Hijack Execution Flow
Use Alternate Authentication Material
System Binary Proxy Execution: Control Panel
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Obfuscated Files or Information: HTML Smuggling
Unsecured Credentials: Credentials In Files
Scheduled Task/Job: Container Orchestration Job
Scheduled Task/Job: At
Group Policy Discovery
Command and Scripting Interpreter: Unix Shell
Boot or Logon Initialization Scripts: RC Scripts
Search Victim-Owned Websites
Acquire Access
Masquerading: Match Legitimate Name or Location
Search Open Technical Databases: Scan Databases
Valid Accounts: Local Accounts
Command and Scripting Interpreter
Gather Victim Network Information: IP Addresses
Pre-OS Boot: System Firmware
Compromise Accounts: Email Accounts
Software Discovery
Drive-by Compromise
Hijack Execution Flow: Path Interception by PATH Environment Variable
File and Directory Discovery
Command and Scripting Interpreter: Visual Basic
Impair Defenses: Disable or Modify Linux Audit System
Event Triggered Execution: Netsh Helper DLL
Internal Spearphishing
Office Application Startup: Add-ins
Unused/Unsupported Cloud Regions
Event Triggered Execution: Trap
Dynamic Resolution
Modify Authentication Process: Reversible Encryption
System Time Discovery
Proxy
Process Injection: Dynamic-link Library Injection
Steal Application Access Token
Brute Force: Password Guessing
Phishing: Spearphishing Attachment
Trusted Developer Utilities Proxy Execution: ClickOnce
Data Staged: Local Data Staging
Steal Web Session Cookie
Boot or Logon Initialization Scripts: Network Logon Script
Subvert Trust Controls: SIP and Trust Provider Hijacking
Modify Authentication Process: Hybrid Identity
Obfuscated Files or Information: Encrypted/Encoded File
Obtain Capabilities: Digital Certificates
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Obtain Capabilities
Create Account: Local Account
Trusted Developer Utilities Proxy Execution
Forge Web Credentials: Web Cookies
Protocol Tunneling
Deobfuscate/Decode Files or Information
Execution Guardrails: Environmental Keying
Credentials from Password Stores: Securityd Memory
Event Triggered Execution: AppInit DLLs
Hijack Execution Flow: Dynamic Linker Hijacking
Resource Hijacking: Compute Hijacking
Masquerading: Space after Filename
Establish Accounts: Social Media Accounts
Stage Capabilities: Install Digital Certificate
Data from Information Repositories
Data from Removable Media
Active Scanning: Scanning IP Blocks
Create or Modify System Process: Launch Daemon
Data Obfuscation: Steganography
Account Manipulation: SSH Authorized Keys
Gather Victim Org Information: Determine Physical Locations
Browser Session Hijacking
File and Directory Permissions Modification
Hijack Execution Flow: DLL Search Order Hijacking
Hide Artifacts: File/Path Exclusions
Indicator Removal: Clear Network Connection History and Configurations
Gather Victim Host Information: Firmware
Modify Authentication Process: Network Provider DLL
System Services: Service Execution
Acquire Infrastructure: Web Services
Stage Capabilities: Drive-by Target
Event Triggered Execution: PowerShell Profile
Gather Victim Host Information
System Binary Proxy Execution: Regsvr32
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Boot or Logon Initialization Scripts: Startup Items
Phishing for Information: Spearphishing Attachment
Obfuscated Files or Information: Compile After Delivery
Weaken Encryption: Reduce Key Space
Hide Artifacts: Email Hiding Rules
Subvert Trust Controls: Code Signing
Stage Capabilities: SEO Poisoning
Masquerading: Invalid Code Signature
Boot or Logon Autostart Execution: Print Processors
Adversary-in-the-Middle
Search Open Technical Databases: DNS/Passive DNS
Indicator Removal: Timestomp
System Binary Proxy Execution
Data from Information Repositories: Customer Relationship Management Software
Hijack Execution Flow: Services File Permissions Weakness
Event Triggered Execution: Installer Packages
Subvert Trust Controls: Mark-of-the-Web Bypass
Obfuscated Files or Information: Polymorphic Code
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Multi-Factor Authentication Interception
Data from Information Repositories: Confluence
Hide Artifacts: Hidden Window
Virtualization/Sandbox Evasion: System Checks
Server Software Component: IIS Components
Domain or Tenant Policy Modification: Group Policy Modification
Impersonation
Indirect Command Execution
Automated Exfiltration
Obtain Capabilities: Code Signing Certificates
Command and Scripting Interpreter: Cloud API
System Service Discovery
Disk Wipe: Disk Structure Wipe
Acquire Infrastructure: DNS Server
Phishing: Spearphishing via Service
System Binary Proxy Execution: Compiled HTML File
Command and Scripting Interpreter: Windows Command Shell
Scheduled Task/Job: Cron
Exploit Public-Facing Application
Search Closed Sources
Search Open Technical Databases
Office Application Startup: Outlook Rules
Office Application Startup
Search Open Technical Databases: WHOIS
Permission Groups Discovery: Domain Groups
Modify Authentication Process: Pluggable Authentication Modules
Data Manipulation: Transmitted Data Manipulation
Rootkit
Hijack Execution Flow: Dylib Hijacking
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Account Manipulation: Additional Local or Domain Groups
Browser Information Discovery
Resource Hijacking: Cloud Service Hijacking
Server Software Component: SQL Stored Procedures
System Binary Proxy Execution: Mavinject
Obfuscated Files or Information
Obfuscated Files or Information: Command Obfuscation
Disk Wipe
Non-Application Layer Protocol
Create or Modify System Process: Container Service
Account Manipulation
Acquire Infrastructure
Cloud Infrastructure Discovery
User Execution: Malicious File
Implant Internal Image
Remote Service Session Hijacking: SSH Hijacking
Modify Authentication Process: Multi-Factor Authentication
Proxy: External Proxy
Boot or Logon Autostart Execution: XDG Autostart Entries
Hide Artifacts: Hidden Users
Command and Scripting Interpreter: AppleScript
Weaken Encryption
Ingress Tool Transfer
Compromise Infrastructure: Virtual Private Server
Windows Management Instrumentation
Unsecured Credentials: Private Keys
Shared Modules
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
OS Credential Dumping: LSA Secrets
Cloud Storage Object Discovery
Steal or Forge Kerberos Tickets
Container and Resource Discovery
Data Manipulation
Indicator Removal: Network Share Connection Removal
Communication Through Removable Media
Modify Cloud Compute Infrastructure
Exfiltration Over Web Service: Exfiltration to Code Repository
Application Layer Protocol
Modify System Image
System Script Proxy Execution: PubPrn
Data Obfuscation
Office Application Startup: Outlook Forms
Remote System Discovery
Obtain Capabilities: Exploits
System Binary Proxy Execution: Rundll32
Obtain Capabilities: Tool
Compromise Accounts: Cloud Accounts
Command and Scripting Interpreter: Network Device CLI
Web Service: One-Way Communication
Unsecured Credentials: Container API
Gather Victim Org Information: Identify Roles
System Binary Proxy Execution: MMC
Remote Services: VNC
Active Scanning: Wordlist Scanning
Exploitation for Defense Evasion
Exploitation for Privilege Escalation
Input Capture: Credential API Hooking
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Data Staged: Remote Data Staging
Phishing
Gather Victim Network Information: Network Trust Dependencies
Brute Force
Network Denial of Service: Reflection Amplification
System Binary Proxy Execution: CMSTP
Masquerading: Masquerade File Type
Video Capture
Process Injection: Extra Window Memory Injection
Obfuscated Files or Information: Binary Padding
Modify Cloud Compute Infrastructure: Revert Cloud Instance
System Services: Launchctl
Domain or Tenant Policy Modification
Boot or Logon Autostart Execution: Authentication Package
Proxy: Multi-hop Proxy
Acquire Infrastructure: Virtual Private Server
Impair Defenses: Indicator Blocking
Compromise Host Software Binary
Boot or Logon Initialization Scripts
Data Encoding
Hide Artifacts: VBA Stomping
Indicator Removal: File Deletion
Exfiltration Over Web Service: Exfiltration Over Webhook
Indicator Removal: Clear Mailbox Data
Phishing: Spearphishing Link
System Script Proxy Execution
Input Capture
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Account Manipulation: Additional Cloud Credentials
Valid Accounts: Default Accounts
Compromise Infrastructure: Server
Boot or Logon Autostart Execution: Re-opened Applications
System Network Configuration Discovery: Internet Connection Discovery
Impair Defenses: Spoof Security Alerting
Weaken Encryption: Disable Crypto Hardware
Modify Authentication Process: Password Filter DLL
Obfuscated Files or Information: Steganography
Data Obfuscation: Junk Data
Acquire Infrastructure: Botnet
Financial Theft
Gather Victim Host Information: Software
System Information Discovery
External Remote Services
Brute Force: Credential Stuffing
Non-Standard Port
Hide Artifacts: Process Argument Spoofing
Boot or Logon Autostart Execution: Port Monitors
Data from Configuration Repository: Network Device Configuration Dump
Steal or Forge Kerberos Tickets: Silver Ticket
Gather Victim Network Information: DNS
Credentials from Password Stores: Cloud Secrets Management Stores
Native API
Masquerading: Right-to-Left Override
Office Application Startup: Outlook Home Page
Impair Defenses: Downgrade Attack
Proxy: Internal Proxy
Obfuscated Files or Information: Embedded Payloads
Account Access Removal
Boot or Logon Autostart Execution: Time Providers
Search Closed Sources: Purchase Technical Data
System Services
Encrypted Channel: Symmetric Cryptography
Create or Modify System Process: Launch Agent
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Endpoint Denial of Service: Application or System Exploitation
Software Deployment Tools
Defacement: Internal Defacement
Credentials from Password Stores
Execution Guardrails: Mutual Exclusion
Subvert Trust Controls: Code Signing Policy Modification
Gather Victim Network Information: Domain Properties
Exploitation for Credential Access
Acquire Infrastructure: Malvertising
System Binary Proxy Execution: Verclsid
Event Triggered Execution: Change Default File Association
User Execution: Malicious Image
Event Triggered Execution
System Binary Proxy Execution: Electron Applications
Abuse Elevation Control Mechanism
Use Alternate Authentication Material: Pass the Hash
Masquerading: Masquerade Task or Service
System Binary Proxy Execution: Odbcconf
Office Application Startup: Office Template Macros
Domain or Tenant Policy Modification: Trust Modification
Log Enumeration
Network Denial of Service
Scheduled Task/Job: Scheduled Task
Endpoint Denial of Service: OS Exhaustion Flood
Process Injection: Proc Memory
Search Open Websites/Domains
Event Triggered Execution: Accessibility Features
Remote Services: Direct Cloud VM Connections
Resource Hijacking: Bandwidth Hijacking
Automated Exfiltration: Traffic Duplication
Escape to Host
Trusted Developer Utilities Proxy Execution: MSBuild
Network Service Discovery
Gather Victim Org Information: Business Relationships
Acquire Infrastructure: Server
Remote Access Software
OS Credential Dumping: Security Account Manager
Masquerading: Masquerade Account Name
Unsecured Credentials: Cloud Instance Metadata API
Peripheral Device Discovery
Create or Modify System Process: Systemd Service
Hide Infrastructure
Supply Chain Compromise
Impair Defenses: Disable or Modify System Firewall
Gather Victim Network Information: Network Security Appliances
Boot or Logon Autostart Execution: Winlogon Helper DLL
Valid Accounts: Cloud Accounts
Obfuscated Files or Information: Indicator Removal from Tools
Gather Victim Identity Information
Account Manipulation: Additional Email Delegate Permissions
Event Triggered Execution: Udev Rules
Office Application Startup: Office Test
Brute Force: Password Spraying
Establish Accounts: Cloud Accounts
Data Destruction
System Binary Proxy Execution: Mshta
System Binary Proxy Execution: Regsvcs/Regasm
Phishing for Information: Spearphishing Voice
Data Destruction: Lifecycle-Triggered Deletion
Boot or Logon Initialization Scripts: Login Hook
Server Software Component
Gather Victim Host Information: Client Configurations
Modify Cloud Compute Infrastructure: Create Snapshot
Steal or Forge Kerberos Tickets: Kerberoasting
Resource Hijacking: SMS Pumping
Indicator Removal: Clear Linux or Mac System Logs
Hijack Execution Flow: Executable Installer File Permissions Weakness
Obfuscated Files or Information: Software Packing
Power Settings
Acquire Infrastructure: Domains
Compromise Infrastructure
Resource Hijacking
Automated Collection
Exfiltration Over Other Network Medium
Create Account: Domain Account
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Hide Artifacts: NTFS File Attributes
Rogue Domain Controller
Hijack Execution Flow: COR_PROFILER
Data from Information Repositories: Sharepoint
Data from Cloud Storage
Access Token Manipulation: SID-History Injection
Indicator Removal: Clear Windows Event Logs
Network Sniffing
Gather Victim Host Information: Hardware
Archive Collected Data: Archive via Utility
Steal or Forge Kerberos Tickets: Golden Ticket
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Process Injection: Thread Local Storage
Modify Cloud Compute Infrastructure: Create Cloud Instance
Data Obfuscation: Protocol or Service Impersonation
Account Manipulation: Additional Cloud Roles
Event Triggered Execution: Application Shimming
System Network Configuration Discovery: Wi-Fi Discovery
Process Injection: Asynchronous Procedure Call
Stage Capabilities: Link Target
Archive Collected Data: Archive via Library
Pre-OS Boot: TFTP Boot
Data from Network Shared Drive
Modify Cloud Compute Infrastructure: Delete Cloud Instance
Compromise Accounts
Data Transfer Size Limits
System Network Configuration Discovery
Hide Artifacts
Command and Scripting Interpreter: AutoHotKey & AutoIT
Hijack Execution Flow: Path Interception by Search Order Hijacking
Server Software Component: Terminal Services DLL
Hijack Execution Flow: Services Registry Permissions Weakness
Screen Capture
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Endpoint Denial of Service
Data from Configuration Repository
Data Manipulation: Stored Data Manipulation
Obfuscated Files or Information: Dynamic API Resolution
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Masquerading: Break Process Trees
Modify Authentication Process: Network Device Authentication
Domain Trust Discovery
Container Administration Command
Account Discovery: Email Account
Account Discovery
Hide Artifacts: Hidden Files and Directories
Impair Defenses: Impair Command History Logging
Remote Services
Archive Collected Data: Archive via Custom Method
Modify Authentication Process: Domain Controller Authentication
Query Registry
Process Injection: Ptrace System Calls
Hijack Execution Flow: Kernel Callback Table
Unsecured Credentials: Credentials in Registry
Indicator Removal: Clear Persistence
Search Open Technical Databases: CDNs
Subvert Trust Controls: Gatekeeper Bypass
Boot or Logon Autostart Execution: Active Setup
Obfuscated Files or Information: Fileless Storage
Compromise Infrastructure: Web Services
Traffic Signaling
Encrypted Channel: Asymmetric Cryptography
Permission Groups Discovery
Event Triggered Execution: Screensaver
Compromise Infrastructure: Serverless
Command and Scripting Interpreter: Python
Account Manipulation: Device Registration
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Impair Defenses: Safe Mode Boot
Execution Guardrails
Inhibit System Recovery
Software Discovery: Security Software Discovery
Account Discovery: Cloud Account
Dynamic Resolution: Domain Generation Algorithms
Modify System Image: Downgrade System Image
Subvert Trust Controls
Direct Volume Access
Hide Artifacts: Ignore Process Interrupts
Steal or Forge Kerberos Tickets: AS-REP Roasting
Data Encoding: Non-Standard Encoding
Web Service: Dead Drop Resolver
Data from Local System
Access Token Manipulation: Parent PID Spoofing
Pre-OS Boot: Component Firmware
Masquerading: Double File Extension
Hide Artifacts: Hidden File System
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Keychain
Virtualization/Sandbox Evasion: Time Based Evasion
Email Collection
Network Boundary Bridging: Network Address Translation Traversal
Event Triggered Execution: LC_LOAD_DYLIB Addition
Access Token Manipulation: Token Impersonation/Theft
Active Scanning
Impair Defenses: Disable or Modify Tools
Acquire Infrastructure: Serverless
Pre-OS Boot: ROMMONkit
Gather Victim Network Information
Stage Capabilities
Modify Registry
Valid Accounts: Domain Accounts
Network Denial of Service: Direct Network Flood
Inter-Process Communication: Component Object Model
Application Layer Protocol: Mail Protocols
Credentials from Password Stores: Windows Credential Manager
Dynamic Resolution: Fast Flux DNS
Stage Capabilities: Upload Tool
Gather Victim Identity Information: Email Addresses
Indicator Removal: Clear Command History
XSL Script Processing
Multi-Stage Channels
Subvert Trust Controls: Install Root Certificate
User Execution
Credentials from Password Stores: Credentials from Web Browsers
Modify Cloud Resource Hierarchy
Remote Services: SMB/Windows Admin Shares
Traffic Signaling: Port Knocking
System Location Discovery
Build Image on Host
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Obtain Capabilities: Malware
Remote Services: Remote Desktop Protocol
Pre-OS Boot
Event Triggered Execution: Unix Shell Configuration Modification
Email Collection: Email Forwarding Rule
Email Collection: Local Email Collection
Disk Wipe: Disk Content Wipe
Boot or Logon Autostart Execution: Shortcut Modification
Gather Victim Identity Information: Employee Names
System Script Proxy Execution: SyncAppvPublishingServer
Data Encoding: Standard Encoding
Modify System Image: Patch System Image
Pre-OS Boot: Bootkit
Valid Accounts
Search Open Websites/Domains: Social Media
Plist File Modification
Network Share Discovery
Process Injection: VDSO Hijacking
Obtain Capabilities: Artificial Intelligence
Search Open Technical Databases: Digital Certificates
Lateral Tool Transfer
Adversary-in-the-Middle: DHCP Spoofing
Develop Capabilities: Malware
System Binary Proxy Execution: InstallUtil
Compromise Infrastructure: Botnet
Boot or Logon Autostart Execution: Login Items
Impair Defenses: Disable or Modify Cloud Logs
Establish Accounts: Email Accounts
Compromise Infrastructure: Domains
OS Credential Dumping: LSASS Memory
Serverless Execution
Application Layer Protocol: Publish/Subscribe Protocols
Remote Service Session Hijacking
Dynamic Resolution: DNS Calculation
Application Window Discovery
OS Credential Dumping: Proc Filesystem
Gather Victim Identity Information: Credentials
Forge Web Credentials: SAML Tokens
Process Injection: Thread Execution Hijacking
Data from Information Repositories: Messaging Applications
OS Credential Dumping: DCSync
Gather Victim Org Information
Content Injection
Exfiltration Over C2 Channel
Stage Capabilities: Upload Malware
Remote Services: Windows Remote Management
Process Injection
Indicator Removal
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Adversary-in-the-Middle: ARP Cache Poisoning
Obfuscated Files or Information: LNK Icon Smuggling
Trusted Relationship
Virtualization/Sandbox Evasion: User Activity Based Checks
Defacement
Access Token Manipulation
Boot or Logon Initialization Scripts: Logon Script (Windows)
Use Alternate Authentication Material: Pass the Ticket
Establish Accounts
Remote Services: SSH
Web Service
Command and Scripting Interpreter: Lua
Gather Victim Org Information: Identify Business Tempo
Scheduled Task/Job
OS Credential Dumping: /etc/passwd and /etc/shadow
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Impair Defenses: Disable Windows Event Logging
Steal or Forge Kerberos Tickets: Ccache Files
Unsecured Credentials: Chat Messages
Account Discovery: Local Account
Cloud Administration Command
Unsecured Credentials: Group Policy Preferences
Input Capture: Keylogging
Clipboard Data
Supply Chain Compromise: Compromise Software Supply Chain
Transfer Data to Cloud Account
Deploy Container
Scheduled Transfer
Web Service: Bidirectional Communication
System Shutdown/Reboot
Phishing for Information
Masquerading: Rename System Utilities
Scheduled Task/Job: Systemd Timers
Hardware Additions
Develop Capabilities: Code Signing Certificates
Fallback Channels
Create Account
System Network Connections Discovery
Firmware Corruption
Boot or Logon Autostart Execution: LSASS Driver
Hide Artifacts: Resource Forking
Command and Scripting Interpreter: JavaScript
Replication Through Removable Media
Data Encrypted for Impact
Forge Web Credentials
Account Discovery: Domain Account
Application Layer Protocol: DNS
Create Account: Cloud Account
Indicator Removal: Relocate Malware
Compromise Accounts: Social Media Accounts
Template Injection
Archive Collected Data
Hide Artifacts: Run Virtual Instance
System Binary Proxy Execution: Msiexec
Compromise Infrastructure: DNS Server
Develop Capabilities: Exploits
Endpoint Denial of Service: Application Exhaustion Flood
Taint Shared Content
Exploitation for Client Execution
Impair Defenses: Disable or Modify Cloud Firewall
Exfiltration Over Physical Medium: Exfiltration over USB
Virtualization/Sandbox Evasion
System Owner/User Discovery
Encrypted Channel
Abuse Elevation Control Mechanism: Bypass User Account Control
Develop Capabilities: Digital Certificates
Data Staged
Debugger Evasion
Service Stop
Traffic Signaling: Socket Filters
Exfiltration Over Alternative Protocol
Brute Force: Password Cracking
Server Software Component: Transport Agent
Masquerading
Hijack Execution Flow: DLL Side-Loading
Permission Groups Discovery: Local Groups
Input Capture: Web Portal Capture
Unsecured Credentials
Hijack Execution Flow: AppDomainManager
OS Credential Dumping: NTDS
Supply Chain Compromise: Compromise Hardware Supply Chain
Remote Services: Cloud Services
Phishing: Spearphishing Voice
Modify Authentication Process: Conditional Access Policies
Data Manipulation: Runtime Data Manipulation
Proxy: Domain Fronting
Reflective Code Loading
Phishing for Information: Spearphishing Service
OS Credential Dumping: Cached Domain Credentials
Input Capture: GUI Input Capture
Search Open Websites/Domains: Search Engines
Access Token Manipulation: Make and Impersonate Token
Process Injection: Process Doppelgänging
Search Closed Sources: Threat Intel Vendors
Phishing for Information: Spearphishing Link
Cloud Service Dashboard
OS Credential Dumping
Modify Authentication Process
Compromise Infrastructure: Network Devices
Audio Capture
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Inter-Process Communication: Dynamic Data Exchange
Browser Extensions
Data from Information Repositories: Code Repositories
User Execution: Malicious Link
Account Manipulation: Additional Container Cluster Roles
Use Alternate Authentication Material: Web Session Cookie
Application Layer Protocol: File Transfer Protocols
Create or Modify System Process
Process Injection: ListPlanting
Search Open Websites/Domains: Code Repositories
Event Triggered Execution: AppCert DLLs
Server Software Component: Web Shell
Use Alternate Authentication Material: Application Access Token
Access Token Manipulation: Create Process with Token
Abuse Elevation Control Mechanism: TCC Manipulation
Obtain Capabilities: Vulnerabilities
Forced Authentication
Adversary-in-the-Middle: Evil Twin
Multi-Factor Authentication Request Generation
Event Triggered Execution: Emond
Credentials from Password Stores: Password Managers
Inter-Process Communication
Application Layer Protocol: Web Protocols
Develop Capabilities
Remote Service Session Hijacking: RDP Hijacking
Device Driver Discovery
Defacement: External Defacement
Boot or Logon Autostart Execution
Abuse Elevation Control Mechanism: Setuid and Setgid
Active Scanning: Vulnerability Scanning
Process Injection: Process Hollowing
Email Collection: Remote Email Collection
Obfuscated Files or Information: Stripped Payloads
Inter-Process Communication: XPC Services
Create or Modify System Process: Windows Service
Gather Victim Network Information: Network Topology
Remote Services: Distributed Component Object Model
Process Injection: Portable Executable Injection
Network Boundary Bridging
Data from Configuration Repository: SNMP (MIB Dump)
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Component Object Model Hijacking
Process Discovery
Boot or Logon Autostart Execution: Security Support Provider
BITS Jobs
Impair Defenses
Endpoint Denial of Service: Service Exhaustion Flood
Hijack Execution Flow: Path Interception by Unquoted Path
Cloud Service Discovery
Password Policy Discovery
Exploitation of Remote Services
System Location Discovery: System Language Discovery
Steal or Forge Authentication Certificates
Permission Groups Discovery: Cloud Groups
Unsecured Credentials: Bash History
ServicesTrafficSignalingEncryptedChannel:AsymmetricCryptographyPermissionGroupsDiscoveryEventTriggeredExecution:ScreensaverCompromiseInfrastructure:ServerlessCommandand ScriptingInterpreter:PythonAccountManipulation:DeviceRegistrationAbuseElevationControlMechanism:Sudo and SudoCachingImpairDefenses:Safe ModeBootExecutionGuardrailsInhibitSystemRecoverySoftwareDiscovery:SecuritySoftwareDiscoveryAccountDiscovery:CloudAccountDynamicResolution:DomainGenerationAlgorithmsModifySystemImage:DowngradeSystem ImageSubvertTrustControlsDirectVolumeAccessHideArtifacts:IgnoreProcessInterruptsSteal or ForgeKerberosTickets: AS-REP RoastingDataEncoding:Non-StandardEncodingWebService:Dead DropResolverData fromLocalSystemAccessTokenManipulation:Parent PIDSpoofingPre-OSBoot:ComponentFirmwareMasquerading:Double FileExtensionHideArtifacts:Hidden FileSystemCommandand ScriptingInterpreter:PowerShellCredentialsfromPasswordStores:KeychainVirtualization/SandboxEvasion: Time BasedEvasionEmailCollectionNetworkBoundaryBridging: NetworkAddressTranslationTraversalEvent TriggeredExecution:LC_LOAD_DYLIBAdditionAccess TokenManipulation: TokenImpersonation/TheftActiveScanningImpairDefenses:Disable orModify ToolsAcquireInfrastructure:ServerlessPre-OSBoot:ROMMONkitGatherVictimNetworkInformationStageCapabilitiesModifyRegistryValidAccounts:DomainAccountsNetworkDenial ofService: DirectNetwork FloodInter-ProcessCommunication:ComponentObject ModelApplicationLayerProtocol:MailProtocolsCredentialsfrom PasswordStores:WindowsCredentialManagerDynamicResolution:Fast FluxDNSStageCapabilities:Upload ToolGather VictimIdentityInformation:EmailAddressesIndicatorRemoval:ClearCommandHistoryXSL ScriptProcessingMulti-StageChannelsSubvertTrustControls:Install RootCertificateUserExecutionCredentialsfrom PasswordStores:Credentialsfrom WebBrowsersModifyCloudResourceHierarchyRemoteServices:SMB/WindowsAdmin SharesTrafficSignaling:PortKnockingSystemLocationDiscoveryBuildImageon HostAbuse ElevationControlMechanism:TemporaryElevated 
CloudAccessObtainCapabilities:MalwareRemoteServices:RemoteDesktopProtocolPre-OSBootEvent TriggeredExecution: UnixShellConfigurationModificationEmailCollection:EmailForwardingRuleEmailCollection:Local EmailCollectionDisk Wipe:DiskContentWipeBoot or LogonAutostartExecution:ShortcutModificationGather VictimIdentityInformation:EmployeeNamesSystem Script ProxyExecution:SyncAppvPublishingServerDataEncoding:StandardEncodingModifySystemImage: PatchSystemImagePre-OSBoot:BootkitValidAccountsSearch OpenWebsites/Domains:Social MediaPlist FileModificationNetworkShareDiscoveryProcessInjection:VDSOHijackingObtainCapabilities:ArtificialIntelligenceSearch OpenTechnicalDatabases:DigitalCertificatesLateralToolTransferAdversary-in-the-Middle:DHCPSpoofingDevelopCapabilities:MalwareSystemBinary ProxyExecution:InstallUtilCompromiseInfrastructure:BotnetBoot orLogonAutostartExecution:Login ItemsImpairDefenses:Disable orModify CloudLogsEstablishAccounts:EmailAccountsCompromiseInfrastructure:DomainsOSCredentialDumping:LSASSMemoryServerlessExecutionApplication LayerProtocol:Publish/SubscribeProtocolsRemoteServiceSessionHijackingDynamicResolution:DNSCalculationApplicationWindowDiscoveryOSCredentialDumping:ProcFilesystemGatherVictimIdentityInformation:CredentialsForge WebCredentials:SAMLTokensProcessInjection:ThreadExecutionHijackingData fromInformationRepositories:MessagingApplicationsOSCredentialDumping:DCSyncGatherVictim OrgInformationContentInjectionExfiltrationOver C2ChannelStageCapabilities:UploadMalwareRemoteServices:WindowsRemoteManagementProcessInjectionIndicatorRemovalFile and DirectoryPermissionsModification: Linuxand Mac File andDirectoryPermissionsModificationAdversary-in-the-Middle: ARPCachePoisoningObfuscatedFiles orInformation:LNK IconSmugglingTrustedRelationshipVirtualization/SandboxEvasion: User ActivityBased ChecksDefacementAccessTokenManipulationBoot or LogonInitializationScripts: LogonScript(Windows)Use AlternateAuthenticationMaterial: Passthe 
TicketEstablishAccountsRemoteServices:SSHWebServiceCommandand ScriptingInterpreter:LuaGather VictimOrgInformation:IdentifyBusinessTempoScheduledTask/JobOS CredentialDumping:/etc/passwdand/etc/shadowAbuse ElevationControlMechanism:ElevatedExecution withPromptImpairDefenses:DisableWindowsEvent LoggingSteal orForgeKerberosTickets:Ccache FilesUnsecuredCredentials:ChatMessagesAccountDiscovery:LocalAccountCloudAdministrationCommandUnsecuredCredentials:Group PolicyPreferencesInputCapture:KeyloggingClipboardDataSupply ChainCompromise:CompromiseSoftwareSupply ChainTransferData toCloudAccountDeployContainerScheduledTransferWeb Service:BidirectionalCommunicationSystemShutdown/RebootPhishingforInformationMasquerading:RenameSystemUtilitiesScheduledTask/Job:SystemdTimersHardwareAdditionsDevelopCapabilities:CodeSigningCertificatesFallbackChannelsCreateAccountSystemNetworkConnectionsDiscoveryFirmwareCorruptionBoot or LogonAutostartExecution:LSASS DriverHideArtifacts:ResourceForkingCommandand ScriptingInterpreter:JavaScriptReplicationThroughRemovableMediaDataEncryptedfor ImpactForge WebCredentialsAccountDiscovery:DomainAccountApplicationLayerProtocol:DNSCreateAccount:CloudAccountIndicatorRemoval:RelocateMalwareCompromiseAccounts:Social MediaAccountsTemplateInjectionArchiveCollectedDataHideArtifacts:Run VirtualInstanceSystemBinary ProxyExecution:MsiexecCompromiseInfrastructure:DNS ServerDevelopCapabilities:ExploitsEndpoint Denialof Service:ApplicationExhaustionFloodTaintSharedContentExploitationfor ClientExecutionImpairDefenses:Disable orModify CloudFirewallExfiltrationOver PhysicalMedium:Exfiltrationover USBVirtualization/SandboxEvasionSystemOwner/UserDiscoveryEncryptedChannelAbuse ElevationControlMechanism:Bypass UserAccount ControlDevelopCapabilities:DigitalCertificatesDataStagedDebuggerEvasionServiceStopTrafficSignaling:SocketFiltersExfiltrationOverAlternativeProtocolBruteForce:PasswordCrackingServerSoftwareComponent:TransportAgentMasqueradingHijackExecutionFlow: 
DLLSide-LoadingPermissionGroupsDiscovery:LocalGroupsInputCapture:Web PortalCaptureUnsecuredCredentialsHijack ExecutionFlow:AppDomainManagerOSCredentialDumping:NTDSSupply ChainCompromise:CompromiseHardwareSupply ChainRemoteServices:CloudServicesPhishing:SpearphishingVoiceModifyAuthenticationProcess:ConditionalAccess PoliciesDataManipulation:Runtime DataManipulationProxy:DomainFrontingReflectiveCodeLoadingPhishing forInformation:SpearphishingServiceOS CredentialDumping:CachedDomainCredentialsInputCapture:GUI InputCaptureSearch OpenWebsites/Domains:Search EnginesAccess TokenManipulation:Make andImpersonateTokenProcessInjection:ProcessDoppelgängingSearchClosedSources:Threat IntelVendorsPhishing forInformation:SpearphishingLinkCloudServiceDashboardOSCredentialDumpingModifyAuthenticationProcessCompromiseInfrastructure:NetworkDevicesAudioCaptureBoot or LogonAutostartExecution:Kernel Modulesand ExtensionsInter-ProcessCommunication:Dynamic DataExchangeBrowserExtensionsData fromInformationRepositories:CodeRepositoriesUserExecution:MaliciousLinkAccountManipulation:AdditionalContainerCluster RolesUse AlternateAuthenticationMaterial: WebSessionCookieApplicationLayerProtocol: FileTransferProtocolsCreate orModifySystemProcessProcessInjection:ListPlantingSearch OpenWebsites/Domains:Code RepositoriesEventTriggeredExecution:AppCertDLLsServerSoftwareComponent:Web ShellUse AlternateAuthenticationMaterial:ApplicationAccess TokenAccess TokenManipulation:CreateProcess withTokenAbuseElevationControlMechanism:TCCManipulationObtainCapabilities:VulnerabilitiesForcedAuthenticationAdversary-in-the-Middle:Evil TwinMulti-FactorAuthenticationRequestGenerationEventTriggeredExecution:EmondCredentialsfrom PasswordStores:PasswordManagersInter-ProcessCommunicationApplicationLayerProtocol:WebProtocolsDevelopCapabilitiesRemoteServiceSessionHijacking:RDP HijackingDeviceDriverDiscoveryDefacement:ExternalDefacementBoot orLogonAutostartExecutionAbuseElevationControlMechanism:Setuid 
andSetgidActiveScanning:VulnerabilityScanningProcessInjection:ProcessHollowingEmailCollection:RemoteEmailCollectionObfuscatedFiles orInformation:StrippedPayloadsInter-ProcessCommunication:XPC ServicesCreate orModify SystemProcess:WindowsServiceGather VictimNetworkInformation:NetworkTopologyRemoteServices:DistributedComponentObject ModelProcessInjection:PortableExecutableInjectionNetworkBoundaryBridgingData fromConfigurationRepository:SNMP (MIBDump)Event TriggeredExecution:Image FileExecutionOptionsInjectionEvent TriggeredExecution:ComponentObject ModelHijackingProcessDiscoveryBoot or LogonAutostartExecution:SecuritySupportProviderBITSJobsImpairDefensesEndpoint Denialof Service:ServiceExhaustionFloodHijackExecutionFlow: PathInterception byUnquoted PathCloudServiceDiscoveryPasswordPolicyDiscoveryExploitationof RemoteServicesSystemLocationDiscovery:SystemLanguageDiscoverySteal or ForgeAuthenticationCertificatesPermissionGroupsDiscovery:CloudGroupsUnsecuredCredentials:BashHistory

MITRE ATT&CK Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag, and pull words from the bag.


  1. Hijack Execution Flow
  2. Use Alternate Authentication Material
  3. System Binary Proxy Execution: Control Panel
  4. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  5. Obfuscated Files or Information: HTML Smuggling
  6. Unsecured Credentials: Credentials In Files
  7. Scheduled Task/Job: Container Orchestration Job
  8. Scheduled Task/Job: At
  9. Group Policy Discovery
  10. Command and Scripting Interpreter: Unix Shell
  11. Boot or Logon Initialization Scripts: RC Scripts
  12. Search Victim-Owned Websites
  13. Acquire Access
  14. Masquerading: Match Legitimate Name or Location
  15. Search Open Technical Databases: Scan Databases
  16. Valid Accounts: Local Accounts
  17. Command and Scripting Interpreter
  18. Gather Victim Network Information: IP Addresses
  19. Pre-OS Boot: System Firmware
  20. Compromise Accounts: Email Accounts
  21. Software Discovery
  22. Drive-by Compromise
  23. Hijack Execution Flow: Path Interception by PATH Environment Variable
  24. File and Directory Discovery
  25. Command and Scripting Interpreter: Visual Basic
  26. Impair Defenses: Disable or Modify Linux Audit System
  27. Event Triggered Execution: Netsh Helper DLL
  28. Internal Spearphishing
  29. Office Application Startup: Add-ins
  30. Unused/Unsupported Cloud Regions
  31. Event Triggered Execution: Trap
  32. Dynamic Resolution
  33. Modify Authentication Process: Reversible Encryption
  34. System Time Discovery
  35. Proxy
  36. Process Injection: Dynamic-link Library Injection
  37. Steal Application Access Token
  38. Brute Force: Password Guessing
  39. Phishing: Spearphishing Attachment
  40. Trusted Developer Utilities Proxy Execution: ClickOnce
  41. Data Staged: Local Data Staging
  42. Steal Web Session Cookie
  43. Boot or Logon Initialization Scripts: Network Logon Script
  44. Subvert Trust Controls: SIP and Trust Provider Hijacking
  45. Modify Authentication Process: Hybrid Identity
  46. Obfuscated Files or Information: Encrypted/Encoded File
  47. Obtain Capabilities: Digital Certificates
  48. Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  49. Obtain Capabilities
  50. Create Account: Local Account
  51. Trusted Developer Utilities Proxy Execution
  52. Forge Web Credentials: Web Cookies
  53. Protocol Tunneling
  54. Deobfuscate/Decode Files or Information
  55. Execution Guardrails: Environmental Keying
  56. Credentials from Password Stores: Securityd Memory
  57. Event Triggered Execution: AppInit DLLs
  58. Hijack Execution Flow: Dynamic Linker Hijacking
  59. Resource Hijacking: Compute Hijacking
  60. Masquerading: Space after Filename
  61. Establish Accounts: Social Media Accounts
  62. Stage Capabilities: Install Digital Certificate
  63. Data from Information Repositories
  64. Data from Removable Media
  65. Active Scanning: Scanning IP Blocks
  66. Create or Modify System Process: Launch Daemon
  67. Data Obfuscation: Steganography
  68. Account Manipulation: SSH Authorized Keys
  69. Gather Victim Org Information: Determine Physical Locations
  70. Browser Session Hijacking
  71. File and Directory Permissions Modification
  72. Hijack Execution Flow: DLL Search Order Hijacking
  73. Hide Artifacts: File/Path Exclusions
  74. Indicator Removal: Clear Network Connection History and Configurations
  75. Gather Victim Host Information: Firmware
  76. Modify Authentication Process: Network Provider DLL
  77. System Services: Service Execution
  78. Acquire Infrastructure: Web Services
  79. Stage Capabilities: Drive-by Target
  80. Event Triggered Execution: PowerShell Profile
  81. Gather Victim Host Information
  82. System Binary Proxy Execution: Regsvr32
  83. Exfiltration Over Web Service: Exfiltration to Cloud Storage
  84. Boot or Logon Initialization Scripts: Startup Items
  85. Phishing for Information: Spearphishing Attachment
  86. Obfuscated Files or Information: Compile After Delivery
  87. Weaken Encryption: Reduce Key Space
  88. Hide Artifacts: Email Hiding Rules
  89. Subvert Trust Controls: Code Signing
  90. Stage Capabilities: SEO Poisoning
  91. Masquerading: Invalid Code Signature
  92. Boot or Logon Autostart Execution: Print Processors
  93. Adversary-in-the-Middle
  94. Search Open Technical Databases: DNS/Passive DNS
  95. Indicator Removal: Timestomp
  96. System Binary Proxy Execution
  97. Data from Information Repositories: Customer Relationship Management Software
  98. Hijack Execution Flow: Services File Permissions Weakness
  99. Event Triggered Execution: Installer Packages
  100. Subvert Trust Controls: Mark-of-the-Web Bypass
  101. Obfuscated Files or Information: Polymorphic Code
  102. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  103. Multi-Factor Authentication Interception
  104. Data from Information Repositories: Confluence
  105. Hide Artifacts: Hidden Window
  106. Virtualization/Sandbox Evasion: System Checks
  107. Server Software Component: IIS Components
  108. Domain or Tenant Policy Modification: Group Policy Modification
  109. Impersonation
  110. Indirect Command Execution
  111. Automated Exfiltration
  112. Obtain Capabilities: Code Signing Certificates
  113. Command and Scripting Interpreter: Cloud API
  114. System Service Discovery
  115. Disk Wipe: Disk Structure Wipe
  116. Acquire Infrastructure: DNS Server
  117. Phishing: Spearphishing via Service
  118. System Binary Proxy Execution: Compiled HTML File
  119. Command and Scripting Interpreter: Windows Command Shell
  120. Scheduled Task/Job: Cron
  121. Exploit Public-Facing Application
  122. Search Closed Sources
  123. Search Open Technical Databases
  124. Office Application Startup: Outlook Rules
  125. Office Application Startup
  126. Search Open Technical Databases: WHOIS
  127. Permission Groups Discovery: Domain Groups
  128. Modify Authentication Process: Pluggable Authentication Modules
  129. Data Manipulation: Transmitted Data Manipulation
  130. Rootkit
  131. Hijack Execution Flow: Dylib Hijacking
  132. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
  133. Account Manipulation: Additional Local or Domain Groups
  134. Browser Information Discovery
  135. Resource Hijacking: Cloud Service Hijacking
  136. Server Software Component: SQL Stored Procedures
  137. System Binary Proxy Execution: Mavinject
  138. Obfuscated Files or Information
  139. Obfuscated Files or Information: Command Obfuscation
  140. Disk Wipe
  141. Non-Application Layer Protocol
  142. Create or Modify System Process: Container Service
  143. Account Manipulation
  144. Acquire Infrastructure
  145. Cloud Infrastructure Discovery
  146. User Execution: Malicious File
  147. Implant Internal Image
  148. Remote Service Session Hijacking: SSH Hijacking
  149. Modify Authentication Process: Multi-Factor Authentication
  150. Proxy: External Proxy
  151. Boot or Logon Autostart Execution: XDG Autostart Entries
  152. Hide Artifacts: Hidden Users
  153. Command and Scripting Interpreter: AppleScript
  154. Weaken Encryption
  155. Ingress Tool Transfer
  156. Compromise Infrastructure: Virtual Private Server
  157. Windows Management Instrumentation
  158. Unsecured Credentials: Private Keys
  159. Shared Modules
  160. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  161. OS Credential Dumping: LSA Secrets
  162. Cloud Storage Object Discovery
  163. Steal or Forge Kerberos Tickets
  164. Container and Resource Discovery
  165. Data Manipulation
  166. Indicator Removal: Network Share Connection Removal
  167. Communication Through Removable Media
  168. Modify Cloud Compute Infrastructure
  169. Exfiltration Over Web Service: Exfiltration to Code Repository
  170. Application Layer Protocol
  171. Modify System Image
  172. System Script Proxy Execution: PubPrn
  173. Data Obfuscation
  174. Office Application Startup: Outlook Forms
  175. Remote System Discovery
  176. Obtain Capabilities: Exploits
  177. System Binary Proxy Execution: Rundll32
  178. Obtain Capabilities: Tool
  179. Compromise Accounts: Cloud Accounts
  180. Command and Scripting Interpreter: Network Device CLI
  181. Web Service: One-Way Communication
  182. Unsecured Credentials: Container API
  183. Gather Victim Org Information: Identify Roles
  184. System Binary Proxy Execution: MMC
  185. Remote Services: VNC
  186. Active Scanning: Wordlist Scanning
  187. Exploitation for Defense Evasion
  188. Exploitation for Privilege Escalation
  189. Input Capture: Credential API Hooking
  190. Event Triggered Execution: Windows Management Instrumentation Event Subscription
  191. Data Staged: Remote Data Staging
  192. Phishing
  193. Gather Victim Network Information: Network Trust Dependencies
  194. Brute Force
  195. Network Denial of Service: Reflection Amplification
  196. System Binary Proxy Execution: CMSTP
  197. Masquerading: Masquerade File Type
  198. Video Capture
  199. Process Injection: Extra Window Memory Injection
  200. Obfuscated Files or Information: Binary Padding
  201. Modify Cloud Compute Infrastructure: Revert Cloud Instance
  202. System Services: Launchctl
  203. Domain or Tenant Policy Modification
  204. Boot or Logon Autostart Execution: Authentication Package
  205. Proxy: Multi-hop Proxy
  206. Acquire Infrastructure: Virtual Private Server
  207. Impair Defenses: Indicator Blocking
  208. Compromise Host Software Binary
  209. Boot or Logon Initialization Scripts
  210. Data Encoding
  211. Hide Artifacts: VBA Stomping
  212. Indicator Removal: File Deletion
  213. Exfiltration Over Web Service: Exfiltration Over Webhook
  214. Indicator Removal: Clear Mailbox Data
  215. Phishing: Spearphishing Link
  216. System Script Proxy Execution
  217. Input Capture
  218. Exfiltration Over Web Service: Exfiltration to Text Storage Sites
  219. Account Manipulation: Additional Cloud Credentials
  220. Valid Accounts: Default Accounts
  221. Compromise Infrastructure: Server
  222. Boot or Logon Autostart Execution: Re-opened Applications
  223. System Network Configuration Discovery: Internet Connection Discovery
  224. Impair Defenses: Spoof Security Alerting
  225. Weaken Encryption: Disable Crypto Hardware
  226. Modify Authentication Process: Password Filter DLL
  227. Obfuscated Files or Information: Steganography
  228. Data Obfuscation: Junk Data
  229. Acquire Infrastructure: Botnet
  230. Financial Theft
  231. Gather Victim Host Information: Software
  232. System Information Discovery
  233. External Remote Services
  234. Brute Force: Credential Stuffing
  235. Non-Standard Port
  236. Hide Artifacts: Process Argument Spoofing
  237. Boot or Logon Autostart Execution: Port Monitors
  238. Data from Configuration Repository: Network Device Configuration Dump
  239. Steal or Forge Kerberos Tickets: Silver Ticket
  240. Gather Victim Network Information: DNS
  241. Credentials from Password Stores: Cloud Secrets Management Stores
  242. Native API
  243. Masquerading: Right-to-Left Override
  244. Office Application Startup: Outlook Home Page
  245. Impair Defenses: Downgrade Attack
  246. Proxy: Internal Proxy
  247. Obfuscated Files or Information: Embedded Payloads
  248. Account Access Removal
  249. Boot or Logon Autostart Execution: Time Providers
  250. Search Closed Sources: Purchase Technical Data
  251. System Services
  252. Encrypted Channel: Symmetric Cryptography
  253. Create or Modify System Process: Launch Agent
  254. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  255. Endpoint Denial of Service: Application or System Exploitation
  256. Software Deployment Tools
  257. Defacement: Internal Defacement
  258. Credentials from Password Stores
  259. Execution Guardrails: Mutual Exclusion
  260. Subvert Trust Controls: Code Signing Policy Modification
  261. Gather Victim Network Information: Domain Properties
  262. Exploitation for Credential Access
  263. Acquire Infrastructure: Malvertising
  264. System Binary Proxy Execution: Verclsid
  265. Event Triggered Execution: Change Default File Association
  266. User Execution: Malicious Image
  267. Event Triggered Execution
  268. System Binary Proxy Execution: Electron Applications
  269. Abuse Elevation Control Mechanism
  270. Use Alternate Authentication Material: Pass the Hash
  271. Masquerading: Masquerade Task or Service
  272. System Binary Proxy Execution: Odbcconf
  273. Office Application Startup: Office Template Macros
  274. Domain or Tenant Policy Modification: Trust Modification
  275. Log Enumeration
  276. Network Denial of Service
  277. Scheduled Task/Job: Scheduled Task
  278. Endpoint Denial of Service: OS Exhaustion Flood
  279. Process Injection: Proc Memory
  280. Search Open Websites/Domains
  281. Event Triggered Execution: Accessibility Features
  282. Remote Services: Direct Cloud VM Connections
  283. Resource Hijacking: Bandwidth Hijacking
  284. Automated Exfiltration: Traffic Duplication
  285. Escape to Host
  286. Trusted Developer Utilities Proxy Execution: MSBuild
  287. Network Service Discovery
  288. Gather Victim Org Information: Business Relationships
  289. Acquire Infrastructure: Server
  290. Remote Access Software
  291. OS Credential Dumping: Security Account Manager
  292. Masquerading: Masquerade Account Name
  293. Unsecured Credentials: Cloud Instance Metadata API
  294. Peripheral Device Discovery
  295. Create or Modify System Process: Systemd Service
  296. Hide Infrastructure
  297. Supply Chain Compromise
  298. name
  299. Impair Defenses: Disable or Modify System Firewall
  300. Gather Victim Network Information: Network Security Appliances
  301. Boot or Logon Autostart Execution: Winlogon Helper DLL
  302. Valid Accounts: Cloud Accounts
  303. Obfuscated Files or Information: Indicator Removal from Tools
  304. Gather Victim Identity Information
  305. Account Manipulation: Additional Email Delegate Permissions
  306. Event Triggered Execution: Udev Rules
  307. Office Application Startup: Office Test
  308. Brute Force: Password Spraying
  309. Establish Accounts: Cloud Accounts
  310. Data Destruction
  311. System Binary Proxy Execution: Mshta
  312. System Binary Proxy Execution: Regsvcs/Regasm
  313. Phishing for Information: Spearphishing Voice
  314. Data Destruction: Lifecycle-Triggered Deletion
  315. Boot or Logon Initialization Scripts: Login Hook
  316. Server Software Component
  317. Gather Victim Host Information: Client Configurations
  318. Modify Cloud Compute Infrastructure: Create Snapshot
  319. Steal or Forge Kerberos Tickets: Kerberoasting
  320. Resource Hijacking: SMS Pumping
  321. Indicator Removal: Clear Linux or Mac System Logs
  322. Hijack Execution Flow: Executable Installer File Permissions Weakness
  323. Obfuscated Files or Information: Software Packing
  324. Power Settings
  325. Acquire Infrastructure: Domains
  326. Compromise Infrastructure
  327. Resource Hijacking
  328. Automated Collection
  329. Exfiltration Over Other Network Medium
  330. Create Account: Domain Account
  331. Exfiltration Over Physical Medium
  332. Exfiltration Over Web Service
  333. Hide Artifacts: NTFS File Attributes
  334. Rogue Domain Controller
  335. Hijack Execution Flow: COR_PROFILER
  336. Data from Information Repositories: Sharepoint
  337. Data from Cloud Storage
  338. Access Token Manipulation: SID-History Injection
  339. Indicator Removal: Clear Windows Event Logs
  340. Network Sniffing
  341. Gather Victim Host Information: Hardware
  342. Archive Collected Data: Archive via Utility
  343. Steal or Forge Kerberos Tickets: Golden Ticket
  344. Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  345. Process Injection: Thread Local Storage
  346. Modify Cloud Compute Infrastructure: Create Cloud Instance
  347. Data Obfuscation: Protocol or Service Impersonation
  348. Account Manipulation: Additional Cloud Roles
  349. Event Triggered Execution: Application Shimming
  350. System Network Configuration Discovery: Wi-Fi Discovery
  351. Process Injection: Asynchronous Procedure Call
  352. Stage Capabilities: Link Target
  353. Archive Collected Data: Archive via Library
  354. Pre-OS Boot: TFTP Boot
  355. Data from Network Shared Drive
  356. Modify Cloud Compute Infrastructure: Delete Cloud Instance
  357. Compromise Accounts
  358. Data Transfer Size Limits
  359. System Network Configuration Discovery
  360. Hide Artifacts
  361. Command and Scripting Interpreter: AutoHotKey & AutoIT
  362. Hijack Execution Flow: Path Interception by Search Order Hijacking
  363. Server Software Component: Terminal Services DLL
  364. Hijack Execution Flow: Services Registry Permissions Weakness
  365. Screen Capture
  366. Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  367. Endpoint Denial of Service
  368. Data from Configuration Repository
  369. Data Manipulation: Stored Data Manipulation
  370. Obfuscated Files or Information: Dynamic API Resolution
  371. File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  372. Masquerading: Break Process Trees
  373. Modify Authentication Process: Network Device Authentication
  374. Domain Trust Discovery
  375. Container Administration Command
  376. Account Discovery: Email Account
  377. Account Discovery
  378. Hide Artifacts: Hidden Files and Directories
  379. Impair Defenses: Impair Command History Logging
  380. Remote Services
  381. Archive Collected Data: Archive via Custom Method
  382. Modify Authentication Process: Domain Controller Authentication
  383. Query Registry
  384. Process Injection: Ptrace System Calls
  385. Hijack Execution Flow: KernelCallbackTable
  386. Unsecured Credentials: Credentials in Registry
  387. Indicator Removal: Clear Persistence
  388. Search Open Technical Databases: CDNs
  389. Subvert Trust Controls: Gatekeeper Bypass
  390. Boot or Logon Autostart Execution: Active Setup
  391. Obfuscated Files or Information: Fileless Storage
  392. Compromise Infrastructure: Web Services
  393. Traffic Signaling
  394. Encrypted Channel: Asymmetric Cryptography
  395. Permission Groups Discovery
  396. Event Triggered Execution: Screensaver
  397. Compromise Infrastructure: Serverless
  398. Command and Scripting Interpreter: Python
  399. Account Manipulation: Device Registration
  400. Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  401. Impair Defenses: Safe Mode Boot
  402. Execution Guardrails
  403. Inhibit System Recovery
  404. Software Discovery: Security Software Discovery
  405. Account Discovery: Cloud Account
  406. Dynamic Resolution: Domain Generation Algorithms
  407. Modify System Image: Downgrade System Image
  408. Subvert Trust Controls
  409. Direct Volume Access
  410. Hide Artifacts: Ignore Process Interrupts
  411. Steal or Forge Kerberos Tickets: AS-REP Roasting
  412. Data Encoding: Non-Standard Encoding
  413. Web Service: Dead Drop Resolver
  414. Data from Local System
  415. Access Token Manipulation: Parent PID Spoofing
  416. Pre-OS Boot: Component Firmware
  417. Masquerading: Double File Extension
  418. Hide Artifacts: Hidden File System
  419. Command and Scripting Interpreter: PowerShell
  420. Credentials from Password Stores: Keychain
  421. Virtualization/Sandbox Evasion: Time Based Evasion
  422. Email Collection
  423. Network Boundary Bridging: Network Address Translation Traversal
  424. Event Triggered Execution: LC_LOAD_DYLIB Addition
  425. Access Token Manipulation: Token Impersonation/Theft
  426. Active Scanning
  427. Impair Defenses: Disable or Modify Tools
  428. Acquire Infrastructure: Serverless
  429. Pre-OS Boot: ROMMONkit
  430. Gather Victim Network Information
  431. Stage Capabilities
  432. Modify Registry
  433. Valid Accounts: Domain Accounts
  434. Network Denial of Service: Direct Network Flood
  435. Inter-Process Communication: Component Object Model
  436. Application Layer Protocol: Mail Protocols
  437. Credentials from Password Stores: Windows Credential Manager
  438. Dynamic Resolution: Fast Flux DNS
  439. Stage Capabilities: Upload Tool
  440. Gather Victim Identity Information: Email Addresses
  441. Indicator Removal: Clear Command History
  442. XSL Script Processing
  443. Multi-Stage Channels
  444. Subvert Trust Controls: Install Root Certificate
  445. User Execution
  446. Credentials from Password Stores: Credentials from Web Browsers
  447. Modify Cloud Resource Hierarchy
  448. Remote Services: SMB/Windows Admin Shares
  449. Traffic Signaling: Port Knocking
  450. System Location Discovery
  451. Build Image on Host
  452. Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  453. Obtain Capabilities: Malware
  454. Remote Services: Remote Desktop Protocol
  455. Pre-OS Boot
  456. Event Triggered Execution: Unix Shell Configuration Modification
  457. Email Collection: Email Forwarding Rule
  458. Email Collection: Local Email Collection
  459. Disk Wipe: Disk Content Wipe
  460. Boot or Logon Autostart Execution: Shortcut Modification
  461. Gather Victim Identity Information: Employee Names
  462. System Script Proxy Execution: SyncAppvPublishingServer
  463. Data Encoding: Standard Encoding
  464. Modify System Image: Patch System Image
  465. Pre-OS Boot: Bootkit
  466. Valid Accounts
  467. Search Open Websites/Domains: Social Media
  468. Plist File Modification
  469. Network Share Discovery
  470. Process Injection: VDSO Hijacking
  471. Obtain Capabilities: Artificial Intelligence
  472. Search Open Technical Databases: Digital Certificates
  473. Lateral Tool Transfer
  474. Adversary-in-the-Middle: DHCP Spoofing
  475. Develop Capabilities: Malware
  476. System Binary Proxy Execution: InstallUtil
  477. Compromise Infrastructure: Botnet
  478. Boot or Logon Autostart Execution: Login Items
  479. Impair Defenses: Disable or Modify Cloud Logs
  480. Establish Accounts: Email Accounts
  481. Compromise Infrastructure: Domains
  482. OS Credential Dumping: LSASS Memory
  483. Serverless Execution
  484. Application Layer Protocol: Publish/Subscribe Protocols
  485. Remote Service Session Hijacking
  486. Dynamic Resolution: DNS Calculation
  487. Application Window Discovery
  488. OS Credential Dumping: Proc Filesystem
  489. Gather Victim Identity Information: Credentials
  490. Forge Web Credentials: SAML Tokens
  491. Process Injection: Thread Execution Hijacking
  492. Data from Information Repositories: Messaging Applications
  493. OS Credential Dumping: DCSync
  494. Gather Victim Org Information
  495. Content Injection
  496. Exfiltration Over C2 Channel
  497. Stage Capabilities: Upload Malware
  498. Remote Services: Windows Remote Management
  499. Process Injection
  500. Indicator Removal
  501. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  502. Adversary-in-the-Middle: ARP Cache Poisoning
  503. Obfuscated Files or Information: LNK Icon Smuggling
  504. Trusted Relationship
  505. Virtualization/Sandbox Evasion: User Activity Based Checks
  506. Defacement
  507. Access Token Manipulation
  508. Boot or Logon Initialization Scripts: Logon Script (Windows)
  509. Use Alternate Authentication Material: Pass the Ticket
  510. Establish Accounts
  511. Remote Services: SSH
  512. Web Service
  513. Command and Scripting Interpreter: Lua
  514. Gather Victim Org Information: Identify Business Tempo
  515. Scheduled Task/Job
  516. OS Credential Dumping: /etc/passwd and /etc/shadow
  517. Abuse Elevation Control Mechanism: Elevated Execution with Prompt
  518. Impair Defenses: Disable Windows Event Logging
  519. Steal or Forge Kerberos Tickets: Ccache Files
  520. Unsecured Credentials: Chat Messages
  521. Account Discovery: Local Account
  522. Cloud Administration Command
  523. Unsecured Credentials: Group Policy Preferences
  524. Input Capture: Keylogging
  525. Clipboard Data
  526. Supply Chain Compromise: Compromise Software Supply Chain
  527. Transfer Data to Cloud Account
  528. Deploy Container
  529. Scheduled Transfer
  530. Web Service: Bidirectional Communication
  531. System Shutdown/Reboot
  532. Phishing for Information
  533. Masquerading: Rename System Utilities
  534. Scheduled Task/Job: Systemd Timers
  535. Hardware Additions
  536. Develop Capabilities: Code Signing Certificates
  537. Fallback Channels
  538. Create Account
  539. System Network Connections Discovery
  540. Firmware Corruption
  541. Boot or Logon Autostart Execution: LSASS Driver
  542. Hide Artifacts: Resource Forking
  543. Command and Scripting Interpreter: JavaScript
  544. Replication Through Removable Media
  545. Data Encrypted for Impact
  546. Forge Web Credentials
  547. Account Discovery: Domain Account
  548. Application Layer Protocol: DNS
  549. Create Account: Cloud Account
  550. Indicator Removal: Relocate Malware
  551. Compromise Accounts: Social Media Accounts
  552. Template Injection
  553. Archive Collected Data
  554. Hide Artifacts: Run Virtual Instance
  555. System Binary Proxy Execution: Msiexec
  556. Compromise Infrastructure: DNS Server
  557. Develop Capabilities: Exploits
  558. Endpoint Denial of Service: Application Exhaustion Flood
  559. Taint Shared Content
  560. Exploitation for Client Execution
  561. Impair Defenses: Disable or Modify Cloud Firewall
  562. Exfiltration Over Physical Medium: Exfiltration over USB
  563. Virtualization/Sandbox Evasion
  564. System Owner/User Discovery
  565. Encrypted Channel
  566. Abuse Elevation Control Mechanism: Bypass User Account Control
  567. Develop Capabilities: Digital Certificates
  568. Data Staged
  569. Debugger Evasion
  570. Service Stop
  571. Traffic Signaling: Socket Filters
  572. Exfiltration Over Alternative Protocol
  573. Brute Force: Password Cracking
  574. Server Software Component: Transport Agent
  575. Masquerading
  576. Hijack Execution Flow: DLL Side-Loading
  577. Permission Groups Discovery: Local Groups
  578. Input Capture: Web Portal Capture
  579. Unsecured Credentials
  580. Hijack Execution Flow: AppDomainManager
  581. OS Credential Dumping: NTDS
  582. Supply Chain Compromise: Compromise Hardware Supply Chain
  583. Remote Services: Cloud Services
  584. Phishing: Spearphishing Voice
  585. Modify Authentication Process: Conditional Access Policies
  586. Data Manipulation: Runtime Data Manipulation
  587. Proxy: Domain Fronting
  588. Reflective Code Loading
  589. Phishing for Information: Spearphishing Service
  590. OS Credential Dumping: Cached Domain Credentials
  591. Input Capture: GUI Input Capture
  592. Search Open Websites/Domains: Search Engines
  593. Access Token Manipulation: Make and Impersonate Token
  594. Process Injection: Process Doppelgänging
  595. Search Closed Sources: Threat Intel Vendors
  596. Phishing for Information: Spearphishing Link
  597. Cloud Service Dashboard
  598. OS Credential Dumping
  599. Modify Authentication Process
  600. Compromise Infrastructure: Network Devices
  601. Audio Capture
  602. Boot or Logon Autostart Execution: Kernel Modules and Extensions
  603. Inter-Process Communication: Dynamic Data Exchange
  604. Browser Extensions
  605. Data from Information Repositories: Code Repositories
  606. User Execution: Malicious Link
  607. Account Manipulation: Additional Container Cluster Roles
  608. Use Alternate Authentication Material: Web Session Cookie
  609. Application Layer Protocol: File Transfer Protocols
  610. Create or Modify System Process
  611. Process Injection: ListPlanting
  612. Search Open Websites/Domains: Code Repositories
  613. Event Triggered Execution: AppCert DLLs
  614. Server Software Component: Web Shell
  615. Use Alternate Authentication Material: Application Access Token
  616. Access Token Manipulation: Create Process with Token
  617. Abuse Elevation Control Mechanism: TCC Manipulation
  618. Obtain Capabilities: Vulnerabilities
  619. Forced Authentication
  620. Adversary-in-the-Middle: Evil Twin
  621. Multi-Factor Authentication Request Generation
  622. Event Triggered Execution: Emond
  623. Credentials from Password Stores: Password Managers
  624. Inter-Process Communication
  625. Application Layer Protocol: Web Protocols
  626. Develop Capabilities
  627. Remote Service Session Hijacking: RDP Hijacking
  628. Device Driver Discovery
  629. Defacement: External Defacement
  630. Boot or Logon Autostart Execution
  631. Abuse Elevation Control Mechanism: Setuid and Setgid
  632. Active Scanning: Vulnerability Scanning
  633. Process Injection: Process Hollowing
  634. Email Collection: Remote Email Collection
  635. Obfuscated Files or Information: Stripped Payloads
  636. Inter-Process Communication: XPC Services
  637. Create or Modify System Process: Windows Service
  638. Gather Victim Network Information: Network Topology
  639. Remote Services: Distributed Component Object Model
  640. Process Injection: Portable Executable Injection
  641. Network Boundary Bridging
  642. Data from Configuration Repository: SNMP (MIB Dump)
  643. Event Triggered Execution: Image File Execution Options Injection
  644. Event Triggered Execution: Component Object Model Hijacking
  645. Process Discovery
  646. Boot or Logon Autostart Execution: Security Support Provider
  647. BITS Jobs
  648. Impair Defenses
  649. Endpoint Denial of Service: Service Exhaustion Flood
  650. Hijack Execution Flow: Path Interception by Unquoted Path
  651. Cloud Service Discovery
  652. Password Policy Discovery
  653. Exploitation of Remote Services
  654. System Location Discovery: System Language Discovery
  655. Steal or Forge Authentication Certificates
  656. Permission Groups Discovery: Cloud Groups
  657. Unsecured Credentials: Bash History