MITRE ATT&CK Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.

Format: Size

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

Account Manipulation: Device Registration
Data Obfuscation
Create or Modify System Process: Launch Agent
Web Service
Password Policy Discovery
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
System Owner/User Discovery
Acquire Infrastructure: Server
System Time Discovery
Credentials from Password Stores: Cloud Secrets Management Stores
Process Injection: Thread Local Storage
Hijack Execution Flow: COR_PROFILER
Create Account
System Services
Serverless Execution
Phishing for Information: Spearphishing Attachment
Permission Groups Discovery: Domain Groups
Acquire Infrastructure: Web Services
Develop Capabilities: Code Signing Certificates
Rootkit
Gather Victim Identity Information: Email Addresses
Dynamic Resolution: Domain Generation Algorithms
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Obfuscated Files or Information: LNK Icon Smuggling
Event Triggered Execution: Component Object Model Hijacking
Hijack Execution Flow: Services File Permissions Weakness
Indicator Removal: Clear Command History
Supply Chain Compromise: Compromise Software Supply Chain
Modify Authentication Process: Multi-Factor Authentication
Hardware Additions
Create or Modify System Process: Container Service
Compromise Accounts: Cloud Accounts
Obfuscated Files or Information: Polymorphic Code
Permission Groups Discovery: Cloud Groups
Search Open Technical Databases: Scan Databases
Obfuscated Files or Information: Fileless Storage
Proxy: Domain Fronting
Develop Capabilities: Digital Certificates
Network Share Discovery
Weaken Encryption: Reduce Key Space
Hide Artifacts: NTFS File Attributes
Boot or Logon Initialization Scripts
Proxy
System Binary Proxy Execution: Regsvcs/Regasm
Account Discovery: Cloud Account
Valid Accounts: Local Accounts
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Search Open Websites/Domains: Code Repositories
Remote Access Software
Permission Groups Discovery
Establish Accounts: Social Media Accounts
Log Enumeration
Boot or Logon Initialization Scripts: Logon Script (Windows)
Modify Authentication Process: Network Device Authentication
Credentials from Password Stores: Keychain
Application Layer Protocol: File Transfer Protocols
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Valid Accounts: Domain Accounts
Command and Scripting Interpreter: AppleScript
Masquerading: Break Process Trees
Account Manipulation
Command and Scripting Interpreter: Lua
Remote Service Session Hijacking: SSH Hijacking
Search Closed Sources
System Binary Proxy Execution: Rundll32
Obfuscated Files or Information: Indicator Removal from Tools
Office Application Startup: Outlook Home Page
Unsecured Credentials: Cloud Instance Metadata API
Stage Capabilities: Install Digital Certificate
Gather Victim Host Information: Software
Data from Network Shared Drive
System Information Discovery
Remote Services: Direct Cloud VM Connections
Create or Modify System Process: Windows Service
Content Injection
Command and Scripting Interpreter: Python
Email Collection: Local Email Collection
Unsecured Credentials: Container API
Execution Guardrails
Data Staged: Local Data Staging
Server Software Component: Terminal Services DLL
Event Triggered Execution: PowerShell Profile
Office Application Startup: Outlook Rules
Steal or Forge Kerberos Tickets: Silver Ticket
Impair Defenses: Disable Windows Event Logging
Search Victim-Owned Websites
Resource Hijacking
Obfuscated Files or Information: Command Obfuscation
Obfuscated Files or Information: Encrypted/Encoded File
Modify Authentication Process: Pluggable Authentication Modules
Lateral Tool Transfer
Obtain Capabilities: Tool
Hide Artifacts: Hidden Users
Exploitation for Client Execution
Command and Scripting Interpreter: Visual Basic
Boot or Logon Autostart Execution: Time Providers
Adversary-in-the-Middle: ARP Cache Poisoning
Video Capture
Gather Victim Host Information: Client Configurations
Impersonation
Acquire Infrastructure: Botnet
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Exfiltration Over Web Service
Defacement
Impair Defenses: Disable or Modify Cloud Logs
Masquerading: Invalid Code Signature
Remote Services: Windows Remote Management
Unsecured Credentials: Bash History
Impair Defenses: Indicator Blocking
Compromise Accounts
Brute Force: Password Spraying
Shared Modules
Indicator Removal
Phishing for Information: Spearphishing Voice
BITS Jobs
Virtualization/Sandbox Evasion: System Checks
Event Triggered Execution: Trap
Event Triggered Execution: Netsh Helper DLL
Transfer Data to Cloud Account
Data Transfer Size Limits
Steal or Forge Kerberos Tickets: Golden Ticket
Application Layer Protocol: Web Protocols
Hide Artifacts: Ignore Process Interrupts
Process Injection: Ptrace System Calls
Command and Scripting Interpreter: Unix Shell
Disk Wipe: Disk Structure Wipe
Data Staged: Remote Data Staging
Gather Victim Network Information: IP Addresses
Reflective Code Loading
System Binary Proxy Execution: Mavinject
Domain or Tenant Policy Modification: Group Policy Modification
Encrypted Channel: Symmetric Cryptography
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Create Account: Local Account
Brute Force: Credential Stuffing
Boot or Logon Autostart Execution: Print Processors
Peripheral Device Discovery
Domain Trust Discovery
Remote Services: VNC
Remote Services: Remote Desktop Protocol
Build Image on Host
Unsecured Credentials: Credentials in Registry
Obfuscated Files or Information
Stage Capabilities: Upload Tool
Cloud Storage Object Discovery
Access Token Manipulation: Make and Impersonate Token
Obfuscated Files or Information: Dynamic API Resolution
Hide Artifacts: VBA Stomping
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Establish Accounts: Email Accounts
Escape to Host
Boot or Logon Autostart Execution
Access Token Manipulation
Obfuscated Files or Information: Embedded Payloads
Steal or Forge Kerberos Tickets: AS-REP Roasting
Obtain Capabilities: Digital Certificates
User Execution: Malicious Image
Indicator Removal: Clear Mailbox Data
Indicator Removal: Network Share Connection Removal
Office Application Startup
Internal Spearphishing
Gather Victim Identity Information
Gather Victim Identity Information: Credentials
Obtain Capabilities: Artificial Intelligence
Masquerading: Masquerade File Type
Create or Modify System Process: Launch Daemon
Account Manipulation: Additional Local or Domain Groups
Email Collection: Email Forwarding Rule
Stage Capabilities: Link Target
Data Encoding: Non-Standard Encoding
Process Injection: Proc Memory
Hide Artifacts: Resource Forking
Encrypted Channel: Asymmetric Cryptography
Endpoint Denial of Service: OS Exhaustion Flood
Inter-Process Communication
Hijack Execution Flow: Dynamic Linker Hijacking
Acquire Infrastructure: Serverless
Search Open Technical Databases: CDNs
Search Closed Sources: Threat Intel Vendors
Process Injection: Dynamic-link Library Injection
Data Obfuscation: Steganography
Remote Service Session Hijacking
Abuse Elevation Control Mechanism: Setuid and Setgid
Screen Capture
OS Credential Dumping: LSASS Memory
Indicator Removal: Timestomp
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Rogue Domain Controller
Search Open Websites/Domains
Dynamic Resolution: DNS Calculation
Resource Hijacking: SMS Pumping
Software Deployment Tools
Defacement: Internal Defacement
Software Discovery
Masquerading: Rename System Utilities
Pre-OS Boot: TFTP Boot
Obtain Capabilities
Financial Theft
Masquerading: Masquerade Account Name
System Network Configuration Discovery
Obtain Capabilities: Exploits
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Domain or Tenant Policy Modification
Gather Victim Identity Information: Employee Names
Data from Configuration Repository
Endpoint Denial of Service: Application Exhaustion Flood
Endpoint Denial of Service: Application or System Exploitation
Impair Defenses: Downgrade Attack
Steal Application Access Token
Modify Authentication Process: Reversible Encryption
Process Discovery
Obfuscated Files or Information: Stripped Payloads
Permission Groups Discovery: Local Groups
Acquire Infrastructure: DNS Server
Service Stop
Obfuscated Files or Information: HTML Smuggling
Disk Wipe
Proxy: Multi-hop Proxy
Modify Authentication Process
Automated Exfiltration: Traffic Duplication
Software Discovery: Security Software Discovery
System Binary Proxy Execution: Msiexec
Boot or Logon Autostart Execution: Security Support Provider
Compromise Infrastructure: Server
Pre-OS Boot: ROMMONkit
Application Window Discovery
Browser Extensions
Process Injection: Process Doppelgänging
Hijack Execution Flow: KernelCallbackTable
OS Credential Dumping: LSA Secrets
Hijack Execution Flow: Path Interception by Search Order Hijacking
Defacement: External Defacement
Automated Collection
Gather Victim Org Information: Determine Physical Locations
Unsecured Credentials: Private Keys
Command and Scripting Interpreter: PowerShell
Cloud Infrastructure Discovery
Application Layer Protocol: Mail Protocols
Dynamic Resolution
Event Triggered Execution: Change Default File Association
Resource Hijacking: Bandwidth Hijacking
Scheduled Task/Job: Container Orchestration Job
Hijack Execution Flow: Executable Installer File Permissions Weakness
User Execution: Malicious Link
Phishing for Information
Compromise Infrastructure: Web Services
Account Discovery: Local Account
Exfiltration Over Physical Medium
Exploitation for Defense Evasion
Obtain Capabilities: Malware
Boot or Logon Initialization Scripts: Network Logon Script
System Binary Proxy Execution: Odbcconf
Modify Authentication Process: Network Provider DLL
Input Capture: Web Portal Capture
Data Manipulation: Runtime Data Manipulation
Forge Web Credentials
Non-Standard Port
Modify Authentication Process: Conditional Access Policies
Use Alternate Authentication Material
Communication Through Removable Media
Subvert Trust Controls: Code Signing
Acquire Access
Virtualization/Sandbox Evasion
Exploitation of Remote Services
System Binary Proxy Execution: InstallUtil
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Process Injection: ListPlanting
Data Manipulation: Transmitted Data Manipulation
Traffic Signaling: Socket Filters
Phishing: Spearphishing Voice
Adversary-in-the-Middle
Search Open Websites/Domains: Social Media
Archive Collected Data: Archive via Utility
Boot or Logon Autostart Execution: Port Monitors
Credentials from Password Stores: Password Managers
File and Directory Permissions Modification
Gather Victim Org Information: Business Relationships
Compromise Host Software Binary
Valid Accounts
Multi-Stage Channels
Modify Authentication Process: Password Filter DLL
Command and Scripting Interpreter: AutoHotKey & AutoIT
Hijack Execution Flow: Path Interception by Unquoted Path
Ingress Tool Transfer
Acquire Infrastructure
Subvert Trust Controls: Install Root Certificate
Account Manipulation: Additional Cloud Credentials
Boot or Logon Autostart Execution: Authentication Package
Container and Resource Discovery
Exfiltration Over Alternative Protocol
Subvert Trust Controls: SIP and Trust Provider Hijacking
Data Encoding
Archive Collected Data
Abuse Elevation Control Mechanism: TCC Manipulation
Command and Scripting Interpreter: Network Device CLI
OS Credential Dumping: DCSync
Office Application Startup: Office Template Macros
Process Injection: Extra Window Memory Injection
Account Manipulation: Additional Email Delegate Permissions
Event Triggered Execution
Impair Defenses
Search Open Technical Databases
Unsecured Credentials: Credentials In Files
Access Token Manipulation: Create Process with Token
Forge Web Credentials: Web Cookies
Develop Capabilities: Exploits
Gather Victim Network Information: Network Topology
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Trusted Developer Utilities Proxy Execution: ClickOnce
Search Open Technical Databases: Digital Certificates
Scheduled Task/Job: Systemd Timers
Process Injection: Asynchronous Procedure Call
Application Layer Protocol: DNS
Proxy: Internal Proxy
Data Destruction
Command and Scripting Interpreter: Windows Command Shell
Active Scanning: Vulnerability Scanning
Impair Defenses: Spoof Security Alerting
Audio Capture
Indicator Removal: Clear Persistence
Phishing: Spearphishing via Service
Adversary-in-the-Middle: DHCP Spoofing
Pre-OS Boot: Component Firmware
Native API
Process Injection
Modify System Image
Event Triggered Execution: Udev Rules
Data Staged
System Binary Proxy Execution: Compiled HTML File
Gather Victim Network Information: DNS
Application Layer Protocol
Query Registry
Account Discovery
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Compromise Accounts: Social Media Accounts
Data from Information Repositories
Impair Defenses: Disable or Modify Cloud Firewall
Impair Defenses: Disable or Modify System Firewall
User Execution
Boot or Logon Autostart Execution: LSASS Driver
Office Application Startup: Office Test
XSL Script Processing
Credentials from Password Stores
Network Service Discovery
System Binary Proxy Execution: MMC
Trusted Relationship
Traffic Signaling
System Location Discovery: System Language Discovery
Valid Accounts: Default Accounts
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Disk Wipe: Disk Content Wipe
Process Injection: Process Hollowing
Multi-Factor Authentication Request Generation
Access Token Manipulation: Token Impersonation/Theft
Network Boundary Bridging
Inhibit System Recovery
System Network Connections Discovery
Impair Defenses: Safe Mode Boot
Web Service: Dead Drop Resolver
Unsecured Credentials
Domain or Tenant Policy Modification: Trust Modification
Input Capture: Credential API Hooking
Account Manipulation: Additional Container Cluster Roles
Event Triggered Execution: Accessibility Features
Clipboard Data
User Execution: Malicious File
Hijack Execution Flow
System Service Discovery
Data Encrypted for Impact
Hide Artifacts: Hidden Window
Gather Victim Host Information
Steal or Forge Kerberos Tickets: Kerberoasting
Execution Guardrails: Mutual Exclusion
Account Manipulation: Additional Cloud Roles
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Trusted Developer Utilities Proxy Execution
Remote Services: SSH
Browser Session Hijacking
Taint Shared Content
Use Alternate Authentication Material: Application Access Token
Replication Through Removable Media
Office Application Startup: Outlook Forms
Remote Services: Distributed Component Object Model
Obfuscated Files or Information: Steganography
Gather Victim Network Information: Network Security Appliances
Inter-Process Communication: Dynamic Data Exchange
Hijack Execution Flow: DLL Search Order Hijacking
Hijack Execution Flow: AppDomainManager
Data from Configuration Repository: SNMP (MIB Dump)
Network Sniffing
Pre-OS Boot
Masquerading: Masquerade Task or Service
Device Driver Discovery
Compromise Infrastructure: Serverless
Masquerading: Space after Filename
System Script Proxy Execution: PubPrn
Cloud Service Discovery
Pre-OS Boot: System Firmware
Phishing
Event Triggered Execution: AppInit DLLs
Abuse Elevation Control Mechanism
Server Software Component: SQL Stored Procedures
Account Discovery: Domain Account
Access Token Manipulation: Parent PID Spoofing
Impair Defenses: Disable or Modify Tools
External Remote Services
Exploitation for Privilege Escalation
System Shutdown/Reboot
Scheduled Task/Job: Scheduled Task
Event Triggered Execution: AppCert DLLs
Compromise Infrastructure: Virtual Private Server
Deploy Container
Obfuscated Files or Information: Binary Padding
Remote Service Session Hijacking: RDP Hijacking
Boot or Logon Autostart Execution: Shortcut Modification
Hijack Execution Flow: Path Interception by PATH Environment Variable
Event Triggered Execution: Emond
Proxy: External Proxy
Supply Chain Compromise: Compromise Hardware Supply Chain
Modify System Image: Patch System Image
Data from Configuration Repository: Network Device Configuration Dump
Obtain Capabilities: Code Signing Certificates
Scheduled Task/Job: Cron
Phishing: Spearphishing Attachment
Remote System Discovery
Hide Artifacts: Hidden Files and Directories
Process Injection: Thread Execution Hijacking
Data from Cloud Storage
Impair Defenses: Disable or Modify Linux Audit System
Server Software Component: Web Shell
Drive-by Compromise
Modify Cloud Compute Infrastructure: Create Cloud Instance
Develop Capabilities
Data from Information Repositories: Code Repositories
Gather Victim Org Information: Identify Roles
Plist File Modification
Virtualization/Sandbox Evasion: Time Based Evasion
Resource Hijacking: Compute Hijacking
Scheduled Transfer
Search Open Websites/Domains: Search Engines
Supply Chain Compromise
Scheduled Task/Job
System Script Proxy Execution: SyncAppvPublishingServer
Exfiltration Over C2 Channel
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Create Account: Cloud Account
OS Credential Dumping: NTDS
Acquire Infrastructure: Domains
Remote Services
Data Obfuscation: Protocol or Service Impersonation
Cloud Administration Command
Compromise Infrastructure: DNS Server
Hide Infrastructure
Hide Artifacts
Container Administration Command
Acquire Infrastructure: Virtual Private Server
Application Layer Protocol: Publish/Subscribe Protocols
Input Capture
Browser Information Discovery
System Binary Proxy Execution: Regsvr32
Boot or Logon Autostart Execution: Active Setup
OS Credential Dumping: Proc Filesystem
Modify Cloud Compute Infrastructure
System Binary Proxy Execution: Control Panel
Unsecured Credentials: Group Policy Preferences
Data from Information Repositories: Sharepoint
Inter-Process Communication: Component Object Model
Event Triggered Execution: LC_LOAD_DYLIB Addition
Modify Authentication Process: Domain Controller Authentication
Weaken Encryption: Disable Crypto Hardware
Brute Force: Password Guessing
Event Triggered Execution: Application Shimming
Resource Hijacking: Cloud Service Hijacking
Boot or Logon Autostart Execution: Re-opened Applications
Unused/Unsupported Cloud Regions
Server Software Component: IIS Components
Masquerading: Double File Extension
Data Destruction: Lifecycle-Triggered Deletion
Email Collection
Obfuscated Files or Information: Compile After Delivery
Steal Web Session Cookie
Modify Cloud Resource Hierarchy
Use Alternate Authentication Material: Pass the Ticket
Brute Force: Password Cracking
Server Software Component: Transport Agent
Develop Capabilities: Malware
Active Scanning
Gather Victim Network Information
Command and Scripting Interpreter
Masquerading
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Data Manipulation
Create Account: Domain Account
Modify Registry
Pre-OS Boot: Bootkit
Remote Services: Cloud Services
Input Capture: GUI Input Capture
System Binary Proxy Execution: Mshta
System Binary Proxy Execution
name
Hide Artifacts: Hidden File System
Exfiltration Over Other Network Medium
Stage Capabilities: SEO Poisoning
Search Open Technical Databases: WHOIS
Data Encoding: Standard Encoding
Search Open Technical Databases: DNS/Passive DNS
Exfiltration Over Web Service: Exfiltration to Code Repository
Email Collection: Remote Email Collection
Hijack Execution Flow: DLL Side-Loading
Gather Victim Org Information: Identify Business Tempo
Hide Artifacts: Process Argument Spoofing
Boot or Logon Autostart Execution: Winlogon Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Masquerading: Right-to-Left Override
Masquerading: Match Legitimate Name or Location
Establish Accounts: Cloud Accounts
Multi-Factor Authentication Interception
OS Credential Dumping: Cached Domain Credentials
Fallback Channels
Establish Accounts
Access Token Manipulation: SID-History Injection
Subvert Trust Controls
Process Injection: VDSO Hijacking
OS Credential Dumping
Phishing: Spearphishing Link
System Services: Service Execution
Indicator Removal: Clear Windows Event Logs
System Script Proxy Execution
Acquire Infrastructure: Malvertising
Account Discovery: Email Account
Data from Information Repositories: Confluence
Use Alternate Authentication Material: Web Session Cookie
Hijack Execution Flow: Dylib Hijacking
Firmware Corruption
Gather Victim Network Information: Domain Properties
Process Injection: Portable Executable Injection
Indicator Removal: File Deletion
Weaken Encryption
Account Access Removal
Windows Management Instrumentation
Boot or Logon Initialization Scripts: Login Hook
OS Credential Dumping: /etc/passwd and /etc/shadow
Hide Artifacts: Run Virtual Instance
Indicator Removal: Clear Linux or Mac System Logs
Active Scanning: Wordlist Scanning
System Binary Proxy Execution: CMSTP
Data Obfuscation: Junk Data
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Cloud Service Dashboard
Active Scanning: Scanning IP Blocks
Web Service: One-Way Communication
Office Application Startup: Add-ins
Steal or Forge Kerberos Tickets: Ccache Files
Data from Local System
Event Triggered Execution: Screensaver
Obtain Capabilities: Vulnerabilities
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Steal or Forge Authentication Certificates
Command and Scripting Interpreter: JavaScript
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: XDG Autostart Entries
Phishing for Information: Spearphishing Link
Subvert Trust Controls: Code Signing Policy Modification
Use Alternate Authentication Material: Pass the Hash
Hide Artifacts: Email Hiding Rules
System Binary Proxy Execution: Verclsid
Compromise Infrastructure: Domains
Hijack Execution Flow: Services Registry Permissions Weakness
Data from Removable Media
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Inter-Process Communication: XPC Services
Subvert Trust Controls: Gatekeeper Bypass
Input Capture: Keylogging
Modify System Image: Downgrade System Image
Hide Artifacts: File/Path Exclusions
Data Manipulation: Stored Data Manipulation
Compromise Infrastructure: Network Devices
Trusted Developer Utilities Proxy Execution: MSBuild
System Services: Launchctl
Modify Authentication Process: Hybrid Identity
Obfuscated Files or Information: Software Packing
Implant Internal Image
Debugger Evasion
Stage Capabilities: Upload Malware
Stage Capabilities
Execution Guardrails: Environmental Keying
Indirect Command Execution
System Binary Proxy Execution: Electron Applications
Compromise Accounts: Email Accounts
Gather Victim Host Information: Hardware
Data from Information Repositories: Customer Relationship Management Software
Abuse Elevation Control Mechanism: Bypass User Account Control
Non-Application Layer Protocol
Indicator Removal: Clear Network Connection History and Configurations
OS Credential Dumping: Security Account Manager
Compromise Infrastructure: Botnet
Virtualization/Sandbox Evasion: User Activity Based Checks
Credentials from Password Stores: Securityd Memory
Network Denial of Service: Direct Network Flood
Brute Force
System Network Configuration Discovery: Internet Connection Discovery
Network Denial of Service: Reflection Amplification
Dynamic Resolution: Fast Flux DNS
Server Software Component
Modify Cloud Compute Infrastructure: Create Snapshot
Traffic Signaling: Port Knocking
Valid Accounts: Cloud Accounts
Credentials from Password Stores: Credentials from Web Browsers
Group Policy Discovery
Gather Victim Org Information
Encrypted Channel
Unsecured Credentials: Chat Messages
Adversary-in-the-Middle: Evil Twin
Event Triggered Execution: Installer Packages
Exfiltration Over Web Service: Exfiltration Over Webhook
Endpoint Denial of Service
Command and Scripting Interpreter: Cloud API
Phishing for Information: Spearphishing Service
Scheduled Task/Job: At
Web Service: Bidirectional Communication
Exfiltration Over Physical Medium: Exfiltration over USB
Remote Services: SMB/Windows Admin Shares
File and Directory Discovery
Direct Volume Access
Subvert Trust Controls: Mark-of-the-Web Bypass
Credentials from Password Stores: Windows Credential Manager
Archive Collected Data: Archive via Library
Endpoint Denial of Service: Service Exhaustion Flood
Network Boundary Bridging: Network Address Translation Traversal
Template Injection
Search Closed Sources: Purchase Technical Data
Create or Modify System Process: Systemd Service
Compromise Infrastructure
Archive Collected Data: Archive via Custom Method
Account Manipulation: SSH Authorized Keys
Gather Victim Host Information: Firmware
Boot or Logon Initialization Scripts: Startup Items
Boot or Logon Initialization Scripts: RC Scripts
Automated Exfiltration
Deobfuscate/Decode Files or Information
Forge Web Credentials: SAML Tokens
Forced Authentication
Stage Capabilities: Drive-by Target
Protocol Tunneling
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Boot or Logon Autostart Execution: Login Items
System Location Discovery
Gather Victim Network Information: Network Trust Dependencies
Impair Defenses: Impair Command History Logging
Network Denial of Service
Indicator Removal: Relocate Malware
Exploitation for Credential Access
Create or Modify System Process
Power Settings
Event Triggered Execution: Unix Shell Configuration Modification
Data from Information Repositories: Messaging Applications