Exfiltration Over Physical Medium
Obtain Capabilities
Search Open Websites/Domains: Search Engines
Execution Guardrails: Environmental Keying
Valid Accounts: Cloud Accounts
Indicator Removal: Clear Persistence
Boot or Logon Autostart Execution: Winlogon Helper DLL
System Time Discovery
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Hide Artifacts: NTFS File Attributes
Stage Capabilities
Inter-Process Communication
BITS Jobs
Valid Accounts: Local Accounts
Gather Victim Org Information: Determine Physical Locations
Gather Victim Host Information: Client Configurations
Browser Extensions
Defacement
Acquire Infrastructure: DNS Server
Server Software Component: IIS Components
Remote Services: Distributed Component Object Model
Acquire Infrastructure: Server
Server Software Component: Terminal Services DLL
System Binary Proxy Execution: Verclsid
Phishing for Information: Spearphishing Attachment
Native API
Data Transfer Size Limits
Power Settings
Brute Force: Password Guessing
Group Policy Discovery
Hijack Execution Flow: Services File Permissions Weakness
Hijack Execution Flow: Services Registry Permissions Weakness
Hide Artifacts: Run Virtual Instance
Weaken Encryption: Disable Crypto Hardware
Deploy Container
Shared Modules
Hijack Execution Flow
System Binary Proxy Execution
Hijack Execution Flow: Kernel Callback Table
Exploitation for Privilege Escalation
Process Injection: Process Doppelgänging
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Indicator Removal: Clear Windows Event Logs
Boot or Logon Autostart Execution: Authentication Package
Hide Artifacts: Hidden File System
Debugger Evasion
Credentials from Password Stores: Cloud Secrets Management Stores
Event Triggered Execution: Unix Shell Configuration Modification
Traffic Signaling: Port Knocking
Masquerading: Break Process Trees
Exploitation for Credential Access
System Binary Proxy Execution: Control Panel
Search Open Technical Databases
Modify Cloud Compute Infrastructure: Create Snapshot
Scheduled Task/Job
Data from Configuration Repository
Event Triggered Execution: Component Object Model Hijacking
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Acquire Infrastructure: Virtual Private Server
Hardware Additions
System Services: Service Execution
Event Triggered Execution: Emond
Drive-by Compromise
Steal Application Access Token
Dynamic Resolution: Fast Flux DNS
Hijack Execution Flow: Path Interception by Unquoted Path
Obfuscated Files or Information: Stripped Payloads
Data Obfuscation: Protocol or Service Impersonation
Gather Victim Identity Information: Credentials
Non-Standard Port
Modify Authentication Process: Network Provider DLL
Use Alternate Authentication Material: Web Session Cookie
Scheduled Task/Job: Systemd Timers
Proxy
Boot or Logon Autostart Execution
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Masquerading: Masquerade Task or Service
Process Injection: Asynchronous Procedure Call
Create or Modify System Process: Windows Service
Indicator Removal: Clear Linux or Mac System Logs
Active Scanning: Vulnerability Scanning
Server Software Component: SQL Stored Procedures
Office Application Startup: Outlook Home Page
Template Injection
Boot or Logon Autostart Execution: Security Support Provider
Remote System Discovery
Modify System Image
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Hijack Execution Flow: Dynamic Linker Hijacking
Office Application Startup
Gather Victim Org Information: Business Relationships
System Binary Proxy Execution: Odbcconf
Remote Service Session Hijacking: SSH Hijacking
Steal or Forge Kerberos Tickets: Ccache Files
Search Closed Sources
Boot or Logon Autostart Execution: Time Providers
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Virtualization/Sandbox Evasion
Server Software Component: Transport Agent
Access Token Manipulation: SID-History Injection
Automated Exfiltration
Use Alternate Authentication Material: Pass the Hash
Windows Management Instrumentation
Data from Network Shared Drive
Event Triggered Execution: LC_LOAD_DYLIB Addition
Unsecured Credentials: Group Policy Preferences
Cloud Storage Object Discovery
Supply Chain Compromise: Compromise Software Supply Chain
Stage Capabilities: SEO Poisoning
Permission Groups Discovery: Cloud Groups
System Binary Proxy Execution: Compiled HTML File
Acquire Infrastructure
File and Directory Permissions Modification
Escape to Host
Compromise Infrastructure: Web Services
Account Discovery
Cloud Service Dashboard
Establish Accounts: Social Media Accounts
Account Discovery: Cloud Account
Proxy: External Proxy
System Shutdown/Reboot
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Office Application Startup: Office Template Macros
OS Credential Dumping: LSA Secrets
Proxy: Internal Proxy
Compromise Infrastructure: DNS Server
Modify Authentication Process: Reversible Encryption
Remote Services: Remote Desktop Protocol
Remote Services: Cloud Services
Implant Internal Image
Indicator Removal: Clear Command History
Subvert Trust Controls: Mark-of-the-Web Bypass
Process Discovery
Event Triggered Execution: Trap
Email Collection
Unsecured Credentials: Credentials in Registry
System Service Discovery
User Execution: Malicious Image
Protocol Tunneling
OS Credential Dumping: Cached Domain Credentials
Network Denial of Service: Direct Network Flood
Event Triggered Execution: Change Default File Association
Traffic Signaling
Pre-OS Boot: ROMMONkit
Hide Artifacts: File/Path Exclusions
Abuse Elevation Control Mechanism
Hide Artifacts: VBA Stomping
Obtain Capabilities: Vulnerabilities
Application Window Discovery
Encrypted Channel: Symmetric Cryptography
Obfuscated Files or Information: Binary Padding
Network Sniffing
System Services
Email Collection: Remote Email Collection
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Virtualization/Sandbox Evasion: System Checks
Trusted Relationship
Application Layer Protocol: Mail Protocols
Command and Scripting Interpreter: PowerShell
Video Capture
Valid Accounts: Default Accounts
System Network Configuration Discovery
Valid Accounts: Domain Accounts
Ingress Tool Transfer
Event Triggered Execution: Accessibility Features
Pre-OS Boot: Bootkit
Pre-OS Boot: TFTP Boot
Access Token Manipulation: Create Process with Token
Boot or Logon Initialization Scripts: Login Hook
Boot or Logon Autostart Execution: Print Processors
Permission Groups Discovery
Office Application Startup: Outlook Rules
Brute Force: Password Cracking
Transfer Data to Cloud Account
Scheduled Task/Job: Scheduled Task
Boot or Logon Autostart Execution: XDG Autostart Entries
Modify Registry
Virtualization/Sandbox Evasion: Time Based Evasion
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Firmware Corruption
Phishing for Information
Resource Hijacking
Exfiltration Over Web Service: Exfiltration to Code Repository
Exfiltration Over Web Service
File and Directory Discovery
Supply Chain Compromise: Compromise Hardware Supply Chain
Execution Guardrails: Mutual Exclusion
Supply Chain Compromise
Gather Victim Identity Information
Data from Information Repositories
Stage Capabilities: Install Digital Certificate
Hijack Execution Flow: Path Interception by PATH Environment Variable
Cloud Administration Command
Remote Services: Direct Cloud VM Connections
Query Registry
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: JavaScript
Access Token Manipulation: Make and Impersonate Token
Unsecured Credentials: Credentials In Files
Data from Cloud Storage
Forced Authentication
Web Service: Dead Drop Resolver
Account Manipulation: Additional Email Delegate Permissions
Adversary-in-the-Middle: Evil Twin
Weaken Encryption: Reduce Key Space
Steal or Forge Kerberos Tickets: Silver Ticket
OS Credential Dumping: Proc Filesystem
Event Triggered Execution: Installer Packages
Obfuscated Files or Information: Software Packing
Indicator Removal: Network Share Connection Removal
Resource Hijacking: Cloud Service Hijacking
Impair Defenses
Audio Capture
System Owner/User Discovery
System Network Connections Discovery
Boot or Logon Autostart Execution: Re-opened Applications
Endpoint Denial of Service
Fallback Channels
Automated Exfiltration: Traffic Duplication
Screen Capture
Access Token Manipulation
Create Account
Gather Victim Identity Information: Email Addresses
Masquerading: Match Legitimate Name or Location
Command and Scripting Interpreter: Unix Shell
Browser Information Discovery
Inter-Process Communication: XPC Services
Stage Capabilities: Link Target
Remote Access Software
Account Manipulation: Additional Local or Domain Groups
Account Discovery: Domain Account
Network Service Discovery
Input Capture: Credential API Hooking
Search Open Websites/Domains: Social Media
Data from Information Repositories: Sharepoint
Forge Web Credentials: SAML Tokens
Search Closed Sources: Threat Intel Vendors
Process Injection: Thread Local Storage
Boot or Logon Autostart Execution: LSASS Driver
Proxy: Domain Fronting
Data Encrypted for Impact
Indicator Removal
Account Manipulation: Device Registration
Phishing for Information: Spearphishing Link
Exfiltration Over Physical Medium: Exfiltration over USB
Remote Service Session Hijacking
Data Obfuscation: Steganography
Cloud Infrastructure Discovery
Hide Artifacts: Hidden Files and Directories
Command and Scripting Interpreter: Cloud API
Application Layer Protocol: DNS
Hijack Execution Flow: COR_PROFILER
Data Manipulation: Runtime Data Manipulation
System Script Proxy Execution: PubPrn
Process Injection: Thread Execution Hijacking
Inter-Process Communication: Dynamic Data Exchange
Pre-OS Boot: System Firmware
Modify Authentication Process: Domain Controller Authentication
Establish Accounts: Cloud Accounts
Container Administration Command
Impair Defenses: Disable or Modify Linux Audit System
Permission Groups Discovery: Domain Groups
Archive Collected Data
Process Injection: Process Hollowing
Impair Defenses: Disable or Modify Cloud Logs
Obtain Capabilities: Malware
Unsecured Credentials: Cloud Instance Metadata API
Create or Modify System Process: Launch Daemon
Indicator Removal: Relocate Malware
Obfuscated Files or Information: Compile After Delivery
Application Layer Protocol
Search Open Technical Databases: Scan Databases
Boot or Logon Autostart Execution: Port Monitors
Acquire Access
Hide Infrastructure
Inhibit System Recovery
Impair Defenses: Spoof Security Alerting
OS Credential Dumping: Security Account Manager
Gather Victim Org Information
Develop Capabilities: Code Signing Certificates
Account Manipulation: Additional Cloud Credentials
Software Discovery
Exfiltration Over Other Network Medium
Encrypted Channel
Gather Victim Network Information: IP Addresses
Reflective Code Loading
Multi-Factor Authentication Interception
Gather Victim Network Information: Domain Properties
Masquerading: Rename System Utilities
Indicator Removal: Timestomp
Obfuscated Files or Information: Embedded Payloads
Event Triggered Execution: AppCert DLLs
Gather Victim Org Information: Identify Roles
Subvert Trust Controls: SIP and Trust Provider Hijacking
Non-Application Layer Protocol
Peripheral Device Discovery
Gather Victim Network Information: Network Trust Dependencies
Network Denial of Service: Reflection Amplification
Encrypted Channel: Asymmetric Cryptography
Application Layer Protocol: Web Protocols
Unused/Unsupported Cloud Regions
Remote Services: SSH
Adversary-in-the-Middle: DHCP Spoofing
Event Triggered Execution: Udev Rules
Masquerading
Exfiltration Over Web Service: Exfiltration Over Webhook
Server Software Component
Search Open Technical Databases: Digital Certificates
Subvert Trust Controls: Install Root Certificate
Credentials from Password Stores: Credentials from Web Browsers
Develop Capabilities: Digital Certificates
Data Manipulation: Transmitted Data Manipulation
Dynamic Resolution
Hijack Execution Flow: DLL Side-Loading
Office Application Startup: Office Test
Obfuscated Files or Information: Encrypted/Encoded File
Remote Services
Input Capture: GUI Input Capture
Account Manipulation: Additional Cloud Roles
Office Application Startup: Add-ins
Proxy: Multi-hop Proxy
Phishing for Information: Spearphishing Voice
Compromise Infrastructure: Serverless
Trusted Developer Utilities Proxy Execution: ClickOnce
Process Injection: Proc Memory
Web Service: Bidirectional Communication
Indirect Command Execution
Gather Victim Host Information
Data Staged: Local Data Staging
Forge Web Credentials: Web Cookies
Hide Artifacts: Hidden Window
Input Capture
Domain or Tenant Policy Modification: Trust Modification
Lateral Tool Transfer
System Binary Proxy Execution: CMSTP
Search Open Websites/Domains
Data from Information Repositories: Confluence
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Obtain Capabilities: Code Signing Certificates
Deobfuscate/Decode Files or Information
Boot or Logon Initialization Scripts: Network Logon Script
Gather Victim Org Information: Identify Business Tempo
Compromise Host Software Binary
Gather Victim Identity Information: Employee Names
System Binary Proxy Execution: Msiexec
Data Manipulation
Indicator Removal: File Deletion
Event Triggered Execution: Netsh Helper DLL
Account Discovery: Local Account
Develop Capabilities
Impair Defenses: Disable or Modify Cloud Firewall
Dynamic Resolution: DNS Calculation
Exploitation for Defense Evasion
Exploit Public-Facing Application
Data Obfuscation: Junk Data
Acquire Infrastructure: Web Services
System Network Configuration Discovery: Wi-Fi Discovery
Boot or Logon Initialization Scripts
Data from Configuration Repository: SNMP (MIB Dump)
Endpoint Denial of Service: Application or System Exploitation
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Command and Scripting Interpreter: Network Device CLI
Modify Authentication Process: Network Device Authentication
Data from Configuration Repository: Network Device Configuration Dump
Subvert Trust Controls: Code Signing Policy Modification
Phishing: Spearphishing via Service
Data Destruction: Lifecycle-Triggered Deletion
Stage Capabilities: Drive-by Target
OS Credential Dumping: NTDS
OS Credential Dumping: LSASS Memory
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets: AS-REP Roasting
Hide Artifacts: Ignore Process Interrupts
Unsecured Credentials
Archive Collected Data: Archive via Utility
Hijack Execution Flow: Path Interception by Search Order Hijacking
Data Manipulation: Stored Data Manipulation
Obfuscated Files or Information
Obtain Capabilities: Artificial Intelligence
Brute Force
Create Account: Cloud Account
Masquerading: Invalid Code Signature
Unsecured Credentials: Chat Messages
Hijack Execution Flow: Dylib Hijacking
Active Scanning: Scanning IP Blocks
Active Scanning
Subvert Trust Controls
Data Encoding: Standard Encoding
Browser Session Hijacking
Valid Accounts
Compromise Infrastructure
Hijack Execution Flow: DLL Search Order Hijacking
Adversary-in-the-Middle
Compromise Infrastructure: Botnet
Search Open Technical Databases: DNS/Passive DNS
Compromise Accounts: Email Accounts
Process Injection
Search Closed Sources: Purchase Technical Data
Exploitation for Client Execution
Process Injection: VDSO Hijacking
Hide Artifacts: Process Argument Spoofing
Masquerading: Right-to-Left Override
Indicator Removal: Clear Mailbox Data
Subvert Trust Controls: Gatekeeper Bypass
Obfuscated Files or Information: LNK Icon Smuggling
Defacement: Internal Defacement
Resource Hijacking: SMS Pumping
Credentials from Password Stores: Windows Credential Manager
Data from Local System
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Phishing
Abuse Elevation Control Mechanism: Setuid and Setgid
Email Collection: Email Forwarding Rule
Modify Authentication Process: Pluggable Authentication Modules
System Binary Proxy Execution: Regsvcs/Regasm
Hide Artifacts
Disk Wipe
Compromise Accounts
Software Discovery: Security Software Discovery
Data Staged: Remote Data Staging
Obfuscated Files or Information: Command Obfuscation
Remote Service Session Hijacking: RDP Hijacking
Masquerading: Masquerade Account Name
Dynamic Resolution: Domain Generation Algorithms
System Location Discovery
Office Application Startup: Outlook Forms
Masquerading: Masquerade File Type
Obfuscated Files or Information: Indicator Removal from Tools
Masquerading: Space after Filename
User Execution
Direct Volume Access
Application Layer Protocol: File Transfer Protocols
Data from Information Repositories: Code Repositories
Multi-Stage Channels
Archive Collected Data: Archive via Library
Gather Victim Network Information: Network Security Appliances
Scheduled Transfer
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Credentials from Password Stores: Keychain
Compromise Infrastructure: Network Devices
Adversary-in-the-Middle: ARP Cache Poisoning
Input Capture: Web Portal Capture
Steal Web Session Cookie
Resource Hijacking: Compute Hijacking
Boot or Logon Autostart Execution: Shortcut Modification
Acquire Infrastructure: Malvertising
Trusted Developer Utilities Proxy Execution: MSBuild
Indicator Removal: Clear Network Connection History and Configurations
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Traffic Signaling: Socket Filters
Steal or Forge Kerberos Tickets: Kerberoasting
Credentials from Password Stores: Securityd Memory
Cloud Service Discovery
Obfuscated Files or Information: Polymorphic Code
Application Layer Protocol: Publish/Subscribe Protocols
Account Discovery: Email Account
Search Victim-Owned Websites
Event Triggered Execution: Application Shimming
Modify Cloud Compute Infrastructure: Create Cloud Instance
Use Alternate Authentication Material
Create or Modify System Process: Launch Agent
Obfuscated Files or Information: HTML Smuggling
Use Alternate Authentication Material: Pass the Ticket
Execution Guardrails
Obfuscated Files or Information: Dynamic API Resolution
Phishing: Spearphishing Voice
Data from Information Repositories: Customer Relationship Management Software
Obtain Capabilities: Digital Certificates
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Domain or Tenant Policy Modification
User Execution: Malicious File
Obtain Capabilities: Tool
Impair Defenses: Indicator Blocking
System Binary Proxy Execution: Regsvr32
Gather Victim Network Information
System Services: Launchctl
Abuse Elevation Control Mechanism: Bypass User Account Control
Command and Scripting Interpreter
Create or Modify System Process
Data Obfuscation
Command and Scripting Interpreter: AppleScript
Impair Defenses: Safe Mode Boot
Web Service
Gather Victim Network Information: DNS
Input Capture: Keylogging
Remote Services: Windows Remote Management
Obfuscated Files or Information: Fileless Storage
Modify Cloud Resource Hierarchy
Network Denial of Service
Create Account: Local Account
Plist File Modification
Subvert Trust Controls: Code Signing
Credentials from Password Stores: Password Managers
Obfuscated Files or Information: Steganography
System Location Discovery: System Language Discovery
OS Credential Dumping: /etc/passwd and /etc/shadow
Modify Authentication Process: Multi-Factor Authentication
Event Triggered Execution: PowerShell Profile
Scheduled Task/Job: At
Disk Wipe: Disk Structure Wipe
Data from Removable Media
Financial Theft
Boot or Logon Initialization Scripts: RC Scripts
Container and Resource Discovery
Remote Services: VNC
Account Access Removal
Access Token Manipulation: Parent PID Spoofing
Boot or Logon Autostart Execution: Login Items
Impair Defenses: Downgrade Attack
Automated Collection
Impersonation
Exfiltration Over Alternative Protocol
Phishing for Information: Spearphishing Service
Network Share Discovery
Modify Authentication Process: Hybrid Identity
Process Injection: Extra Window Memory Injection
User Execution: Malicious Link
Establish Accounts: Email Accounts
Communication Through Removable Media
Process Injection: Dynamic-link Library Injection
Stage Capabilities: Upload Malware
Steal or Forge Kerberos Tickets: Golden Ticket
Clipboard Data
Compromise Infrastructure: Domains
Create or Modify System Process: Container Service
Develop Capabilities: Malware
Permission Groups Discovery: Local Groups
Weaken Encryption
Exfiltration Over C2 Channel
Impair Defenses: Impair Command History Logging
Search Open Technical Databases: CDNs
Obtain Capabilities: Exploits
External Remote Services
Gather Victim Host Information: Firmware
Command and Scripting Interpreter: Lua
Command and Scripting Interpreter: AutoHotKey & AutoIT
Create Account: Domain Account
Server Software Component: Web Shell
Endpoint Denial of Service: OS Exhaustion Flood
Active Scanning: Wordlist Scanning
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Disk Wipe: Disk Content Wipe
Establish Accounts
Compromise Infrastructure: Virtual Private Server
Endpoint Denial of Service: Service Exhaustion Flood
Create or Modify System Process: Systemd Service
Phishing: Spearphishing Link
Unsecured Credentials: Bash History
Use Alternate Authentication Material: Application Access Token
Command and Scripting Interpreter: Visual Basic
Credentials from Password Stores
Process Injection: ListPlanting
Domain Trust Discovery
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Virtualization/Sandbox Evasion: User Activity Based Checks
Rootkit
Account Manipulation: SSH Authorized Keys
Trusted Developer Utilities Proxy Execution
Acquire Infrastructure: Serverless
System Script Proxy Execution
Hijack Execution Flow: AppDomainManager
Internal Spearphishing
Data from Information Repositories: Messaging Applications
Defacement: External Defacement
Masquerading: Double File Extension
Search Open Websites/Domains: Code Repositories
Event Triggered Execution: Screensaver
Gather Victim Host Information: Hardware
Endpoint Denial of Service: Application Exhaustion Flood
Develop Capabilities: Exploits
Gather Victim Host Information: Software
Access Token Manipulation: Token Impersonation/Theft
XSL Script Processing
Replication Through Removable Media
Data Encoding: Non-Standard Encoding
Boot or Logon Autostart Execution: Active Setup
Account Manipulation
Modify System Image: Downgrade System Image
System Binary Proxy Execution: Mshta
Impair Defenses: Disable Windows Event Logging
Compromise Infrastructure: Server
Impair Defenses: Disable or Modify System Firewall
Data Destruction
Acquire Infrastructure: Domains
Multi-Factor Authentication Request Generation
Hide Artifacts: Email Hiding Rules
Phishing: Spearphishing Attachment
Event Triggered Execution: AppInit DLLs
Hijack Execution Flow: Executable Installer File Permissions Weakness
Unsecured Credentials: Container API
Boot or Logon Initialization Scripts: Logon Script (Windows)
Gather Victim Network Information: Network Topology
System Script Proxy Execution: SyncAppvPublishingServer
Exploitation of Remote Services
Software Deployment Tools
Resource Hijacking: Bandwidth Hijacking
Data Encoding
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Scheduled Task/Job: Container Orchestration Job
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: Python
Scheduled Task/Job: Cron
Password Policy Discovery
Remote Services: SMB/Windows Admin Shares
System Binary Proxy Execution: Electron Applications
Acquire Infrastructure: Botnet
Web Service: One-Way Communication
Serverless Execution
Pre-OS Boot: Component Firmware
OS Credential Dumping
Compromise Accounts: Cloud Accounts
Domain or Tenant Policy Modification: Group Policy Modification
Rogue Domain Controller
Account Manipulation: Additional Container Cluster Roles
Boot or Logon Initialization Scripts: Startup Items
Network Boundary Bridging
Service Stop
Network Boundary Bridging: Network Address Translation Traversal
Abuse Elevation Control Mechanism: TCC Manipulation
Data Staged
Process Injection: Ptrace System Calls
Archive Collected Data: Archive via Custom Method
Device Driver Discovery
Taint Shared Content
Process Injection: Portable Executable Injection
Modify Authentication Process: Password Filter DLL
Brute Force: Password Spraying
Hide Artifacts: Resource Forking
Compromise Accounts: Social Media Accounts
System Information Discovery
Modify Authentication Process
Log Enumeration
Event Triggered Execution
Build Image on Host
System Binary Proxy Execution: Rundll32
Hide Artifacts: Hidden Users
Event Triggered Execution: Image File Execution Options Injection
Search Open Technical Databases: WHOIS
Stage Capabilities: Upload Tool
Unsecured Credentials: Private Keys
OS Credential Dumping: DCSync
System Binary Proxy Execution: MMC
System Binary Proxy Execution: Mavinject
Forge Web Credentials
Brute Force: Credential Stuffing
Steal or Forge Authentication Certificates
Inter-Process Communication: Component Object Model
Content Injection
Modify Authentication Process: Conditional Access Policies
Impair Defenses: Disable or Modify Tools
Modify System Image: Patch System Image
Email Collection: Local Email Collection
System Binary Proxy Execution: InstallUtil
Modify Cloud Compute Infrastructure
Pre-OS Boot
IconSmugglingDefacement:InternalDefacementResourceHijacking:SMSPumpingCredentialsfrom PasswordStores:WindowsCredentialManagerData fromLocalSystemFile and DirectoryPermissionsModification:Windows File andDirectoryPermissionsModificationPhishingAbuseElevationControlMechanism:Setuid andSetgidEmailCollection:EmailForwardingRuleModifyAuthenticationProcess:PluggableAuthenticationModulesSystem BinaryProxy Execution:Regsvcs/RegasmHideArtifactsDiskWipeCompromiseAccountsSoftwareDiscovery:SecuritySoftwareDiscoveryData Staged:RemoteData StagingObfuscatedFiles orInformation:CommandObfuscationRemoteServiceSessionHijacking:RDP HijackingMasquerading:MasqueradeAccount NameDynamicResolution:DomainGenerationAlgorithmsSystemLocationDiscoveryOfficeApplicationStartup:OutlookFormsMasquerading:MasqueradeFile TypeObfuscatedFiles orInformation:IndicatorRemoval fromToolsMasquerading:Space afterFilenameUserExecutionDirectVolumeAccessApplicationLayerProtocol: FileTransferProtocolsData fromInformationRepositories:CodeRepositoriesMulti-StageChannelsArchiveCollectedData:Archive viaLibraryGather VictimNetworkInformation:NetworkSecurityAppliancesScheduledTransferModify CloudComputeInfrastructure:Modify CloudComputeConfigurationsCredentialsfromPasswordStores:KeychainCompromiseInfrastructure:NetworkDevicesAdversary-in-the-Middle: ARPCachePoisoningInputCapture:Web PortalCaptureSteal WebSessionCookieResourceHijacking:ComputeHijackingBoot or LogonAutostartExecution:ShortcutModificationAcquireInfrastructure:MalvertisingTrustedDeveloperUtilities ProxyExecution:MSBuildIndicatorRemoval: ClearNetworkConnectionHistory andConfigurationsAbuseElevationControlMechanism:Sudo and SudoCachingTrafficSignaling:SocketFiltersSteal or ForgeKerberosTickets:KerberoastingCredentialsfrom PasswordStores:SecuritydMemoryCloudServiceDiscoveryObfuscatedFiles orInformation:PolymorphicCodeApplication 
LayerProtocol:Publish/SubscribeProtocolsAccountDiscovery:EmailAccountSearchVictim-OwnedWebsitesEventTriggeredExecution:ApplicationShimmingModify CloudComputeInfrastructure:Create CloudInstanceUse AlternateAuthenticationMaterialCreate orModifySystemProcess:Launch AgentObfuscatedFiles orInformation:HTMLSmugglingUse AlternateAuthenticationMaterial: Passthe TicketExecutionGuardrailsObfuscatedFiles orInformation:Dynamic APIResolutionPhishing:SpearphishingVoiceData fromInformationRepositories:CustomerRelationshipManagementSoftwareObtainCapabilities:DigitalCertificatesExfiltrationOver WebService:Exfiltration toText StorageSitesDomain orTenantPolicyModificationUserExecution:MaliciousFileObtainCapabilities:ToolImpairDefenses:IndicatorBlockingSystemBinary ProxyExecution:Regsvr32GatherVictimNetworkInformationSystemServices:LaunchctlAbuse ElevationControlMechanism:Bypass UserAccount ControlCommandandScriptingInterpreterCreate orModifySystemProcessDataObfuscationCommandand ScriptingInterpreter:AppleScriptImpairDefenses:Safe ModeBootWebServiceGatherVictimNetworkInformation:DNSInputCapture:KeyloggingRemoteServices:WindowsRemoteManagementObfuscatedFiles orInformation:FilelessStorageModifyCloudResourceHierarchyNetworkDenial ofServiceCreateAccount:LocalAccountPlist FileModificationSubvertTrustControls:CodeSigningCredentialsfrom PasswordStores:PasswordManagersObfuscatedFiles orInformation:SteganographySystemLocationDiscovery:SystemLanguageDiscoveryOS CredentialDumping:/etc/passwdand/etc/shadowModifyAuthenticationProcess:Multi-FactorAuthenticationEventTriggeredExecution:PowerShellProfileScheduledTask/Job:AtDisk Wipe:DiskStructureWipeData fromRemovableMediaFinancialTheftBoot orLogonInitializationScripts: RCScriptsContainerandResourceDiscoveryRemoteServices:VNCAccountAccessRemovalAccessTokenManipulation:Parent PIDSpoofingBoot orLogonAutostartExecution:Login ItemsImpairDefenses:DowngradeAttackAutomatedCollectionImpersonationExfiltrationOverAlternativeProtocolPhishing 
forInformation:SpearphishingServiceNetworkShareDiscoveryModifyAuthenticationProcess:Hybrid IdentityProcessInjection:Extra WindowMemoryInjectionUserExecution:MaliciousLinkEstablishAccounts:EmailAccountsCommunicationThroughRemovableMediaProcessInjection:Dynamic-linkLibraryInjectionStageCapabilities:UploadMalwareSteal orForgeKerberosTickets:Golden TicketnameClipboardDataCompromiseInfrastructure:DomainsCreate orModify SystemProcess:ContainerServiceDevelopCapabilities:MalwarePermissionGroupsDiscovery:LocalGroupsWeakenEncryptionExfiltrationOver C2ChannelImpairDefenses:ImpairCommandHistory LoggingSearchOpenTechnicalDatabases:CDNsObtainCapabilities:ExploitsExternalRemoteServicesGatherVictim HostInformation:FirmwareCommandand ScriptingInterpreter:LuaCommandand ScriptingInterpreter:AutoHotKey& AutoITCreateAccount:DomainAccountServerSoftwareComponent:Web ShellEndpointDenial ofService: OSExhaustionFloodActiveScanning:WordlistScanningBoot or LogonAutostartExecution:Kernel Modulesand ExtensionsDisk Wipe:DiskContentWipeEstablishAccountsCompromiseInfrastructure:Virtual PrivateServerEndpoint Denialof Service:ServiceExhaustionFloodCreate orModify SystemProcess:SystemdServicePhishing:SpearphishingLinkUnsecuredCredentials:BashHistoryUse AlternateAuthenticationMaterial:ApplicationAccess TokenCommandand ScriptingInterpreter:Visual BasicCredentialsfromPasswordStoresProcessInjection:ListPlantingDomainTrustDiscoveryBoot or LogonAutostartExecution:Registry RunKeys / StartupFolderVirtualization/SandboxEvasion: User ActivityBased ChecksRootkitAccountManipulation:SSHAuthorizedKeysTrustedDeveloperUtilitiesProxyExecutionAcquireInfrastructure:ServerlessSystemScriptProxyExecutionHijack ExecutionFlow:AppDomainManagerInternalSpearphishingData fromInformationRepositories:MessagingApplicationsDefacement:ExternalDefacementMasquerading:Double FileExtensionSearch OpenWebsites/Domains:Code RepositoriesEventTriggeredExecution:ScreensaverGatherVictim HostInformation:HardwareEndpoint Denialof 
Service:ApplicationExhaustionFloodDevelopCapabilities:ExploitsGatherVictim HostInformation:SoftwareAccess TokenManipulation: TokenImpersonation/TheftXSL ScriptProcessingReplicationThroughRemovableMediaDataEncoding:Non-StandardEncodingBoot orLogonAutostartExecution:Active SetupAccountManipulationModifySystemImage:DowngradeSystem ImageSystemBinary ProxyExecution:MshtaImpairDefenses:DisableWindowsEvent LoggingCompromiseInfrastructure:ServerImpairDefenses:Disable orModify SystemFirewallDataDestructionAcquireInfrastructure:DomainsMulti-FactorAuthenticationRequestGenerationHideArtifacts:Email HidingRulesPhishing:SpearphishingAttachmentEventTriggeredExecution:AppInit DLLsHijackExecution Flow:ExecutableInstaller FilePermissionsWeaknessUnsecuredCredentials:ContainerAPIBoot or LogonInitializationScripts: LogonScript(Windows)Gather VictimNetworkInformation:NetworkTopologySystem Script ProxyExecution:SyncAppvPublishingServerExploitationof RemoteServicesSoftwareDeploymentToolsResourceHijacking:BandwidthHijackingDataEncodingExfiltration OverAlternativeProtocol:Exfiltration OverUnencryptedNon-C2 ProtocolScheduledTask/Job:ContainerOrchestrationJobSystem NetworkConfigurationDiscovery:InternetConnectionDiscoveryCommandand ScriptingInterpreter:PythonScheduledTask/Job:CronPasswordPolicyDiscoveryRemoteServices:SMB/WindowsAdmin SharesSystemBinary ProxyExecution:ElectronApplicationsAcquireInfrastructure:BotnetWeb Service:One-WayCommunicationServerlessExecutionPre-OSBoot:ComponentFirmwareOSCredentialDumpingCompromiseAccounts:CloudAccountsDomain orTenant PolicyModification:Group PolicyModificationRogueDomainControllerAccountManipulation:AdditionalContainerCluster RolesBoot orLogonInitializationScripts:Startup ItemsNetworkBoundaryBridgingServiceStopNetworkBoundaryBridging: NetworkAddressTranslationTraversalAbuseElevationControlMechanism:TCCManipulationDataStagedProcessInjection:PtraceSystem CallsArchiveCollectedData: Archivevia 
CustomMethodDeviceDriverDiscoveryTaintSharedContentProcessInjection:PortableExecutableInjectionModifyAuthenticationProcess:PasswordFilter DLLBruteForce:PasswordSprayingHideArtifacts:ResourceForkingCompromiseAccounts:Social MediaAccountsSystemInformationDiscoveryModifyAuthenticationProcessLogEnumerationEventTriggeredExecutionBuildImageon HostSystemBinary ProxyExecution:Rundll32HideArtifacts:HiddenUsersEvent TriggeredExecution:Image FileExecutionOptionsInjectionSearchOpenTechnicalDatabases:WHOISStageCapabilities:Upload ToolUnsecuredCredentials:PrivateKeysOSCredentialDumping:DCSyncSystemBinary ProxyExecution:MMCSystemBinary ProxyExecution:MavinjectForge WebCredentialsBruteForce:CredentialStuffingSteal or ForgeAuthenticationCertificatesInter-ProcessCommunication:ComponentObject ModelContentInjectionModifyAuthenticationProcess:ConditionalAccess PoliciesImpairDefenses:Disable orModify ToolsModifySystemImage: PatchSystemImageEmailCollection:Local EmailCollectionSystemBinary ProxyExecution:InstallUtilModify CloudComputeInfrastructurePre-OSBoot

MITRE ATT&CK Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the items in a bag and pull words from the bag.

  1. Exfiltration Over Physical Medium
  2. Obtain Capabilities
  3. Search Open Websites/Domains: Search Engines
  4. Execution Guardrails: Environmental Keying
  5. Valid Accounts: Cloud Accounts
  6. Indicator Removal: Clear Persistence
  7. Boot or Logon Autostart Execution: Winlogon Helper DLL
  8. System Time Discovery
  9. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  10. Hide Artifacts: NTFS File Attributes
  11. Stage Capabilities
  12. Inter-Process Communication
  13. BITS Jobs
  14. Valid Accounts: Local Accounts
  15. Gather Victim Org Information: Determine Physical Locations
  16. Gather Victim Host Information: Client Configurations
  17. Browser Extensions
  18. Defacement
  19. Acquire Infrastructure: DNS Server
  20. Server Software Component: IIS Components
  21. Remote Services: Distributed Component Object Model
  22. Acquire Infrastructure: Server
  23. Server Software Component: Terminal Services DLL
  24. System Binary Proxy Execution: Verclsid
  25. Phishing for Information: Spearphishing Attachment
  26. Native API
  27. Data Transfer Size Limits
  28. Power Settings
  29. Brute Force: Password Guessing
  30. Group Policy Discovery
  31. Hijack Execution Flow: Services File Permissions Weakness
  32. Hijack Execution Flow: Services Registry Permissions Weakness
  33. Hide Artifacts: Run Virtual Instance
  34. Weaken Encryption: Disable Crypto Hardware
  35. Deploy Container
  36. Shared Modules
  37. Hijack Execution Flow
  38. System Binary Proxy Execution
  39. Hijack Execution Flow: KernelCallbackTable
  40. Exploitation for Privilege Escalation
  41. Process Injection: Process Doppelgänging
  42. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  43. Indicator Removal: Clear Windows Event Logs
  44. Boot or Logon Autostart Execution: Authentication Package
  45. Hide Artifacts: Hidden File System
  46. Debugger Evasion
  47. Credentials from Password Stores: Cloud Secrets Management Stores
  48. Event Triggered Execution: Unix Shell Configuration Modification
  49. Traffic Signaling: Port Knocking
  50. Masquerading: Break Process Trees
  51. Exploitation for Credential Access
  52. System Binary Proxy Execution: Control Panel
  53. Search Open Technical Databases
  54. Modify Cloud Compute Infrastructure: Create Snapshot
  55. Scheduled Task/Job
  56. Data from Configuration Repository
  57. Event Triggered Execution: Component Object Model Hijacking
  58. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  59. Acquire Infrastructure: Virtual Private Server
  60. Hardware Additions
  61. System Services: Service Execution
  62. Event Triggered Execution: Emond
  63. Drive-by Compromise
  64. Steal Application Access Token
  65. Dynamic Resolution: Fast Flux DNS
  66. Hijack Execution Flow: Path Interception by Unquoted Path
  67. Obfuscated Files or Information: Stripped Payloads
  68. Data Obfuscation: Protocol or Service Impersonation
  69. Gather Victim Identity Information: Credentials
  70. Non-Standard Port
  71. Modify Authentication Process: Network Provider DLL
  72. Use Alternate Authentication Material: Web Session Cookie
  73. Scheduled Task/Job: Systemd Timers
  74. Proxy
  75. Boot or Logon Autostart Execution
  76. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
  77. Masquerading: Masquerade Task or Service
  78. Process Injection: Asynchronous Procedure Call
  79. Create or Modify System Process: Windows Service
  80. Indicator Removal: Clear Linux or Mac System Logs
  81. Active Scanning: Vulnerability Scanning
  82. Server Software Component: SQL Stored Procedures
  83. Office Application Startup: Outlook Home Page
  84. Template Injection
  85. Boot or Logon Autostart Execution: Security Support Provider
  86. Remote System Discovery
  87. Modify System Image
  88. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  89. Hijack Execution Flow: Dynamic Linker Hijacking
  90. Office Application Startup
  91. Gather Victim Org Information: Business Relationships
  92. System Binary Proxy Execution: Odbcconf
  93. Remote Service Session Hijacking: SSH Hijacking
  94. Steal or Forge Kerberos Tickets: Ccache Files
  95. Search Closed Sources
  96. Boot or Logon Autostart Execution: Time Providers
  97. Modify Cloud Compute Infrastructure: Delete Cloud Instance
  98. Virtualization/Sandbox Evasion
  99. Server Software Component: Transport Agent
  100. Access Token Manipulation: SID-History Injection
  101. Automated Exfiltration
  102. Use Alternate Authentication Material: Pass the Hash
  103. Windows Management Instrumentation
  104. Data from Network Shared Drive
  105. Event Triggered Execution: LC_LOAD_DYLIB Addition
  106. Unsecured Credentials: Group Policy Preferences
  107. Cloud Storage Object Discovery
  108. Supply Chain Compromise: Compromise Software Supply Chain
  109. Stage Capabilities: SEO Poisoning
  110. Permission Groups Discovery: Cloud Groups
  111. System Binary Proxy Execution: Compiled HTML File
  112. Acquire Infrastructure
  113. File and Directory Permissions Modification
  114. Escape to Host
  115. Compromise Infrastructure: Web Services
  116. Account Discovery
  117. Cloud Service Dashboard
  118. Establish Accounts: Social Media Accounts
  119. Account Discovery: Cloud Account
  120. Proxy: External Proxy
  121. System Shutdown/Reboot
  122. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  123. Office Application Startup: Office Template Macros
  124. OS Credential Dumping: LSA Secrets
  125. Proxy: Internal Proxy
  126. Compromise Infrastructure: DNS Server
  127. Modify Authentication Process: Reversible Encryption
  128. Remote Services: Remote Desktop Protocol
  129. Remote Services: Cloud Services
  130. Implant Internal Image
  131. Indicator Removal: Clear Command History
  132. Subvert Trust Controls: Mark-of-the-Web Bypass
  133. Process Discovery
  134. Event Triggered Execution: Trap
  135. Email Collection
  136. Unsecured Credentials: Credentials in Registry
  137. System Service Discovery
  138. User Execution: Malicious Image
  139. Protocol Tunneling
  140. OS Credential Dumping: Cached Domain Credentials
  141. Network Denial of Service: Direct Network Flood
  142. Event Triggered Execution: Change Default File Association
  143. Traffic Signaling
  144. Pre-OS Boot: ROMMONkit
  145. Hide Artifacts: File/Path Exclusions
  146. Abuse Elevation Control Mechanism
  147. Hide Artifacts: VBA Stomping
  148. Obtain Capabilities: Vulnerabilities
  149. Application Window Discovery
  150. Encrypted Channel: Symmetric Cryptography
  151. Obfuscated Files or Information: Binary Padding
  152. Network Sniffing
  153. System Services
  154. Email Collection: Remote Email Collection
  155. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  156. Virtualization/Sandbox Evasion: System Checks
  157. Trusted Relationship
  158. Application Layer Protocol: Mail Protocols
  159. Command and Scripting Interpreter: PowerShell
  160. Video Capture
  161. Valid Accounts: Default Accounts
  162. System Network Configuration Discovery
  163. Valid Accounts: Domain Accounts
  164. Ingress Tool Transfer
  165. Event Triggered Execution: Accessibility Features
  166. Pre-OS Boot: Bootkit
  167. Pre-OS Boot: TFTP Boot
  168. Access Token Manipulation: Create Process with Token
  169. Boot or Logon Initialization Scripts: Login Hook
  170. Boot or Logon Autostart Execution: Print Processors
  171. Permission Groups Discovery
  172. Office Application Startup: Outlook Rules
  173. Brute Force: Password Cracking
  174. Transfer Data to Cloud Account
  175. Scheduled Task/Job: Scheduled Task
  176. Boot or Logon Autostart Execution: XDG Autostart Entries
  177. Modify Registry
  178. Virtualization/Sandbox Evasion: Time Based Evasion
  179. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  180. Exfiltration Over Web Service: Exfiltration to Cloud Storage
  181. Firmware Corruption
  182. Phishing for Information
  183. Resource Hijacking
  184. Exfiltration Over Web Service: Exfiltration to Code Repository
  185. Exfiltration Over Web Service
  186. File and Directory Discovery
  187. Supply Chain Compromise: Compromise Hardware Supply Chain
  188. Execution Guardrails: Mutual Exclusion
  189. Supply Chain Compromise
  190. Gather Victim Identity Information
  191. Data from Information Repositories
  192. Stage Capabilities: Install Digital Certificate
  193. Hijack Execution Flow: Path Interception by PATH Environment Variable
  194. Cloud Administration Command
  195. Remote Services: Direct Cloud VM Connections
  196. Query Registry
  197. Command and Scripting Interpreter: Windows Command Shell
  198. Command and Scripting Interpreter: JavaScript
  199. Access Token Manipulation: Make and Impersonate Token
  200. Unsecured Credentials: Credentials In Files
  201. Data from Cloud Storage
  202. Forced Authentication
  203. Web Service: Dead Drop Resolver
  204. Account Manipulation: Additional Email Delegate Permissions
  205. Adversary-in-the-Middle: Evil Twin
  206. Weaken Encryption: Reduce Key Space
  207. Steal or Forge Kerberos Tickets: Silver Ticket
  208. OS Credential Dumping: Proc Filesystem
  209. Event Triggered Execution: Installer Packages
  210. Obfuscated Files or Information: Software Packing
  211. Indicator Removal: Network Share Connection Removal
  212. Resource Hijacking: Cloud Service Hijacking
  213. Impair Defenses
  214. Audio Capture
  215. System Owner/User Discovery
  216. System Network Connections Discovery
  217. Boot or Logon Autostart Execution: Re-opened Applications
  218. Endpoint Denial of Service
  219. Fallback Channels
  220. Automated Exfiltration: Traffic Duplication
  221. Screen Capture
  222. Access Token Manipulation
  223. Create Account
  224. Gather Victim Identity Information: Email Addresses
  225. Masquerading: Match Legitimate Name or Location
  226. Command and Scripting Interpreter: Unix Shell
  227. Browser Information Discovery
  228. Inter-Process Communication: XPC Services
  229. Stage Capabilities: Link Target
  230. Remote Access Software
  231. Account Manipulation: Additional Local or Domain Groups
  232. Account Discovery: Domain Account
  233. Network Service Discovery
  234. Input Capture: Credential API Hooking
  235. Search Open Websites/Domains: Social Media
  236. Data from Information Repositories: Sharepoint
  237. Forge Web Credentials: SAML Tokens
  238. Search Closed Sources: Threat Intel Vendors
  239. Process Injection: Thread Local Storage
  240. Boot or Logon Autostart Execution: LSASS Driver
  241. Proxy: Domain Fronting
  242. Data Encrypted for Impact
  243. Indicator Removal
  244. Account Manipulation: Device Registration
  245. Phishing for Information: Spearphishing Link
  246. Exfiltration Over Physical Medium: Exfiltration over USB
  247. Remote Service Session Hijacking
  248. Data Obfuscation: Steganography
  249. Cloud Infrastructure Discovery
  250. Hide Artifacts: Hidden Files and Directories
  251. Command and Scripting Interpreter: Cloud API
  252. Application Layer Protocol: DNS
  253. Hijack Execution Flow: COR_PROFILER
  254. Data Manipulation: Runtime Data Manipulation
  255. System Script Proxy Execution: PubPrn
  256. Process Injection: Thread Execution Hijacking
  257. Inter-Process Communication: Dynamic Data Exchange
  258. Pre-OS Boot: System Firmware
  259. Modify Authentication Process: Domain Controller Authentication
  260. Establish Accounts: Cloud Accounts
  261. Container Administration Command
  262. Impair Defenses: Disable or Modify Linux Audit System
  263. Permission Groups Discovery: Domain Groups
  264. Archive Collected Data
  265. Process Injection: Process Hollowing
  266. Impair Defenses: Disable or Modify Cloud Logs
  267. Obtain Capabilities: Malware
  268. Unsecured Credentials: Cloud Instance Metadata API
  269. Create or Modify System Process: Launch Daemon
  270. Indicator Removal: Relocate Malware
  271. Obfuscated Files or Information: Compile After Delivery
  272. Application Layer Protocol
  273. Search Open Technical Databases: Scan Databases
  274. Boot or Logon Autostart Execution: Port Monitors
  275. Acquire Access
  276. Hide Infrastructure
  277. Inhibit System Recovery
  278. Impair Defenses: Spoof Security Alerting
  279. OS Credential Dumping: Security Account Manager
  280. Gather Victim Org Information
  281. Develop Capabilities: Code Signing Certificates
  282. Account Manipulation: Additional Cloud Credentials
  283. Software Discovery
  284. Exfiltration Over Other Network Medium
  285. Encrypted Channel
  286. Gather Victim Network Information: IP Addresses
  287. Reflective Code Loading
  288. Multi-Factor Authentication Interception
  289. Gather Victim Network Information: Domain Properties
  290. Masquerading: Rename System Utilities
  291. Indicator Removal: Timestomp
  292. Obfuscated Files or Information: Embedded Payloads
  293. Event Triggered Execution: AppCert DLLs
  294. Gather Victim Org Information: Identify Roles
  295. Subvert Trust Controls: SIP and Trust Provider Hijacking
  296. Non-Application Layer Protocol
  297. Peripheral Device Discovery
  298. Gather Victim Network Information: Network Trust Dependencies
  299. Network Denial of Service: Reflection Amplification
  300. Encrypted Channel: Asymmetric Cryptography
  301. Application Layer Protocol: Web Protocols
  302. Unused/Unsupported Cloud Regions
  303. Remote Services: SSH
  304. Adversary-in-the-Middle: DHCP Spoofing
  305. Event Triggered Execution: Udev Rules
  306. Masquerading
  307. Exfiltration Over Web Service: Exfiltration Over Webhook
  308. Server Software Component
  309. Search Open Technical Databases: Digital Certificates
  310. Subvert Trust Controls: Install Root Certificate
  311. Credentials from Password Stores: Credentials from Web Browsers
  312. Develop Capabilities: Digital Certificates
  313. Data Manipulation: Transmitted Data Manipulation
  314. Dynamic Resolution
  315. Hijack Execution Flow: DLL Side-Loading
  316. Office Application Startup: Office Test
  317. Obfuscated Files or Information: Encrypted/Encoded File
  318. Remote Services
  319. Input Capture: GUI Input Capture
  320. Account Manipulation: Additional Cloud Roles
  321. Office Application Startup: Add-ins
  322. Proxy: Multi-hop Proxy
  323. Phishing for Information: Spearphishing Voice
  324. Compromise Infrastructure: Serverless
  325. Trusted Developer Utilities Proxy Execution: ClickOnce
  326. Process Injection: Proc Memory
  327. Web Service: Bidirectional Communication
  328. Indirect Command Execution
  329. Gather Victim Host Information
  330. Data Staged: Local Data Staging
  331. Forge Web Credentials: Web Cookies
  332. Hide Artifacts: Hidden Window
  333. Input Capture
  334. Domain or Tenant Policy Modification: Trust Modification
  335. Lateral Tool Transfer
  336. System Binary Proxy Execution: CMSTP
  337. Search Open Websites/Domains
  338. Data from Information Repositories: Confluence
  339. Event Triggered Execution: Windows Management Instrumentation Event Subscription
  340. Obtain Capabilities: Code Signing Certificates
  341. Deobfuscate/Decode Files or Information
  342. Boot or Logon Initialization Scripts: Network Logon Script
  343. Gather Victim Org Information: Identify Business Tempo
  344. Compromise Host Software Binary
  345. Gather Victim Identity Information: Employee Names
  346. System Binary Proxy Execution: Msiexec
  347. Data Manipulation
  348. Indicator Removal: File Deletion
  349. Event Triggered Execution: Netsh Helper DLL
  350. Account Discovery: Local Account
  351. Develop Capabilities
  352. Impair Defenses: Disable or Modify Cloud Firewall
  353. Dynamic Resolution: DNS Calculation
  354. Exploitation for Defense Evasion
  355. Exploit Public-Facing Application
  356. Data Obfuscation: Junk Data
  357. Acquire Infrastructure: Web Services
  358. System Network Configuration Discovery: Wi-Fi Discovery
  359. Boot or Logon Initialization Scripts
  360. Data from Configuration Repository: SNMP (MIB Dump)
  361. Endpoint Denial of Service: Application or System Exploitation
  362. Modify Cloud Compute Infrastructure: Revert Cloud Instance
  363. Command and Scripting Interpreter: Network Device CLI
  364. Modify Authentication Process: Network Device Authentication
  365. Data from Configuration Repository: Network Device Configuration Dump
  366. Subvert Trust Controls: Code Signing Policy Modification
  367. Phishing: Spearphishing via Service
  368. Data Destruction: Lifecycle-Triggered Deletion
  369. Stage Capabilities: Drive-by Target
  370. OS Credential Dumping: NTDS
  371. OS Credential Dumping: LSASS Memory
  372. Steal or Forge Kerberos Tickets
  373. Steal or Forge Kerberos Tickets: AS-REP Roasting
  374. Hide Artifacts: Ignore Process Interrupts
  375. Unsecured Credentials
  376. Archive Collected Data: Archive via Utility
  377. Hijack Execution Flow: Path Interception by Search Order Hijacking
  378. Data Manipulation: Stored Data Manipulation
  379. Obfuscated Files or Information
  380. Obtain Capabilities: Artificial Intelligence
  381. Brute Force
  382. Create Account: Cloud Account
  383. Masquerading: Invalid Code Signature
  384. Unsecured Credentials: Chat Messages
  385. Hijack Execution Flow: Dylib Hijacking
  386. Active Scanning: Scanning IP Blocks
  387. Active Scanning
  388. Subvert Trust Controls
  389. Data Encoding: Standard Encoding
  390. Browser Session Hijacking
  391. Valid Accounts
  392. Compromise Infrastructure
  393. Hijack Execution Flow: DLL Search Order Hijacking
  394. Adversary-in-the-Middle
  395. Compromise Infrastructure: Botnet
  396. Search Open Technical Databases: DNS/Passive DNS
  397. Compromise Accounts: Email Accounts
  398. Process Injection
  399. Search Closed Sources: Purchase Technical Data
  400. Exploitation for Client Execution
  401. Process Injection: VDSO Hijacking
  402. Hide Artifacts: Process Argument Spoofing
  403. Masquerading: Right-to-Left Override
  404. Indicator Removal: Clear Mailbox Data
  405. Subvert Trust Controls: Gatekeeper Bypass
  406. Obfuscated Files or Information: LNK Icon Smuggling
  407. Defacement: Internal Defacement
  408. Resource Hijacking: SMS Pumping
  409. Credentials from Password Stores: Windows Credential Manager
  410. Data from Local System
  411. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  412. Phishing
  413. Abuse Elevation Control Mechanism: Setuid and Setgid
  414. Email Collection: Email Forwarding Rule
  415. Modify Authentication Process: Pluggable Authentication Modules
  416. System Binary Proxy Execution: Regsvcs/Regasm
  417. Hide Artifacts
  418. Disk Wipe
  419. Compromise Accounts
  420. Software Discovery: Security Software Discovery
  421. Data Staged: Remote Data Staging
  422. Obfuscated Files or Information: Command Obfuscation
  423. Remote Service Session Hijacking: RDP Hijacking
  424. Masquerading: Masquerade Account Name
  425. Dynamic Resolution: Domain Generation Algorithms
  426. System Location Discovery
  427. Office Application Startup: Outlook Forms
  428. Masquerading: Masquerade File Type
  429. Obfuscated Files or Information: Indicator Removal from Tools
  430. Masquerading: Space after Filename
  431. User Execution
  432. Direct Volume Access
  433. Application Layer Protocol: File Transfer Protocols
  434. Data from Information Repositories: Code Repositories
  435. Multi-Stage Channels
  436. Archive Collected Data: Archive via Library
  437. Gather Victim Network Information: Network Security Appliances
  438. Scheduled Transfer
  439. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
  440. Credentials from Password Stores: Keychain
  441. Compromise Infrastructure: Network Devices
  442. Adversary-in-the-Middle: ARP Cache Poisoning
  443. Input Capture: Web Portal Capture
  444. Steal Web Session Cookie
  445. Resource Hijacking: Compute Hijacking
  446. Boot or Logon Autostart Execution: Shortcut Modification
  447. Acquire Infrastructure: Malvertising
  448. Trusted Developer Utilities Proxy Execution: MSBuild
  449. Indicator Removal: Clear Network Connection History and Configurations
  450. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  451. Traffic Signaling: Socket Filters
  452. Steal or Forge Kerberos Tickets: Kerberoasting
  453. Credentials from Password Stores: Securityd Memory
  454. Cloud Service Discovery
  455. Obfuscated Files or Information: Polymorphic Code
  456. Application Layer Protocol: Publish/Subscribe Protocols
  457. Account Discovery: Email Account
  458. Search Victim-Owned Websites
  459. Event Triggered Execution: Application Shimming
  460. Modify Cloud Compute Infrastructure: Create Cloud Instance
  461. Use Alternate Authentication Material
  462. Create or Modify System Process: Launch Agent
  463. Obfuscated Files or Information: HTML Smuggling
  464. Use Alternate Authentication Material: Pass the Ticket
  465. Execution Guardrails
  466. Obfuscated Files or Information: Dynamic API Resolution
  467. Phishing: Spearphishing Voice
  468. Data from Information Repositories: Customer Relationship Management Software
  469. Obtain Capabilities: Digital Certificates
  470. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
  471. Domain or Tenant Policy Modification
  472. User Execution: Malicious File
  473. Obtain Capabilities: Tool
  474. Impair Defenses: Indicator Blocking
  475. System Binary Proxy Execution: Regsvr32
  476. Gather Victim Network Information
  477. System Services: Launchctl
  478. Abuse Elevation Control Mechanism: Bypass User Account Control
  479. Command and Scripting Interpreter
  480. Create or Modify System Process
  481. Data Obfuscation
  482. Command and Scripting Interpreter: AppleScript
  483. Impair Defenses: Safe Mode Boot
  484. Web Service
  485. Gather Victim Network Information: DNS
  486. Input Capture: Keylogging
  487. Remote Services: Windows Remote Management
  488. Obfuscated Files or Information: Fileless Storage
  489. Modify Cloud Resource Hierarchy
  490. Network Denial of Service
  491. Create Account: Local Account
  492. Plist File Modification
  493. Subvert Trust Controls: Code Signing
  494. Credentials from Password Stores: Password Managers
  495. Obfuscated Files or Information: Steganography
  496. System Location Discovery: System Language Discovery
  497. OS Credential Dumping: /etc/passwd and /etc/shadow
  498. Modify Authentication Process: Multi-Factor Authentication
  499. Event Triggered Execution: PowerShell Profile
  500. Scheduled Task/Job: At
  501. Disk Wipe: Disk Structure Wipe
  502. Data from Removable Media
  503. Financial Theft
  504. Boot or Logon Initialization Scripts: RC Scripts
  505. Container and Resource Discovery
  506. Remote Services: VNC
  507. Account Access Removal
  508. Access Token Manipulation: Parent PID Spoofing
  509. Boot or Logon Autostart Execution: Login Items
  510. Impair Defenses: Downgrade Attack
  511. Automated Collection
  512. Impersonation
  513. Exfiltration Over Alternative Protocol
  514. Phishing for Information: Spearphishing Service
  515. Network Share Discovery
  516. Modify Authentication Process: Hybrid Identity
  517. Process Injection: Extra Window Memory Injection
  518. User Execution: Malicious Link
  519. Establish Accounts: Email Accounts
  520. Communication Through Removable Media
  521. Process Injection: Dynamic-link Library Injection
  522. Stage Capabilities: Upload Malware
  523. Steal or Forge Kerberos Tickets: Golden Ticket
  525. Clipboard Data
  526. Compromise Infrastructure: Domains
  527. Create or Modify System Process: Container Service
  528. Develop Capabilities: Malware
  529. Permission Groups Discovery: Local Groups
  530. Weaken Encryption
  531. Exfiltration Over C2 Channel
  532. Impair Defenses: Impair Command History Logging
  533. Search Open Technical Databases: CDNs
  534. Obtain Capabilities: Exploits
  535. External Remote Services
  536. Gather Victim Host Information: Firmware
  537. Command and Scripting Interpreter: Lua
  538. Command and Scripting Interpreter: AutoHotKey & AutoIT
  539. Create Account: Domain Account
  540. Server Software Component: Web Shell
  541. Endpoint Denial of Service: OS Exhaustion Flood
  542. Active Scanning: Wordlist Scanning
  543. Boot or Logon Autostart Execution: Kernel Modules and Extensions
  544. Disk Wipe: Disk Content Wipe
  545. Establish Accounts
  546. Compromise Infrastructure: Virtual Private Server
  547. Endpoint Denial of Service: Service Exhaustion Flood
  548. Create or Modify System Process: Systemd Service
  549. Phishing: Spearphishing Link
  550. Unsecured Credentials: Bash History
  551. Use Alternate Authentication Material: Application Access Token
  552. Command and Scripting Interpreter: Visual Basic
  553. Credentials from Password Stores
  554. Process Injection: ListPlanting
  555. Domain Trust Discovery
  556. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  557. Virtualization/Sandbox Evasion: User Activity Based Checks
  558. Rootkit
  559. Account Manipulation: SSH Authorized Keys
  560. Trusted Developer Utilities Proxy Execution
  561. Acquire Infrastructure: Serverless
  562. System Script Proxy Execution
  563. Hijack Execution Flow: AppDomainManager
  564. Internal Spearphishing
  565. Data from Information Repositories: Messaging Applications
  566. Defacement: External Defacement
  567. Masquerading: Double File Extension
  568. Search Open Websites/Domains: Code Repositories
  569. Event Triggered Execution: Screensaver
  570. Gather Victim Host Information: Hardware
  571. Endpoint Denial of Service: Application Exhaustion Flood
  572. Develop Capabilities: Exploits
  573. Gather Victim Host Information: Software
  574. Access Token Manipulation: Token Impersonation/Theft
  575. XSL Script Processing
  576. Replication Through Removable Media
  577. Data Encoding: Non-Standard Encoding
  578. Boot or Logon Autostart Execution: Active Setup
  579. Account Manipulation
  580. Modify System Image: Downgrade System Image
  581. System Binary Proxy Execution: Mshta
  582. Impair Defenses: Disable Windows Event Logging
  583. Compromise Infrastructure: Server
  584. Impair Defenses: Disable or Modify System Firewall
  585. Data Destruction
  586. Acquire Infrastructure: Domains
  587. Multi-Factor Authentication Request Generation
  588. Hide Artifacts: Email Hiding Rules
  589. Phishing: Spearphishing Attachment
  590. Event Triggered Execution: AppInit DLLs
  591. Hijack Execution Flow: Executable Installer File Permissions Weakness
  592. Unsecured Credentials: Container API
  593. Boot or Logon Initialization Scripts: Logon Script (Windows)
  594. Gather Victim Network Information: Network Topology
  595. System Script Proxy Execution: SyncAppvPublishingServer
  596. Exploitation of Remote Services
  597. Software Deployment Tools
  598. Resource Hijacking: Bandwidth Hijacking
  599. Data Encoding
  600. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  601. Scheduled Task/Job: Container Orchestration Job
  602. System Network Configuration Discovery: Internet Connection Discovery
  603. Command and Scripting Interpreter: Python
  604. Scheduled Task/Job: Cron
  605. Password Policy Discovery
  606. Remote Services: SMB/Windows Admin Shares
  607. System Binary Proxy Execution: Electron Applications
  608. Acquire Infrastructure: Botnet
  609. Web Service: One-Way Communication
  610. Serverless Execution
  611. Pre-OS Boot: Component Firmware
  612. OS Credential Dumping
  613. Compromise Accounts: Cloud Accounts
  614. Domain or Tenant Policy Modification: Group Policy Modification
  615. Rogue Domain Controller
  616. Account Manipulation: Additional Container Cluster Roles
  617. Boot or Logon Initialization Scripts: Startup Items
  618. Network Boundary Bridging
  619. Service Stop
  620. Network Boundary Bridging: Network Address Translation Traversal
  621. Abuse Elevation Control Mechanism: TCC Manipulation
  622. Data Staged
  623. Process Injection: Ptrace System Calls
  624. Archive Collected Data: Archive via Custom Method
  625. Device Driver Discovery
  626. Taint Shared Content
  627. Process Injection: Portable Executable Injection
  628. Modify Authentication Process: Password Filter DLL
  629. Brute Force: Password Spraying
  630. Hide Artifacts: Resource Forking
  631. Compromise Accounts: Social Media Accounts
  632. System Information Discovery
  633. Modify Authentication Process
  634. Log Enumeration
  635. Event Triggered Execution
  636. Build Image on Host
  637. System Binary Proxy Execution: Rundll32
  638. Hide Artifacts: Hidden Users
  639. Event Triggered Execution: Image File Execution Options Injection
  640. Search Open Technical Databases: WHOIS
  641. Stage Capabilities: Upload Tool
  642. Unsecured Credentials: Private Keys
  643. OS Credential Dumping: DCSync
  644. System Binary Proxy Execution: MMC
  645. System Binary Proxy Execution: Mavinject
  646. Forge Web Credentials
  647. Brute Force: Credential Stuffing
  648. Steal or Forge Authentication Certificates
  649. Inter-Process Communication: Component Object Model
  650. Content Injection
  651. Modify Authentication Process: Conditional Access Policies
  652. Impair Defenses: Disable or Modify Tools
  653. Modify System Image: Patch System Image
  654. Email Collection: Local Email Collection
  655. System Binary Proxy Execution: InstallUtil
  656. Modify Cloud Compute Infrastructure
  657. Pre-OS Boot