Hijack Execution Flow: DLL Side-Loading
File and Directory Permissions Modification
Masquerading: Masquerade File Type
Boot or Logon Autostart Execution: Winlogon Helper DLL
Application Layer Protocol: Publish/Subscribe Protocols
Hijack Execution Flow: Services File Permissions Weakness
Office Application Startup: Outlook Forms
Boot or Logon Autostart Execution: Port Monitors
Email Collection: Email Forwarding Rule
Obfuscated Files or Information: Stripped Payloads
Obfuscated Files or Information: Steganography
Use Alternate Authentication Material: Pass the Hash
Indicator Removal: Network Share Connection Removal
Resource Hijacking: Bandwidth Hijacking
Plist File Modification
Acquire Infrastructure: DNS Server
Gather Victim Network Information: Domain Properties
Content Injection
Gather Victim Host Information
Proxy: Domain Fronting
Power Settings
Forge Web Credentials: SAML Tokens
Obtain Capabilities
Compromise Infrastructure: Network Devices
Data Manipulation: Transmitted Data Manipulation
System Binary Proxy Execution: Regsvcs/Regasm
Proxy: External Proxy
System Script Proxy Execution: SyncAppvPublishingServer
Compromise Infrastructure: Server
Event Triggered Execution: Application Shimming
Multi-Factor Authentication Interception
System Binary Proxy Execution: Rundll32
Indirect Command Execution
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Command and Scripting Interpreter: Visual Basic
Account Discovery: Email Account
Process Injection: Process Hollowing
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Password Policy Discovery
Compromise Accounts: Email Accounts
Boot or Logon Autostart Execution: Active Setup
Modify System Image: Downgrade System Image
Boot or Logon Initialization Scripts: Startup Items
Indicator Removal
Gather Victim Network Information: DNS
Event Triggered Execution: Installer Packages
Drive-by Compromise
Execution Guardrails
Cloud Service Discovery
Network Boundary Bridging
System Binary Proxy Execution: Msiexec
Reflective Code Loading
Data Manipulation: Runtime Data Manipulation
Modify Authentication Process: Hybrid Identity
Create or Modify System Process: Launch Agent
Obfuscated Files or Information: Encrypted/Encoded File
Server Software Component: SQL Stored Procedures
Virtualization/Sandbox Evasion: User Activity Based Checks
Data from Configuration Repository
Modify System Image: Patch System Image
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Data Encoding
Office Application Startup: Outlook Rules
Network Share Discovery
Data Manipulation: Stored Data Manipulation
Web Service: Dead Drop Resolver
Browser Extensions
Impair Defenses: Safe Mode Boot
Data Manipulation
Command and Scripting Interpreter: Unix Shell
Virtualization/Sandbox Evasion
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Trusted Developer Utilities Proxy Execution: MSBuild
Process Injection: Thread Execution Hijacking
OS Credential Dumping
Native API
Use Alternate Authentication Material: Application Access Token
Obfuscated Files or Information: HTML Smuggling
Create Account
Data Encrypted for Impact
Phishing: Spearphishing Voice
Gather Victim Network Information: Network Trust Dependencies
System Binary Proxy Execution: Mavinject
Traffic Signaling: Port Knocking
Phishing for Information: Spearphishing Link
Active Scanning
Boot or Logon Initialization Scripts: Network Logon Script
Resource Hijacking: SMS Pumping
Endpoint Denial of Service: Application Exhaustion Flood
Command and Scripting Interpreter: Lua
Email Collection: Local Email Collection
Obtain Capabilities: Exploits
OS Credential Dumping: DCSync
Traffic Signaling: Socket Filters
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Hide Artifacts: Hidden Users
Endpoint Denial of Service: Service Exhaustion Flood
Event Triggered Execution: Screensaver
Masquerading
Account Manipulation: Additional Cloud Roles
Boot or Logon Autostart Execution: Security Support Provider
Server Software Component: IIS Components
Trusted Relationship
Acquire Infrastructure: Web Services
Unsecured Credentials: Bash History
Application Layer Protocol
Scheduled Task/Job: Systemd Timers
Forge Web Credentials
OS Credential Dumping: NTDS
Remote Services: SMB/Windows Admin Shares
Software Discovery: Security Software Discovery
Boot or Logon Initialization Scripts: Login Hook
Phishing for Information: Spearphishing Service
Impair Defenses: Downgrade Attack
OS Credential Dumping: Security Account Manager
Acquire Infrastructure: Malvertising
Email Collection: Remote Email Collection
Modify Authentication Process
Pre-OS Boot
Ingress Tool Transfer
Active Scanning: Wordlist Scanning
Obtain Capabilities: Vulnerabilities
System Binary Proxy Execution: Mshta
User Execution: Malicious Image
Access Token Manipulation: Create Process with Token
Rootkit
Application Layer Protocol: Mail Protocols
Weaken Encryption: Reduce Key Space
Data from Cloud Storage
Execution Guardrails: Mutual Exclusion
Cloud Infrastructure Discovery
Hide Artifacts: Email Hiding Rules
Credentials from Password Stores: Keychain
Internal Spearphishing
Gather Victim Host Information: Hardware
Exfiltration Over Physical Medium
Office Application Startup: Outlook Home Page
Office Application Startup: Add-ins
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
System Network Configuration Discovery
Valid Accounts: Domain Accounts
Obfuscated Files or Information
Network Denial of Service
Obtain Capabilities: Code Signing Certificates
Account Discovery: Local Account
Create or Modify System Process: Launch Daemon
Automated Collection
Impair Defenses
Modify System Image
Automated Exfiltration
Data Encoding: Standard Encoding
Data Obfuscation: Junk Data
Resource Hijacking: Cloud Service Hijacking
Command and Scripting Interpreter: AutoHotKey & AutoIT
Exploitation for Credential Access
Process Injection: Proc Memory
Masquerading: Invalid Code Signature
Application Layer Protocol: Web Protocols
Abuse Elevation Control Mechanism: TCC Manipulation
Develop Capabilities: Malware
Direct Volume Access
Office Application Startup: Office Template Macros
Impair Defenses: Disable or Modify System Firewall
Audio Capture
Adversary-in-the-Middle: DHCP Spoofing
Develop Capabilities: Exploits
Boot or Logon Autostart Execution: Shortcut Modification
Brute Force: Credential Stuffing
Command and Scripting Interpreter: Windows Command Shell
Remote Services: Remote Desktop Protocol
Inter-Process Communication: Component Object Model
Video Capture
Event Triggered Execution: Udev Rules
Hide Artifacts: Process Argument Spoofing
Data Obfuscation: Protocol or Service Impersonation
Stage Capabilities
System Binary Proxy Execution: CMSTP
Credentials from Password Stores: Windows Credential Manager
Search Closed Sources: Purchase Technical Data
Indicator Removal: Clear Command History
Network Sniffing
Unsecured Credentials
Gather Victim Org Information: Identify Business Tempo
System Binary Proxy Execution: Verclsid
Credentials from Password Stores: Password Managers
Event Triggered Execution: AppCert DLLs
Obfuscated Files or Information: Binary Padding
Exploitation for Privilege Escalation
Impair Defenses: Disable or Modify Cloud Logs
Data from Information Repositories: Code Repositories
Gather Victim Identity Information: Employee Names
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Cloud Service Dashboard
Event Triggered Execution
Command and Scripting Interpreter: JavaScript
Steal or Forge Authentication Certificates
Taint Shared Content
OS Credential Dumping: /etc/passwd and /etc/shadow
Network Denial of Service: Reflection Amplification
Search Open Technical Databases
Subvert Trust Controls: SIP and Trust Provider Hijacking
Access Token Manipulation
System Owner/User Discovery
Disk Wipe
Command and Scripting Interpreter
Modify Authentication Process: Network Device Authentication
Forced Authentication
Domain or Tenant Policy Modification: Trust Modification
Hijack Execution Flow: Executable Installer File Permissions Weakness
Escape to Host
Use Alternate Authentication Material
Search Open Technical Databases: DNS/Passive DNS
Gather Victim Org Information
System Binary Proxy Execution: Regsvr32
Remote Services: Direct Cloud VM Connections
Remote Services: VNC
Stage Capabilities: Install Digital Certificate
Masquerading: Break Process Trees
Input Capture: Web Portal Capture
Unsecured Credentials: Container API
Supply Chain Compromise
Exfiltration Over Web Service: Exfiltration Over Webhook
Search Closed Sources: Threat Intel Vendors
Steal or Forge Kerberos Tickets: Ccache Files
Boot or Logon Autostart Execution: Time Providers
Create Account: Domain Account
Establish Accounts: Cloud Accounts
Search Closed Sources
Endpoint Denial of Service
Compromise Infrastructure: Virtual Private Server
Input Capture
Remote Services: Windows Remote Management
Impair Defenses: Spoof Security Alerting
Modify Authentication Process: Network Provider DLL
Obfuscated Files or Information: Polymorphic Code
Modify Authentication Process: Password Filter DLL
Compromise Host Software Binary
Phishing for Information: Spearphishing Attachment
Hide Artifacts: Ignore Process Interrupts
Develop Capabilities
Scheduled Task/Job: Cron
Pre-OS Boot: System Firmware
Hijack Execution Flow: KernelCallbackTable
Event Triggered Execution: PowerShell Profile
Steal Web Session Cookie
Archive Collected Data: Archive via Library
Data Destruction
Communication Through Removable Media
Adversary-in-the-Middle: ARP Cache Poisoning
Indicator Removal: Clear Network Connection History and Configurations
Access Token Manipulation: Parent PID Spoofing
Scheduled Task/Job: Container Orchestration Job
Web Service
Create Account: Local Account
Modify Cloud Compute Infrastructure
Obtain Capabilities: Artificial Intelligence
Resource Hijacking: Compute Hijacking
Account Access Removal
Defacement
Application Window Discovery
Pre-OS Boot: ROMMONkit
Steal Application Access Token
Deploy Container
Obtain Capabilities: Tool
Impair Defenses: Disable or Modify Linux Audit System
Valid Accounts: Default Accounts
Credentials from Password Stores: Cloud Secrets Management Stores
Valid Accounts: Local Accounts
Gather Victim Org Information: Determine Physical Locations
Process Injection: VDSO Hijacking
Boot or Logon Initialization Scripts
System Binary Proxy Execution: InstallUtil
Forge Web Credentials: Web Cookies
System Binary Proxy Execution: Odbcconf
Stage Capabilities: Upload Tool
Disk Wipe: Disk Content Wipe
Exploitation for Defense Evasion
Obfuscated Files or Information: Software Packing
Boot or Logon Autostart Execution: Login Items
Account Manipulation: Additional Email Delegate Permissions
Fallback Channels
Scheduled Task/Job: Scheduled Task
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Remote Service Session Hijacking
Modify Authentication Process: Reversible Encryption
System Services: Launchctl
Exploitation for Client Execution
System Binary Proxy Execution: Control Panel
Event Triggered Execution: Change Default File Association
Dynamic Resolution: Domain Generation Algorithms
Encrypted Channel: Asymmetric Cryptography
Hijack Execution Flow: Services Registry Permissions Weakness
Subvert Trust Controls: Install Root Certificate
Adversary-in-the-Middle: Evil Twin
Inter-Process Communication: XPC Services
Exfiltration Over C2 Channel
Hide Artifacts: Run Virtual Instance
System Network Configuration Discovery: Internet Connection Discovery
Obfuscated Files or Information: Compile After Delivery
Shared Modules
Dynamic Resolution
Phishing for Information
Stage Capabilities: SEO Poisoning
Account Manipulation: Additional Cloud Credentials
Hijack Execution Flow: DLL Search Order Hijacking
Remote System Discovery
Develop Capabilities: Digital Certificates
Email Collection
Process Injection: Dynamic-link Library Injection
Unsecured Credentials: Credentials in Registry
Data from Information Repositories: Sharepoint
Establish Accounts: Social Media Accounts
Credentials from Password Stores
Modify Authentication Process: Conditional Access Policies
Impersonation
Group Policy Discovery
System Services: Service Execution
Pre-OS Boot: Bootkit
Execution Guardrails: Environmental Keying
Account Manipulation
Encrypted Channel
Lateral Tool Transfer
Create or Modify System Process
Disk Wipe: Disk Structure Wipe
Non-Application Layer Protocol
Supply Chain Compromise: Compromise Hardware Supply Chain
Process Injection: Ptrace System Calls
Command and Scripting Interpreter: PowerShell
Hijack Execution Flow: Path Interception by PATH Environment Variable
Active Scanning: Scanning IP Blocks
Boot or Logon Autostart Execution: XDG Autostart Entries
Implant Internal Image
Pre-OS Boot: Component Firmware
Search Open Websites/Domains: Social Media
Valid Accounts: Cloud Accounts
Archive Collected Data
Windows Management Instrumentation
Phishing: Spearphishing Link
Event Triggered Execution: Netsh Helper DLL
Defacement: Internal Defacement
Endpoint Denial of Service: OS Exhaustion Flood
OS Credential Dumping: Cached Domain Credentials
Exploitation of Remote Services
Data Staged: Local Data Staging
Proxy: Internal Proxy
Debugger Evasion
Indicator Removal: Relocate Malware
Archive Collected Data: Archive via Custom Method
Compromise Accounts: Cloud Accounts
Scheduled Task/Job
Obfuscated Files or Information: Command Obfuscation
Steal or Forge Kerberos Tickets: Golden Ticket
Office Application Startup: Office Test
Boot or Logon Autostart Execution: Authentication Package
OS Credential Dumping: LSA Secrets
Data Obfuscation
Proxy: Multi-hop Proxy
Compromise Infrastructure: Botnet
Command and Scripting Interpreter: Cloud API
Impair Defenses: Disable or Modify Tools
Data from Information Repositories
Data from Information Repositories: Customer Relationship Management Software
Acquire Infrastructure: Server
Event Triggered Execution: Image File Execution Options Injection
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Data from Information Repositories: Messaging Applications
Unsecured Credentials: Private Keys
System Binary Proxy Execution: Compiled HTML File
System Network Configuration Discovery: Wi-Fi Discovery
Compromise Accounts: Social Media Accounts
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Virtualization/Sandbox Evasion: Time Based Evasion
Data from Network Shared Drive
Search Open Websites/Domains
Gather Victim Network Information: Network Topology
Server Software Component: Web Shell
Event Triggered Execution: Unix Shell Configuration Modification
Compromise Infrastructure
User Execution: Malicious File
Dynamic Resolution: Fast Flux DNS
Search Victim-Owned Websites
Steal or Forge Kerberos Tickets
Container Administration Command
Stage Capabilities: Drive-by Target
Search Open Technical Databases: Scan Databases
Use Alternate Authentication Material: Web Session Cookie
Cloud Storage Object Discovery
BITS Jobs
Process Injection: Extra Window Memory Injection
Acquire Infrastructure: Domains
Gather Victim Network Information: Network Security Appliances
Log Enumeration
Modify Cloud Resource Hierarchy
Hijack Execution Flow: COR_PROFILER
Network Denial of Service: Direct Network Flood
Obfuscated Files or Information: Indicator Removal from Tools
Gather Victim Org Information: Business Relationships
External Remote Services
Data Obfuscation: Steganography
Hide Artifacts: VBA Stomping
XSL Script Processing
Office Application Startup
Unsecured Credentials: Chat Messages
Data from Local System
Protocol Tunneling
Account Manipulation: Additional Container Cluster Roles
User Execution
System Services
Server Software Component: Terminal Services DLL
Account Manipulation: Device Registration
Adversary-in-the-Middle
Modify Authentication Process: Multi-Factor Authentication
Network Service Discovery
Hide Artifacts
Event Triggered Execution: AppInit DLLs
Multi-Factor Authentication Request Generation
Hijack Execution Flow: Dylib Hijacking
Clipboard Data
Indicator Removal: Clear Linux or Mac System Logs
Supply Chain Compromise: Compromise Software Supply Chain
System Information Discovery
Remote Service Session Hijacking: RDP Hijacking
Create or Modify System Process: Windows Service
Permission Groups Discovery: Local Groups
System Shutdown/Reboot
File and Directory Discovery
Boot or Logon Autostart Execution: LSASS Driver
Stage Capabilities: Link Target
Masquerading: Masquerade Account Name
Endpoint Denial of Service: Application or System Exploitation
Browser Session Hijacking
Trusted Developer Utilities Proxy Execution: ClickOnce
Rogue Domain Controller
Device Driver Discovery
Process Injection: Portable Executable Injection
User Execution: Malicious Link
Modify Cloud Compute Infrastructure: Create Snapshot
Remote Service Session Hijacking: SSH Hijacking
Subvert Trust Controls: Gatekeeper Bypass
Pre-OS Boot: TFTP Boot
Impair Defenses: Indicator Blocking
Compromise Accounts
Gather Victim Network Information
Archive Collected Data: Archive via Utility
Remote Access Software
Search Open Websites/Domains: Code Repositories
Modify Cloud Compute Infrastructure: Create Cloud Instance
System Script Proxy Execution
System Binary Proxy Execution: Electron Applications
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Unsecured Credentials: Group Policy Preferences
Virtualization/Sandbox Evasion: System Checks
Command and Scripting Interpreter: AppleScript
Application Layer Protocol: DNS
Unsecured Credentials: Cloud Instance Metadata API
Permission Groups Discovery
Brute Force: Password Guessing
Hijack Execution Flow: Dynamic Linker Hijacking
Process Injection: Process Doppelgänging
Subvert Trust Controls
Input Capture: GUI Input Capture
Obfuscated Files or Information: LNK Icon Smuggling
Impair Defenses: Disable or Modify Cloud Firewall
Application Layer Protocol: File Transfer Protocols
Develop Capabilities: Code Signing Certificates
Phishing: Spearphishing Attachment
Service Stop
Phishing
Data from Configuration Repository: SNMP (MIB Dump)
Permission Groups Discovery: Cloud Groups
Multi-Stage Channels
Hijack Execution Flow: Path Interception by Search Order Hijacking
Gather Victim Host Information: Client Configurations
Abuse Elevation Control Mechanism: Setuid and Setgid
Data from Removable Media
Hide Artifacts: Resource Forking
Obfuscated Files or Information: Embedded Payloads
Impair Defenses: Impair Command History Logging
Inhibit System Recovery
Masquerading: Rename System Utilities
Masquerading: Right-to-Left Override
Automated Exfiltration: Traffic Duplication
Browser Information Discovery
Hijack Execution Flow
Subvert Trust Controls: Mark-of-the-Web Bypass
Event Triggered Execution: Emond
Acquire Infrastructure: Serverless
Weaken Encryption
Software Deployment Tools
Server Software Component
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Process Discovery
Exfiltration Over Alternative Protocol
Search Open Websites/Domains: Search Engines
System Location Discovery: System Language Discovery
Establish Accounts: Email Accounts
Data from Information Repositories: Confluence
Inter-Process Communication: Dynamic Data Exchange
Account Discovery
Hide Artifacts: NTFS File Attributes
Screen Capture
Data Transfer Size Limits
Inter-Process Communication
Modify Authentication Process: Domain Controller Authentication
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Obtain Capabilities: Malware
Acquire Access
Event Triggered Execution: Trap
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Exploit Public-Facing Application
Indicator Removal: Clear Persistence
Software Discovery
System Binary Proxy Execution
Modify Authentication Process: Pluggable Authentication Modules
Firmware Corruption
Hide Artifacts: File/Path Exclusions
Cloud Administration Command
Search Open Technical Databases: Digital Certificates
Data Destruction: Lifecycle-Triggered Deletion
Query Registry
Process Injection: ListPlanting
Data Staged: Remote Data Staging
Gather Victim Host Information: Software
Indicator Removal: Clear Mailbox Data
Template Injection
Boot or Logon Autostart Execution: Re-opened Applications
Event Triggered Execution: LC_LOAD_DYLIB Addition
Domain or Tenant Policy Modification: Group Policy Modification
Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets: Silver Ticket
Account Manipulation: SSH Authorized Keys
Process Injection
Remote Services: SSH
Brute Force: Password Spraying
Dynamic Resolution: DNS Calculation
Deobfuscate/Decode Files or Information
Access Token Manipulation: Token Impersonation/Theft
System Script Proxy Execution: PubPrn
Data Encoding: Non-Standard Encoding
Gather Victim Identity Information: Email Addresses
Subvert Trust Controls: Code Signing
Hijack Execution Flow: AppDomainManager
Acquire Infrastructure
Masquerading: Space after Filename
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Compromise Infrastructure: Web Services
Encrypted Channel: Symmetric Cryptography
Hide Artifacts: Hidden Files and Directories
System Time Discovery
Establish Accounts
OS Credential Dumping: LSASS Memory
Process Injection: Thread Local Storage
Command and Scripting Interpreter: Network Device CLI
Acquire Infrastructure: Botnet
Weaken Encryption: Disable Crypto Hardware
Subvert Trust Controls: Code Signing Policy Modification
Create or Modify System Process: Container Service
Gather Victim Org Information: Identify Roles
Brute Force: Password Cracking
Gather Victim Identity Information
Container and Resource Discovery
Permission Groups Discovery: Domain Groups
Brute Force
Hijack Execution Flow: Path Interception by Unquoted Path
Indicator Removal: Timestomp
Domain or Tenant Policy Modification
Transfer Data to Cloud Account
Access Token Manipulation: Make and Impersonate Token
Server Software Component: Transport Agent
Web Service: Bidirectional Communication
Indicator Removal: File Deletion
Defacement: External Defacement
Steal or Forge Kerberos Tickets: AS-REP Roasting
Impair Defenses: Disable Windows Event Logging
Serverless Execution
Compromise Infrastructure: Serverless
Build Image on Host
Phishing: Spearphishing via Service
Acquire Infrastructure: Virtual Private Server
Event Triggered Execution: Component Object Model Hijacking
Indicator Removal: Clear Windows Event Logs
Traffic Signaling
Network Boundary Bridging: Network Address Translation Traversal
System Service Discovery
Use Alternate Authentication Material: Pass the Ticket
Trusted Developer Utilities Proxy Execution
Phishing for Information: Spearphishing Voice
Event Triggered Execution: Accessibility Features
System Network Connections Discovery
Non-Standard Port
Create or Modify System Process: Systemd Service
Search Open Technical Databases: CDNs
System Binary Proxy Execution: MMC
Hide Artifacts: Hidden Window
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Account Discovery: Cloud Account
Masquerading: Masquerade Task or Service
Boot or Logon Autostart Execution
Domain Trust Discovery
Process Injection: Asynchronous Procedure Call
Credentials from Password Stores: Securityd Memory
Scheduled Transfer
Boot or Logon Autostart Execution: Print Processors
Obtain Capabilities: Digital Certificates
Modify Registry
Remote Services
Steal or Forge Kerberos Tickets: Kerberoasting
Masquerading: Double File Extension
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Obfuscated Files or Information: Dynamic API Resolution
Remote Services: Cloud Services
Unused/Unsupported Cloud Regions
Masquerading: Match Legitimate Name or Location
Valid Accounts
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Remote Services: Distributed Component Object Model
Web Service: One-Way Communication
OS Credential Dumping: Proc Filesystem
Abuse Elevation Control Mechanism: Bypass User Account Control
Exfiltration Over Web Service
Boot or Logon Initialization Scripts: RC Scripts
Stage Capabilities: Upload Malware
System Location Discovery
Obfuscated Files or Information: Fileless Storage
Financial Theft
Credentials from Password Stores: Credentials from Web Browsers
Gather Victim Identity Information: Credentials
Active Scanning: Vulnerability Scanning
Data Staged
Hide Infrastructure
Data from Configuration Repository: Network Device Configuration Dump
Scheduled Task/Job: At
Exfiltration Over Other Network Medium
Compromise Infrastructure: Domains
Compromise Infrastructure: DNS Server
Input Capture: Credential API Hooking
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Peripheral Device Discovery
Proxy
Search Open Technical Databases: WHOIS
Access Token Manipulation: SID-History Injection
Boot or Logon Initialization Scripts: Logon Script (Windows)
Account Manipulation: Additional Local or Domain Groups
Create Account: Cloud Account
Exfiltration Over Web Service: Exfiltration to Code Repository
Replication Through Removable Media
Resource Hijacking
Exfiltration Over Physical Medium: Exfiltration over USB
Gather Victim Host Information: Firmware
Hide Artifacts: Hidden File System
Input Capture: Keylogging
Gather Victim Network Information: IP Addresses
Hardware Additions
Account Discovery: Domain Account
Command and Scripting Interpreter: Python
ChainSystemInformationDiscoveryRemoteServiceSessionHijacking:RDP HijackingCreate orModify SystemProcess:WindowsServicePermissionGroupsDiscovery:LocalGroupsSystemShutdown/RebootFile andDirectoryDiscoveryBoot or LogonAutostartExecution:LSASS DriverStageCapabilities:Link TargetMasquerading:MasqueradeAccount NameEndpoint Denialof Service:Application orSystemExploitationBrowserSessionHijackingTrustedDeveloperUtilities ProxyExecution:ClickOnceRogueDomainControllerDeviceDriverDiscoveryProcessInjection:PortableExecutableInjectionUserExecution:MaliciousLinkModify CloudComputeInfrastructure:CreateSnapshotRemoteServiceSessionHijacking:SSH HijackingSubvertTrustControls:GatekeeperBypassPre-OSBoot:TFTPBootImpairDefenses:IndicatorBlockingCompromiseAccountsGatherVictimNetworkInformationArchiveCollectedData:Archive viaUtilityRemoteAccessSoftwareSearch OpenWebsites/Domains:Code RepositoriesModify CloudComputeInfrastructure:Create CloudInstanceSystemScriptProxyExecutionSystemBinary ProxyExecution:ElectronApplicationsExfiltration OverAlternativeProtocol:Exfiltration OverSymmetricEncrypted Non-C2ProtocolUnsecuredCredentials:Group PolicyPreferencesVirtualization/SandboxEvasion: SystemChecksCommandand ScriptingInterpreter:AppleScriptApplicationLayerProtocol:DNSUnsecuredCredentials:CloudInstanceMetadata APIPermissionGroupsDiscoveryBruteForce:PasswordGuessingHijackExecutionFlow: DynamicLinkerHijackingProcessInjection:ProcessDoppelgängingSubvertTrustControlsInputCapture:GUI InputCaptureObfuscatedFiles orInformation:LNK IconSmugglingImpairDefenses:Disable orModify CloudFirewallApplicationLayerProtocol: FileTransferProtocolsDevelopCapabilities:CodeSigningCertificatesPhishing:SpearphishingAttachmentServiceStopPhishingData fromConfigurationRepository:SNMP (MIBDump)PermissionGroupsDiscovery:CloudGroupsMulti-StageChannelsHijackExecution Flow:PathInterception bySearch OrderHijackingGather VictimHostInformation:ClientConfigurationsAbuseElevationControlMechanism:Setuid andSetgidData 
fromRemovableMediaHideArtifacts:ResourceForkingObfuscatedFiles orInformation:EmbeddedPayloadsImpairDefenses:ImpairCommandHistory LoggingInhibitSystemRecoveryMasquerading:RenameSystemUtilitiesMasquerading:Right-to-LeftOverrideAutomatedExfiltration:TrafficDuplicationBrowserInformationDiscoveryHijackExecutionFlowSubvertTrustControls:Mark-of-the-Web BypassEventTriggeredExecution:EmondAcquireInfrastructure:ServerlessWeakenEncryptionSoftwareDeploymentToolsServerSoftwareComponentEvent TriggeredExecution:WindowsManagementInstrumentationEvent SubscriptionProcessDiscoveryExfiltrationOverAlternativeProtocolSearch OpenWebsites/Domains:Search EnginesSystemLocationDiscovery:SystemLanguageDiscoveryEstablishAccounts:EmailAccountsData fromInformationRepositories:ConfluenceInter-ProcessCommunication:Dynamic DataExchangeAccountDiscoveryHideArtifacts:NTFS FileAttributesScreenCaptureDataTransferSizeLimitsInter-ProcessCommunicationModifyAuthenticationProcess:DomainControllerAuthenticationBoot or LogonAutostartExecution:Kernel Modulesand ExtensionsObtainCapabilities:MalwareAcquireAccessEventTriggeredExecution:TrapModify CloudComputeInfrastructure:Delete CloudInstanceExploitPublic-FacingApplicationIndicatorRemoval:ClearPersistenceSoftwareDiscoverySystemBinaryProxyExecutionModifyAuthenticationProcess:PluggableAuthenticationModulesFirmwareCorruptionHideArtifacts:File/PathExclusionsCloudAdministrationCommandSearch OpenTechnicalDatabases:DigitalCertificatesDataDestruction:Lifecycle-TriggeredDeletionQueryRegistryProcessInjection:ListPlantingData Staged:RemoteData StagingGatherVictim HostInformation:SoftwareIndicatorRemoval:ClearMailbox DataTemplateInjectionBoot or LogonAutostartExecution:Re-openedApplicationsEvent TriggeredExecution:LC_LOAD_DYLIBAdditionDomain orTenant PolicyModification:Group PolicyModificationAbuseElevationControlMechanismSteal orForgeKerberosTickets:Silver 
TicketAccountManipulation:SSHAuthorizedKeysProcessInjectionRemoteServices:SSHBruteForce:PasswordSprayingDynamicResolution:DNSCalculationDeobfuscate/DecodeFiles or InformationAccess TokenManipulation: TokenImpersonation/TheftSystemScript ProxyExecution:PubPrnDataEncoding:Non-StandardEncodingGather VictimIdentityInformation:EmailAddressesSubvertTrustControls:CodeSigningHijack ExecutionFlow:AppDomainManagerAcquireInfrastructureMasquerading:Space afterFilenameExfiltrationOver WebService:Exfiltration toCloud StorageCompromiseInfrastructure:Web ServicesEncryptedChannel:SymmetricCryptographyHideArtifacts:Hidden FilesandDirectoriesSystemTimeDiscoveryEstablishAccountsOSCredentialDumping:LSASSMemoryProcessInjection:Thread LocalStorageCommandand ScriptingInterpreter:NetworkDevice CLIAcquireInfrastructure:BotnetWeakenEncryption:DisableCryptoHardwareSubvert TrustControls:Code SigningPolicyModificationCreate orModify SystemProcess:ContainerServiceGatherVictim OrgInformation:IdentifyRolesBruteForce:PasswordCrackingGatherVictimIdentityInformationContainerandResourceDiscoveryPermissionGroupsDiscovery:DomainGroupsBruteForceHijackExecutionFlow: PathInterception byUnquoted PathIndicatorRemoval:TimestompDomain orTenantPolicyModificationTransferData toCloudAccountAccess TokenManipulation:Make andImpersonateTokenServerSoftwareComponent:TransportAgentWeb Service:BidirectionalCommunicationIndicatorRemoval:FileDeletionDefacement:ExternalDefacementSteal or ForgeKerberosTickets: AS-REP RoastingImpairDefenses:DisableWindowsEvent LoggingServerlessExecutionCompromiseInfrastructure:ServerlessBuildImageon HostPhishing:Spearphishingvia ServiceAcquireInfrastructure:Virtual PrivateServerEvent TriggeredExecution:ComponentObject ModelHijackingIndicatorRemoval:ClearWindowsEvent LogsTrafficSignalingNetworkBoundaryBridging: NetworkAddressTranslationTraversalSystemServiceDiscoveryUse AlternateAuthenticationMaterial: Passthe TicketTrustedDeveloperUtilitiesProxyExecutionPhishing 
forInformation:SpearphishingVoiceEventTriggeredExecution:AccessibilityFeaturesSystemNetworkConnectionsDiscoveryNon-StandardPortCreate orModify SystemProcess:SystemdServiceSearchOpenTechnicalDatabases:CDNsSystemBinary ProxyExecution:MMCHideArtifacts:HiddenWindowExfiltrationOver OtherNetworkMedium:ExfiltrationOver BluetoothAccountDiscovery:CloudAccountMasquerading:MasqueradeTask orServiceBoot orLogonAutostartExecutionDomainTrustDiscoveryProcessInjection:AsynchronousProcedureCallCredentialsfrom PasswordStores:SecuritydMemoryScheduledTransferBoot or LogonAutostartExecution:PrintProcessorsObtainCapabilities:DigitalCertificatesModifyRegistryRemoteServicesSteal or ForgeKerberosTickets:KerberoastingMasquerading:Double FileExtensionBoot or LogonAutostartExecution:Registry RunKeys / StartupFolderObfuscatedFiles orInformation:Dynamic APIResolutionRemoteServices:CloudServicesUnused/UnsupportedCloud RegionsMasquerading:MatchLegitimateName orLocationValidAccountsAdversary-in-the-Middle:LLMNR/NBT-NS Poisoningand SMB RelayRemoteServices:DistributedComponentObject ModelWeb Service:One-WayCommunicationOSCredentialDumping:ProcFilesystemAbuse ElevationControlMechanism:Bypass UserAccount ControlExfiltrationOver WebServiceBoot orLogonInitializationScripts: RCScriptsStageCapabilities:UploadMalwareSystemLocationDiscoveryObfuscatedFiles orInformation:FilelessStorageFinancialTheftCredentialsfrom PasswordStores:Credentialsfrom WebBrowsersGatherVictimIdentityInformation:CredentialsActiveScanning:VulnerabilityScanningDataStagedHideInfrastructureData fromConfigurationRepository:Network DeviceConfigurationDumpScheduledTask/Job:AtExfiltrationOver OtherNetworkMediumCompromiseInfrastructure:DomainsCompromiseInfrastructure:DNS ServerInputCapture:CredentialAPI HookingExfiltration OverAlternativeProtocol:Exfiltration OverUnencryptedNon-C2 ProtocolPeripheralDeviceDiscoveryProxySearchOpenTechnicalDatabases:WHOISAccessTokenManipulation:SID-HistoryInjectionBoot or LogonInitializationScripts: 
LogonScript(Windows)AccountManipulation:Additional Localor DomainGroupsCreateAccount:CloudAccountExfiltrationOver WebService:Exfiltration toCodeRepositoryReplicationThroughRemovableMediaResourceHijackingExfiltrationOver PhysicalMedium:Exfiltrationover USBGatherVictim HostInformation:FirmwareHideArtifacts:Hidden FileSystemInputCapture:KeyloggingGather VictimNetworkInformation:IP AddressesHardwareAdditionsAccountDiscovery:DomainAccountCommandand ScriptingInterpreter:Python

MITRE ATT&CK Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag and draw words from the bag.


  1. Hijack Execution Flow: DLL Side-Loading
  2. File and Directory Permissions Modification
  3. Masquerading: Masquerade File Type
  4. Boot or Logon Autostart Execution: Winlogon Helper DLL
  5. Application Layer Protocol: Publish/Subscribe Protocols
  6. Hijack Execution Flow: Services File Permissions Weakness
  7. Office Application Startup: Outlook Forms
  8. Boot or Logon Autostart Execution: Port Monitors
  9. Email Collection: Email Forwarding Rule
  10. Obfuscated Files or Information: Stripped Payloads
  11. Obfuscated Files or Information: Steganography
  12. Use Alternate Authentication Material: Pass the Hash
  13. Indicator Removal: Network Share Connection Removal
  14. Resource Hijacking: Bandwidth Hijacking
  15. Plist File Modification
  16. Acquire Infrastructure: DNS Server
  17. Gather Victim Network Information: Domain Properties
  18. Content Injection
  19. Gather Victim Host Information
  20. Proxy: Domain Fronting
  21. Power Settings
  22. Forge Web Credentials: SAML Tokens
  23. Obtain Capabilities
  24. Compromise Infrastructure: Network Devices
  25. Data Manipulation: Transmitted Data Manipulation
  26. System Binary Proxy Execution: Regsvcs/Regasm
  27. Proxy: External Proxy
  28. System Script Proxy Execution: SyncAppvPublishingServer
  29. Compromise Infrastructure: Server
  30. Event Triggered Execution: Application Shimming
  31. Multi-Factor Authentication Interception
  32. System Binary Proxy Execution: Rundll32
  33. Indirect Command Execution
  34. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
  35. Command and Scripting Interpreter: Visual Basic
  36. Account Discovery: Email Account
  37. Process Injection: Process Hollowing
  38. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  39. Password Policy Discovery
  40. Compromise Accounts: Email Accounts
  41. Boot or Logon Autostart Execution: Active Setup
  42. Modify System Image: Downgrade System Image
  43. Boot or Logon Initialization Scripts: Startup Items
  44. Indicator Removal
  45. Gather Victim Network Information: DNS
  46. Event Triggered Execution: Installer Packages
  47. Drive-by Compromise
  48. Execution Guardrails
  49. Cloud Service Discovery
  50. Network Boundary Bridging
  51. System Binary Proxy Execution: Msiexec
  52. Reflective Code Loading
  53. Data Manipulation: Runtime Data Manipulation
  54. Modify Authentication Process: Hybrid Identity
  55. Create or Modify System Process: Launch Agent
  56. Obfuscated Files or Information: Encrypted/Encoded File
  57. Server Software Component: SQL Stored Procedures
  58. Virtualization/Sandbox Evasion: User Activity Based Checks
  59. Data from Configuration Repository
  60. Modify System Image: Patch System Image
  61. Modify Cloud Compute Infrastructure: Revert Cloud Instance
  62. Data Encoding
  63. Office Application Startup: Outlook Rules
  64. Network Share Discovery
  65. Data Manipulation: Stored Data Manipulation
  66. Web Service: Dead Drop Resolver
  67. Browser Extensions
  68. Impair Defenses: Safe Mode Boot
  69. Data Manipulation
  70. Command and Scripting Interpreter: Unix Shell
  71. Virtualization/Sandbox Evasion
  72. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  73. Trusted Developer Utilities Proxy Execution: MSBuild
  74. Process Injection: Thread Execution Hijacking
  75. OS Credential Dumping
  76. Native API
  77. Use Alternate Authentication Material: Application Access Token
  78. Obfuscated Files or Information: HTML Smuggling
  79. Create Account
  80. Data Encrypted for Impact
  81. Phishing: Spearphishing Voice
  82. Gather Victim Network Information: Network Trust Dependencies
  83. System Binary Proxy Execution: Mavinject
  84. Traffic Signaling: Port Knocking
  85. Phishing for Information: Spearphishing Link
  86. Active Scanning
  87. Boot or Logon Initialization Scripts: Network Logon Script
  88. Resource Hijacking: SMS Pumping
  89. Endpoint Denial of Service: Application Exhaustion Flood
  90. Command and Scripting Interpreter: Lua
  91. Email Collection: Local Email Collection
  92. Obtain Capabilities: Exploits
  93. OS Credential Dumping: DCSync
  94. Traffic Signaling: Socket Filters
  95. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  96. Hide Artifacts: Hidden Users
  97. Endpoint Denial of Service: Service Exhaustion Flood
  98. Event Triggered Execution: Screensaver
  99. Masquerading
  100. Account Manipulation: Additional Cloud Roles
  101. Boot or Logon Autostart Execution: Security Support Provider
  102. Server Software Component: IIS Components
  103. Trusted Relationship
  104. Acquire Infrastructure: Web Services
  105. Unsecured Credentials: Bash History
  106. Application Layer Protocol
  107. Scheduled Task/Job: Systemd Timers
  108. Forge Web Credentials
  109. OS Credential Dumping: NTDS
  110. Remote Services: SMB/Windows Admin Shares
  111. Software Discovery: Security Software Discovery
  112. Boot or Logon Initialization Scripts: Login Hook
  113. Phishing for Information: Spearphishing Service
  114. Impair Defenses: Downgrade Attack
  115. OS Credential Dumping: Security Account Manager
  116. Acquire Infrastructure: Malvertising
  117. Email Collection: Remote Email Collection
  118. Modify Authentication Process
  119. Pre-OS Boot
  120. Ingress Tool Transfer
  121. Active Scanning: Wordlist Scanning
  122. Obtain Capabilities: Vulnerabilities
  123. System Binary Proxy Execution: Mshta
  124. User Execution: Malicious Image
  125. Access Token Manipulation: Create Process with Token
  126. Rootkit
  127. Application Layer Protocol: Mail Protocols
  128. Weaken Encryption: Reduce Key Space
  129. Data from Cloud Storage
  130. Execution Guardrails: Mutual Exclusion
  131. Cloud Infrastructure Discovery
  132. Hide Artifacts: Email Hiding Rules
  133. Credentials from Password Stores: Keychain
  134. Internal Spearphishing
  135. name
  136. Gather Victim Host Information: Hardware
  137. Exfiltration Over Physical Medium
  138. Office Application Startup: Outlook Home Page
  139. Office Application Startup: Add-ins
  140. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  141. System Network Configuration Discovery
  142. Valid Accounts: Domain Accounts
  143. Obfuscated Files or Information
  144. Network Denial of Service
  145. Obtain Capabilities: Code Signing Certificates
  146. Account Discovery: Local Account
  147. Create or Modify System Process: Launch Daemon
  148. Automated Collection
  149. Impair Defenses
  150. Modify System Image
  151. Automated Exfiltration
  152. Data Encoding: Standard Encoding
  153. Data Obfuscation: Junk Data
  154. Resource Hijacking: Cloud Service Hijacking
  155. Command and Scripting Interpreter: AutoHotKey & AutoIT
  156. Exploitation for Credential Access
  157. Process Injection: Proc Memory
  158. Masquerading: Invalid Code Signature
  159. Application Layer Protocol: Web Protocols
  160. Abuse Elevation Control Mechanism: TCC Manipulation
  161. Develop Capabilities: Malware
  162. Direct Volume Access
  163. Office Application Startup: Office Template Macros
  164. Impair Defenses: Disable or Modify System Firewall
  165. Audio Capture
  166. Adversary-in-the-Middle: DHCP Spoofing
  167. Develop Capabilities: Exploits
  168. Boot or Logon Autostart Execution: Shortcut Modification
  169. Brute Force: Credential Stuffing
  170. Command and Scripting Interpreter: Windows Command Shell
  171. Remote Services: Remote Desktop Protocol
  172. Inter-Process Communication: Component Object Model
  173. Video Capture
  174. Event Triggered Execution: Udev Rules
  175. Hide Artifacts: Process Argument Spoofing
  176. Data Obfuscation: Protocol or Service Impersonation
  177. Stage Capabilities
  178. System Binary Proxy Execution: CMSTP
  179. Credentials from Password Stores: Windows Credential Manager
  180. Search Closed Sources: Purchase Technical Data
  181. Indicator Removal: Clear Command History
  182. Network Sniffing
  183. Unsecured Credentials
  184. Gather Victim Org Information: Identify Business Tempo
  185. System Binary Proxy Execution: Verclsid
  186. Credentials from Password Stores: Password Managers
  187. Event Triggered Execution: AppCert DLLs
  188. Obfuscated Files or Information: Binary Padding
  189. Exploitation for Privilege Escalation
  190. Impair Defenses: Disable or Modify Cloud Logs
  191. Data from Information Repositories: Code Repositories
  192. Gather Victim Identity Information: Employee Names
  193. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
  194. Cloud Service Dashboard
  195. Event Triggered Execution
  196. Command and Scripting Interpreter: JavaScript
  197. Steal or Forge Authentication Certificates
  198. Taint Shared Content
  199. OS Credential Dumping: /etc/passwd and /etc/shadow
  200. Network Denial of Service: Reflection Amplification
  201. Search Open Technical Databases
  202. Subvert Trust Controls: SIP and Trust Provider Hijacking
  203. Access Token Manipulation
  204. System Owner/User Discovery
  205. Disk Wipe
  206. Command and Scripting Interpreter
  207. Modify Authentication Process: Network Device Authentication
  208. Forced Authentication
  209. Domain or Tenant Policy Modification: Trust Modification
  210. Hijack Execution Flow: Executable Installer File Permissions Weakness
  211. Escape to Host
  212. Use Alternate Authentication Material
  213. Search Open Technical Databases: DNS/Passive DNS
  214. Gather Victim Org Information
  215. System Binary Proxy Execution: Regsvr32
  216. Remote Services: Direct Cloud VM Connections
  217. Remote Services: VNC
  218. Stage Capabilities: Install Digital Certificate
  219. Masquerading: Break Process Trees
  220. Input Capture: Web Portal Capture
  221. Unsecured Credentials: Container API
  222. Supply Chain Compromise
  223. Exfiltration Over Web Service: Exfiltration Over Webhook
  224. Search Closed Sources: Threat Intel Vendors
  225. Steal or Forge Kerberos Tickets: Ccache Files
  226. Boot or Logon Autostart Execution: Time Providers
  227. Create Account: Domain Account
  228. Establish Accounts: Cloud Accounts
  229. Search Closed Sources
  230. Endpoint Denial of Service
  231. Compromise Infrastructure: Virtual Private Server
  232. Input Capture
  233. Remote Services: Windows Remote Management
  234. Impair Defenses: Spoof Security Alerting
  235. Modify Authentication Process: Network Provider DLL
  236. Obfuscated Files or Information: Polymorphic Code
  237. Modify Authentication Process: Password Filter DLL
  238. Compromise Host Software Binary
  239. Phishing for Information: Spearphishing Attachment
  240. Hide Artifacts: Ignore Process Interrupts
  241. Develop Capabilities
  242. Scheduled Task/Job: Cron
  243. Pre-OS Boot: System Firmware
  244. Hijack Execution Flow: KernelCallbackTable
  245. Event Triggered Execution: PowerShell Profile
  246. Steal Web Session Cookie
  247. Archive Collected Data: Archive via Library
  248. Data Destruction
  249. Communication Through Removable Media
  250. Adversary-in-the-Middle: ARP Cache Poisoning
  251. Indicator Removal: Clear Network Connection History and Configurations
  252. Access Token Manipulation: Parent PID Spoofing
  253. Scheduled Task/Job: Container Orchestration Job
  254. Web Service
  255. Create Account: Local Account
  256. Modify Cloud Compute Infrastructure
  257. Obtain Capabilities: Artificial Intelligence
  258. Resource Hijacking: Compute Hijacking
  259. Account Access Removal
  260. Defacement
  261. Application Window Discovery
  262. Pre-OS Boot: ROMMONkit
  263. Steal Application Access Token
  264. Deploy Container
  265. Obtain Capabilities: Tool
  266. Impair Defenses: Disable or Modify Linux Audit System
  267. Valid Accounts: Default Accounts
  268. Credentials from Password Stores: Cloud Secrets Management Stores
  269. Valid Accounts: Local Accounts
  270. Gather Victim Org Information: Determine Physical Locations
  271. Process Injection: VDSO Hijacking
  272. Boot or Logon Initialization Scripts
  273. System Binary Proxy Execution: InstallUtil
  274. Forge Web Credentials: Web Cookies
  275. System Binary Proxy Execution: Odbcconf
  276. Stage Capabilities: Upload Tool
  277. Disk Wipe: Disk Content Wipe
  278. Exploitation for Defense Evasion
  279. Obfuscated Files or Information: Software Packing
  280. Boot or Logon Autostart Execution: Login Items
  281. Account Manipulation: Additional Email Delegate Permissions
  282. Fallback Channels
  283. Scheduled Task/Job: Scheduled Task
  284. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
  285. Remote Service Session Hijacking
  286. Modify Authentication Process: Reversible Encryption
  287. System Services: Launchctl
  288. Exploitation for Client Execution
  289. System Binary Proxy Execution: Control Panel
  290. Event Triggered Execution: Change Default File Association
  291. Dynamic Resolution: Domain Generation Algorithms
  292. Encrypted Channel: Asymmetric Cryptography
  293. Hijack Execution Flow: Services Registry Permissions Weakness
  294. Subvert Trust Controls: Install Root Certificate
  295. Adversary-in-the-Middle: Evil Twin
  296. Inter-Process Communication: XPC Services
  297. Exfiltration Over C2 Channel
  298. Hide Artifacts: Run Virtual Instance
  299. System Network Configuration Discovery: Internet Connection Discovery
  300. Obfuscated Files or Information: Compile After Delivery
  301. Shared Modules
  302. Dynamic Resolution
  303. Phishing for Information
  304. Stage Capabilities: SEO Poisoning
  305. Account Manipulation: Additional Cloud Credentials
  306. Hijack Execution Flow: DLL Search Order Hijacking
  307. Remote System Discovery
  308. Develop Capabilities: Digital Certificates
  309. Email Collection
  310. Process Injection: Dynamic-link Library Injection
  311. Unsecured Credentials: Credentials in Registry
  312. Data from Information Repositories: Sharepoint
  313. Establish Accounts: Social Media Accounts
  314. Credentials from Password Stores
  315. Modify Authentication Process: Conditional Access Policies
  316. Impersonation
  317. Group Policy Discovery
  318. System Services: Service Execution
  319. Pre-OS Boot: Bootkit
  320. Execution Guardrails: Environmental Keying
  321. Account Manipulation
  322. Encrypted Channel
  323. Lateral Tool Transfer
  324. Create or Modify System Process
  325. Disk Wipe: Disk Structure Wipe
  326. Non-Application Layer Protocol
  327. Supply Chain Compromise: Compromise Hardware Supply Chain
  328. Process Injection: Ptrace System Calls
  329. Command and Scripting Interpreter: PowerShell
  330. Hijack Execution Flow: Path Interception by PATH Environment Variable
  331. Active Scanning: Scanning IP Blocks
  332. Boot or Logon Autostart Execution: XDG Autostart Entries
  333. Implant Internal Image
  334. Pre-OS Boot: Component Firmware
  335. Search Open Websites/Domains: Social Media
  336. Valid Accounts: Cloud Accounts
  337. Archive Collected Data
  338. Windows Management Instrumentation
  339. Phishing: Spearphishing Link
  340. Event Triggered Execution: Netsh Helper DLL
  341. Defacement: Internal Defacement
  342. Endpoint Denial of Service: OS Exhaustion Flood
  343. OS Credential Dumping: Cached Domain Credentials
  344. Exploitation of Remote Services
  345. Data Staged: Local Data Staging
  346. Proxy: Internal Proxy
  347. Debugger Evasion
  348. Indicator Removal: Relocate Malware
  349. Archive Collected Data: Archive via Custom Method
  350. Compromise Accounts: Cloud Accounts
  351. Scheduled Task/Job
  352. Obfuscated Files or Information: Command Obfuscation
  353. Steal or Forge Kerberos Tickets: Golden Ticket
  354. Office Application Startup: Office Test
  355. Boot or Logon Autostart Execution: Authentication Package
  356. OS Credential Dumping: LSA Secrets
  357. Data Obfuscation
  358. Proxy: Multi-hop Proxy
  359. Compromise Infrastructure: Botnet
  360. Command and Scripting Interpreter: Cloud API
  361. Impair Defenses: Disable or Modify Tools
  362. Data from Information Repositories
  363. Data from Information Repositories: Customer Relationship Management Software
  364. Acquire Infrastructure: Server
  365. Event Triggered Execution: Image File Execution Options Injection
  366. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  367. Data from Information Repositories: Messaging Applications
  368. Unsecured Credentials: Private Keys
  369. System Binary Proxy Execution: Compiled HTML File
  370. System Network Configuration Discovery: Wi-Fi Discovery
  371. Compromise Accounts: Social Media Accounts
  372. Unsecured Credentials: Credentials In Files
  373. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  374. Virtualization/Sandbox Evasion: Time Based Evasion
  375. Data from Network Shared Drive
  376. Search Open Websites/Domains
  377. Gather Victim Network Information: Network Topology
  378. Server Software Component: Web Shell
  379. Event Triggered Execution: Unix Shell Configuration Modification
  380. Compromise Infrastructure
  381. User Execution: Malicious File
  382. Dynamic Resolution: Fast Flux DNS
  383. Search Victim-Owned Websites
  384. Steal or Forge Kerberos Tickets
  385. Container Administration Command
  386. Stage Capabilities: Drive-by Target
  387. Search Open Technical Databases: Scan Databases
  388. Use Alternate Authentication Material: Web Session Cookie
  389. Cloud Storage Object Discovery
  390. BITS Jobs
  391. Process Injection: Extra Window Memory Injection
  392. Acquire Infrastructure: Domains
  393. Gather Victim Network Information: Network Security Appliances
  394. Log Enumeration
  395. Modify Cloud Resource Hierarchy
  396. Hijack Execution Flow: COR_PROFILER
  397. Network Denial of Service: Direct Network Flood
  398. Obfuscated Files or Information: Indicator Removal from Tools
  399. Gather Victim Org Information: Business Relationships
  400. External Remote Services
  401. Data Obfuscation: Steganography
  402. Hide Artifacts: VBA Stomping
  403. XSL Script Processing
  404. Office Application Startup
  405. Unsecured Credentials: Chat Messages
  406. Data from Local System
  407. Protocol Tunneling
  408. Account Manipulation: Additional Container Cluster Roles
  409. User Execution
  410. System Services
  411. Server Software Component: Terminal Services DLL
  412. Account Manipulation: Device Registration
  413. Adversary-in-the-Middle
  414. Modify Authentication Process: Multi-Factor Authentication
  415. Network Service Discovery
  416. Hide Artifacts
  417. Event Triggered Execution: AppInit DLLs
  418. Multi-Factor Authentication Request Generation
  419. Hijack Execution Flow: Dylib Hijacking
  420. Clipboard Data
  421. Indicator Removal: Clear Linux or Mac System Logs
  422. Supply Chain Compromise: Compromise Software Supply Chain
  423. System Information Discovery
  424. Remote Service Session Hijacking: RDP Hijacking
  425. Create or Modify System Process: Windows Service
  426. Permission Groups Discovery: Local Groups
  427. System Shutdown/Reboot
  428. File and Directory Discovery
  429. Boot or Logon Autostart Execution: LSASS Driver
  430. Stage Capabilities: Link Target
  431. Masquerading: Masquerade Account Name
  432. Endpoint Denial of Service: Application or System Exploitation
  433. Browser Session Hijacking
  434. Trusted Developer Utilities Proxy Execution: ClickOnce
  435. Rogue Domain Controller
  436. Device Driver Discovery
  437. Process Injection: Portable Executable Injection
  438. User Execution: Malicious Link
  439. Modify Cloud Compute Infrastructure: Create Snapshot
  440. Remote Service Session Hijacking: SSH Hijacking
  441. Subvert Trust Controls: Gatekeeper Bypass
  442. Pre-OS Boot: TFTP Boot
  443. Impair Defenses: Indicator Blocking
  444. Compromise Accounts
  445. Gather Victim Network Information
  446. Archive Collected Data: Archive via Utility
  447. Remote Access Software
  448. Search Open Websites/Domains: Code Repositories
  449. Modify Cloud Compute Infrastructure: Create Cloud Instance
  450. System Script Proxy Execution
  451. System Binary Proxy Execution: Electron Applications
  452. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  453. Unsecured Credentials: Group Policy Preferences
  454. Virtualization/Sandbox Evasion: System Checks
  455. Command and Scripting Interpreter: AppleScript
  456. Application Layer Protocol: DNS
  457. Unsecured Credentials: Cloud Instance Metadata API
  458. Permission Groups Discovery
  459. Brute Force: Password Guessing
  460. Hijack Execution Flow: Dynamic Linker Hijacking
  461. Process Injection: Process Doppelgänging
  462. Subvert Trust Controls
  463. Input Capture: GUI Input Capture
  464. Obfuscated Files or Information: LNK Icon Smuggling
  465. Impair Defenses: Disable or Modify Cloud Firewall
  466. Application Layer Protocol: File Transfer Protocols
  467. Develop Capabilities: Code Signing Certificates
  468. Phishing: Spearphishing Attachment
  469. Service Stop
  470. Phishing
  471. Data from Configuration Repository: SNMP (MIB Dump)
  472. Permission Groups Discovery: Cloud Groups
  473. Multi-Stage Channels
  474. Hijack Execution Flow: Path Interception by Search Order Hijacking
  475. Gather Victim Host Information: Client Configurations
  476. Abuse Elevation Control Mechanism: Setuid and Setgid
  477. Data from Removable Media
  478. Hide Artifacts: Resource Forking
  479. Obfuscated Files or Information: Embedded Payloads
  480. Impair Defenses: Impair Command History Logging
  481. Inhibit System Recovery
  482. Masquerading: Rename System Utilities
  483. Masquerading: Right-to-Left Override
  484. Automated Exfiltration: Traffic Duplication
  485. Browser Information Discovery
  486. Hijack Execution Flow
  487. Subvert Trust Controls: Mark-of-the-Web Bypass
  488. Event Triggered Execution: Emond
  489. Acquire Infrastructure: Serverless
  490. Weaken Encryption
  491. Software Deployment Tools
  492. Server Software Component
  493. Event Triggered Execution: Windows Management Instrumentation Event Subscription
  494. Process Discovery
  495. Exfiltration Over Alternative Protocol
  496. Search Open Websites/Domains: Search Engines
  497. System Location Discovery: System Language Discovery
  498. Establish Accounts: Email Accounts
  499. Data from Information Repositories: Confluence
  500. Inter-Process Communication: Dynamic Data Exchange
  501. Account Discovery
  502. Hide Artifacts: NTFS File Attributes
  503. Screen Capture
  504. Data Transfer Size Limits
  505. Inter-Process Communication
  506. Modify Authentication Process: Domain Controller Authentication
  507. Boot or Logon Autostart Execution: Kernel Modules and Extensions
  508. Obtain Capabilities: Malware
  509. Acquire Access
  510. Event Triggered Execution: Trap
  511. Modify Cloud Compute Infrastructure: Delete Cloud Instance
  512. Exploit Public-Facing Application
  513. Indicator Removal: Clear Persistence
  514. Software Discovery
  515. System Binary Proxy Execution
  516. Modify Authentication Process: Pluggable Authentication Modules
  517. Firmware Corruption
  518. Hide Artifacts: File/Path Exclusions
  519. Cloud Administration Command
  520. Search Open Technical Databases: Digital Certificates
  521. Data Destruction: Lifecycle-Triggered Deletion
  522. Query Registry
  523. Process Injection: ListPlanting
  524. Data Staged: Remote Data Staging
  525. Gather Victim Host Information: Software
  526. Indicator Removal: Clear Mailbox Data
  527. Template Injection
  528. Boot or Logon Autostart Execution: Re-opened Applications
  529. Event Triggered Execution: LC_LOAD_DYLIB Addition
  530. Domain or Tenant Policy Modification: Group Policy Modification
  531. Abuse Elevation Control Mechanism
  532. Steal or Forge Kerberos Tickets: Silver Ticket
  533. Account Manipulation: SSH Authorized Keys
  534. Process Injection
  535. Remote Services: SSH
  536. Brute Force: Password Spraying
  537. Dynamic Resolution: DNS Calculation
  538. Deobfuscate/Decode Files or Information
  539. Access Token Manipulation: Token Impersonation/Theft
  540. System Script Proxy Execution: PubPrn
  541. Data Encoding: Non-Standard Encoding
  542. Gather Victim Identity Information: Email Addresses
  543. Subvert Trust Controls: Code Signing
  544. Hijack Execution Flow: AppDomainManager
  545. Acquire Infrastructure
  546. Masquerading: Space after Filename
  547. Exfiltration Over Web Service: Exfiltration to Cloud Storage
  548. Compromise Infrastructure: Web Services
  549. Encrypted Channel: Symmetric Cryptography
  550. Hide Artifacts: Hidden Files and Directories
  551. System Time Discovery
  552. Establish Accounts
  553. OS Credential Dumping: LSASS Memory
  554. Process Injection: Thread Local Storage
  555. Command and Scripting Interpreter: Network Device CLI
  556. Acquire Infrastructure: Botnet
  557. Weaken Encryption: Disable Crypto Hardware
  558. Subvert Trust Controls: Code Signing Policy Modification
  559. Create or Modify System Process: Container Service
  560. Gather Victim Org Information: Identify Roles
  561. Brute Force: Password Cracking
  562. Gather Victim Identity Information
  563. Container and Resource Discovery
  564. Permission Groups Discovery: Domain Groups
  565. Brute Force
  566. Hijack Execution Flow: Path Interception by Unquoted Path
  567. Indicator Removal: Timestomp
  568. Domain or Tenant Policy Modification
  569. Transfer Data to Cloud Account
  570. Access Token Manipulation: Make and Impersonate Token
  571. Server Software Component: Transport Agent
  572. Web Service: Bidirectional Communication
  573. Indicator Removal: File Deletion
  574. Defacement: External Defacement
  575. Steal or Forge Kerberos Tickets: AS-REP Roasting
  576. Impair Defenses: Disable Windows Event Logging
  577. Serverless Execution
  578. Compromise Infrastructure: Serverless
  579. Build Image on Host
  580. Phishing: Spearphishing via Service
  581. Acquire Infrastructure: Virtual Private Server
  582. Event Triggered Execution: Component Object Model Hijacking
  583. Indicator Removal: Clear Windows Event Logs
  584. Traffic Signaling
  585. Network Boundary Bridging: Network Address Translation Traversal
  586. System Service Discovery
  587. Use Alternate Authentication Material: Pass the Ticket
  588. Trusted Developer Utilities Proxy Execution
  589. Phishing for Information: Spearphishing Voice
  590. Event Triggered Execution: Accessibility Features
  591. System Network Connections Discovery
  592. Non-Standard Port
  593. Create or Modify System Process: Systemd Service
  594. Search Open Technical Databases: CDNs
  595. System Binary Proxy Execution: MMC
  596. Hide Artifacts: Hidden Window
  597. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  598. Account Discovery: Cloud Account
  599. Masquerading: Masquerade Task or Service
  600. Boot or Logon Autostart Execution
  601. Domain Trust Discovery
  602. Process Injection: Asynchronous Procedure Call
  603. Credentials from Password Stores: Securityd Memory
  604. Scheduled Transfer
  605. Boot or Logon Autostart Execution: Print Processors
  606. Obtain Capabilities: Digital Certificates
  607. Modify Registry
  608. Remote Services
  609. Steal or Forge Kerberos Tickets: Kerberoasting
  610. Masquerading: Double File Extension
  611. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  612. Obfuscated Files or Information: Dynamic API Resolution
  613. Remote Services: Cloud Services
  614. Unused/Unsupported Cloud Regions
  615. Masquerading: Match Legitimate Name or Location
  616. Valid Accounts
  617. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  618. Remote Services: Distributed Component Object Model
  619. Web Service: One-Way Communication
  620. OS Credential Dumping: Proc Filesystem
  621. Abuse Elevation Control Mechanism: Bypass User Account Control
  622. Exfiltration Over Web Service
  623. Boot or Logon Initialization Scripts: RC Scripts
  624. Stage Capabilities: Upload Malware
  625. System Location Discovery
  626. Obfuscated Files or Information: Fileless Storage
  627. Financial Theft
  628. Credentials from Password Stores: Credentials from Web Browsers
  629. Gather Victim Identity Information: Credentials
  630. Active Scanning: Vulnerability Scanning
  631. Data Staged
  632. Hide Infrastructure
  633. Data from Configuration Repository: Network Device Configuration Dump
  634. Scheduled Task/Job: At
  635. Exfiltration Over Other Network Medium
  636. Compromise Infrastructure: Domains
  637. Compromise Infrastructure: DNS Server
  638. Input Capture: Credential API Hooking
  639. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  640. Peripheral Device Discovery
  641. Proxy
  642. Search Open Technical Databases: WHOIS
  643. Access Token Manipulation: SID-History Injection
  644. Boot or Logon Initialization Scripts: Logon Script (Windows)
  645. Account Manipulation: Additional Local or Domain Groups
  646. Create Account: Cloud Account
  647. Exfiltration Over Web Service: Exfiltration to Code Repository
  648. Replication Through Removable Media
  649. Resource Hijacking
  650. Exfiltration Over Physical Medium: Exfiltration over USB
  651. Gather Victim Host Information: Firmware
  652. Hide Artifacts: Hidden File System
  653. Input Capture: Keylogging
  654. Gather Victim Network Information: IP Addresses
  655. Hardware Additions
  656. Account Discovery: Domain Account
  657. Command and Scripting Interpreter: Python