ATT&CK Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.

Format: Size

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

Disk Wipe: Disk Structure Wipe
Masquerading: Double File Extension
Process Injection: VDSO Hijacking
Stage Capabilities: Link Target
Weaken Encryption
Container and Resource Discovery
Command and Scripting Interpreter: Visual Basic
Establish Accounts
Steal or Forge Kerberos Tickets: Kerberoasting
Data Manipulation: Transmitted Data Manipulation
Office Application Startup: Outlook Home Page
Search Open Technical Databases: Scan Databases
Stage Capabilities
Command and Scripting Interpreter: AppleScript
Escape to Host
Active Scanning: Wordlist Scanning
Abuse Elevation Control Mechanism: Bypass User Account Control
Subvert Trust Controls
System Script Proxy Execution: SyncAppvPublishingServer
Impair Defenses: Disable or Modify System Firewall
System Script Proxy Execution
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Peripheral Device Discovery
Account Discovery: Cloud Account
Use Alternate Authentication Material
System Binary Proxy Execution
Impair Defenses: Disable or Modify Cloud Firewall
Hijack Execution Flow: Dylib Hijacking
Acquire Infrastructure: Virtual Private Server
Masquerading: Masquerade File Type
Obtain Capabilities
Input Capture
Implant Internal Image
Firmware Corruption
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Hide Artifacts
Modify Authentication Process: Hybrid Identity
Access Token Manipulation: SID-History Injection
Modify Authentication Process: Multi-Factor Authentication
Resource Hijacking: Bandwidth Hijacking
Server Software Component
Unsecured Credentials: Cloud Instance Metadata API
Steal or Forge Kerberos Tickets: Golden Ticket
Execution Guardrails: Mutual Exclusion
Weaken Encryption: Reduce Key Space
Scheduled Task/Job: Cron
Group Policy Discovery
OS Credential Dumping: NTDS
Hide Artifacts: Hidden Files and Directories
Active Scanning
System Services: Launchctl
Process Injection: Thread Execution Hijacking
Event Triggered Execution: Installer Packages
Hijack Execution Flow: DLL Side-Loading
Phishing for Information
Automated Exfiltration
System Location Discovery
Credentials from Password Stores: Windows Credential Manager
Traffic Signaling: Port Knocking
Data from Information Repositories: Sharepoint
Process Injection: Thread Local Storage
Native API
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Scheduled Transfer
Compromise Infrastructure: Network Devices
Boot or Logon Initialization Scripts
Hardware Additions
Content Injection
Unsecured Credentials: Group Policy Preferences
Boot or Logon Autostart Execution: Port Monitors
Valid Accounts: Local Accounts
Obtain Capabilities: Malware
Serverless Execution
Brute Force: Password Guessing
Forced Authentication
Obfuscated Files or Information: Command Obfuscation
Modify Cloud Compute Infrastructure: Create Snapshot
Data Encrypted for Impact
Data Encoding: Non-Standard Encoding
Hide Artifacts: Resource Forking
System Binary Proxy Execution: Msiexec
Encrypted Channel: Symmetric Cryptography
Search Closed Sources: Threat Intel Vendors
Proxy
Application Layer Protocol: Web Protocols
Resource Hijacking: SMS Pumping
Hide Artifacts: Hidden Users
Boot or Logon Initialization Scripts: Login Hook
Indicator Removal: Clear Linux or Mac System Logs
Indicator Removal: File Deletion
Log Enumeration
Web Service: One-Way Communication
Non-Standard Port
Impair Defenses: Safe Mode Boot
Gather Victim Host Information: Client Configurations
Search Open Technical Databases: CDNs
Account Discovery: Domain Account
Obtain Capabilities: Exploits
Ingress Tool Transfer
Create or Modify System Process: Launch Daemon
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Gather Victim Network Information: IP Addresses
Indicator Removal
Proxy: Internal Proxy
Account Manipulation: Device Registration
Boot or Logon Initialization Scripts: Network Logon Script
Data Staged: Local Data Staging
Gather Victim Network Information: Domain Properties
Taint Shared Content
Masquerading: Rename System Utilities
Data Obfuscation: Junk Data
Boot or Logon Autostart Execution: Winlogon Helper DLL
Drive-by Compromise
Multi-Factor Authentication Interception
Hide Artifacts: Run Virtual Instance
Compromise Infrastructure: Virtual Private Server
Remote Service Session Hijacking
Data Encoding
Weaken Encryption: Disable Crypto Hardware
Modify Authentication Process: Pluggable Authentication Modules
Remote Services: VNC
Data from Information Repositories: Confluence
Permission Groups Discovery
OS Credential Dumping: LSASS Memory
Exploitation for Credential Access
Compromise Infrastructure: Server
Command and Scripting Interpreter: Cloud API
Gather Victim Org Information: Identify Roles
Modify Registry
Obfuscated Files or Information: Binary Padding
Archive Collected Data
Hide Artifacts: File/Path Exclusions
Office Application Startup: Office Test
System Information Discovery
Access Token Manipulation
Boot or Logon Autostart Execution: Active Setup
Stage Capabilities: Drive-by Target
Event Triggered Execution: Accessibility Features
Office Application Startup: Add-ins
Phishing: Spearphishing via Service
Obfuscated Files or Information: Indicator Removal from Tools
Office Application Startup: Outlook Rules
Account Manipulation: Additional Container Cluster Roles
Inter-Process Communication: Component Object Model
Server Software Component: Web Shell
Indirect Command Execution
Masquerading: Invalid Code Signature
Automated Collection
Browser Extensions
Compromise Infrastructure: Serverless
Rootkit
Email Collection: Local Email Collection
Account Manipulation
Indicator Removal: Timestomp
Process Injection
Abuse Elevation Control Mechanism
Obfuscated Files or Information: Polymorphic Code
Remote Services: Windows Remote Management
Modify Authentication Process: Reversible Encryption
Search Open Technical Databases
System Binary Proxy Execution: MMC
Application Layer Protocol: Publish/Subscribe Protocols
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Gather Victim Network Information
System Location Discovery: System Language Discovery
Domain or Tenant Policy Modification: Group Policy Modification
Network Denial of Service
Search Open Technical Databases: Digital Certificates
Network Boundary Bridging
Data from Information Repositories: Code Repositories
Brute Force: Credential Stuffing
Hide Artifacts: Ignore Process Interrupts
Domain or Tenant Policy Modification: Trust Modification
Gather Victim Network Information: Network Trust Dependencies
Container Administration Command
Hijack Execution Flow: Path Interception by Search Order Hijacking
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Supply Chain Compromise: Compromise Hardware Supply Chain
Account Access Removal
Hide Artifacts: Hidden File System
Server Software Component: Terminal Services DLL
System Binary Proxy Execution: InstallUtil
Modify System Image: Downgrade System Image
System Binary Proxy Execution: Electron Applications
Boot or Logon Autostart Execution: Time Providers
Inter-Process Communication: XPC Services
Endpoint Denial of Service: Service Exhaustion Flood
Account Discovery: Email Account
Multi-Stage Channels
Permission Groups Discovery: Domain Groups
Proxy: Domain Fronting
Phishing for Information: Spearphishing Link
Search Open Websites/Domains
Impair Defenses: Downgrade Attack
Process Discovery
Search Open Technical Databases: WHOIS
Phishing
Web Service
Endpoint Denial of Service: OS Exhaustion Flood
Unsecured Credentials: Container API
name
Resource Hijacking: Cloud Service Hijacking
OS Credential Dumping: DCSync
Archive Collected Data: Archive via Library
Application Layer Protocol: File Transfer Protocols
Modify Authentication Process
Valid Accounts: Domain Accounts
Establish Accounts: Social Media Accounts
System Script Proxy Execution: PubPrn
Acquire Infrastructure: Serverless
Acquire Infrastructure: Server
Inter-Process Communication: Dynamic Data Exchange
Encrypted Channel: Asymmetric Cryptography
Trusted Developer Utilities Proxy Execution: MSBuild
Search Victim-Owned Websites
Forge Web Credentials: SAML Tokens
Unsecured Credentials: Credentials in Registry
Hijack Execution Flow: Services File Permissions Weakness
Gather Victim Host Information: Firmware
Dynamic Resolution: Domain Generation Algorithms
Boot or Logon Initialization Scripts: RC Scripts
Event Triggered Execution: Udev Rules
Hijack Execution Flow: Executable Installer File Permissions Weakness
Data Destruction: Lifecycle-Triggered Deletion
Exfiltration Over Web Service: Exfiltration to Code Repository
Data from Configuration Repository: Network Device Configuration Dump
Access Token Manipulation: Make and Impersonate Token
Boot or Logon Autostart Execution: LSASS Driver
Data Manipulation
Resource Hijacking: Compute Hijacking
Masquerading: Masquerade Account Name
Network Service Discovery
File and Directory Discovery
Indicator Removal: Clear Persistence
Gather Victim Host Information: Hardware
Financial Theft
Gather Victim Identity Information: Employee Names
Process Injection: Extra Window Memory Injection
Process Injection: Ptrace System Calls
Permission Groups Discovery: Local Groups
User Execution: Malicious Image
Virtualization/Sandbox Evasion: System Checks
Indicator Removal: Network Share Connection Removal
Server Software Component: Transport Agent
Automated Exfiltration: Traffic Duplication
System Binary Proxy Execution: Mavinject
System Binary Proxy Execution: Regsvr32
Browser Information Discovery
Masquerading: Right-to-Left Override
Service Stop
Unsecured Credentials: Credentials In Files
Data Encoding: Standard Encoding
Lateral Tool Transfer
Cloud Storage Object Discovery
Compromise Infrastructure: DNS Server
Inter-Process Communication
Dynamic Resolution: DNS Calculation
Masquerading: Masquerade Task or Service
Remote Services: Distributed Component Object Model
Hijack Execution Flow: Path Interception by PATH Environment Variable
Account Manipulation: Additional Email Delegate Permissions
Develop Capabilities: Digital Certificates
Hide Infrastructure
Event Triggered Execution: Trap
Application Layer Protocol
Hide Artifacts: Process Argument Spoofing
Data Obfuscation
Obfuscated Files or Information
Defacement: Internal Defacement
Impair Defenses: Indicator Blocking
System Network Configuration Discovery
Data Staged: Remote Data Staging
Data Obfuscation: Steganography
Boot or Logon Autostart Execution: Authentication Package
Clipboard Data
Acquire Infrastructure: Botnet
Compromise Infrastructure: Web Services
Software Discovery
Phishing: Spearphishing Attachment
Compromise Accounts: Cloud Accounts
Software Discovery: Security Software Discovery
Credentials from Password Stores: Credentials from Web Browsers
Virtualization/Sandbox Evasion: User Activity Based Checks
Non-Application Layer Protocol
Hijack Execution Flow: Dynamic Linker Hijacking
Hide Artifacts: Hidden Window
Email Collection: Email Forwarding Rule
Deploy Container
Search Open Technical Databases: DNS/Passive DNS
Stage Capabilities: Upload Malware
Impair Defenses
Create or Modify System Process
Steal or Forge Kerberos Tickets
Execution Guardrails: Environmental Keying
Search Closed Sources
Compromise Accounts: Social Media Accounts
Event Triggered Execution: PowerShell Profile
Input Capture: Web Portal Capture
Defacement
Command and Scripting Interpreter: Python
Obtain Capabilities: Code Signing Certificates
Acquire Infrastructure: Malvertising
Data Destruction
Cloud Service Dashboard
Input Capture: GUI Input Capture
Scheduled Task/Job: Systemd Timers
Subvert Trust Controls: SIP and Trust Provider Hijacking
Obfuscated Files or Information: LNK Icon Smuggling
Encrypted Channel
Traffic Signaling: Socket Filters
Supply Chain Compromise
Trusted Developer Utilities Proxy Execution
Cloud Infrastructure Discovery
Search Open Websites/Domains: Social Media
Indicator Removal: Relocate Malware
Valid Accounts
Adversary-in-the-Middle: DHCP Spoofing
Process Injection: Process Doppelgänging
Stage Capabilities: Install Digital Certificate
Develop Capabilities
Server Software Component: IIS Components
Cloud Service Discovery
Permission Groups Discovery: Cloud Groups
Hijack Execution Flow
Event Triggered Execution: Unix Shell Configuration Modification
Inhibit System Recovery
Fallback Channels
XSL Script Processing
Boot or Logon Initialization Scripts: Logon Script (Windows)
Account Manipulation: Additional Cloud Credentials
Subvert Trust Controls: Code Signing
Unsecured Credentials: Bash History
Data Staged
Query Registry
Reflective Code Loading
Develop Capabilities: Malware
Template Injection
Defacement: External Defacement
Event Triggered Execution: Screensaver
Remote Services: SMB/Windows Admin Shares
Virtualization/Sandbox Evasion: Time Based Evasion
Hijack Execution Flow: KernelCallbackTable
Command and Scripting Interpreter: PowerShell
Create Account: Domain Account
System Time Discovery
System Binary Proxy Execution: Rundll32
Masquerading: Match Legitimate Name or Location
Develop Capabilities: Code Signing Certificates
Dynamic Resolution: Fast Flux DNS
Rogue Domain Controller
Boot or Logon Autostart Execution: XDG Autostart Entries
Command and Scripting Interpreter: AutoHotKey & AutoIT
Credentials from Password Stores: Keychain
System Binary Proxy Execution: Regsvcs/Regasm
Email Collection
Process Injection: Dynamic-link Library Injection
Pre-OS Boot: System Firmware
Command and Scripting Interpreter: Unix Shell
Acquire Infrastructure: Web Services
Create or Modify System Process: Container Service
Modify Authentication Process: Password Filter DLL
Remote Services: Remote Desktop Protocol
Modify Authentication Process: Conditional Access Policies
Phishing: Spearphishing Link
Exfiltration Over C2 Channel
Cloud Administration Command
Create Account: Local Account
Steal or Forge Kerberos Tickets: AS-REP Roasting
Data from Cloud Storage
Data from Information Repositories
Event Triggered Execution: AppInit DLLs
Boot or Logon Autostart Execution: Re-opened Applications
Active Scanning: Vulnerability Scanning
OS Credential Dumping: Security Account Manager
Remote Services: Direct Cloud VM Connections
Modify Authentication Process: Network Provider DLL
System Binary Proxy Execution: Odbcconf
Data from Network Shared Drive
Data Transfer Size Limits
Virtualization/Sandbox Evasion
OS Credential Dumping: Proc Filesystem
Search Open Websites/Domains: Code Repositories
Impair Defenses: Disable or Modify Tools
Exfiltration Over Physical Medium
Stage Capabilities: Upload Tool
Process Injection: Process Hollowing
Credentials from Password Stores: Password Managers
Create or Modify System Process: Systemd Service
Abuse Elevation Control Mechanism: Setuid and Setgid
Compromise Accounts
Input Capture: Credential API Hooking
Exploitation for Defense Evasion
Network Boundary Bridging: Network Address Translation Traversal
System Shutdown/Reboot
Supply Chain Compromise: Compromise Software Supply Chain
Boot or Logon Autostart Execution: Login Items
Abuse Elevation Control Mechanism: TCC Manipulation
Deobfuscate/Decode Files or Information
Remote Service Session Hijacking: SSH Hijacking
System Binary Proxy Execution: Mshta
Data from Information Repositories: Customer Relationship Management Software
Exploit Public-Facing Application
Pre-OS Boot: ROMMONkit
Obfuscated Files or Information: Fileless Storage
Account Discovery: Local Account
Phishing: Spearphishing Voice
Subvert Trust Controls: Code Signing Policy Modification
Traffic Signaling
External Remote Services
Hijack Execution Flow: Services Registry Permissions Weakness
Acquire Access
Event Triggered Execution: Image File Execution Options Injection
System Services: Service Execution
Account Manipulation: Additional Cloud Roles
Process Injection: Proc Memory
Gather Victim Org Information: Determine Physical Locations
Exfiltration Over Physical Medium: Exfiltration over USB
Device Driver Discovery
Compromise Infrastructure: Botnet
Obtain Capabilities: Digital Certificates
Data from Configuration Repository
Office Application Startup: Outlook Forms
Remote Services: Cloud Services
Indicator Removal: Clear Network Connection History and Configurations
Establish Accounts: Email Accounts
Data Manipulation: Stored Data Manipulation
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Gather Victim Identity Information: Email Addresses
Masquerading: Space after Filename
Network Sniffing
Subvert Trust Controls: Install Root Certificate
Obtain Capabilities: Tool
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Protocol Tunneling
Access Token Manipulation: Token Impersonation/Theft
User Execution: Malicious Link
Brute Force
Modify Cloud Compute Infrastructure: Create Cloud Instance
Subvert Trust Controls: Mark-of-the-Web Bypass
Adversary-in-the-Middle
Event Triggered Execution
Input Capture: Keylogging
Endpoint Denial of Service
Hide Artifacts: Email Hiding Rules
Event Triggered Execution: Application Shimming
Domain or Tenant Policy Modification
Compromise Infrastructure: Domains
Impair Defenses: Disable or Modify Cloud Logs
Data from Configuration Repository: SNMP (MIB Dump)
File and Directory Permissions Modification
OS Credential Dumping
Process Injection: Portable Executable Injection
Indicator Removal: Clear Mailbox Data
Shared Modules
Exploitation of Remote Services
Masquerading: Break Process Trees
System Network Configuration Discovery: Internet Connection Discovery
Account Manipulation: Additional Local or Domain Groups
Event Triggered Execution: Change Default File Association
Obtain Capabilities: Vulnerabilities
Steal or Forge Kerberos Tickets: Ccache Files
Modify Cloud Resource Hierarchy
Use Alternate Authentication Material: Pass the Hash
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Credentials from Password Stores: Cloud Secrets Management Stores
Exploitation for Privilege Escalation
OS Credential Dumping: /etc/passwd and /etc/shadow
Gather Victim Identity Information
Debugger Evasion
Server Software Component: SQL Stored Procedures
Obfuscated Files or Information: Dynamic API Resolution
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Archive Collected Data: Archive via Utility
Trusted Relationship
Gather Victim Host Information
Search Open Websites/Domains: Search Engines
Video Capture
Brute Force: Password Spraying
Compromise Accounts: Email Accounts
Data from Local System
Create or Modify System Process: Launch Agent
Email Collection: Remote Email Collection
Event Triggered Execution: Emond
Account Discovery
Use Alternate Authentication Material: Application Access Token
OS Credential Dumping: LSA Secrets
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Pre-OS Boot: TFTP Boot
Network Share Discovery
Command and Scripting Interpreter
System Service Discovery
Establish Accounts: Cloud Accounts
Data from Removable Media
Data from Information Repositories: Messaging Applications
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Remote System Discovery
System Network Connections Discovery
Data Manipulation: Runtime Data Manipulation
Gather Victim Network Information: Network Topology
Use Alternate Authentication Material: Pass the Ticket
Command and Scripting Interpreter: Network Device CLI
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Endpoint Denial of Service: Application or System Exploitation
Unsecured Credentials: Chat Messages
Obfuscated Files or Information: HTML Smuggling
Steal Application Access Token
Steal Web Session Cookie
User Execution: Malicious File
Remote Service Session Hijacking: RDP Hijacking
Stage Capabilities: SEO Poisoning
Proxy: External Proxy
System Binary Proxy Execution: CMSTP
Boot or Logon Autostart Execution: Print Processors
Scheduled Task/Job: Container Orchestration Job
Password Policy Discovery
Obtain Capabilities: Artificial Intelligence
Hijack Execution Flow: Path Interception by Unquoted Path
Event Triggered Execution: AppCert DLLs
Gather Victim Org Information: Identify Business Tempo
Web Service: Bidirectional Communication
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Disk Wipe: Disk Content Wipe
Software Deployment Tools
Forge Web Credentials
Use Alternate Authentication Material: Web Session Cookie
Build Image on Host
Indicator Removal: Clear Windows Event Logs
Valid Accounts: Default Accounts
Credentials from Password Stores: Securityd Memory
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Impair Defenses: Disable or Modify Linux Audit System
Access Token Manipulation: Parent PID Spoofing
System Owner/User Discovery
Develop Capabilities: Exploits
Steal or Forge Kerberos Tickets: Silver Ticket
Network Denial of Service: Direct Network Flood
Scheduled Task/Job: At
Office Application Startup
Unsecured Credentials: Private Keys
Phishing for Information: Spearphishing Voice
Compromise Host Software Binary
Create or Modify System Process: Windows Service
Phishing for Information: Spearphishing Attachment
Proxy: Multi-hop Proxy
Data Obfuscation: Protocol or Service Impersonation
Scheduled Task/Job
Gather Victim Host Information: Software
Archive Collected Data: Archive via Custom Method
Pre-OS Boot
Impair Defenses: Disable Windows Event Logging
Compromise Infrastructure
Browser Session Hijacking
Hijack Execution Flow: AppDomainManager
Windows Management Instrumentation
Process Injection: Asynchronous Procedure Call
Unsecured Credentials
Domain Trust Discovery
Command and Scripting Interpreter: JavaScript
Endpoint Denial of Service: Application Exhaustion Flood
Power Settings
Acquire Infrastructure: DNS Server
Command and Scripting Interpreter: Lua
Boot or Logon Initialization Scripts: Startup Items
Unused/Unsupported Cloud Regions
Masquerading
Obfuscated Files or Information: Steganography
Scheduled Task/Job: Scheduled Task
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Acquire Infrastructure
Impair Defenses: Spoof Security Alerting
Process Injection: ListPlanting
Obfuscated Files or Information: Software Packing
Modify Authentication Process: Network Device Authentication
Indicator Removal: Clear Command History
System Binary Proxy Execution: Verclsid
System Services
Hijack Execution Flow: COR_PROFILER
Replication Through Removable Media
Phishing for Information: Spearphishing Service
Credentials from Password Stores
Active Scanning: Scanning IP Blocks
Exfiltration Over Web Service
Event Triggered Execution: Component Object Model Hijacking
Trusted Developer Utilities Proxy Execution: ClickOnce
System Network Configuration Discovery: Wi-Fi Discovery
Dynamic Resolution
Command and Scripting Interpreter: Windows Command Shell
Multi-Factor Authentication Request Generation
Gather Victim Org Information: Business Relationships
Plist File Modification
Boot or Logon Autostart Execution: Shortcut Modification
Modify System Image
Obfuscated Files or Information: Embedded Payloads
Obfuscated Files or Information: Stripped Payloads
Steal or Forge Authentication Certificates
Transfer Data to Cloud Account
Gather Victim Identity Information: Credentials
Impersonation
Subvert Trust Controls: Gatekeeper Bypass
Gather Victim Org Information
Network Denial of Service: Reflection Amplification
Audio Capture
Screen Capture
Impair Defenses: Impair Command History Logging
Gather Victim Network Information: DNS
Direct Volume Access
Exfiltration Over Alternative Protocol
Forge Web Credentials: Web Cookies
Modify Authentication Process: Domain Controller Authentication
OS Credential Dumping: Cached Domain Credentials
Boot or Logon Autostart Execution
Remote Services: SSH
Event Triggered Execution: Windows Management Instrumentation Event Subscription
System Binary Proxy Execution: Control Panel
Application Window Discovery
Adversary-in-the-Middle: ARP Cache Poisoning
Valid Accounts: Cloud Accounts
Exfiltration Over Web Service: Exfiltration Over Webhook
Execution Guardrails
Modify System Image: Patch System Image
Search Closed Sources: Purchase Technical Data
Disk Wipe
Brute Force: Password Cracking
Communication Through Removable Media
Event Triggered Execution: LC_LOAD_DYLIB Addition
Gather Victim Network Information: Network Security Appliances
User Execution
Exfiltration Over Other Network Medium
Exploitation for Client Execution
System Binary Proxy Execution: Compiled HTML File
Pre-OS Boot: Bootkit
Account Manipulation: SSH Authorized Keys
Hide Artifacts: VBA Stomping
Access Token Manipulation: Create Process with Token
Obfuscated Files or Information: Encrypted/Encoded File
Acquire Infrastructure: Domains
Application Layer Protocol: Mail Protocols
Event Triggered Execution: Netsh Helper DLL
Hijack Execution Flow: DLL Search Order Hijacking
Web Service: Dead Drop Resolver
Office Application Startup: Office Template Macros
Remote Services
Internal Spearphishing
Create Account: Cloud Account
Create Account
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Resource Hijacking
Boot or Logon Autostart Execution: Security Support Provider
Modify Cloud Compute Infrastructure
Application Layer Protocol: DNS
Adversary-in-the-Middle: Evil Twin
Pre-OS Boot: Component Firmware
BITS Jobs
Obfuscated Files or Information: Compile After Delivery
Hide Artifacts: NTFS File Attributes
Remote Access Software