Trusted Developer Utilities Proxy Execution: ClickOnce
Email Collection: Remote Email Collection
Account Discovery: Domain Account
Impair Defenses: Impair Command History Logging
System Service Discovery
Gather Victim Host Information
Inter-Process Communication: Dynamic Data Exchange
Proxy: Domain Fronting
Masquerading: Masquerade Account Name
Permission Groups Discovery
Boot or Logon Autostart Execution
Supply Chain Compromise: Compromise Hardware Supply Chain
Domain or Tenant Policy Modification: Trust Modification
Software Deployment Tools
Steal Application Access Token
System Network Configuration Discovery: Wi-Fi Discovery
Domain or Tenant Policy Modification
Hijack Execution Flow: Path Interception by Unquoted Path
Modify Cloud Resource Hierarchy
Command and Scripting Interpreter: AppleScript
Gather Victim Host Information: Client Configurations
Content Injection
Steal or Forge Kerberos Tickets
Obfuscated Files or Information: Software Packing
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Email Collection
Masquerading: Right-to-Left Override
Command and Scripting Interpreter: JavaScript
Data Destruction
External Remote Services
Hijack Execution Flow: Dylib Hijacking
Process Injection: Process Doppelgänging
Search Open Technical Databases: Scan Databases
Obtain Capabilities: Code Signing Certificates
Hijack Execution Flow
Transfer Data to Cloud Account
Impair Defenses: Indicator Blocking
Event Triggered Execution: PowerShell Profile
Obfuscated Files or Information: LNK Icon Smuggling
Process Injection: Extra Window Memory Injection
Masquerading
Credentials from Password Stores: Keychain
Network Share Discovery
Obfuscated Files or Information: HTML Smuggling
Log Enumeration
Abuse Elevation Control Mechanism: Setuid and Setgid
Credentials from Password Stores: Credentials from Web Browsers
Stage Capabilities: Install Digital Certificate
Input Capture: Web Portal Capture
Subvert Trust Controls: Code Signing
Unsecured Credentials: Container API
Unsecured Credentials: Credentials in Registry
Process Injection: ListPlanting
Indicator Removal: Network Share Connection Removal
System Script Proxy Execution: SyncAppvPublishingServer
Adversary-in-the-Middle: ARP Cache Poisoning
Scheduled Task/Job: Scheduled Task
Acquire Infrastructure: Botnet
Account Manipulation
Pre-OS Boot: Bootkit
Event Triggered Execution: AppCert DLLs
Acquire Infrastructure: Serverless
System Binary Proxy Execution: InstallUtil
System Binary Proxy Execution: Control Panel
Obfuscated Files or Information: Polymorphic Code
System Binary Proxy Execution: Regsvr32
Endpoint Denial of Service: Application Exhaustion Flood
Acquire Infrastructure: Malvertising
Hijack Execution Flow: KernelCallbackTable
Remote Access Software
Adversary-in-the-Middle
Indicator Removal: Clear Persistence
Network Boundary Bridging
Adversary-in-the-Middle: DHCP Spoofing
Gather Victim Identity Information
Hide Artifacts: Hidden Window
Template Injection
Modify Authentication Process: Reversible Encryption
System Services: Service Execution
Boot or Logon Autostart Execution: Print Processors
File and Directory Permissions Modification
Multi-Factor Authentication Request Generation
Search Open Technical Databases: CDNs
Gather Victim Network Information: Network Security Appliances
Permission Groups Discovery: Cloud Groups
Search Open Technical Databases: WHOIS
Query Registry
Indicator Removal
Network Service Discovery
Boot or Logon Autostart Execution: Re-opened Applications
Remote Service Session Hijacking: RDP Hijacking
Office Application Startup
Search Closed Sources
Group Policy Discovery
Hijack Execution Flow: AppDomainManager
Event Triggered Execution: Accessibility Features
Create or Modify System Process: Container Service
Gather Victim Network Information: IP Addresses
Forced Authentication
Boot or Logon Autostart Execution: Time Providers
Indicator Removal: Clear Network Connection History and Configurations
Scheduled Task/Job: Cron
Search Closed Sources: Purchase Technical Data
System Binary Proxy Execution: Odbcconf
Hide Artifacts: Hidden Files and Directories
Gather Victim Network Information: Network Trust Dependencies
Software Discovery
Gather Victim Org Information: Business Relationships
Account Discovery: Cloud Account
System Binary Proxy Execution: Rundll32
Peripheral Device Discovery
Indicator Removal: Clear Command History
Application Layer Protocol
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Remote Service Session Hijacking: SSH Hijacking
Exfiltration Over Physical Medium: Exfiltration over USB
Obfuscated Files or Information: Binary Padding
Web Service: One-Way Communication
Unsecured Credentials: Group Policy Preferences
Gather Victim Identity Information: Email Addresses
Exploitation for Client Execution
Valid Accounts: Domain Accounts
Data from Configuration Repository
Archive Collected Data: Archive via Library
Masquerading: Double File Extension
System Location Discovery
Data from Information Repositories: Code Repositories
Active Scanning: Wordlist Scanning
Search Open Technical Databases
Acquire Infrastructure
Office Application Startup: Outlook Home Page
Search Open Technical Databases: DNS/Passive DNS
Disk Wipe: Disk Content Wipe
Credentials from Password Stores
Stage Capabilities: Upload Malware
Encrypted Channel: Symmetric Cryptography
Office Application Startup: Office Template Macros
Brute Force: Credential Stuffing
Hijack Execution Flow: COR_PROFILER
System Binary Proxy Execution: Verclsid
Use Alternate Authentication Material: Pass the Hash
Modify Authentication Process: Multi-Factor Authentication
Resource Hijacking
Gather Victim Network Information: Domain Properties
System Binary Proxy Execution: Electron Applications
Data Transfer Size Limits
Unsecured Credentials: Cloud Instance Metadata API
Phishing for Information: Spearphishing Attachment
Automated Exfiltration
Boot or Logon Autostart Execution: Login Items
Stage Capabilities: Upload Tool
Acquire Infrastructure: Server
Input Capture: GUI Input Capture
Subvert Trust Controls: SIP and Trust Provider Hijacking
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Resource Hijacking: Cloud Service Hijacking
Impair Defenses: Disable or Modify Tools
Office Application Startup: Outlook Forms
Data from Cloud Storage
Cloud Infrastructure Discovery
Deobfuscate/Decode Files or Information
System Binary Proxy Execution: MMC
Brute Force
Remote Services: Direct Cloud VM Connections
Shared Modules
Develop Capabilities: Exploits
Event Triggered Execution: AppInit DLLs
Server Software Component: SQL Stored Procedures
Process Injection: Portable Executable Injection
Process Injection: Dynamic-link Library Injection
Command and Scripting Interpreter: Unix Shell
Hide Artifacts: Hidden Users
Virtualization/Sandbox Evasion: Time Based Evasion
Masquerading: Masquerade Task or Service
Exploit Public-Facing Application
Network Sniffing
Modify Authentication Process: Domain Controller Authentication
Account Manipulation: Additional Local or Domain Groups
System Network Configuration Discovery: Internet Connection Discovery
Indicator Removal: Clear Mailbox Data
Obfuscated Files or Information: Fileless Storage
Obfuscated Files or Information: Encrypted/Encoded File
Search Open Websites/Domains: Code Repositories
Remote Services: Distributed Component Object Model
OS Credential Dumping: Security Account Manager
Unsecured Credentials: Bash History
Scheduled Transfer
Account Manipulation: Additional Email Delegate Permissions
Escape to Host
Impair Defenses
Indicator Removal: Clear Linux or Mac System Logs
Exploitation of Remote Services
Server Software Component: Web Shell
Event Triggered Execution: Trap
Event Triggered Execution: Component Object Model Hijacking
Compromise Host Software Binary
Phishing for Information: Spearphishing Service
Modify System Image: Patch System Image
System Location Discovery: System Language Discovery
Event Triggered Execution: Screensaver
Data from Information Repositories: Confluence
Forge Web Credentials: Web Cookies
User Execution
Valid Accounts: Local Accounts
Replication Through Removable Media
Data Encoding
System Binary Proxy Execution: Mavinject
Unused/Unsupported Cloud Regions
Command and Scripting Interpreter: Windows Command Shell
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Event Triggered Execution: Emond
Credentials from Password Stores: Cloud Secrets Management Stores
Internal Spearphishing
Permission Groups Discovery: Local Groups
Phishing
Hide Artifacts: Ignore Process Interrupts
Account Manipulation: Additional Cloud Roles
Proxy: Internal Proxy
Archive Collected Data: Archive via Utility
Acquire Access
Input Capture: Credential API Hooking
Compromise Accounts: Email Accounts
Stage Capabilities: Drive-by Target
Exploitation for Credential Access
Modify Cloud Compute Infrastructure: Create Cloud Instance
Implant Internal Image
Virtualization/Sandbox Evasion: User Activity Based Checks
Exfiltration Over Alternative Protocol
Inhibit System Recovery
Develop Capabilities: Digital Certificates
Cloud Storage Object Discovery
Non-Application Layer Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Resource Hijacking: Bandwidth Hijacking
Create or Modify System Process: Launch Daemon
Dynamic Resolution: Domain Generation Algorithms
Server Software Component: IIS Components
Network Denial of Service
Stage Capabilities: Link Target
OS Credential Dumping: NTDS
Audio Capture
Use Alternate Authentication Material: Web Session Cookie
Boot or Logon Initialization Scripts: Login Hook
Event Triggered Execution: Application Shimming
Data Manipulation: Runtime Data Manipulation
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Hide Artifacts: File/Path Exclusions
Process Discovery
Scheduled Task/Job
Trusted Developer Utilities Proxy Execution
Compromise Infrastructure: Web Services
Gather Victim Network Information: DNS
Application Layer Protocol: File Transfer Protocols
Valid Accounts: Cloud Accounts
Communication Through Removable Media
Credentials from Password Stores: Windows Credential Manager
Remote Services: SSH
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Multi-Factor Authentication Interception
User Execution: Malicious File
Trusted Relationship
Resource Hijacking: Compute Hijacking
Create Account: Local Account
Data from Information Repositories: Customer Relationship Management Software
Encrypted Channel: Asymmetric Cryptography
Active Scanning: Scanning IP Blocks
Remote Services: SMB/Windows Admin Shares
Boot or Logon Autostart Execution: Winlogon Helper DLL
System Binary Proxy Execution
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
File and Directory Discovery
Brute Force: Password Spraying
Data from Local System
Create Account: Cloud Account
System Services: Launchctl
Exploitation for Privilege Escalation
Use Alternate Authentication Material
Event Triggered Execution: Change Default File Association
Compromise Infrastructure: Botnet
Unsecured Credentials
Data Encrypted for Impact
Search Open Websites/Domains
Network Denial of Service: Reflection Amplification
User Execution: Malicious Image
Dynamic Resolution: Fast Flux DNS
Obfuscated Files or Information: Compile After Delivery
Abuse Elevation Control Mechanism: TCC Manipulation
Data from Configuration Repository: Network Device Configuration Dump
Server Software Component: Transport Agent
System Network Configuration Discovery
Data Manipulation: Stored Data Manipulation
Boot or Logon Initialization Scripts: RC Scripts
Input Capture: Keylogging
Exfiltration Over C2 Channel
Obtain Capabilities: Digital Certificates
Hijack Execution Flow: Services File Permissions Weakness
Gather Victim Host Information: Firmware
Data Obfuscation: Steganography
Endpoint Denial of Service
Cloud Service Dashboard
Create or Modify System Process: Systemd Service
Develop Capabilities: Code Signing Certificates
System Script Proxy Execution
Compromise Infrastructure: Serverless
Impair Defenses: Spoof Security Alerting
OS Credential Dumping: /etc/passwd and /etc/shadow
System Services
Scheduled Task/Job: Systemd Timers
Container and Resource Discovery
Boot or Logon Autostart Execution: Active Setup
Use Alternate Authentication Material: Pass the Ticket
Access Token Manipulation: Create Process with Token
Boot or Logon Autostart Execution: Security Support Provider
Subvert Trust Controls: Install Root Certificate
Inter-Process Communication
Process Injection: Process Hollowing
Forge Web Credentials: SAML Tokens
Obfuscated Files or Information: Embedded Payloads
Password Policy Discovery
Server Software Component: Terminal Services DLL
Protocol Tunneling
Obfuscated Files or Information: Dynamic API Resolution
Credentials from Password Stores: Securityd Memory
Command and Scripting Interpreter: PowerShell
Office Application Startup: Add-ins
Automated Exfiltration: Traffic Duplication
Gather Victim Identity Information: Credentials
Boot or Logon Initialization Scripts
Application Layer Protocol: Mail Protocols
Hide Artifacts: Process Argument Spoofing
Steal or Forge Kerberos Tickets: Ccache Files
Modify Authentication Process: Password Filter DLL
Event Triggered Execution: Installer Packages
Email Collection: Email Forwarding Rule
Modify Authentication Process: Network Provider DLL
Search Open Websites/Domains: Search Engines
Weaken Encryption: Disable Crypto Hardware
Develop Capabilities: Malware
Phishing: Spearphishing Link
Compromise Infrastructure: Virtual Private Server
Application Window Discovery
Data Destruction: Lifecycle-Triggered Deletion
Gather Victim Network Information: Network Topology
Native API
Obtain Capabilities: Tool
Defacement: External Defacement
Weaken Encryption
Hijack Execution Flow: DLL Search Order Hijacking
Command and Scripting Interpreter: Python
Impair Defenses: Disable or Modify System Firewall
Abuse Elevation Control Mechanism: Bypass User Account Control
Abuse Elevation Control Mechanism
Modify System Image: Downgrade System Image
Modify Registry
Phishing for Information
Execution Guardrails: Environmental Keying
Indicator Removal: Clear Windows Event Logs
Impair Defenses: Downgrade Attack
Disk Wipe: Disk Structure Wipe
Command and Scripting Interpreter: Network Device CLI
OS Credential Dumping: Cached Domain Credentials
Automated Collection
Office Application Startup: Office Test
Remote Services: Cloud Services
Data Manipulation
Access Token Manipulation: Make and Impersonate Token
Data from Removable Media
Hardware Additions
Web Service
Exfiltration Over Web Service
Gather Victim Org Information: Determine Physical Locations
Compromise Accounts: Social Media Accounts
Access Token Manipulation: Parent PID Spoofing
Scheduled Task/Job: At
Compromise Infrastructure
Device Driver Discovery
Pre-OS Boot: System Firmware
System Binary Proxy Execution: CMSTP
Forge Web Credentials
Impair Defenses: Disable or Modify Cloud Logs
Obfuscated Files or Information: Command Obfuscation
Data Staged: Local Data Staging
BITS Jobs
Create or Modify System Process: Windows Service
Taint Shared Content
Hide Infrastructure
Subvert Trust Controls: Mark-of-the-Web Bypass
Drive-by Compromise
Event Triggered Execution: Unix Shell Configuration Modification
System Owner/User Discovery
Account Discovery: Local Account
Establish Accounts: Email Accounts
Account Manipulation: SSH Authorized Keys
Software Discovery: Security Software Discovery
Develop Capabilities
Pre-OS Boot: Component Firmware
Subvert Trust Controls: Gatekeeper Bypass
Hide Artifacts: Hidden File System
Power Settings
Web Service: Bidirectional Communication
Supply Chain Compromise
Phishing: Spearphishing Attachment
System Shutdown/Reboot
Data Encoding: Standard Encoding
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Search Closed Sources: Threat Intel Vendors
Application Layer Protocol: Publish/Subscribe Protocols
Web Service: Dead Drop Resolver
Command and Scripting Interpreter: AutoHotKey & AutoIT
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Impair Defenses: Disable Windows Event Logging
Non-Standard Port
Indicator Removal: Timestomp
Account Access Removal
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Process Injection
Gather Victim Identity Information: Employee Names
Steal or Forge Kerberos Tickets: Kerberoasting
System Binary Proxy Execution: Regsvcs/Regasm
Data from Configuration Repository: SNMP (MIB Dump)
Active Scanning: Vulnerability Scanning
Gather Victim Org Information: Identify Roles
Credentials from Password Stores: Password Managers
Process Injection: Asynchronous Procedure Call
Boot or Logon Autostart Execution: LSASS Driver
Encrypted Channel
Endpoint Denial of Service: Service Exhaustion Flood
Exfiltration Over Web Service: Exfiltration to Code Repository
Establish Accounts: Social Media Accounts
Plist File Modification
Account Discovery: Email Account
Masquerading: Match Legitimate Name or Location
Exfiltration Over Web Service: Exfiltration Over Webhook
Browser Session Hijacking
Data Obfuscation
Impair Defenses: Disable or Modify Linux Audit System
Data from Information Repositories
Use Alternate Authentication Material: Application Access Token
Obtain Capabilities
System Time Discovery
OS Credential Dumping: Proc Filesystem
Virtualization/Sandbox Evasion
Network Boundary Bridging: Network Address Translation Traversal
Modify System Image
Deploy Container
Reflective Code Loading
Financial Theft
Masquerading: Invalid Code Signature
Remote System Discovery
System Network Connections Discovery
Windows Management Instrumentation
Account Manipulation: Additional Cloud Credentials
Hijack Execution Flow: Services Registry Permissions Weakness
Process Injection: VDSO Hijacking
Modify Authentication Process: Conditional Access Policies
Event Triggered Execution
Search Victim-Owned Websites
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Boot or Logon Autostart Execution: XDG Autostart Entries
Acquire Infrastructure: Virtual Private Server
Obtain Capabilities: Malware
Application Layer Protocol: Web Protocols
Data from Information Repositories: Sharepoint
Impair Defenses: Disable or Modify Cloud Firewall
Access Token Manipulation
Execution Guardrails
Gather Victim Host Information: Software
Indirect Command Execution
Hijack Execution Flow: Dynamic Linker Hijacking
Account Manipulation: Additional Container Cluster Roles
Subvert Trust Controls: Code Signing Policy Modification
Data Obfuscation: Junk Data
Boot or Logon Autostart Execution: Shortcut Modification
Compromise Accounts: Cloud Accounts
Remote Service Session Hijacking
Hijack Execution Flow: Executable Installer File Permissions Weakness
Stage Capabilities
Event Triggered Execution: Udev Rules
Modify Cloud Compute Infrastructure: Create Snapshot
Hijack Execution Flow: DLL Side-Loading
Execution Guardrails: Mutual Exclusion
Obfuscated Files or Information
Lateral Tool Transfer
Firmware Corruption
Data Manipulation: Transmitted Data Manipulation
Remote Services
Pre-OS Boot
Gather Victim Org Information
Indicator Removal: File Deletion
System Information Discovery
Exfiltration Over Other Network Medium
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Clipboard Data
Proxy: External Proxy
System Binary Proxy Execution: Msiexec
Disk Wipe
Dynamic Resolution
Modify Authentication Process: Hybrid Identity
Access Token Manipulation: SID-History Injection
Impersonation
Modify Authentication Process
Browser Information Discovery
Modify Cloud Compute Infrastructure
Unsecured Credentials: Private Keys
Obfuscated Files or Information: Indicator Removal from Tools
Office Application Startup: Outlook Rules
Command and Scripting Interpreter: Lua
Obfuscated Files or Information: Steganography
Hide Artifacts
OS Credential Dumping
Supply Chain Compromise: Compromise Software Supply Chain
Phishing: Spearphishing Voice
Brute Force: Password Cracking
Masquerading: Masquerade File Type
Traffic Signaling: Socket Filters
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Browser Extensions
Remote Services: Windows Remote Management
Brute Force: Password Guessing
Hijack Execution Flow: Path Interception by PATH Environment Variable
Serverless Execution
Acquire Infrastructure: Domains
Endpoint Denial of Service: Application or System Exploitation
Stage Capabilities: SEO Poisoning
Boot or Logon Initialization Scripts: Network Logon Script
Application Layer Protocol: DNS
Gather Victim Host Information: Hardware
Create or Modify System Process: Launch Agent
Pre-OS Boot: ROMMONkit
Masquerading: Break Process Trees
Establish Accounts: Cloud Accounts
Command and Scripting Interpreter
Defacement
Obtain Capabilities: Vulnerabilities
Hide Artifacts: NTFS File Attributes
Boot or Logon Initialization Scripts: Startup Items
Build Image on Host
Domain or Tenant Policy Modification: Group Policy Modification
Weaken Encryption: Reduce Key Space
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Acquire Infrastructure: Web Services
Multi-Stage Channels
System Binary Proxy Execution: Compiled HTML File
Masquerading: Rename System Utilities
Search Open Websites/Domains: Social Media
Traffic Signaling
Email Collection: Local Email Collection
Proxy: Multi-hop Proxy
Event Triggered Execution: Netsh Helper DLL
Phishing for Information: Spearphishing Voice
Container Administration Command
Ingress Tool Transfer
Data from Information Repositories: Messaging Applications
Video Capture
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Steal or Forge Kerberos Tickets: Golden Ticket
Data from Network Shared Drive
Proxy
Hide Artifacts: Email Hiding Rules
Obtain Capabilities: Exploits
Modify Authentication Process: Network Device Authentication
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Scripting Interpreter: Visual Basic
Inter-Process Communication: Component Object Model
Access Token Manipulation: Token Impersonation/Theft
Cloud Service Discovery
Remote Services: Remote Desktop Protocol
Adversary-in-the-Middle: Evil Twin
Steal or Forge Kerberos Tickets: Silver Ticket
Event Triggered Execution: Image File Execution Options Injection
Unsecured Credentials: Chat Messages
Establish Accounts
Steal Web Session Cookie
System Script Proxy Execution: PubPrn
Screen Capture
System Binary Proxy Execution: Mshta
Hijack Execution Flow: Path Interception by Search Order Hijacking
Search Open Technical Databases: Digital Certificates
Debugger Evasion
Pre-OS Boot: TFTP Boot
Defacement: Internal Defacement
Boot or Logon Autostart Execution: Port Monitors
Compromise Infrastructure: Server
Rogue Domain Controller
OS Credential Dumping: DCSync
Data Obfuscation: Protocol or Service Impersonation
Gather Victim Network Information
Domain Trust Discovery
Hide Artifacts: VBA Stomping
Valid Accounts
Hide Artifacts: Resource Forking
Service Stop
Process Injection: Ptrace System Calls
Boot or Logon Initialization Scripts: Logon Script (Windows)
Data Encoding: Non-Standard Encoding
Data Staged: Remote Data Staging
Cloud Administration Command
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Archive Collected Data: Archive via Custom Method
Valid Accounts: Default Accounts
Process Injection: Proc Memory
User Execution: Malicious Link
Gather Victim Org Information: Identify Business Tempo
Dynamic Resolution: DNS Calculation
Create or Modify System Process
Remote Services: VNC
Network Denial of Service: Direct Network Flood
XSL Script Processing
Compromise Infrastructure: Domains
Input Capture
Subvert Trust Controls
Steal or Forge Kerberos Tickets: AS-REP Roasting
Phishing: Spearphishing via Service
Acquire Infrastructure: DNS Server
Compromise Infrastructure: DNS Server
Obfuscated Files or Information: Stripped Payloads
Exfiltration Over Physical Medium
Hide Artifacts: Run Virtual Instance
Server Software Component
Scheduled Task/Job: Container Orchestration Job
Account Manipulation: Device Registration
Account Discovery
Phishing for Information: Spearphishing Link
Unsecured Credentials: Credentials In Files
Compromise Accounts
Direct Volume Access
Create Account: Domain Account
Steal or Forge Authentication Certificates
Modify Authentication Process: Pluggable Authentication Modules
Event Triggered Execution: LC_LOAD_DYLIB Addition
Resource Hijacking: SMS Pumping
Process Injection: Thread Local Storage
Rootkit
OS Credential Dumping: LSASS Memory
Archive Collected Data
Exploitation for Defense Evasion
OS Credential Dumping: LSA Secrets
Active Scanning
Inter-Process Communication: XPC Services
Permission Groups Discovery: Domain Groups
Endpoint Denial of Service: OS Exhaustion Flood
Masquerading: Space after Filename
Trusted Developer Utilities Proxy Execution: MSBuild
Compromise Infrastructure: Network Devices
Indicator Removal: Relocate Malware
Create Account
Fallback Channels
Process Injection: Thread Execution Hijacking
Traffic Signaling: Port Knocking
Command and Scripting Interpreter: Cloud API
Boot or Logon Autostart Execution: Authentication Package
Data Staged
Impair Defenses: Safe Mode Boot
Virtualization/Sandbox Evasion: System Checks
Obtain Capabilities: Artificial Intelligence
Service:BidirectionalCommunicationSupplyChainCompromisePhishing:SpearphishingAttachmentSystemShutdown/RebootDataEncoding:StandardEncodingAbuseElevationControlMechanism:Sudo and SudoCachingSearchClosedSources:Threat IntelVendorsApplication LayerProtocol:Publish/SubscribeProtocolsWebService:Dead DropResolverCommandand ScriptingInterpreter:AutoHotKey& AutoITEvent TriggeredExecution:WindowsManagementInstrumentationEvent SubscriptionImpairDefenses:DisableWindowsEvent LoggingNon-StandardPortIndicatorRemoval:TimestompAccountAccessRemovalBoot or LogonAutostartExecution:Registry RunKeys / StartupFolderProcessInjectionGather VictimIdentityInformation:EmployeeNamesSteal or ForgeKerberosTickets:KerberoastingSystem BinaryProxy Execution:Regsvcs/RegasmData fromConfigurationRepository:SNMP (MIBDump)ActiveScanning:VulnerabilityScanningGatherVictim OrgInformation:IdentifyRolesCredentialsfrom PasswordStores:PasswordManagersProcessInjection:AsynchronousProcedureCallBoot or LogonAutostartExecution:LSASS DriverEncryptedChannelEndpoint Denialof Service:ServiceExhaustionFloodExfiltrationOver WebService:Exfiltration toCodeRepositoryEstablishAccounts:Social MediaAccountsPlist FileModificationAccountDiscovery:EmailAccountMasquerading:MatchLegitimateName orLocationExfiltrationOver WebService:ExfiltrationOver WebhookBrowserSessionHijackingDataObfuscationImpairDefenses:Disable orModify LinuxAudit SystemData fromInformationRepositoriesUse AlternateAuthenticationMaterial:ApplicationAccess TokenObtainCapabilitiesSystemTimeDiscoveryOSCredentialDumping:ProcFilesystemVirtualization/SandboxEvasionNetworkBoundaryBridging: NetworkAddressTranslationTraversalModifySystemImageDeployContainerReflectiveCodeLoadingFinancialTheftMasquerading:Invalid CodeSignatureRemoteSystemDiscoverySystemNetworkConnectionsDiscoveryWindowsManagementInstrumentationAccountManipulation:AdditionalCloudCredentialsHijackExecution 
Flow:ServicesRegistryPermissionsWeaknessProcessInjection:VDSOHijackingModifyAuthenticationProcess:ConditionalAccess PoliciesEventTriggeredExecutionSearchVictim-OwnedWebsitesModify CloudComputeInfrastructure:Modify CloudComputeConfigurationsFile and DirectoryPermissionsModification: Linuxand Mac File andDirectoryPermissionsModificationBoot or LogonAutostartExecution:XDG AutostartEntriesAcquireInfrastructure:Virtual PrivateServerObtainCapabilities:MalwareApplicationLayerProtocol:WebProtocolsData fromInformationRepositories:SharepointImpairDefenses:Disable orModify CloudFirewallAccessTokenManipulationExecutionGuardrailsGatherVictim HostInformation:SoftwareIndirectCommandExecutionHijackExecutionFlow: DynamicLinkerHijackingAccountManipulation:AdditionalContainerCluster RolesSubvert TrustControls:Code SigningPolicyModificationDataObfuscation:Junk DataBoot or LogonAutostartExecution:ShortcutModificationCompromiseAccounts:CloudAccountsRemoteServiceSessionHijackingHijackExecution Flow:ExecutableInstaller FilePermissionsWeaknessStageCapabilitiesEventTriggeredExecution:Udev RulesModify CloudComputeInfrastructure:CreateSnapshotHijackExecutionFlow: DLLSide-LoadingExecutionGuardrails:MutualExclusionObfuscatedFiles orInformationLateralToolTransferFirmwareCorruptionDataManipulation:TransmittedDataManipulationRemoteServicesPre-OSBootGatherVictim OrgInformationIndicatorRemoval:FileDeletionSystemInformationDiscoveryExfiltrationOver OtherNetworkMediumExfiltrationOver WebService:Exfiltration toCloud StorageClipboardDataProxy:ExternalProxySystemBinary ProxyExecution:MsiexecDiskWipeDynamicResolutionModifyAuthenticationProcess:Hybrid IdentityAccessTokenManipulation:SID-HistoryInjectionImpersonationModifyAuthenticationProcessBrowserInformationDiscoveryModify CloudComputeInfrastructureUnsecuredCredentials:PrivateKeysObfuscatedFiles orInformation:IndicatorRemoval fromToolsOfficeApplicationStartup:OutlookRulesCommandand ScriptingInterpreter:LuaObfuscatedFiles 
orInformation:SteganographyHideArtifactsnameOSCredentialDumpingSupply ChainCompromise:CompromiseSoftwareSupply ChainPhishing:SpearphishingVoiceBruteForce:PasswordCrackingMasquerading:MasqueradeFile TypeTrafficSignaling:SocketFiltersExfiltration OverAlternativeProtocol:Exfiltration OverUnencryptedNon-C2 ProtocolBrowserExtensionsRemoteServices:WindowsRemoteManagementBruteForce:PasswordGuessingHijack ExecutionFlow: PathInterception byPATHEnvironmentVariableServerlessExecutionAcquireInfrastructure:DomainsEndpoint Denialof Service:Application orSystemExploitationStageCapabilities:SEOPoisoningBoot or LogonInitializationScripts:NetworkLogon ScriptApplicationLayerProtocol:DNSGatherVictim HostInformation:HardwareCreate orModifySystemProcess:Launch AgentPre-OSBoot:ROMMONkitMasquerading:Break ProcessTreesEstablishAccounts:CloudAccountsCommandandScriptingInterpreterDefacementObtainCapabilities:VulnerabilitiesHideArtifacts:NTFS FileAttributesBoot orLogonInitializationScripts:Startup ItemsBuildImageon HostDomain orTenant PolicyModification:Group PolicyModificationWeakenEncryption:ReduceKey SpaceAdversary-in-the-Middle:LLMNR/NBT-NS Poisoningand SMB RelayAcquireInfrastructure:Web ServicesMulti-StageChannelsSystemBinary ProxyExecution:CompiledHTML FileMasquerading:RenameSystemUtilitiesSearch OpenWebsites/Domains:Social MediaTrafficSignalingEmailCollection:Local EmailCollectionProxy:Multi-hopProxyEventTriggeredExecution:Netsh HelperDLLPhishing forInformation:SpearphishingVoiceContainerAdministrationCommandIngressToolTransferData fromInformationRepositories:MessagingApplicationsVideoCaptureModify CloudComputeInfrastructure:Revert CloudInstanceSteal orForgeKerberosTickets:Golden TicketData fromNetworkSharedDriveProxyHideArtifacts:Email HidingRulesObtainCapabilities:ExploitsModifyAuthenticationProcess:Network DeviceAuthenticationExfiltration OverAlternativeProtocol:Exfiltration OverAsymmetricEncrypted Non-C2ProtocolCommandand ScriptingInterpreter:Visual 
BasicInter-ProcessCommunication:ComponentObject ModelAccess TokenManipulation: TokenImpersonation/TheftCloudServiceDiscoveryRemoteServices:RemoteDesktopProtocolAdversary-in-the-Middle:Evil TwinSteal orForgeKerberosTickets:Silver TicketEvent TriggeredExecution:Image FileExecutionOptionsInjectionUnsecuredCredentials:ChatMessagesEstablishAccountsSteal WebSessionCookieSystemScript ProxyExecution:PubPrnScreenCaptureSystemBinary ProxyExecution:MshtaHijackExecution Flow:PathInterception bySearch OrderHijackingSearch OpenTechnicalDatabases:DigitalCertificatesDebuggerEvasionPre-OSBoot:TFTPBootDefacement:InternalDefacementBoot orLogonAutostartExecution:Port MonitorsCompromiseInfrastructure:ServerRogueDomainControllerOSCredentialDumping:DCSyncDataObfuscation:Protocol orServiceImpersonationGatherVictimNetworkInformationDomainTrustDiscoveryHideArtifacts:VBAStompingValidAccountsHideArtifacts:ResourceForkingServiceStopProcessInjection:PtraceSystem CallsBoot or LogonInitializationScripts: LogonScript(Windows)DataEncoding:Non-StandardEncodingData Staged:RemoteData StagingCloudAdministrationCommandFile and DirectoryPermissionsModification:Windows File andDirectoryPermissionsModificationArchiveCollectedData: Archivevia CustomMethodValidAccounts:DefaultAccountsProcessInjection:ProcMemoryUserExecution:MaliciousLinkGather VictimOrgInformation:IdentifyBusinessTempoDynamicResolution:DNSCalculationCreate orModifySystemProcessRemoteServices:VNCNetworkDenial ofService: DirectNetwork FloodXSL ScriptProcessingCompromiseInfrastructure:DomainsInputCaptureSubvertTrustControlsSteal or ForgeKerberosTickets: AS-REP RoastingPhishing:Spearphishingvia ServiceAcquireInfrastructure:DNS ServerCompromiseInfrastructure:DNS ServerObfuscatedFiles orInformation:StrippedPayloadsExfiltrationOverPhysicalMediumHideArtifacts:Run VirtualInstanceServerSoftwareComponentScheduledTask/Job:ContainerOrchestrationJobAccountManipulation:DeviceRegistrationAccountDiscoveryPhishing 
forInformation:SpearphishingLinkUnsecuredCredentials:CredentialsIn FilesCompromiseAccountsDirectVolumeAccessCreateAccount:DomainAccountSteal or ForgeAuthenticationCertificatesModifyAuthenticationProcess:PluggableAuthenticationModulesEvent TriggeredExecution:LC_LOAD_DYLIBAdditionResourceHijacking:SMSPumpingProcessInjection:Thread LocalStorageRootkitOSCredentialDumping:LSASSMemoryArchiveCollectedDataExploitationfor DefenseEvasionOSCredentialDumping:LSA SecretsActiveScanningInter-ProcessCommunication:XPC ServicesPermissionGroupsDiscovery:DomainGroupsEndpointDenial ofService: OSExhaustionFloodMasquerading:Space afterFilenameTrustedDeveloperUtilities ProxyExecution:MSBuildCompromiseInfrastructure:NetworkDevicesIndicatorRemoval:RelocateMalwareCreateAccountFallbackChannelsProcessInjection:ThreadExecutionHijackingTrafficSignaling:PortKnockingCommandand ScriptingInterpreter:Cloud APIBoot or LogonAutostartExecution:AuthenticationPackageDataStagedImpairDefenses:Safe ModeBootVirtualization/SandboxEvasion: SystemChecksObtainCapabilities:ArtificialIntelligence

MITRE ATT&CK Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the items in a bag, and pull words from the bag.


  1. Trusted Developer Utilities Proxy Execution: ClickOnce
  2. Email Collection: Remote Email Collection
  3. Account Discovery: Domain Account
  4. Impair Defenses: Impair Command History Logging
  5. System Service Discovery
  6. Gather Victim Host Information
  7. Inter-Process Communication: Dynamic Data Exchange
  8. Proxy: Domain Fronting
  9. Masquerading: Masquerade Account Name
  10. Permission Groups Discovery
  11. Boot or Logon Autostart Execution
  12. Supply Chain Compromise: Compromise Hardware Supply Chain
  13. Domain or Tenant Policy Modification: Trust Modification
  14. Software Deployment Tools
  15. Steal Application Access Token
  16. System Network Configuration Discovery: Wi-Fi Discovery
  17. Domain or Tenant Policy Modification
  18. Hijack Execution Flow: Path Interception by Unquoted Path
  19. Modify Cloud Resource Hierarchy
  20. Command and Scripting Interpreter: AppleScript
  21. Gather Victim Host Information: Client Configurations
  22. Content Injection
  23. Steal or Forge Kerberos Tickets
  24. Obfuscated Files or Information: Software Packing
  25. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
  26. Email Collection
  27. Masquerading: Right-to-Left Override
  28. Command and Scripting Interpreter: JavaScript
  29. Data Destruction
  30. External Remote Services
  31. Hijack Execution Flow: Dylib Hijacking
  32. Process Injection: Process Doppelgänging
  33. Search Open Technical Databases: Scan Databases
  34. Obtain Capabilities: Code Signing Certificates
  35. Hijack Execution Flow
  36. Transfer Data to Cloud Account
  37. Impair Defenses: Indicator Blocking
  38. Event Triggered Execution: PowerShell Profile
  39. Obfuscated Files or Information: LNK Icon Smuggling
  40. Process Injection: Extra Window Memory Injection
  41. Masquerading
  42. Credentials from Password Stores: Keychain
  43. Network Share Discovery
  44. Obfuscated Files or Information: HTML Smuggling
  45. Log Enumeration
  46. Abuse Elevation Control Mechanism: Setuid and Setgid
  47. Credentials from Password Stores: Credentials from Web Browsers
  48. Stage Capabilities: Install Digital Certificate
  49. Input Capture: Web Portal Capture
  50. Subvert Trust Controls: Code Signing
  51. Unsecured Credentials: Container API
  52. Unsecured Credentials: Credentials in Registry
  53. Process Injection: ListPlanting
  54. Indicator Removal: Network Share Connection Removal
  55. System Script Proxy Execution: SyncAppvPublishingServer
  56. Adversary-in-the-Middle: ARP Cache Poisoning
  57. Scheduled Task/Job: Scheduled Task
  58. Acquire Infrastructure: Botnet
  59. Account Manipulation
  60. Pre-OS Boot: Bootkit
  61. Event Triggered Execution: AppCert DLLs
  62. Acquire Infrastructure: Serverless
  63. System Binary Proxy Execution: InstallUtil
  64. System Binary Proxy Execution: Control Panel
  65. Obfuscated Files or Information: Polymorphic Code
  66. System Binary Proxy Execution: Regsvr32
  67. Endpoint Denial of Service: Application Exhaustion Flood
  68. Acquire Infrastructure: Malvertising
  69. Hijack Execution Flow: KernelCallbackTable
  70. Remote Access Software
  71. Adversary-in-the-Middle
  72. Indicator Removal: Clear Persistence
  73. Network Boundary Bridging
  74. Adversary-in-the-Middle: DHCP Spoofing
  75. Gather Victim Identity Information
  76. Hide Artifacts: Hidden Window
  77. Template Injection
  78. Modify Authentication Process: Reversible Encryption
  79. System Services: Service Execution
  80. Boot or Logon Autostart Execution: Print Processors
  81. File and Directory Permissions Modification
  82. Multi-Factor Authentication Request Generation
  83. Search Open Technical Databases: CDNs
  84. Gather Victim Network Information: Network Security Appliances
  85. Permission Groups Discovery: Cloud Groups
  86. Search Open Technical Databases: WHOIS
  87. Query Registry
  88. Indicator Removal
  89. Network Service Discovery
  90. Boot or Logon Autostart Execution: Re-opened Applications
  91. Remote Service Session Hijacking: RDP Hijacking
  92. Office Application Startup
  93. Search Closed Sources
  94. Group Policy Discovery
  95. Hijack Execution Flow: AppDomainManager
  96. Event Triggered Execution: Accessibility Features
  97. Create or Modify System Process: Container Service
  98. Gather Victim Network Information: IP Addresses
  99. Forced Authentication
  100. Boot or Logon Autostart Execution: Time Providers
  101. Indicator Removal: Clear Network Connection History and Configurations
  102. Scheduled Task/Job: Cron
  103. Search Closed Sources: Purchase Technical Data
  104. System Binary Proxy Execution: Odbcconf
  105. Hide Artifacts: Hidden Files and Directories
  106. Gather Victim Network Information: Network Trust Dependencies
  107. Software Discovery
  108. Gather Victim Org Information: Business Relationships
  109. Account Discovery: Cloud Account
  110. System Binary Proxy Execution: Rundll32
  111. Peripheral Device Discovery
  112. Indicator Removal: Clear Command History
  113. Application Layer Protocol
  114. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  115. Remote Service Session Hijacking: SSH Hijacking
  116. Exfiltration Over Physical Medium: Exfiltration over USB
  117. Obfuscated Files or Information: Binary Padding
  118. Web Service: One-Way Communication
  119. Unsecured Credentials: Group Policy Preferences
  120. Gather Victim Identity Information: Email Addresses
  121. Exploitation for Client Execution
  122. Valid Accounts: Domain Accounts
  123. Data from Configuration Repository
  124. Archive Collected Data: Archive via Library
  125. Masquerading: Double File Extension
  126. System Location Discovery
  127. Data from Information Repositories: Code Repositories
  128. Active Scanning: Wordlist Scanning
  129. Search Open Technical Databases
  130. Acquire Infrastructure
  131. Office Application Startup: Outlook Home Page
  132. Search Open Technical Databases: DNS/Passive DNS
  133. Disk Wipe: Disk Content Wipe
  134. Credentials from Password Stores
  135. Stage Capabilities: Upload Malware
  136. Encrypted Channel: Symmetric Cryptography
  137. Office Application Startup: Office Template Macros
  138. Brute Force: Credential Stuffing
  139. Hijack Execution Flow: COR_PROFILER
  140. System Binary Proxy Execution: Verclsid
  141. Use Alternate Authentication Material: Pass the Hash
  142. Modify Authentication Process: Multi-Factor Authentication
  143. Resource Hijacking
  144. Gather Victim Network Information: Domain Properties
  145. System Binary Proxy Execution: Electron Applications
  146. Data Transfer Size Limits
  147. Unsecured Credentials: Cloud Instance Metadata API
  148. Phishing for Information: Spearphishing Attachment
  149. Automated Exfiltration
  150. Boot or Logon Autostart Execution: Login Items
  151. Stage Capabilities: Upload Tool
  152. Acquire Infrastructure: Server
  153. Input Capture: GUI Input Capture
  154. Subvert Trust Controls: SIP and Trust Provider Hijacking
  155. Modify Cloud Compute Infrastructure: Delete Cloud Instance
  156. Resource Hijacking: Cloud Service Hijacking
  157. Impair Defenses: Disable or Modify Tools
  158. Office Application Startup: Outlook Forms
  159. Data from Cloud Storage
  160. Cloud Infrastructure Discovery
  161. Deobfuscate/Decode Files or Information
  162. System Binary Proxy Execution: MMC
  163. Brute Force
  164. Remote Services: Direct Cloud VM Connections
  165. Shared Modules
  166. Develop Capabilities: Exploits
  167. Event Triggered Execution: AppInit DLLs
  168. Server Software Component: SQL Stored Procedures
  169. Process Injection: Portable Executable Injection
  170. Process Injection: Dynamic-link Library Injection
  171. Command and Scripting Interpreter: Unix Shell
  172. Hide Artifacts: Hidden Users
  173. Virtualization/Sandbox Evasion: Time Based Evasion
  174. Masquerading: Masquerade Task or Service
  175. Exploit Public-Facing Application
  176. Network Sniffing
  177. Modify Authentication Process: Domain Controller Authentication
  178. Account Manipulation: Additional Local or Domain Groups
  179. System Network Configuration Discovery: Internet Connection Discovery
  180. Indicator Removal: Clear Mailbox Data
  181. Obfuscated Files or Information: Fileless Storage
  182. Obfuscated Files or Information: Encrypted/Encoded File
  183. Search Open Websites/Domains: Code Repositories
  184. Remote Services: Distributed Component Object Model
  185. OS Credential Dumping: Security Account Manager
  186. Unsecured Credentials: Bash History
  187. Scheduled Transfer
  188. Account Manipulation: Additional Email Delegate Permissions
  189. Escape to Host
  190. Impair Defenses
  191. Indicator Removal: Clear Linux or Mac System Logs
  192. Exploitation of Remote Services
  193. Server Software Component: Web Shell
  194. Event Triggered Execution: Trap
  195. Event Triggered Execution: Component Object Model Hijacking
  196. Compromise Host Software Binary
  197. Phishing for Information: Spearphishing Service
  198. Modify System Image: Patch System Image
  199. System Location Discovery: System Language Discovery
  200. Event Triggered Execution: Screensaver
  201. Data from Information Repositories: Confluence
  202. Forge Web Credentials: Web Cookies
  203. User Execution
  204. Valid Accounts: Local Accounts
  205. Replication Through Removable Media
  206. Data Encoding
  207. System Binary Proxy Execution: Mavinject
  208. Unused/Unsupported Cloud Regions
  209. Command and Scripting Interpreter: Windows Command Shell
  210. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
  211. Event Triggered Execution: Emond
  212. Credentials from Password Stores: Cloud Secrets Management Stores
  213. Internal Spearphishing
  214. Permission Groups Discovery: Local Groups
  215. Phishing
  216. Hide Artifacts: Ignore Process Interrupts
  217. Account Manipulation: Additional Cloud Roles
  218. Proxy: Internal Proxy
  219. Archive Collected Data: Archive via Utility
  220. Acquire Access
  221. Input Capture: Credential API Hooking
  222. Compromise Accounts: Email Accounts
  223. Stage Capabilities: Drive-by Target
  224. Exploitation for Credential Access
  225. Modify Cloud Compute Infrastructure: Create Cloud Instance
  226. Implant Internal Image
  227. Virtualization/Sandbox Evasion: User Activity Based Checks
  228. Exfiltration Over Alternative Protocol
  229. Inhibit System Recovery
  230. Develop Capabilities: Digital Certificates
  231. Cloud Storage Object Discovery
  232. Non-Application Layer Protocol
  233. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  234. Resource Hijacking: Bandwidth Hijacking
  235. Create or Modify System Process: Launch Daemon
  236. Dynamic Resolution: Domain Generation Algorithms
  237. Server Software Component: IIS Components
  238. Network Denial of Service
  239. Stage Capabilities: Link Target
  240. OS Credential Dumping: NTDS
  241. Audio Capture
  242. Use Alternate Authentication Material: Web Session Cookie
  243. Boot or Logon Initialization Scripts: Login Hook
  244. Event Triggered Execution: Application Shimming
  245. Data Manipulation: Runtime Data Manipulation
  246. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  247. Hide Artifacts: File/Path Exclusions
  248. Process Discovery
  249. Scheduled Task/Job
  250. Trusted Developer Utilities Proxy Execution
  251. Compromise Infrastructure: Web Services
  252. Gather Victim Network Information: DNS
  253. Application Layer Protocol: File Transfer Protocols
  254. Valid Accounts: Cloud Accounts
  255. Communication Through Removable Media
  256. Credentials from Password Stores: Windows Credential Manager
  257. Remote Services: SSH
  258. Boot or Logon Autostart Execution: Kernel Modules and Extensions
  259. Multi-Factor Authentication Interception
  260. User Execution: Malicious File
  261. Trusted Relationship
  262. Resource Hijacking: Compute Hijacking
  263. Create Account: Local Account
  264. Data from Information Repositories: Customer Relationship Management Software
  265. Encrypted Channel: Asymmetric Cryptography
  266. Active Scanning: Scanning IP Blocks
  267. Remote Services: SMB/Windows Admin Shares
  268. Boot or Logon Autostart Execution: Winlogon Helper DLL
  269. System Binary Proxy Execution
  270. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  271. File and Directory Discovery
  272. Brute Force: Password Spraying
  273. Data from Local System
  274. Create Account: Cloud Account
  275. System Services: Launchctl
  276. Exploitation for Privilege Escalation
  277. Use Alternate Authentication Material
  278. Event Triggered Execution: Change Default File Association
  279. Compromise Infrastructure: Botnet
  280. Unsecured Credentials
  281. Data Encrypted for Impact
  282. Search Open Websites/Domains
  283. Network Denial of Service: Reflection Amplification
  284. User Execution: Malicious Image
  285. Dynamic Resolution: Fast Flux DNS
  286. Obfuscated Files or Information: Compile After Delivery
  287. Abuse Elevation Control Mechanism: TCC Manipulation
  288. Data from Configuration Repository: Network Device Configuration Dump
  289. Server Software Component: Transport Agent
  290. System Network Configuration Discovery
  291. Data Manipulation: Stored Data Manipulation
  292. Boot or Logon Initialization Scripts: RC Scripts
  293. Input Capture: Keylogging
  294. Exfiltration Over C2 Channel
  295. Obtain Capabilities: Digital Certificates
  296. Hijack Execution Flow: Services File Permissions Weakness
  297. Gather Victim Host Information: Firmware
  298. Data Obfuscation: Steganography
  299. Endpoint Denial of Service
  300. Cloud Service Dashboard
  301. Create or Modify System Process: Systemd Service
  302. Develop Capabilities: Code Signing Certificates
  303. System Script Proxy Execution
  304. Compromise Infrastructure: Serverless
  305. Impair Defenses: Spoof Security Alerting
  306. OS Credential Dumping: /etc/passwd and /etc/shadow
  307. System Services
  308. Scheduled Task/Job: Systemd Timers
  309. Container and Resource Discovery
  310. Boot or Logon Autostart Execution: Active Setup
  311. Use Alternate Authentication Material: Pass the Ticket
  312. Access Token Manipulation: Create Process with Token
  313. Boot or Logon Autostart Execution: Security Support Provider
  314. Subvert Trust Controls: Install Root Certificate
  315. Inter-Process Communication
  316. Process Injection: Process Hollowing
  317. Forge Web Credentials: SAML Tokens
  318. Obfuscated Files or Information: Embedded Payloads
  319. Password Policy Discovery
  320. Server Software Component: Terminal Services DLL
  321. Protocol Tunneling
  322. Obfuscated Files or Information: Dynamic API Resolution
  323. Credentials from Password Stores: Securityd Memory
  324. Command and Scripting Interpreter: PowerShell
  325. Office Application Startup: Add-ins
  326. Automated Exfiltration: Traffic Duplication
  327. Gather Victim Identity Information: Credentials
  328. Boot or Logon Initialization Scripts
  329. Application Layer Protocol: Mail Protocols
  330. Hide Artifacts: Process Argument Spoofing
  331. Steal or Forge Kerberos Tickets: Ccache Files
  332. Modify Authentication Process: Password Filter DLL
  333. Event Triggered Execution: Installer Packages
  334. Email Collection: Email Forwarding Rule
  335. Modify Authentication Process: Network Provider DLL
  336. Search Open Websites/Domains: Search Engines
  337. Weaken Encryption: Disable Crypto Hardware
  338. Develop Capabilities: Malware
  339. Phishing: Spearphishing Link
  340. Compromise Infrastructure: Virtual Private Server
  341. Application Window Discovery
  342. Data Destruction: Lifecycle-Triggered Deletion
  343. Gather Victim Network Information: Network Topology
  344. Native API
  345. Obtain Capabilities: Tool
  346. Defacement: External Defacement
  347. Weaken Encryption
  348. Hijack Execution Flow: DLL Search Order Hijacking
  349. Command and Scripting Interpreter: Python
  350. Impair Defenses: Disable or Modify System Firewall
  351. Abuse Elevation Control Mechanism: Bypass User Account Control
  352. Abuse Elevation Control Mechanism
  353. Modify System Image: Downgrade System Image
  354. Modify Registry
  355. Phishing for Information
  356. Execution Guardrails: Environmental Keying
  357. Indicator Removal: Clear Windows Event Logs
  358. Impair Defenses: Downgrade Attack
  359. Disk Wipe: Disk Structure Wipe
  360. Command and Scripting Interpreter: Network Device CLI
  361. OS Credential Dumping: Cached Domain Credentials
  362. Automated Collection
  363. Office Application Startup: Office Test
  364. Remote Services: Cloud Services
  365. Data Manipulation
  366. Access Token Manipulation: Make and Impersonate Token
  367. Data from Removable Media
  368. Hardware Additions
  369. Web Service
  370. Exfiltration Over Web Service
  371. Gather Victim Org Information: Determine Physical Locations
  372. Compromise Accounts: Social Media Accounts
  373. Access Token Manipulation: Parent PID Spoofing
  374. Scheduled Task/Job: At
  375. Compromise Infrastructure
  376. Device Driver Discovery
  377. Pre-OS Boot: System Firmware
  378. System Binary Proxy Execution: CMSTP
  379. Forge Web Credentials
  380. Impair Defenses: Disable or Modify Cloud Logs
  381. Obfuscated Files or Information: Command Obfuscation
  382. Data Staged: Local Data Staging
  383. BITS Jobs
  384. Create or Modify System Process: Windows Service
  385. Taint Shared Content
  386. Hide Infrastructure
  387. Subvert Trust Controls: Mark-of-the-Web Bypass
  388. Drive-by Compromise
  389. Event Triggered Execution: Unix Shell Configuration Modification
  390. System Owner/User Discovery
  391. Account Discovery: Local Account
  392. Establish Accounts: Email Accounts
  393. Account Manipulation: SSH Authorized Keys
  394. Software Discovery: Security Software Discovery
  395. Develop Capabilities
  396. Pre-OS Boot: Component Firmware
  397. Subvert Trust Controls: Gatekeeper Bypass
  398. Hide Artifacts: Hidden File System
  399. Power Settings
  400. Web Service: Bidirectional Communication
  401. Supply Chain Compromise
  402. Phishing: Spearphishing Attachment
  403. System Shutdown/Reboot
  404. Data Encoding: Standard Encoding
  405. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  406. Search Closed Sources: Threat Intel Vendors
  407. Application Layer Protocol: Publish/Subscribe Protocols
  408. Web Service: Dead Drop Resolver
  409. Command and Scripting Interpreter: AutoHotKey & AutoIT
  410. Event Triggered Execution: Windows Management Instrumentation Event Subscription
  411. Impair Defenses: Disable Windows Event Logging
  412. Non-Standard Port
  413. Indicator Removal: Timestomp
  414. Account Access Removal
  415. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  416. Process Injection
  417. Gather Victim Identity Information: Employee Names
  418. Steal or Forge Kerberos Tickets: Kerberoasting
  419. System Binary Proxy Execution: Regsvcs/Regasm
  420. Data from Configuration Repository: SNMP (MIB Dump)
  421. Active Scanning: Vulnerability Scanning
  422. Gather Victim Org Information: Identify Roles
  423. Credentials from Password Stores: Password Managers
  424. Process Injection: Asynchronous Procedure Call
  425. Boot or Logon Autostart Execution: LSASS Driver
  426. Encrypted Channel
  427. Endpoint Denial of Service: Service Exhaustion Flood
  428. Exfiltration Over Web Service: Exfiltration to Code Repository
  429. Establish Accounts: Social Media Accounts
  430. Plist File Modification
  431. Account Discovery: Email Account
  432. Masquerading: Match Legitimate Name or Location
  433. Exfiltration Over Web Service: Exfiltration Over Webhook
  434. Browser Session Hijacking
  435. Data Obfuscation
  436. Impair Defenses: Disable or Modify Linux Audit System
  437. Data from Information Repositories
  438. Use Alternate Authentication Material: Application Access Token
  439. Obtain Capabilities
  440. System Time Discovery
  441. OS Credential Dumping: Proc Filesystem
  442. Virtualization/Sandbox Evasion
  443. Network Boundary Bridging: Network Address Translation Traversal
  444. Modify System Image
  445. Deploy Container
  446. Reflective Code Loading
  447. Financial Theft
  448. Masquerading: Invalid Code Signature
  449. Remote System Discovery
  450. System Network Connections Discovery
  451. Windows Management Instrumentation
  452. Account Manipulation: Additional Cloud Credentials
  453. Hijack Execution Flow: Services Registry Permissions Weakness
  454. Process Injection: VDSO Hijacking
  455. Modify Authentication Process: Conditional Access Policies
  456. Event Triggered Execution
  457. Search Victim-Owned Websites
  458. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
  459. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  460. Boot or Logon Autostart Execution: XDG Autostart Entries
  461. Acquire Infrastructure: Virtual Private Server
  462. Obtain Capabilities: Malware
  463. Application Layer Protocol: Web Protocols
  464. Data from Information Repositories: Sharepoint
  465. Impair Defenses: Disable or Modify Cloud Firewall
  466. Access Token Manipulation
  467. Execution Guardrails
  468. Gather Victim Host Information: Software
  469. Indirect Command Execution
  470. Hijack Execution Flow: Dynamic Linker Hijacking
  471. Account Manipulation: Additional Container Cluster Roles
  472. Subvert Trust Controls: Code Signing Policy Modification
  473. Data Obfuscation: Junk Data
  474. Boot or Logon Autostart Execution: Shortcut Modification
  475. Compromise Accounts: Cloud Accounts
  476. Remote Service Session Hijacking
  477. Hijack Execution Flow: Executable Installer File Permissions Weakness
  478. Stage Capabilities
  479. Event Triggered Execution: Udev Rules
  480. Modify Cloud Compute Infrastructure: Create Snapshot
  481. Hijack Execution Flow: DLL Side-Loading
  482. Execution Guardrails: Mutual Exclusion
  483. Obfuscated Files or Information
  484. Lateral Tool Transfer
  485. Firmware Corruption
  486. Data Manipulation: Transmitted Data Manipulation
  487. Remote Services
  488. Pre-OS Boot
  489. Gather Victim Org Information
  490. Indicator Removal: File Deletion
  491. System Information Discovery
  492. Exfiltration Over Other Network Medium
  493. Exfiltration Over Web Service: Exfiltration to Cloud Storage
  494. Clipboard Data
  495. Proxy: External Proxy
  496. System Binary Proxy Execution: Msiexec
  497. Disk Wipe
  498. Dynamic Resolution
  499. Modify Authentication Process: Hybrid Identity
  500. Access Token Manipulation: SID-History Injection
  501. Impersonation
  502. Modify Authentication Process
  503. Browser Information Discovery
  504. Modify Cloud Compute Infrastructure
  505. Unsecured Credentials: Private Keys
  506. Obfuscated Files or Information: Indicator Removal from Tools
  507. Office Application Startup: Outlook Rules
  508. Command and Scripting Interpreter: Lua
  509. Obfuscated Files or Information: Steganography
  510. Hide Artifacts
  512. OS Credential Dumping
  513. Supply Chain Compromise: Compromise Software Supply Chain
  514. Phishing: Spearphishing Voice
  515. Brute Force: Password Cracking
  516. Masquerading: Masquerade File Type
  517. Traffic Signaling: Socket Filters
  518. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  519. Browser Extensions
  520. Remote Services: Windows Remote Management
  521. Brute Force: Password Guessing
  522. Hijack Execution Flow: Path Interception by PATH Environment Variable
  523. Serverless Execution
  524. Acquire Infrastructure: Domains
  525. Endpoint Denial of Service: Application or System Exploitation
  526. Stage Capabilities: SEO Poisoning
  527. Boot or Logon Initialization Scripts: Network Logon Script
  528. Application Layer Protocol: DNS
  529. Gather Victim Host Information: Hardware
  530. Create or Modify System Process: Launch Agent
  531. Pre-OS Boot: ROMMONkit
  532. Masquerading: Break Process Trees
  533. Establish Accounts: Cloud Accounts
  534. Command and Scripting Interpreter
  535. Defacement
  536. Obtain Capabilities: Vulnerabilities
  537. Hide Artifacts: NTFS File Attributes
  538. Boot or Logon Initialization Scripts: Startup Items
  539. Build Image on Host
  540. Domain or Tenant Policy Modification: Group Policy Modification
  541. Weaken Encryption: Reduce Key Space
  542. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  543. Acquire Infrastructure: Web Services
  544. Multi-Stage Channels
  545. System Binary Proxy Execution: Compiled HTML File
  546. Masquerading: Rename System Utilities
  547. Search Open Websites/Domains: Social Media
  548. Traffic Signaling
  549. Email Collection: Local Email Collection
  550. Proxy: Multi-hop Proxy
  551. Event Triggered Execution: Netsh Helper DLL
  552. Phishing for Information: Spearphishing Voice
  553. Container Administration Command
  554. Ingress Tool Transfer
  555. Data from Information Repositories: Messaging Applications
  556. Video Capture
  557. Modify Cloud Compute Infrastructure: Revert Cloud Instance
  558. Steal or Forge Kerberos Tickets: Golden Ticket
  559. Data from Network Shared Drive
  560. Proxy
  561. Hide Artifacts: Email Hiding Rules
  562. Obtain Capabilities: Exploits
  563. Modify Authentication Process: Network Device Authentication
  564. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  565. Command and Scripting Interpreter: Visual Basic
  566. Inter-Process Communication: Component Object Model
  567. Access Token Manipulation: Token Impersonation/Theft
  568. Cloud Service Discovery
  569. Remote Services: Remote Desktop Protocol
  570. Adversary-in-the-Middle: Evil Twin
  571. Steal or Forge Kerberos Tickets: Silver Ticket
  572. Event Triggered Execution: Image File Execution Options Injection
  573. Unsecured Credentials: Chat Messages
  574. Establish Accounts
  575. Steal Web Session Cookie
  576. System Script Proxy Execution: PubPrn
  577. Screen Capture
  578. System Binary Proxy Execution: Mshta
  579. Hijack Execution Flow: Path Interception by Search Order Hijacking
  580. Search Open Technical Databases: Digital Certificates
  581. Debugger Evasion
  582. Pre-OS Boot: TFTP Boot
  583. Defacement: Internal Defacement
  584. Boot or Logon Autostart Execution: Port Monitors
  585. Compromise Infrastructure: Server
  586. Rogue Domain Controller
  587. OS Credential Dumping: DCSync
  588. Data Obfuscation: Protocol or Service Impersonation
  589. Gather Victim Network Information
  590. Domain Trust Discovery
  591. Hide Artifacts: VBA Stomping
  592. Valid Accounts
  593. Hide Artifacts: Resource Forking
  594. Service Stop
  595. Process Injection: Ptrace System Calls
  596. Boot or Logon Initialization Scripts: Logon Script (Windows)
  597. Data Encoding: Non-Standard Encoding
  598. Data Staged: Remote Data Staging
  599. Cloud Administration Command
  600. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  601. Archive Collected Data: Archive via Custom Method
  602. Valid Accounts: Default Accounts
  603. Process Injection: Proc Memory
  604. User Execution: Malicious Link
  605. Gather Victim Org Information: Identify Business Tempo
  606. Dynamic Resolution: DNS Calculation
  607. Create or Modify System Process
  608. Remote Services: VNC
  609. Network Denial of Service: Direct Network Flood
  610. XSL Script Processing
  611. Compromise Infrastructure: Domains
  612. Input Capture
  613. Subvert Trust Controls
  614. Steal or Forge Kerberos Tickets: AS-REP Roasting
  615. Phishing: Spearphishing via Service
  616. Acquire Infrastructure: DNS Server
  617. Compromise Infrastructure: DNS Server
  618. Obfuscated Files or Information: Stripped Payloads
  619. Exfiltration Over Physical Medium
  620. Hide Artifacts: Run Virtual Instance
  621. Server Software Component
  622. Scheduled Task/Job: Container Orchestration Job
  623. Account Manipulation: Device Registration
  624. Account Discovery
  625. Phishing for Information: Spearphishing Link
  626. Unsecured Credentials: Credentials In Files
  627. Compromise Accounts
  628. Direct Volume Access
  629. Create Account: Domain Account
  630. Steal or Forge Authentication Certificates
  631. Modify Authentication Process: Pluggable Authentication Modules
  632. Event Triggered Execution: LC_LOAD_DYLIB Addition
  633. Resource Hijacking: SMS Pumping
  634. Process Injection: Thread Local Storage
  635. Rootkit
  636. OS Credential Dumping: LSASS Memory
  637. Archive Collected Data
  638. Exploitation for Defense Evasion
  639. OS Credential Dumping: LSA Secrets
  640. Active Scanning
  641. Inter-Process Communication: XPC Services
  642. Permission Groups Discovery: Domain Groups
  643. Endpoint Denial of Service: OS Exhaustion Flood
  644. Masquerading: Space after Filename
  645. Trusted Developer Utilities Proxy Execution: MSBuild
  646. Compromise Infrastructure: Network Devices
  647. Indicator Removal: Relocate Malware
  648. Create Account
  649. Fallback Channels
  650. Process Injection: Thread Execution Hijacking
  651. Traffic Signaling: Port Knocking
  652. Command and Scripting Interpreter: Cloud API
  653. Boot or Logon Autostart Execution: Authentication Package
  654. Data Staged
  655. Impair Defenses: Safe Mode Boot
  656. Virtualization/Sandbox Evasion: System Checks
  657. Obtain Capabilities: Artificial Intelligence