Tactic | Techniques
---|---
Reconnaissance | Gather Victim Host Information, Phishing for Information, Active Scanning, Search Victim-Owned Websites, Gather Victim Identity Information, Search Open Technical Databases, Search Open Websites/Domains, Gather Victim Org Information, Gather Victim Network Information, Search Closed Sources
Resource Development | Acquire Infrastructure, Acquire Access, Compromise Accounts, Establish Accounts, Develop Capabilities, Compromise Infrastructure, Stage Capabilities, Obtain Capabilities
Initial Access | Valid Accounts, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Drive-by Compromise, Hardware Additions, Supply Chain Compromise, Replication Through Removable Media, Phishing, Exploit Public-Facing Application, Content Injection, External Remote Services, Trusted Relationship
Execution | Regsvcs/Regasm, Cloud Administration Command, Launchctl, Regsvr32, Deploy Container, AppleScript, Space after Filename, Dynamic Data Exchange, Rundll32, Source, Native API, Container Administration Command, Shared Modules, Graphical User Interface, Trap, Windows Remote Management, System Services, Compiled HTML File, Scheduled Task/Job, Component Object Model and Distributed COM, LSASS Driver, Service Execution, PowerShell, InstallUtil, Command and Scripting Interpreter, Windows Management Instrumentation, User Execution, Serverless Execution, CMSTP, Control Panel Items, Mshta, Inter-Process Communication, Exploitation for Client Execution, Local Job Scheduling, Scripting, Software Deployment Tools
Persistence | Path Interception, Valid Accounts, Boot or Logon Initialization Scripts, Rc.common, BITS Jobs, Port Monitors, LC_LOAD_DYLIB Addition, Office Application Startup, AppInit DLLs, Malicious Shell Modification, Bootkit, Hypervisor, Systemd Service, Traffic Signaling, Service Registry Permissions Weakness, New Service, Winlogon Helper DLL, Emond, AppCert DLLs, Change Default File Association, Authentication Package, Launchctl, Kernel Modules and Extensions, Hidden Files and Directories, Launch Agent, Hooking, System Firmware, Re-opened Applications, SIP and Trust Provider Hijacking, Power Settings, Application Shimming, Pre-OS Boot, Screensaver, Account Manipulation, Shortcut Modification, Component Object Model Hijacking, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Dylib Hijacking, Hijack Execution Flow, Netsh Helper DLL, Trap, Event Triggered Execution, Modify Existing Service, Web Shell, Server Software Component, Scheduled Task/Job, Time Providers, Create Account, Windows Management Instrumentation Event Subscription, Image File Execution Options Injection, LSASS Driver, Modify Authentication Process, Security Support Provider, PowerShell Profile, Plist Modification, Create or Modify System Process, External Remote Services, Setuid and Setgid, Browser Extensions, Implant Internal Image, Component Firmware, Redundant Access, Accessibility Features, DLL Search Order Hijacking, File System Permissions Weakness, Launch Daemon, Local Job Scheduling, Login Item, Startup Items, Compromise Client Software Binary
Privilege Escalation | Exploitation for Privilege Escalation, Path Interception, Valid Accounts, Boot or Logon Initialization Scripts, Port Monitors, AppInit DLLs, Elevated Execution with Prompt, Service Registry Permissions Weakness, New Service, Emond, AppCert DLLs, Access Token Manipulation, Abuse Elevation Control Mechanism, Hooking, Domain Policy Modification, Application Shimming, Account Manipulation, Boot or Logon Autostart Execution, Parent PID Spoofing, Extra Window Memory Injection, Sudo, Dylib Hijacking, Hijack Execution Flow, Event Triggered Execution, Web Shell, Scheduled Task/Job, Image File Execution Options Injection, PowerShell Profile, Plist Modification, Create or Modify System Process, Setuid and Setgid, Sudo Caching, Accessibility Features, DLL Search Order Hijacking, SID-History Injection, File System Permissions Weakness, Launch Daemon, Bypass User Account Control, Process Injection, Escape to Host, Startup Items
Defense Evasion | Indicator Removal from Tools, Network Share Connection Removal, Direct Volume Access, Valid Accounts, Reflective Code Loading, Timestomp, Modify Cloud Compute Infrastructure, BITS Jobs, Process Hollowing, Regsvcs/Regasm, Disabling Security Tools, Impersonation, HISTCONTROL, Impair Defenses, Code Signing, Masquerading, Traffic Signaling, Binary Padding, Hidden Window, Access Token Manipulation, Gatekeeper Bypass, Launchctl, Regsvr32, Rootkit, Deploy Container, Space after Filename, Hidden Files and Directories, Abuse Elevation Control Mechanism, Rundll32, Install Root Certificate, Debugger Evasion, Revert Cloud Instance, SIP and Trust Provider Hijacking, Software Packing, System Binary Proxy Execution, Indicator Removal, Domain Policy Modification, Pre-OS Boot, Component Object Model Hijacking, Parent PID Spoofing, Obfuscated Files or Information, Extra Window Memory Injection, LC_MAIN Hijacking, Hide Artifacts, Modify System Image, DLL Side-Loading, Hijack Execution Flow, Subvert Trust Controls, Hidden Users, Compiled HTML File, File and Directory Permissions Modification, File Deletion, Image File Execution Options Injection, Modify Authentication Process, InstallUtil, System Script Proxy Execution, Clear Command History, Trusted Developer Utilities Proxy Execution, Plist Modification, Virtualization/Sandbox Evasion, Exploitation for Defense Evasion, Rogue Domain Controller, Unused/Unsupported Cloud Regions, Component Firmware, Redundant Access, CMSTP, Indicator Blocking, DLL Search Order Hijacking, Web Session Cookie, Control Panel Items, Compile After Delivery, Mshta, Network Boundary Bridging, Deobfuscate/Decode Files or Information, Plist File Modification, Bypass User Account Control, Process Injection, XSL Script Processing, Weaken Encryption, Process Doppelgänging, Build Image on Host, Application Access Token, Execution Guardrails, Scripting, NTFS File Attributes, Use Alternate Authentication Material, Template Injection, Indirect Command Execution, Modify Registry
Credential Access | OS Credential Dumping, Forced Authentication, Credentials in Registry, Steal or Forge Kerberos Tickets, Credentials from Password Stores, Bash History, Unsecured Credentials, LLMNR/NBT-NS Poisoning and Relay, Steal Web Session Cookie, Steal Application Access Token, Hooking, Keychain, Input Capture, Private Keys, Modify Authentication Process, Adversary-in-the-Middle, Brute Force, Cloud Instance Metadata API, Securityd Memory, Password Filter DLL, Credentials from Web Browsers, Multi-Factor Authentication Request Generation, Network Sniffing, Multi-Factor Authentication Interception, Input Prompt, Kerberoasting, Credentials in Files, Steal or Forge Authentication Certificates, Forge Web Credentials, Exploitation for Credential Access
Discovery | Container and Resource Discovery, Password Policy Discovery, Permission Groups Discovery, Peripheral Device Discovery, System Service Discovery, Network Share Discovery, Cloud Service Discovery, Application Window Discovery, Browser Information Discovery, Debugger Evasion, Account Discovery, Process Discovery, Cloud Storage Object Discovery, Device Driver Discovery, Group Policy Discovery, System Location Discovery, Query Registry, System Information Discovery, Software Discovery, Network Service Discovery, Cloud Service Dashboard, File and Directory Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion, Cloud Infrastructure Discovery, Network Sniffing, Domain Trust Discovery, System Network Connections Discovery, Security Software Discovery, Remote System Discovery, Log Enumeration
Lateral Movement | Lateral Tool Transfer, Application Deployment Software, Remote Desktop Protocol, Windows Admin Shares, Exploitation of Remote Services, Internal Spearphishing, Pass the Ticket, Windows Remote Management, Pass the Hash, Component Object Model and Distributed COM, Replication Through Removable Media, Remote Services, SSH Hijacking, Remote Service Session Hijacking, Taint Shared Content, Web Session Cookie, Shared Webroot, Application Access Token, Use Alternate Authentication Material, Software Deployment Tools
Collection | Data from Information Repositories, Screen Capture, Data from Configuration Repository, Data from Removable Media, Clipboard Data, Audio Capture, Archive Collected Data, Video Capture, Input Capture, Data from Cloud Storage, Data from Local System, Adversary-in-the-Middle, Data Staged, Data from Network Shared Drive, Browser Session Hijacking, Email Collection, Automated Collection
Command and Control | Application Layer Protocol, Domain Fronting, Multilayer Encryption, Traffic Signaling, Standard Cryptographic Protocol, Domain Generation Algorithms, Communication Through Removable Media, Proxy, Multi-Stage Channels, Dynamic Resolution, Multi-hop Proxy, Multiband Communication, Data Obfuscation, Non-Standard Port, Custom Cryptographic Protocol, Encrypted Channel, Non-Application Layer Protocol, Uncommonly Used Port, Data Encoding, Ingress Tool Transfer, Fallback Channels, Custom Command and Control Protocol, Remote Access Software, Content Injection, Protocol Tunneling, Web Service, Commonly Used Port
Exfiltration | Exfiltration Over Web Service, Scheduled Transfer, Exfiltration Over Other Network Medium, Automated Exfiltration, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Data Compressed, Data Transfer Size Limits, Data Encrypted, Exfiltration Over Physical Medium, Transfer Data to Cloud Account
Impact | Stored Data Manipulation, Service Stop, Disk Structure Wipe, Network Denial of Service, Firmware Corruption, Data Manipulation, Inhibit System Recovery, Defacement, Endpoint Denial of Service, Runtime Data Manipulation, Data Destruction, Account Access Removal, Disk Wipe, System Shutdown/Reboot, Data Encrypted for Impact, Disk Content Wipe, Transmitted Data Manipulation, Financial Theft, Resource Hijacking