MITRE ATT&CK Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.

Format: Size

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

Compromise Infrastructure: Virtual Private Server
Gather Victim Identity Information: Employee Names
Masquerading: Rename System Utilities
Data Manipulation: Runtime Data Manipulation
Acquire Infrastructure: Domains
Inhibit System Recovery
OS Credential Dumping: LSASS Memory
Fallback Channels
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Process Injection: Extra Window Memory Injection
Application Window Discovery
Process Injection: VDSO Hijacking
Endpoint Denial of Service: Application or System Exploitation
Event Triggered Execution: Unix Shell Configuration Modification
Hijack Execution Flow: COR_PROFILER
Use Alternate Authentication Material: Pass the Ticket
Event Triggered Execution
Impair Defenses: Impair Command History Logging
Search Open Technical Databases: CDNs
System Binary Proxy Execution: Electron Applications
OS Credential Dumping: NTDS
Obfuscated Files or Information: Binary Padding
File and Directory Discovery
Inter-Process Communication: XPC Services
Command and Scripting Interpreter: Windows Command Shell
OS Credential Dumping: DCSync
Account Manipulation: Additional Cloud Roles
Browser Information Discovery
Modify Authentication Process: Hybrid Identity
Application Layer Protocol: Publish/Subscribe Protocols
Create Account: Local Account
Valid Accounts: Cloud Accounts
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Unsecured Credentials: Credentials in Registry
Steal Web Session Cookie
Event Triggered Execution: Screensaver
Modify Cloud Resource Hierarchy
Data from Cloud Storage
Gather Victim Identity Information
Indicator Removal: Clear Persistence
Boot or Logon Autostart Execution: Re-opened Applications
Boot or Logon Autostart Execution: Winlogon Helper DLL
Impair Defenses: Spoof Security Alerting
Compromise Host Software Binary
Active Scanning
System Binary Proxy Execution: Compiled HTML File
Encrypted Channel: Symmetric Cryptography
Valid Accounts: Domain Accounts
Data Obfuscation: Steganography
Data Transfer Size Limits
Boot or Logon Autostart Execution: Port Monitors
Phishing for Information: Spearphishing Service
Compromise Infrastructure: Web Services
System Binary Proxy Execution: MMC
Impair Defenses: Disable or Modify Linux Audit System
Build Image on Host
Process Discovery
Defacement: Internal Defacement
Search Closed Sources
Command and Scripting Interpreter: Python
Pre-OS Boot: Bootkit
Phishing
Account Manipulation: Additional Cloud Credentials
Data Obfuscation
Steal or Forge Authentication Certificates
Remote Services: Cloud Services
System Network Configuration Discovery: Wi-Fi Discovery
Hijack Execution Flow: Path Interception by Search Order Hijacking
Event Triggered Execution: Trap
Indicator Removal: File Deletion
Archive Collected Data: Archive via Custom Method
Software Discovery: Security Software Discovery
Stage Capabilities: Upload Tool
Dynamic Resolution: Fast Flux DNS
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Abuse Elevation Control Mechanism
Process Injection
Create Account: Domain Account
Inter-Process Communication: Component Object Model
Data Manipulation: Stored Data Manipulation
Process Injection: Ptrace System Calls
Event Triggered Execution: AppInit DLLs
Encrypted Channel: Asymmetric Cryptography
Trusted Developer Utilities Proxy Execution
Modify Authentication Process: Multi-Factor Authentication
Web Service: Bidirectional Communication
Access Token Manipulation: Parent PID Spoofing
Pre-OS Boot
Exfiltration Over C2 Channel
Pre-OS Boot: TFTP Boot
Indicator Removal: Clear Network Connection History and Configurations
Defacement: External Defacement
Escape to Host
Data from Information Repositories: Code Repositories
Modify Authentication Process: Pluggable Authentication Modules
File and Directory Permissions Modification
Exploitation for Client Execution
OS Credential Dumping
Subvert Trust Controls: Mark-of-the-Web Bypass
Boot or Logon Autostart Execution: Print Processors
System Owner/User Discovery
Non-Application Layer Protocol
Deploy Container
Obfuscated Files or Information
Search Open Websites/Domains: Search Engines
Application Layer Protocol
Impair Defenses: Disable or Modify Cloud Logs
Subvert Trust Controls: Install Root Certificate
Exfiltration Over Other Network Medium
Dynamic Resolution: DNS Calculation
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Phishing: Spearphishing Attachment
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Obfuscated Files or Information: Command Obfuscation
Cloud Service Discovery
Impair Defenses: Indicator Blocking
System Binary Proxy Execution: Control Panel
Stage Capabilities: Install Digital Certificate
Access Token Manipulation: Token Impersonation/Theft
Exfiltration Over Web Service
Peripheral Device Discovery
Debugger Evasion
Virtualization/Sandbox Evasion: User Activity Based Checks
Data Manipulation: Transmitted Data Manipulation
Valid Accounts: Local Accounts
Data Manipulation
Multi-Factor Authentication Request Generation
Input Capture: Web Portal Capture
Windows Management Instrumentation
Pre-OS Boot: ROMMONkit
Proxy: Multi-hop Proxy
Account Discovery: Cloud Account
Command and Scripting Interpreter
Data from Local System
Data from Information Repositories: Messaging Applications
Impair Defenses: Disable or Modify System Firewall
Event Triggered Execution: Application Shimming
Server Software Component
Stage Capabilities: Drive-by Target
Modify Authentication Process: Network Device Authentication
Disk Wipe: Disk Content Wipe
Command and Scripting Interpreter: PowerShell
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Container and Resource Discovery
System Service Discovery
Access Token Manipulation: Create Process with Token
Event Triggered Execution: Udev Rules
Log Enumeration
Permission Groups Discovery
Brute Force: Password Guessing
Execution Guardrails
Account Discovery: Email Account
Command and Scripting Interpreter: Cloud API
System Script Proxy Execution: SyncAppvPublishingServer
Search Victim-Owned Websites
Data from Information Repositories: Confluence
Automated Exfiltration: Traffic Duplication
Network Boundary Bridging
Software Discovery
Screen Capture
Search Open Technical Databases
Stage Capabilities: Link Target
Gather Victim Network Information: Network Security Appliances
Clipboard Data
Event Triggered Execution: Netsh Helper DLL
Data from Information Repositories
Event Triggered Execution: Emond
Obfuscated Files or Information: Indicator Removal from Tools
Data from Information Repositories: Sharepoint
Office Application Startup: Outlook Rules
Supply Chain Compromise: Compromise Software Supply Chain
Adversary-in-the-Middle: Evil Twin
Exploitation for Privilege Escalation
Access Token Manipulation: Make and Impersonate Token
Execution Guardrails: Mutual Exclusion
Permission Groups Discovery: Local Groups
Automated Exfiltration
Virtualization/Sandbox Evasion: System Checks
Command and Scripting Interpreter: JavaScript
Boot or Logon Autostart Execution
Data from Network Shared Drive
Modify Authentication Process: Reversible Encryption
Resource Hijacking: SMS Pumping
Permission Groups Discovery: Domain Groups
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Account Manipulation: Additional Email Delegate Permissions
name
Forced Authentication
Masquerading: Invalid Code Signature
Credentials from Password Stores: Credentials from Web Browsers
Data Encoding
Brute Force
Proxy
External Remote Services
Hide Artifacts: File/Path Exclusions
Trusted Developer Utilities Proxy Execution: MSBuild
Archive Collected Data
Brute Force: Password Cracking
Gather Victim Network Information: IP Addresses
Command and Scripting Interpreter: AppleScript
Remote Service Session Hijacking: RDP Hijacking
Phishing: Spearphishing Link
Forge Web Credentials: SAML Tokens
Cloud Storage Object Discovery
Non-Standard Port
Obtain Capabilities: Exploits
Create Account
Steal or Forge Kerberos Tickets: Kerberoasting
Command and Scripting Interpreter: AutoHotKey & AutoIT
Impair Defenses: Disable or Modify Tools
Modify Cloud Compute Infrastructure: Create Snapshot
Develop Capabilities: Code Signing Certificates
Office Application Startup: Add-ins
Domain or Tenant Policy Modification
System Script Proxy Execution
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Email Collection: Remote Email Collection
System Script Proxy Execution: PubPrn
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Impair Defenses: Disable or Modify Cloud Firewall
Gather Victim Org Information: Business Relationships
Forge Web Credentials: Web Cookies
Data Encrypted for Impact
Adversary-in-the-Middle: DHCP Spoofing
Modify Authentication Process: Conditional Access Policies
Modify Authentication Process: Password Filter DLL
Develop Capabilities
Search Closed Sources: Threat Intel Vendors
Protocol Tunneling
Supply Chain Compromise: Compromise Hardware Supply Chain
Process Injection: Thread Execution Hijacking
Remote Services: Distributed Component Object Model
Create Account: Cloud Account
Supply Chain Compromise
Input Capture: GUI Input Capture
Trusted Relationship
Gather Victim Host Information: Hardware
Lateral Tool Transfer
Compromise Infrastructure: Serverless
Application Layer Protocol: Web Protocols
Phishing for Information: Spearphishing Link
Active Scanning: Vulnerability Scanning
Resource Hijacking: Bandwidth Hijacking
Active Scanning: Scanning IP Blocks
Application Layer Protocol: DNS
Hide Artifacts: Ignore Process Interrupts
Container Administration Command
Gather Victim Org Information: Identify Roles
Gather Victim Host Information: Client Configurations
System Binary Proxy Execution: Verclsid
Shared Modules
Financial Theft
Plist File Modification
Exfiltration Over Web Service: Exfiltration Over Webhook
Hide Artifacts: Hidden Window
Obtain Capabilities: Artificial Intelligence
Modify Authentication Process
Email Collection: Email Forwarding Rule
Subvert Trust Controls: SIP and Trust Provider Hijacking
Unused/Unsupported Cloud Regions
Hide Artifacts
Phishing for Information
Hijack Execution Flow: KernelCallbackTable
Data Staged: Remote Data Staging
Obtain Capabilities: Digital Certificates
Remote Services: VNC
OS Credential Dumping: Security Account Manager
Firmware Corruption
Endpoint Denial of Service
Boot or Logon Autostart Execution: LSASS Driver
Office Application Startup: Office Template Macros
Gather Victim Org Information: Identify Business Tempo
Subvert Trust Controls: Code Signing
Subvert Trust Controls
Process Injection: Proc Memory
Remote Services
Search Open Websites/Domains: Social Media
Gather Victim Identity Information: Credentials
Data Staged: Local Data Staging
Process Injection: Process Doppelgänging
Proxy: External Proxy
Gather Victim Host Information: Software
Boot or Logon Autostart Execution: Login Items
Remote System Discovery
Impair Defenses: Disable Windows Event Logging
Obfuscated Files or Information: Compile After Delivery
Gather Victim Network Information: Domain Properties
Hide Artifacts: Hidden Files and Directories
Network Boundary Bridging: Network Address Translation Traversal
Scheduled Task/Job: At
Scheduled Task/Job: Scheduled Task
Establish Accounts: Email Accounts
Remote Services: Windows Remote Management
Data Encoding: Standard Encoding
System Binary Proxy Execution: Regsvcs/Regasm
Stage Capabilities
Weaken Encryption
Password Policy Discovery
Compromise Accounts: Social Media Accounts
Steal or Forge Kerberos Tickets: AS-REP Roasting
Resource Hijacking: Cloud Service Hijacking
Credentials from Password Stores: Securityd Memory
Network Sniffing
Process Injection: Process Hollowing
Data Obfuscation: Junk Data
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Use Alternate Authentication Material: Web Session Cookie
Indicator Removal: Clear Mailbox Data
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Resource Hijacking: Compute Hijacking
Access Token Manipulation
Native API
System Network Configuration Discovery
Query Registry
Data from Configuration Repository: SNMP (MIB Dump)
Scheduled Task/Job: Container Orchestration Job
Data Staged
Active Scanning: Wordlist Scanning
Command and Scripting Interpreter: Visual Basic
Hijack Execution Flow: AppDomainManager
Data Destruction: Lifecycle-Triggered Deletion
Execution Guardrails: Environmental Keying
Event Triggered Execution: Installer Packages
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Compromise Accounts: Email Accounts
Obtain Capabilities: Tool
Search Closed Sources: Purchase Technical Data
System Shutdown/Reboot
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: Network Device CLI
Account Manipulation: Device Registration
Acquire Infrastructure: Web Services
Hide Artifacts: Hidden File System
Steal or Forge Kerberos Tickets: Ccache Files
Gather Victim Network Information: Network Topology
Phishing: Spearphishing Voice
Deobfuscate/Decode Files or Information
Indirect Command Execution
System Information Discovery
Data from Configuration Repository
Hijack Execution Flow: Services File Permissions Weakness
Hijack Execution Flow: DLL Search Order Hijacking
Obfuscated Files or Information: Polymorphic Code
Obtain Capabilities: Malware
Obfuscated Files or Information: Fileless Storage
Use Alternate Authentication Material
Remote Services: Direct Cloud VM Connections
Proxy: Internal Proxy
System Binary Proxy Execution
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Search Open Websites/Domains: Code Repositories
Gather Victim Network Information: DNS
Boot or Logon Initialization Scripts: Logon Script (Windows)
Credentials from Password Stores: Windows Credential Manager
Process Injection: Dynamic-link Library Injection
System Network Configuration Discovery: Internet Connection Discovery
Gather Victim Org Information: Determine Physical Locations
Masquerading: Double File Extension
Server Software Component: Web Shell
System Binary Proxy Execution: Rundll32
System Services
Traffic Signaling
User Execution
Office Application Startup: Outlook Home Page
User Execution: Malicious Image
Impersonation
Input Capture: Credential API Hooking
Hijack Execution Flow: Dynamic Linker Hijacking
Exploitation for Defense Evasion
Masquerading: Masquerade File Type
Valid Accounts
Device Driver Discovery
Develop Capabilities: Exploits
Video Capture
Create or Modify System Process: Container Service
Masquerading: Right-to-Left Override
Account Manipulation: SSH Authorized Keys
Exploitation of Remote Services
Obtain Capabilities: Vulnerabilities
System Binary Proxy Execution: Odbcconf
Compromise Infrastructure: Server
Disk Wipe: Disk Structure Wipe
Virtualization/Sandbox Evasion
Gather Victim Network Information: Network Trust Dependencies
Account Discovery: Local Account
Network Denial of Service
Boot or Logon Autostart Execution: Time Providers
Event Triggered Execution: Image File Execution Options Injection
System Binary Proxy Execution: Mshta
Hide Infrastructure
Impair Defenses: Downgrade Attack
Abuse Elevation Control Mechanism: TCC Manipulation
Masquerading: Masquerade Task or Service
Hide Artifacts: NTFS File Attributes
Boot or Logon Initialization Scripts: Login Hook
Office Application Startup: Outlook Forms
Impair Defenses
Data from Information Repositories: Customer Relationship Management Software
Develop Capabilities: Digital Certificates
Boot or Logon Initialization Scripts
Modify System Image: Downgrade System Image
Service Stop
Credentials from Password Stores: Cloud Secrets Management Stores
Forge Web Credentials
Search Open Technical Databases: Scan Databases
Brute Force: Credential Stuffing
Cloud Infrastructure Discovery
Compromise Accounts: Cloud Accounts
Steal or Forge Kerberos Tickets: Golden Ticket
Establish Accounts: Cloud Accounts
Remote Services: SSH
Server Software Component: SQL Stored Procedures
User Execution: Malicious File
Browser Extensions
Unsecured Credentials: Chat Messages
Web Service
System Location Discovery
Domain or Tenant Policy Modification: Group Policy Modification
Obfuscated Files or Information: Embedded Payloads
Implant Internal Image
Remote Access Software
Modify Cloud Compute Infrastructure
Endpoint Denial of Service: Service Exhaustion Flood
Create or Modify System Process
Weaken Encryption: Reduce Key Space
Process Injection: ListPlanting
OS Credential Dumping: /etc/passwd and /etc/shadow
Remote Services: SMB/Windows Admin Shares
Establish Accounts: Social Media Accounts
Scheduled Task/Job: Systemd Timers
Create or Modify System Process: Windows Service
Indicator Removal: Relocate Malware
Obfuscated Files or Information: Steganography
Data Obfuscation: Protocol or Service Impersonation
System Binary Proxy Execution: Regsvr32
Modify System Image: Patch System Image
Hide Artifacts: Process Argument Spoofing
Ingress Tool Transfer
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Gather Victim Org Information
Gather Victim Identity Information: Email Addresses
Hide Artifacts: Email Hiding Rules
Defacement
OS Credential Dumping: Cached Domain Credentials
Remote Service Session Hijacking
Indicator Removal
Remote Service Session Hijacking: SSH Hijacking
Modify Registry
Hijack Execution Flow
Impair Defenses: Safe Mode Boot
Obfuscated Files or Information: Dynamic API Resolution
XSL Script Processing
Domain Trust Discovery
Unsecured Credentials
Hide Artifacts: Hidden Users
Masquerading
Brute Force: Password Spraying
Account Access Removal
Communication Through Removable Media
Access Token Manipulation: SID-History Injection
Inter-Process Communication
Cloud Administration Command
Hijack Execution Flow: Services Registry Permissions Weakness
Web Service: Dead Drop Resolver
Software Deployment Tools
Credentials from Password Stores: Password Managers
Hijack Execution Flow: Path Interception by Unquoted Path
Archive Collected Data: Archive via Utility
Virtualization/Sandbox Evasion: Time Based Evasion
Compromise Infrastructure: DNS Server
Boot or Logon Autostart Execution: Active Setup
Taint Shared Content
Compromise Infrastructure: Domains
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Phishing for Information: Spearphishing Attachment
BITS Jobs
Compromise Infrastructure: Botnet
Phishing for Information: Spearphishing Voice
OS Credential Dumping: LSA Secrets
Inter-Process Communication: Dynamic Data Exchange
Application Layer Protocol: Mail Protocols
Credentials from Password Stores: Keychain
Indicator Removal: Clear Command History
Modify Authentication Process: Domain Controller Authentication
Search Open Technical Databases: Digital Certificates
Process Injection: Portable Executable Injection
System Binary Proxy Execution: InstallUtil
Hijack Execution Flow: DLL Side-Loading
Steal or Forge Kerberos Tickets
Boot or Logon Autostart Execution: Shortcut Modification
Create or Modify System Process: Launch Daemon
Unsecured Credentials: Container API
Create or Modify System Process: Launch Agent
System Binary Proxy Execution: Msiexec
Compromise Infrastructure
Account Discovery
Template Injection
Traffic Signaling: Port Knocking
Hijack Execution Flow: Path Interception by PATH Environment Variable
Server Software Component: Transport Agent
Account Manipulation: Additional Container Cluster Roles
Acquire Infrastructure: Serverless
Subvert Trust Controls: Code Signing Policy Modification
Steal or Forge Kerberos Tickets: Silver Ticket
Group Policy Discovery
Obfuscated Files or Information: HTML Smuggling
Masquerading: Match Legitimate Name or Location
Content Injection
Endpoint Denial of Service: Application Exhaustion Flood
Use Alternate Authentication Material: Application Access Token
Audio Capture
Reflective Code Loading
Multi-Stage Channels
Dynamic Resolution: Domain Generation Algorithms
Acquire Infrastructure: Botnet
Process Injection: Asynchronous Procedure Call
Command and Scripting Interpreter: Lua
Obfuscated Files or Information: Stripped Payloads
Gather Victim Host Information
Browser Session Hijacking
Acquire Access
Abuse Elevation Control Mechanism: Setuid and Setgid
Traffic Signaling: Socket Filters
Serverless Execution
Exploit Public-Facing Application
Automated Collection
Boot or Logon Autostart Execution: XDG Autostart Entries
Unsecured Credentials: Cloud Instance Metadata API
Valid Accounts: Default Accounts
Resource Hijacking
Drive-by Compromise
Unsecured Credentials: Group Policy Preferences
Office Application Startup: Office Test
Server Software Component: Terminal Services DLL
Data Encoding: Non-Standard Encoding
System Binary Proxy Execution: Mavinject
Phishing: Spearphishing via Service
Endpoint Denial of Service: OS Exhaustion Flood
Web Service: One-Way Communication
Replication Through Removable Media
Data from Configuration Repository: Network Device Configuration Dump
Command and Scripting Interpreter: Unix Shell
Hijack Execution Flow: Executable Installer File Permissions Weakness
Indicator Removal: Clear Linux or Mac System Logs
Acquire Infrastructure: Server
Pre-OS Boot: Component Firmware
Hardware Additions
Network Denial of Service: Direct Network Flood
Rootkit
Weaken Encryption: Disable Crypto Hardware
Acquire Infrastructure
Data Destruction
Hijack Execution Flow: Dylib Hijacking
System Time Discovery
Search Open Websites/Domains
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
System Services: Launchctl
Search Open Technical Databases: WHOIS
Internal Spearphishing
Obtain Capabilities: Code Signing Certificates
Event Triggered Execution: LC_LOAD_DYLIB Addition
Account Discovery: Domain Account
Boot or Logon Initialization Scripts: Startup Items
Account Manipulation
Exfiltration Over Physical Medium: Exfiltration over USB
Boot or Logon Autostart Execution: Security Support Provider
Power Settings
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Archive Collected Data: Archive via Library
Boot or Logon Initialization Scripts: RC Scripts
Input Capture: Keylogging
Trusted Developer Utilities Proxy Execution: ClickOnce
OS Credential Dumping: Proc Filesystem
Boot or Logon Autostart Execution: Authentication Package
Compromise Infrastructure: Network Devices
Exfiltration Over Web Service: Exfiltration to Code Repository
Hide Artifacts: Resource Forking
Unsecured Credentials: Private Keys
System Services: Service Execution
Event Triggered Execution: Component Object Model Hijacking
Proxy: Domain Fronting
Establish Accounts
System Binary Proxy Execution: CMSTP
Unsecured Credentials: Bash History
Data from Removable Media
Gather Victim Network Information
Stage Capabilities: Upload Malware
Boot or Logon Initialization Scripts: Network Logon Script
Obfuscated Files or Information: LNK Icon Smuggling
Indicator Removal: Network Share Connection Removal
Credentials from Password Stores
Compromise Accounts
System Network Connections Discovery
Steal Application Access Token
Network Share Discovery
Modify Authentication Process: Network Provider DLL
Office Application Startup
Stage Capabilities: SEO Poisoning
Adversary-in-the-Middle
Masquerading: Masquerade Account Name
Remote Services: Remote Desktop Protocol
Create or Modify System Process: Systemd Service
Account Manipulation: Additional Local or Domain Groups
Network Denial of Service: Reflection Amplification
Email Collection: Local Email Collection
Abuse Elevation Control Mechanism: Bypass User Account Control
Subvert Trust Controls: Gatekeeper Bypass
Gather Victim Host Information: Firmware
Application Layer Protocol: File Transfer Protocols
Multi-Factor Authentication Interception
Modify System Image
Adversary-in-the-Middle: ARP Cache Poisoning
Scheduled Task/Job: Cron
Disk Wipe
Acquire Infrastructure: Virtual Private Server
Masquerading: Space after Filename
Indicator Removal: Timestomp
Transfer Data to Cloud Account
Masquerading: Break Process Trees
Scheduled Task/Job
Pre-OS Boot: System Firmware
Event Triggered Execution: Change Default File Association
Obfuscated Files or Information: Encrypted/Encoded File
Dynamic Resolution
Use Alternate Authentication Material: Pass the Hash
Obtain Capabilities
Rogue Domain Controller
Permission Groups Discovery: Cloud Groups
Exfiltration Over Physical Medium
Event Triggered Execution: AppCert DLLs
Modify Cloud Compute Infrastructure: Create Cloud Instance
Server Software Component: IIS Components
Scheduled Transfer
Direct Volume Access
Network Service Discovery
Cloud Service Dashboard
Domain or Tenant Policy Modification: Trust Modification
Event Triggered Execution: Accessibility Features
System Location Discovery: System Language Discovery
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Acquire Infrastructure: DNS Server
Exploitation for Credential Access
Modify Cloud Compute Infrastructure: Revert Cloud Instance
Acquire Infrastructure: Malvertising
Input Capture
Indicator Removal: Clear Windows Event Logs
Search Open Technical Databases: DNS/Passive DNS
Hide Artifacts: VBA Stomping
Develop Capabilities: Malware
Exfiltration Over Alternative Protocol
Event Triggered Execution: PowerShell Profile
Process Injection: Thread Local Storage
Encrypted Channel
Obfuscated Files or Information: Software Packing
Hide Artifacts: Run Virtual Instance
Email Collection
User Execution: Malicious Link