reconnaissance, resource-development, initial-access, execution, persistence, privilege-escalation, defense-evasion, credential-access, discovery, lateral-movement, collection, command-and-control, exfiltration, impact
Gather Victim Identity Information
Gather Victim Org Information
Search Open Websites/Domains
Phishing for Information
Gather Victim Host Information
Search Closed Sources
Search Victim-Owned Websites
Gather Victim Network Information
Active Scanning
Search Open Technical Databases
Compromise Accounts
Obtain Capabilities
Establish Accounts
Develop Capabilities
Stage Capabilities
Compromise Infrastructure
Acquire Infrastructure
Acquire Access
Replication Through Removable Media
Spearphishing via Service
Spearphishing Link
Trusted Relationship
Phishing
Drive-by Compromise
Supply Chain Compromise
Content Injection
Exploit Public-Facing Application
Spearphishing Attachment
Valid Accounts
Hardware Additions
External Remote Services
Source
Trap
Space after Filename
Regsvr32
Native API
LSASS Driver
Deploy Container
Control Panel Items
Mshta
InstallUtil
PowerShell
Service Execution
Windows Remote Management
Windows Management Instrumentation
Software Deployment Tools
Rundll32
Exploitation for Client Execution
CMSTP
Compiled HTML File
Local Job Scheduling
Shared Modules
System Services
Command and Scripting Interpreter
Scripting
Scheduled Task/Job
Regsvcs/Regasm
Launchctl
User Execution
Graphical User Interface
Cloud Administration Command
AppleScript
Serverless Execution
Component Object Model and Distributed COM
Container Administration Command
Inter-Process Communication
Dynamic Data Exchange
Plist Modification
Trap
Boot or Logon Initialization Scripts
Hijack Execution Flow
Malicious Shell Modification
Registry Run Keys / Startup Folder
Winlogon Helper DLL
LSASS Driver
Image File Execution Options Injection
SIP and Trust Provider Hijacking
Create Account
Component Firmware
Modify Authentication Process
Emond
Accessibility Features
DLL Search Order Hijacking
Time Providers
Launch Agent
Security Support Provider
PowerShell Profile
Launch Daemon
New Service
System Firmware
BITS Jobs
Account Manipulation
Shortcut Modification
Modify Existing Service
Office Application Startup
Web Shell
Boot or Logon Autostart Execution
Local Job Scheduling
LC_LOAD_DYLIB Addition
Authentication Package
Hidden Files and Directories
Server Software Component
Pre-OS Boot
Implant Internal Image
Dylib Hijacking
Scheduled Task/Job
Compromise Client Software Binary
Launchctl
Port Monitors
Traffic Signaling
Screensaver
Application Shimming
Change Default File Association
Rc.common
AppInit DLLs
Create or Modify System Process
Browser Extensions
Windows Management Instrumentation Event Subscription
Valid Accounts
Login Item
Netsh Helper DLL
Hooking
Hypervisor
File System Permissions Weakness
Setuid and Setgid
Component Object Model Hijacking
AppCert DLLs
Bootkit
Path Interception
Kernel Modules and Extensions
External Remote Services
Service Registry Permissions Weakness
Event Triggered Execution
Re-opened Applications
Startup Items
Power Settings
Redundant Access
Systemd Service
Plist Modification
Boot or Logon Initialization Scripts
Hijack Execution Flow
Domain Policy Modification
SID-History Injection
Elevated Execution with Prompt
Image File Execution Options Injection
Sudo Caching
Emond
Accessibility Features
Abuse Elevation Control Mechanism
DLL Search Order Hijacking
Extra Window Memory Injection
PowerShell Profile
Launch Daemon
New Service
Account Manipulation
Escape to Host
Web Shell
Boot or Logon Autostart Execution
Bypass User Account Control
Process Injection
Exploitation for Privilege Escalation
Parent PID Spoofing
Dylib Hijacking
Scheduled Task/Job
Port Monitors
Application Shimming
AppInit DLLs
Create or Modify System Process
Valid Accounts
Access Token Manipulation
Hooking
File System Permissions Weakness
Setuid and Setgid
AppCert DLLs
Path Interception
Service Registry Permissions Weakness
Event Triggered Execution
Startup Items
Sudo
Reflective Code Loading
Indicator Removal from Tools
Direct Volume Access
Indicator Removal
Plist Modification
Space after Filename
Binary Padding
Hijack Execution Flow
Regsvr32
Domain Policy Modification
Clear Command History
Modify Cloud Compute Infrastructure
Application Access Token
Masquerading
Plist File Modification
Deploy Container
Control Panel Items
Image File Execution Options Injection
Mshta
SIP and Trust Provider Hijacking
Hidden Window
Component Firmware
Gatekeeper Bypass
InstallUtil
Modify Authentication Process
Subvert Trust Controls
Obfuscated Files or Information
NTFS File Attributes
Abuse Elevation Control Mechanism
DLL Search Order Hijacking
Extra Window Memory Injection
Process Hollowing
Rogue Domain Controller
Software Packing
BITS Jobs
Rundll32
Hide Artifacts
CMSTP
Hidden Users
Compiled HTML File
Timestomp
Unused/Unsupported Cloud Regions
Code Signing
Bypass User Account Control
Compile After Delivery
Process Injection
System Script Proxy Execution
Disabling Security Tools
Hidden Files and Directories
Modify Registry
File Deletion
Pre-OS Boot
Weaken Encryption
Parent PID Spoofing
Impersonation
Execution Guardrails
Scripting
Build Image on Host
Regsvcs/Regasm
Indirect Command Execution
Launchctl
Impair Defenses
Web Session Cookie
Traffic Signaling
LC_MAIN Hijacking
Exploitation for Defense Evasion
Install Root Certificate
File and Directory Permissions Modification
Rootkit
Use Alternate Authentication Material
Deobfuscate/Decode Files or Information
System Binary Proxy Execution
Trusted Developer Utilities Proxy Execution
DLL Side-Loading
Debugger Evasion
Valid Accounts
Indicator Blocking
Template Injection
Network Boundary Bridging
Access Token Manipulation
Component Object Model Hijacking
Process Doppelgänging
Modify System Image
Network Share Connection Removal
Revert Cloud Instance
XSL Script Processing
HISTCONTROL
Virtualization/Sandbox Evasion
Redundant Access
Unsecured Credentials
Multi-Factor Authentication Request Generation
Steal Web Session Cookie
Steal or Forge Kerberos Tickets
Adversary-in-the-Middle
Credentials in Registry
Password Filter DLL
Cloud Instance Metadata API
Keychain
Modify Authentication Process
Input Prompt
Securityd Memory
Credentials from Password Stores
Forced Authentication
Credentials in Files
Credentials from Web Browsers
Steal Application Access Token
Brute Force
Kerberoasting
Input Capture
Steal or Forge Authentication Certificates
LLMNR/NBT-NS Poisoning and Relay
Multi-Factor Authentication Interception
Hooking
Network Sniffing
Exploitation for Credential Access
Forge Web Credentials
Bash History
Private Keys
OS Credential Dumping
Peripheral Device Discovery
Log Enumeration
Password Policy Discovery
Remote System Discovery
Network Share Discovery
Cloud Service Discovery
System Network Configuration Discovery
Account Discovery
Domain Trust Discovery
System Network Connections Discovery
Cloud Storage Object Discovery
Device Driver Discovery
System Information Discovery
Group Policy Discovery
Permission Groups Discovery
System Location Discovery
Query Registry
File and Directory Discovery
Cloud Infrastructure Discovery
System Owner/User Discovery
Container and Resource Discovery
Cloud Service Dashboard
Browser Information Discovery
Software Discovery
Debugger Evasion
Network Service Discovery
Application Window Discovery
Network Sniffing
System Service Discovery
Process Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Security Software Discovery
Application Deployment Software
Replication Through Removable Media
Application Access Token
Lateral Tool Transfer
Windows Remote Management
Software Deployment Tools
SSH Hijacking
Remote Desktop Protocol
Pass the Ticket
Web Session Cookie
Exploitation of Remote Services
Shared Webroot
Pass the Hash
Use Alternate Authentication Material
Remote Services
Remote Service Session Hijacking
Component Object Model and Distributed COM
Taint Shared Content
Internal Spearphishing
Windows Admin Shares
Browser Session Hijacking
Data from Removable Media
Adversary-in-the-Middle
Archive Collected Data
Data Staged
Data from Network Shared Drive
Data from Configuration Repository
Video Capture
Clipboard Data
Data from Local System
Email Collection
Input Capture
Screen Capture
Data from Cloud Storage
Automated Collection
Audio Capture
Data from Information Repositories
Web Service
Multi-Stage Channels
Standard Cryptographic Protocol
Non-Application Layer Protocol
Proxy
Multiband Communication
Domain Fronting
Content Injection
Ingress Tool Transfer
Uncommonly Used Port
Remote Access Software
Communication Through Removable Media
Multi-hop Proxy
Encrypted Channel
Fallback Channels
Dynamic Resolution
Data Obfuscation
Traffic Signaling
Multilayer Encryption
Commonly Used Port
Data Encoding
Custom Cryptographic Protocol
Domain Generation Algorithms
Custom Command and Control Protocol
Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Scheduled Transfer
Transfer Data to Cloud Account
Exfiltration Over Alternative Protocol
Exfiltration Over C2 Channel
Data Transfer Size Limits
Exfiltration Over Other Network Medium
Automated Exfiltration
Data Encrypted
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Data Compressed
Financial Theft
Account Access Removal
Inhibit System Recovery
System Shutdown/Reboot
Defacement
Data Manipulation
Data Destruction
Runtime Data Manipulation
Disk Content Wipe
Network Denial of Service
Firmware Corruption
Data Encrypted for Impact
Disk Structure Wipe
Disk Wipe
Endpoint Denial of Service
Stored Data Manipulation
Service Stop
Transmitted Data Manipulation
Resource Hijacking