MITRE ATT&CK Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.

1. Scheduled Task/Job: Systemd Timers
2. Modify Registry
3. Domain or Tenant Policy Modification: Group Policy Modification
4. Search Open Websites/Domains: Social Media
5. Obfuscated Files or Information: LNK Icon Smuggling
6. Gather Victim Network Information: Network Trust Dependencies
7. Phishing for Information
8. Process Injection: VDSO Hijacking
9. Event Triggered Execution: AppInit DLLs
10. Unsecured Credentials: Container API
11. Automated Exfiltration
12. Remote Services: VNC
13. Pre-OS Boot: ROMMONkit
14. Credentials from Password Stores
15. Stage Capabilities: Upload Malware
16. Process Injection: Proc Memory
17. Query Registry
18. Container and Resource Discovery
19. Endpoint Denial of Service: OS Exhaustion Flood
20. System Binary Proxy Execution: Regsvcs/Regasm
21. Endpoint Denial of Service: Application or System Exploitation
22. Gather Victim Org Information
23. User Execution: Malicious Link
24. Supply Chain Compromise: Compromise Hardware Supply Chain
25. Subvert Trust Controls: Code Signing Policy Modification
26. Modify System Image: Patch System Image
27. Hide Artifacts: Hidden Users
28. Forge Web Credentials: SAML Tokens
29. Compromise Accounts: Social Media Accounts
30. Network Share Discovery
31. Modify System Image
32. Office Application Startup: Office Test
33. Boot or Logon Initialization Scripts: RC Scripts
34. System Location Discovery
35. Command and Scripting Interpreter: Network Device CLI
36. Hijack Execution Flow: DLL Side-Loading
37. System Binary Proxy Execution: MMC
38. Use Alternate Authentication Material: Pass the Ticket
39. Non-Standard Port
40. Hardware Additions
41. Modify Cloud Compute Infrastructure
42. Office Application Startup
43. Scheduled Transfer
44. Exploitation for Client Execution
45. Server Software Component: Web Shell
46. Container Administration Command
47. Phishing: Spearphishing via Service
48. Hijack Execution Flow: Path Interception by Search Order Hijacking
49. Active Scanning: Vulnerability Scanning
50. Defacement
51. Input Capture: Keylogging
52. Unsecured Credentials: Credentials In Files
53. Create Account: Local Account
54. Gather Victim Org Information: Identify Business Tempo
55. Remote Services: Windows Remote Management
56. Event Triggered Execution: PowerShell Profile
57. Boot or Logon Autostart Execution: LSASS Driver
58. Establish Accounts: Social Media Accounts
59. Automated Exfiltration: Traffic Duplication
60. Valid Accounts
61. Email Collection: Remote Email Collection
62. Archive Collected Data: Archive via Library
63. Domain or Tenant Policy Modification
64. Phishing for Information: Spearphishing Link
65. Create Account: Domain Account
66. Internal Spearphishing
67. Network Denial of Service: Reflection Amplification
68. Compromise Infrastructure: DNS Server
69. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
70. Obtain Capabilities: Digital Certificates
71. Account Manipulation: Device Registration
72. Remote Service Session Hijacking: SSH Hijacking
73. Process Injection: Portable Executable Injection
74. Inter-Process Communication
75. Cloud Service Discovery
76. Hide Artifacts: Hidden File System
77. Obfuscated Files or Information: Fileless Storage
78. Unsecured Credentials: Group Policy Preferences
79. Protocol Tunneling
80. Data from Local System
81. Acquire Infrastructure: Malvertising
82. Web Service: One-Way Communication
83. Disk Wipe
84. Brute Force: Password Guessing
85. Credentials from Password Stores: Windows Credential Manager
86. Stage Capabilities: Install Digital Certificate
87. Modify Authentication Process: Network Device Authentication
88. Permission Groups Discovery: Local Groups
89. Credentials from Password Stores: Password Managers
90. Brute Force: Credential Stuffing
91. Domain Trust Discovery
92. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
93. Indicator Removal: Clear Linux or Mac System Logs
94. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
95. Hide Artifacts: Run Virtual Instance
96. Steal Web Session Cookie
97. Rootkit
98. System Services: Launchctl
99. Impair Defenses: Disable or Modify Cloud Logs
100. Subvert Trust Controls: Gatekeeper Bypass
101. Data from Information Repositories
102. Remote Services: Distributed Component Object Model
103. Email Collection: Local Email Collection
104. Obfuscated Files or Information: Encrypted/Encoded File
105. Direct Volume Access
106. System Location Discovery: System Language Discovery
107. Unsecured Credentials: Credentials in Registry
108. Establish Accounts: Email Accounts
109. Indicator Removal: Clear Persistence
110. Data Manipulation: Stored Data Manipulation
111. Modify Authentication Process: Multi-Factor Authentication
112. Valid Accounts: Domain Accounts
113. System Binary Proxy Execution: Compiled HTML File
114. System Binary Proxy Execution: Control Panel
115. Abuse Elevation Control Mechanism: Setuid and Setgid
116. Virtualization/Sandbox Evasion
117. Obtain Capabilities: Code Signing Certificates
118. Scheduled Task/Job: Container Orchestration Job
119. System Binary Proxy Execution: Verclsid
120. Remote Services: SMB/Windows Admin Shares
121. Active Scanning
122. Impair Defenses: Indicator Blocking
123. Obfuscated Files or Information: Indicator Removal from Tools
124. Traffic Signaling: Socket Filters
125. Clipboard Data
126. Data from Configuration Repository: SNMP (MIB Dump)
127. Remote Services: Direct Cloud VM Connections
128. OS Credential Dumping: Security Account Manager
129. Gather Victim Host Information: Software
130. System Binary Proxy Execution
131. Debugger Evasion
132. Application Layer Protocol: Mail Protocols
133. System Shutdown/Reboot
134. Deploy Container
135. Application Layer Protocol: DNS
136. Account Access Removal
137. Search Open Technical Databases
138. Exfiltration Over Web Service: Exfiltration to Cloud Storage
139. Process Injection: Extra Window Memory Injection
140. Hide Artifacts: File/Path Exclusions
141. Modify Cloud Compute Infrastructure: Delete Cloud Instance
142. Data Encoding: Non-Standard Encoding
143. Process Injection: Dynamic-link Library Injection
144. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
145. Masquerading: Break Process Trees
146. Stage Capabilities: Link Target
147. Acquire Infrastructure: Virtual Private Server
148. Browser Extensions
149. Impair Defenses: Safe Mode Boot
150. Develop Capabilities: Code Signing Certificates
151. Acquire Infrastructure
152. Communication Through Removable Media
153. Hide Artifacts: NTFS File Attributes
154. Rogue Domain Controller
155. Browser Information Discovery
156. Dynamic Resolution: Domain Generation Algorithms
157. Phishing: Spearphishing Voice
158. Access Token Manipulation: Make and Impersonate Token
159. Event Triggered Execution: Installer Packages
160. Scheduled Task/Job: Cron
161. Modify System Image: Downgrade System Image
162. Impair Defenses: Disable or Modify System Firewall
163. Obtain Capabilities: Tool
164. Boot or Logon Autostart Execution: Re-opened Applications
165. Masquerading: Masquerade File Type
166. Impair Defenses: Disable Windows Event Logging
167. Event Triggered Execution: Netsh Helper DLL
168. Valid Accounts: Cloud Accounts
169. Log Enumeration
170. System Network Configuration Discovery: Internet Connection Discovery
171. Exfiltration Over Physical Medium
172. Input Capture: GUI Input Capture
173. Web Service: Dead Drop Resolver
174. Office Application Startup: Outlook Home Page
175. File and Directory Discovery
176. Compromise Infrastructure: Server
177. Search Open Websites/Domains
178. Pre-OS Boot: TFTP Boot
179. Data from Removable Media
180. Phishing: Spearphishing Attachment
181. Scheduled Task/Job: At
182. Exploitation of Remote Services
183. Obtain Capabilities: Artificial Intelligence
184. Automated Collection
185. Office Application Startup: Add-ins
186. Gather Victim Identity Information
187. Develop Capabilities: Malware
188. Defacement: External Defacement
189. Acquire Infrastructure: Serverless
190. Server Software Component: Terminal Services DLL
191. Weaken Encryption
192. Compromise Accounts
193. Execution Guardrails: Environmental Keying
194. Server Software Component
195. System Script Proxy Execution: SyncAppvPublishingServer
196. Dynamic Resolution
197. Indicator Removal: Clear Windows Event Logs
198. Search Open Technical Databases: DNS/Passive DNS
199. Exploitation for Credential Access
200. Search Closed Sources
201. Shared Modules
202. Remote Service Session Hijacking
203. Phishing for Information: Spearphishing Service
204. Event Triggered Execution: Component Object Model Hijacking
205. Lateral Tool Transfer
206. Impair Defenses: Downgrade Attack
207. Archive Collected Data
208. Develop Capabilities: Digital Certificates
209. Credentials from Password Stores: Cloud Secrets Management Stores
210. Establish Accounts
211. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
212. Encrypted Channel: Asymmetric Cryptography
213. System Owner/User Discovery
214. Event Triggered Execution: Change Default File Association
215. Content Injection
216. System Binary Proxy Execution: Odbcconf
217. Establish Accounts: Cloud Accounts
218. Hijack Execution Flow: DLL Search Order Hijacking
219. Command and Scripting Interpreter: Cloud API
220. Obfuscated Files or Information: Compile After Delivery
221. Data from Information Repositories: Sharepoint
222. Boot or Logon Initialization Scripts: Network Logon Script
223. Process Injection: Process Doppelgänging
224. System Services
225. External Remote Services
226. Data from Configuration Repository: Network Device Configuration Dump
227. Indicator Removal: Timestomp
228. Masquerading: Space after Filename
229. Compromise Infrastructure: Domains
230. Gather Victim Host Information
231. Acquire Infrastructure: Web Services
232. Stage Capabilities: SEO Poisoning
233. Event Triggered Execution
234. Acquire Access
235. Acquire Infrastructure: Domains
236. Boot or Logon Autostart Execution: Login Items
237. System Information Discovery
238. Remote Services
239. Acquire Infrastructure: Server
240. Modify Cloud Compute Infrastructure: Create Snapshot
241. Peripheral Device Discovery
242. Office Application Startup: Outlook Rules
243. Disk Wipe: Disk Structure Wipe
244. Data from Network Shared Drive
245. Credentials from Password Stores: Keychain
246. Account Discovery: Cloud Account
247. Boot or Logon Autostart Execution: Kernel Modules and Extensions
248. Search Open Technical Databases: WHOIS
249. Exploitation for Defense Evasion
250. Phishing: Spearphishing Link
251. Audio Capture
252. Hide Artifacts
253. Remote Services: SSH
254. Video Capture
255. Impair Defenses: Spoof Security Alerting
256. Active Scanning: Scanning IP Blocks
257. Software Discovery: Security Software Discovery
258. Modify Cloud Resource Hierarchy
259. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
260. Account Manipulation: Additional Container Cluster Roles
261. Remote Access Software
262. Event Triggered Execution: Application Shimming
263. Network Sniffing
264. Process Injection: Thread Local Storage
265. Email Collection
266. Access Token Manipulation: Parent PID Spoofing
267. Data Obfuscation: Protocol or Service Impersonation
268. XSL Script Processing
269. Archive Collected Data: Archive via Utility
270. Boot or Logon Autostart Execution: Active Setup
271. Steal Application Access Token
272. Brute Force
273. Boot or Logon Autostart Execution
274. Event Triggered Execution: Trap
275. Compromise Infrastructure: Network Devices
276. System Binary Proxy Execution: Rundll32
277. Pre-OS Boot: Component Firmware
278. Exfiltration Over Physical Medium: Exfiltration over USB
279. Event Triggered Execution: LC_LOAD_DYLIB Addition
280. Phishing for Information: Spearphishing Attachment
281. Impair Defenses: Disable or Modify Cloud Firewall
282. Gather Victim Identity Information: Credentials
283. Stage Capabilities: Drive-by Target
284. Use Alternate Authentication Material: Web Session Cookie
285. Multi-Stage Channels
286. Boot or Logon Autostart Execution: Port Monitors
287. Exploitation for Privilege Escalation
288. Inter-Process Communication: XPC Services
289. Reflective Code Loading
290. Search Open Technical Databases: Digital Certificates
291. Virtualization/Sandbox Evasion: Time Based Evasion
292. Indicator Removal: Relocate Malware
293. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
294. Scheduled Task/Job: Scheduled Task
295. Access Token Manipulation: SID-History Injection
296. Masquerading: Invalid Code Signature
297. Indicator Removal
298. Obtain Capabilities: Vulnerabilities
299. Brute Force: Password Cracking
300. Boot or Logon Autostart Execution: Security Support Provider
301. Event Triggered Execution: AppCert DLLs
302. BITS Jobs
303. Obfuscated Files or Information: Steganography
304. Data from Information Repositories: Code Repositories
305. Hijack Execution Flow: Services Registry Permissions Weakness
306. Search Open Websites/Domains: Code Repositories
307. Compromise Accounts: Cloud Accounts
308. Proxy: External Proxy
309. Data Encoding
310. Gather Victim Host Information: Client Configurations
311. Boot or Logon Initialization Scripts
312. Implant Internal Image
313. Email Collection: Email Forwarding Rule
314. Exfiltration Over C2 Channel
315. Steal or Forge Kerberos Tickets: Kerberoasting
316. Archive Collected Data: Archive via Custom Method
317. Server Software Component: Transport Agent
318. Scheduled Task/Job
319. Obfuscated Files or Information: Dynamic API Resolution
320. Office Application Startup: Outlook Forms
321. Stage Capabilities: Upload Tool
322. Server Software Component: IIS Components
323. Subvert Trust Controls: Code Signing
324. Unsecured Credentials: Chat Messages
325. Traffic Signaling: Port Knocking
326. Obfuscated Files or Information: Polymorphic Code
327. Compromise Accounts: Email Accounts
328. Inhibit System Recovery
329. OS Credential Dumping: LSA Secrets
330. Data Staged
331. Replication Through Removable Media
332. Data Encrypted for Impact
333. Resource Hijacking: Cloud Service Hijacking
334. Gather Victim Network Information: Network Topology
335. Credentials from Password Stores: Credentials from Web Browsers
336. OS Credential Dumping: NTDS
337. Web Service: Bidirectional Communication
338. Dynamic Resolution: DNS Calculation
339. Pre-OS Boot
340. Brute Force: Password Spraying
341. Compromise Infrastructure: Botnet
342. Data Manipulation: Transmitted Data Manipulation
343. Compromise Infrastructure: Web Services
344. Hijack Execution Flow: Path Interception by Unquoted Path
345. Steal or Forge Kerberos Tickets
346. OS Credential Dumping: Cached Domain Credentials
347. Execution Guardrails: Mutual Exclusion
348. Gather Victim Network Information: Network Security Appliances
349. Boot or Logon Initialization Scripts: Login Hook
350. Virtualization/Sandbox Evasion: System Checks
351. Data Staged: Local Data Staging
352. Defacement: Internal Defacement
353. Pre-OS Boot: Bootkit
354. Phishing for Information: Spearphishing Voice
355. Steal or Forge Kerberos Tickets: AS-REP Roasting
356. System Services: Service Execution
357. Unsecured Credentials: Private Keys
358. System Time Discovery
359. Unused/Unsupported Cloud Regions
360. Data Staged: Remote Data Staging
361. Account Discovery: Local Account
362. Account Manipulation: Additional Cloud Roles
363. Password Policy Discovery
364. Account Manipulation: Additional Local or Domain Groups
365. Steal or Forge Kerberos Tickets: Ccache Files
366. Impersonation
367. Process Discovery
368. Proxy: Internal Proxy
369. Search Open Technical Databases: Scan Databases
370. Native API
371. Firmware Corruption
372. Obtain Capabilities: Exploits
373. Search Open Websites/Domains: Search Engines
374. Modify Authentication Process: Pluggable Authentication Modules
375. Unsecured Credentials: Cloud Instance Metadata API
376. Obfuscated Files or Information: HTML Smuggling
377. Modify Cloud Compute Infrastructure: Revert Cloud Instance
378. Subvert Trust Controls
379. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
380. Encrypted Channel: Symmetric Cryptography
381. Data Transfer Size Limits
382. Plist File Modification
383. Application Layer Protocol: Web Protocols
384. Hijack Execution Flow: Services File Permissions Weakness
385. Obtain Capabilities
386. Screen Capture
387. Gather Victim Org Information: Business Relationships
388. Gather Victim Network Information: Domain Properties
389. Network Denial of Service
390. Group Policy Discovery
391. OS Credential Dumping
392. Obfuscated Files or Information: Stripped Payloads
393. Use Alternate Authentication Material: Application Access Token
394. Boot or Logon Initialization Scripts: Logon Script (Windows)
395. Resource Hijacking: SMS Pumping
396. Create or Modify System Process: Container Service
397. Hijack Execution Flow: AppDomainManager
398. Endpoint Denial of Service: Application Exhaustion Flood
399. Impair Defenses
400. Hide Artifacts: Hidden Window
401. Subvert Trust Controls: SIP and Trust Provider Hijacking
402. Virtualization/Sandbox Evasion: User Activity Based Checks
403. Abuse Elevation Control Mechanism
404. Subvert Trust Controls: Mark-of-the-Web Bypass
405. Modify Authentication Process
406. Modify Authentication Process: Reversible Encryption
407. Device Driver Discovery
408. Ingress Tool Transfer
409. Access Token Manipulation
410. Boot or Logon Initialization Scripts: Startup Items
411. Supply Chain Compromise
412. User Execution
413. Remote Service Session Hijacking: RDP Hijacking
414. Create or Modify System Process: Windows Service
415. Compromise Infrastructure: Virtual Private Server
416. Indicator Removal: Clear Command History
417. Valid Accounts: Local Accounts
418. Resource Hijacking
419. Service Stop
420. Develop Capabilities: Exploits
421. Command and Scripting Interpreter: JavaScript
422. Hijack Execution Flow: KernelCallbackTable
423. Use Alternate Authentication Material: Pass the Hash
424. Hide Artifacts: Resource Forking
425. Network Boundary Bridging
426. Process Injection: ListPlanting
427. Modify Cloud Compute Infrastructure: Create Cloud Instance
428. Masquerading
429. Inter-Process Communication: Dynamic Data Exchange
430. System Service Discovery
431. Hijack Execution Flow: Dynamic Linker Hijacking
432. Process Injection: Process Hollowing
433. Hide Infrastructure
434. Boot or Logon Autostart Execution: Time Providers
435. Traffic Signaling
436. Compromise Infrastructure: Serverless
437. Stage Capabilities
438. Event Triggered Execution: Udev Rules
439. Subvert Trust Controls: Install Root Certificate
440. Obtain Capabilities: Malware
441. Unsecured Credentials: Bash History
442. Account Discovery: Email Account
443. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
444. Boot or Logon Autostart Execution: Authentication Package
445. Web Service
446. Deobfuscate/Decode Files or Information
447. Hijack Execution Flow: Executable Installer File Permissions Weakness
448. Transfer Data to Cloud Account
449. Execution Guardrails
450. Indirect Command Execution
451. Boot or Logon Autostart Execution: Print Processors
452. Proxy
453. Exfiltration Over Alternative Protocol
454. Obfuscated Files or Information: Binary Padding
455. Compromise Host Software Binary
456. Masquerading: Double File Extension
457. Non-Application Layer Protocol
458. Cloud Infrastructure Discovery
459. Masquerading: Right-to-Left Override
460. Cloud Administration Command
461. OS Credential Dumping: LSASS Memory
462. Exfiltration Over Other Network Medium
463. Command and Scripting Interpreter: PowerShell
464. System Binary Proxy Execution: Mshta
465. Data Manipulation
466. Hijack Execution Flow: Dylib Hijacking
467. Encrypted Channel
468. Multi-Factor Authentication Interception
469. Event Triggered Execution: Unix Shell Configuration Modification
470. File and Directory Permissions Modification
471. Create or Modify System Process: Launch Daemon
472. Permission Groups Discovery: Domain Groups
473. Multi-Factor Authentication Request Generation
474. Create Account: Cloud Account
475. Abuse Elevation Control Mechanism: Bypass User Account Control
476. Software Deployment Tools
477. Cloud Storage Object Discovery
478. User Execution: Malicious Image
479. Indicator Removal: Network Share Connection Removal
480. Application Layer Protocol: File Transfer Protocols
481. Permission Groups Discovery: Cloud Groups
482. Gather Victim Network Information: DNS
483. Data from Information Repositories: Customer Relationship Management Software
484. Exfiltration Over Web Service
485. Weaken Encryption: Reduce Key Space
486. Remote Services: Remote Desktop Protocol
487. Forge Web Credentials
488. Weaken Encryption: Disable Crypto Hardware
489. Forge Web Credentials: Web Cookies
490. OS Credential Dumping: Proc Filesystem
491. Supply Chain Compromise: Compromise Software Supply Chain
492. Modify Authentication Process: Network Provider DLL
493. Event Triggered Execution: Image File Execution Options Injection
494. Taint Shared Content
495. Obfuscated Files or Information
496. Use Alternate Authentication Material
497. Modify Authentication Process: Hybrid Identity
498. Obfuscated Files or Information: Embedded Payloads
499. Masquerading: Match Legitimate Name or Location
500. Hide Artifacts: Email Hiding Rules
501. Compromise Infrastructure
502. Obfuscated Files or Information: Command Obfuscation
503. Boot or Logon Autostart Execution: XDG Autostart Entries
504. Data from Cloud Storage
505. Browser Session Hijacking
506. System Network Configuration Discovery
507. System Binary Proxy Execution: Regsvr32
508. Account Manipulation
509. Data Encoding: Standard Encoding
510. Office Application Startup: Office Template Macros
511. Gather Victim Network Information: IP Addresses
512. Template Injection
513. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
514. System Network Configuration Discovery: Wi-Fi Discovery
515. Command and Scripting Interpreter
516. Modify Authentication Process: Password Filter DLL
517. Input Capture: Credential API Hooking
518. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
519. Adversary-in-the-Middle
520. Adversary-in-the-Middle: ARP Cache Poisoning
521. Forced Authentication
522. Financial Theft
523. name
524. Data Obfuscation
525. System Binary Proxy Execution: CMSTP
526. Hijack Execution Flow: Path Interception by PATH Environment Variable
527. Process Injection: Ptrace System Calls
528. Masquerading: Masquerade Account Name
529. Unsecured Credentials
530. Hide Artifacts: Ignore Process Interrupts
531. System Binary Proxy Execution: Msiexec
532. System Script Proxy Execution: PubPrn
533. Dynamic Resolution: Fast Flux DNS
534. Event Triggered Execution: Emond
535. Command and Scripting Interpreter: Lua
536. Process Injection: Asynchronous Procedure Call
537. Account Discovery
538. Permission Groups Discovery
539. Command and Scripting Interpreter: Unix Shell
540. Hide Artifacts: VBA Stomping
541. Impair Defenses: Disable or Modify Linux Audit System
542. Proxy: Multi-hop Proxy
543. Input Capture: Web Portal Capture
544. Hijack Execution Flow: COR_PROFILER
545. Masquerading: Masquerade Task or Service
546. Network Boundary Bridging: Network Address Translation Traversal
547. Trusted Relationship
548. Gather Victim Org Information: Determine Physical Locations
549. Cloud Service Dashboard
550. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
551. Account Discovery: Domain Account
552. Software Discovery
553. Event Triggered Execution: Windows Management Instrumentation Event Subscription
554. Build Image on Host
555. OS Credential Dumping: DCSync
556. Acquire Infrastructure: DNS Server
557. Boot or Logon Autostart Execution: Shortcut Modification
558. Application Layer Protocol
559. Credentials from Password Stores: Securityd Memory
560. Search Open Technical Databases: CDNs
561. Search Victim-Owned Websites
562. User Execution: Malicious File
563. System Network Connections Discovery
564. Indicator Removal: Clear Mailbox Data
565. Steal or Forge Kerberos Tickets: Golden Ticket
566. Gather Victim Host Information: Firmware
567. Input Capture
568. Command and Scripting Interpreter: Python
569. Resource Hijacking: Bandwidth Hijacking
570. Application Window Discovery
571. Account Manipulation: Additional Email Delegate Permissions
572. Create or Modify System Process: Launch Agent
573. Event Triggered Execution: Accessibility Features
574. Trusted Developer Utilities Proxy Execution: MSBuild
575. Search Closed Sources: Threat Intel Vendors
576. Modify Authentication Process: Conditional Access Policies
577. System Binary Proxy Execution: Electron Applications
578. Masquerading: Rename System Utilities
579. Serverless Execution
580. Pre-OS Boot: System Firmware
581. Data from Information Repositories: Confluence
582. OS Credential Dumping: /etc/passwd and /etc/shadow
583. Trusted Developer Utilities Proxy Execution
584. Inter-Process Communication: Component Object Model
585. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
586. Windows Management Instrumentation
587. Command and Scripting Interpreter: Visual Basic
588. Hide Artifacts: Hidden Files and Directories
589. Data Obfuscation: Junk Data
590. Event Triggered Execution: Screensaver
591. Exfiltration Over Web Service: Exfiltration Over Webhook
592. Gather Victim Identity Information: Email Addresses
593. Impair Defenses: Disable or Modify Tools
594. Adversary-in-the-Middle: DHCP Spoofing
595. Access Token Manipulation: Token Impersonation/Theft
596. Indicator Removal: File Deletion
597. Create or Modify System Process
598. Exploit Public-Facing Application
599. Access Token Manipulation: Create Process with Token
600. Steal or Forge Authentication Certificates
601. Resource Hijacking: Compute Hijacking
602. Create Account
603. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
604. Data from Information Repositories: Messaging Applications
605. Obfuscated Files or Information: Software Packing
606. Adversary-in-the-Middle: Evil Twin
607. Escape to Host
608. Abuse Elevation Control Mechanism: TCC Manipulation
609. Remote System Discovery
610. Disk Wipe: Disk Content Wipe
611. Fallback Channels
612. Endpoint Denial of Service: Service Exhaustion Flood
613. Data Destruction
614. Proxy: Domain Fronting
615. System Script Proxy Execution
616. Command and Scripting Interpreter: Windows Command Shell
617. Account Manipulation: SSH Authorized Keys
618. Process Injection: Thread Execution Hijacking
619. Exfiltration Over Web Service: Exfiltration to Code Repository
620. Indicator Removal: Clear Network Connection History and Configurations
621. Valid Accounts: Default Accounts
622. Acquire Infrastructure: Botnet
623. Gather Victim Identity Information: Employee Names
624. Gather Victim Org Information: Identify Roles
625. Impair Defenses: Impair Command History Logging
626. Command and Scripting Interpreter: AutoHotKey & AutoIT
627. Process Injection
628. Modify Authentication Process: Domain Controller Authentication
629. Create or Modify System Process: Systemd Service
630. Endpoint Denial of Service
631. Network Service Discovery
632. Application Layer Protocol: Publish/Subscribe Protocols
633. Hide Artifacts: Process Argument Spoofing
634. Data Manipulation: Runtime Data Manipulation
635. Data from Configuration Repository
636. Power Settings
637. Hijack Execution Flow
638. Domain or Tenant Policy Modification: Trust Modification
639. Data Obfuscation: Steganography
640. Gather Victim Network Information
641. System Binary Proxy Execution: Mavinject
642. Develop Capabilities
643. Data Destruction: Lifecycle-Triggered Deletion
644. Steal or Forge Kerberos Tickets: Silver Ticket
645. Phishing
646. Server Software Component: SQL Stored Procedures
647. Boot or Logon Autostart Execution: Winlogon Helper DLL
648. Account Manipulation: Additional Cloud Credentials
649. Gather Victim Host Information: Hardware
650. Command and Scripting Interpreter: AppleScript
651. System Binary Proxy Execution: InstallUtil
652. Search Closed Sources: Purchase Technical Data
653. Remote Services: Cloud Services
654. Drive-by Compromise
655. Network Denial of Service: Direct Network Flood
656. Active Scanning: Wordlist Scanning
657. Trusted Developer Utilities Proxy Execution: ClickOnce