Enterprise Attack v15.1 Matrices

Uploaded by dasmohan4565

First matrix (tactic, then technique: sub-techniques)

Reconnaissance
  Active Scanning: Scanning IP Blocks, Vulnerability Scanning, Wordlist Scanning
  Gather Victim Host Information: Client Configurations, Firmware, Hardware, Software
  Gather Victim Identity Information: Credentials, Email Addresses, Employee Names
  Gather Victim Network Information: DNS, Domain Properties, IP Addresses, Network Security Appliances, Network Topology, Network Trust Dependencies
  Gather Victim Org Information: Business Relationships, Determine Physical Locations, Identify Business Tempo, Identify Roles
  Phishing for Information: Spearphishing Attachment, Spearphishing Link, Spearphishing Service, Spearphishing Voice
  Search Closed Sources: Purchase Technical Data, Threat Intel Vendors
  Search Open Technical Databases: CDNs, DNS/Passive DNS, Digital Certificates, Scan Databases, WHOIS
  Search Open Websites/Domains: Code Repositories, Search Engines, Social Media
  Search Victim-Owned Websites

Resource Development
  Acquire Access
  Acquire Infrastructure: Botnet, DNS Server, Domains, Malvertising, Server, Serverless, Virtual Private Server, Web Services
  Compromise Accounts: Cloud Accounts, Email Accounts, Social Media Accounts
  Compromise Infrastructure: Botnet, DNS Server, Domains, Network Devices, Server, Serverless, Virtual Private Server, Web Services
  Develop Capabilities: Code Signing Certificates, Digital Certificates, Exploits, Malware
  Establish Accounts: Cloud Accounts, Email Accounts, Social Media Accounts
  Obtain Capabilities: Artificial Intelligence, Code Signing Certificates, Digital Certificates, Exploits, Malware, Tool, Vulnerabilities
  Stage Capabilities: Drive-by Target, Install Digital Certificate, Link Target, SEO Poisoning, Upload Malware, Upload Tool

Initial Access
  Content Injection
  Drive-by Compromise
  Exploit Public-Facing Application
  External Remote Services
  Hardware Additions
  Phishing: Spearphishing Attachment, Spearphishing Link, Spearphishing Voice, Spearphishing via Service
  Replication Through Removable Media
  Supply Chain Compromise: Compromise Hardware Supply Chain, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
  Trusted Relationship
  Valid Accounts: Cloud Accounts, Default Accounts, Domain Accounts, Local Accounts

Execution
  Cloud Administration Command
  Command and Scripting Interpreter: AppleScript, AutoHotKey & AutoIT, Cloud API, JavaScript, Network Device CLI, PowerShell, Python, Unix Shell, Visual Basic, Windows Command Shell
  Container Administration Command
  Deploy Container
  Exploitation for Client Execution
  Inter-Process Communication: Component Object Model, Dynamic Data Exchange, XPC Services
  Native API
  Scheduled Task/Job: At, Container Orchestration Job, Cron, Scheduled Task, Systemd Timers
  Serverless Execution
  Shared Modules
  Software Deployment Tools
  System Services: Launchctl, Service Execution
  User Execution: Malicious File, Malicious Image, Malicious Link
  Windows Management Instrumentation

Persistence
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Additional Container Cluster Roles, Additional Email Delegate Permissions, Device Registration, SSH Authorized Keys
  BITS Jobs
  Boot or Logon Autostart Execution: Active Setup, Authentication Package, Kernel Modules and Extensions, LSASS Driver, Login Items, Port Monitors, Print Processors, Re-opened Applications, Registry Run Keys / Startup Folder, Security Support Provider, Shortcut Modification, Time Providers, Winlogon Helper DLL, XDG Autostart Entries
  Boot or Logon Initialization Scripts: Login Hook, Logon Script (Windows), Network Logon Script, RC Scripts, Startup Items
  Browser Extensions
  Compromise Host Software Binary
  Create Account: Cloud Account, Domain Account, Local Account
  Create or Modify System Process: Container Service, Launch Agent, Launch Daemon, Systemd Service, Windows Service
  Event Triggered Execution: Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Change Default File Association, Component Object Model Hijacking, Emond, Image File Execution Options Injection, Installer Packages, LC_LOAD_DYLIB Addition, Netsh Helper DLL, PowerShell Profile, Screensaver, Trap, Unix Shell Configuration Modification, Windows Management Instrumentation Event Subscription
  External Remote Services
  Hijack Execution Flow: AppDomainManager, COR_PROFILER, DLL Search Order Hijacking, DLL Side-Loading, Dylib Hijacking, Dynamic Linker Hijacking, Executable Installer File Permissions Weakness, KernelCallbackTable, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking, Path Interception by Unquoted Path, Services File Permissions Weakness, Services Registry Permissions Weakness
  Implant Internal Image
  Modify Authentication Process: Conditional Access Policies, Domain Controller Authentication, Hybrid Identity, Multi-Factor Authentication, Network Device Authentication, Network Provider DLL, Password Filter DLL, Pluggable Authentication Modules, Reversible Encryption
  Office Application Startup: Add-ins, Office Template Macros, Office Test, Outlook Forms, Outlook Home Page, Outlook Rules
  Power Settings
  Pre-OS Boot: Bootkit, Component Firmware, ROMMONkit, System Firmware, TFTP Boot
  Scheduled Task/Job: At, Container Orchestration Job, Cron, Scheduled Task, Systemd Timers
  Server Software Component: IIS Components, SQL Stored Procedures, Terminal Services DLL, Transport Agent, Web Shell
  Traffic Signaling: Port Knocking, Socket Filters
  Valid Accounts: Cloud Accounts, Default Accounts, Domain Accounts, Local Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Bypass User Account Control, Elevated Execution with Prompt, Setuid and Setgid, Sudo and Sudo Caching, TCC Manipulation, Temporary Elevated Cloud Access
  Access Token Manipulation: Create Process with Token, Make and Impersonate Token, Parent PID Spoofing, SID-History Injection, Token Impersonation/Theft
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Additional Container Cluster Roles, Additional Email Delegate Permissions, Device Registration, SSH Authorized Keys
  Boot or Logon Autostart Execution: Active Setup, Authentication Package, Kernel Modules and Extensions, LSASS Driver, Login Items, Port Monitors, Print Processors, Re-opened Applications, Registry Run Keys / Startup Folder, Security Support Provider, Shortcut Modification, Time Providers, Winlogon Helper DLL, XDG Autostart Entries
  Boot or Logon Initialization Scripts: Login Hook, Logon Script (Windows), Network Logon Script, RC Scripts, Startup Items
  Create or Modify System Process: Container Service, Launch Agent, Launch Daemon, Systemd Service, Windows Service
  Domain or Tenant Policy Modification: Group Policy Modification, Trust Modification
  Escape to Host
  Event Triggered Execution: Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Change Default File Association, Component Object Model Hijacking, Emond, Image File Execution Options Injection, Installer Packages, LC_LOAD_DYLIB Addition, Netsh Helper DLL, PowerShell Profile, Screensaver, Trap, Unix Shell Configuration Modification, Windows Management Instrumentation Event Subscription
  Exploitation for Privilege Escalation
  Hijack Execution Flow: AppDomainManager, COR_PROFILER, DLL Search Order Hijacking, DLL Side-Loading, Dylib Hijacking, Dynamic Linker Hijacking, Executable Installer File Permissions Weakness, KernelCallbackTable, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking, Path Interception by Unquoted Path, Services File Permissions Weakness, Services Registry Permissions Weakness
  Process Injection: Asynchronous Procedure Call, Dynamic-link Library Injection, Extra Window Memory Injection, ListPlanting, Portable Executable Injection, Proc Memory, Process Doppelgänging, Process Hollowing, Ptrace System Calls, Thread Execution Hijacking, Thread Local Storage, VDSO Hijacking
  Scheduled Task/Job: At, Container Orchestration Job, Cron, Scheduled Task, Systemd Timers
  Valid Accounts: Cloud Accounts, Default Accounts, Domain Accounts, Local Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Bypass User Account Control, Elevated Execution with Prompt, Setuid and Setgid, Sudo and Sudo Caching, TCC Manipulation, Temporary Elevated Cloud Access
  Access Token Manipulation: Create Process with Token, Make and Impersonate Token, Parent PID Spoofing, SID-History Injection, Token Impersonation/Theft
  BITS Jobs
  Build Image on Host
  Debugger Evasion
  Deobfuscate/Decode Files or Information
  Deploy Container
  Direct Volume Access
  Domain or Tenant Policy Modification: Group Policy Modification, Trust Modification
  Execution Guardrails: Environmental Keying
  Exploitation for Defense Evasion
  File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Windows File and Directory Permissions Modification
  Hide Artifacts: Email Hiding Rules, File/Path Exclusions, Hidden File System, Hidden Files and Directories, Hidden Users, Hidden Window, Ignore Process Interrupts, NTFS File Attributes, Process Argument Spoofing, Resource Forking, Run Virtual Instance, VBA Stomping
  Hijack Execution Flow: AppDomainManager, COR_PROFILER, DLL Search Order Hijacking, DLL Side-Loading, Dylib Hijacking, Dynamic Linker Hijacking, Executable Installer File Permissions Weakness, KernelCallbackTable, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking, Path Interception by Unquoted Path, Services File Permissions Weakness, Services Registry Permissions Weakness
  Impair Defenses: Disable Windows Event Logging, Disable or Modify Cloud Firewall, Disable or Modify Cloud Logs, Disable or Modify Linux Audit System, Disable or Modify System Firewall, Disable or Modify Tools, Downgrade Attack, Impair Command History Logging, Indicator Blocking, Safe Mode Boot, Spoof Security Alerting
  Impersonation
  Indicator Removal: Clear Command History, Clear Linux or Mac System Logs, Clear Mailbox Data, Clear Network Connection History and Configurations, Clear Persistence, Clear Windows Event Logs, File Deletion, Network Share Connection Removal, Timestomp
  Indirect Command Execution
  Masquerading: Break Process Trees, Double File Extension, Invalid Code Signature, Masquerade File Type, Masquerade Task or Service, Match Legitimate Name or Location, Rename System Utilities, Right-to-Left Override, Space after Filename
  Modify Authentication Process: Conditional Access Policies, Domain Controller Authentication, Hybrid Identity, Multi-Factor Authentication, Network Device Authentication, Network Provider DLL, Password Filter DLL, Pluggable Authentication Modules, Reversible Encryption
  Modify Cloud Compute Infrastructure: Create Cloud Instance, Create Snapshot, Delete Cloud Instance, Modify Cloud Compute Configurations, Revert Cloud Instance
  Modify Registry
  Modify System Image: Downgrade System Image, Patch System Image
  Network Boundary Bridging: Network Address Translation Traversal
  Obfuscated Files or Information: Binary Padding, Command Obfuscation, Compile After Delivery, Dynamic API Resolution, Embedded Payloads, Encrypted/Encoded File, Fileless Storage, HTML Smuggling, Indicator Removal from Tools, LNK Icon Smuggling, Software Packing, Steganography, Stripped Payloads
  Plist File Modification
  Pre-OS Boot: Bootkit, Component Firmware, ROMMONkit, System Firmware, TFTP Boot
  Process Injection: Asynchronous Procedure Call, Dynamic-link Library Injection, Extra Window Memory Injection, ListPlanting, Portable Executable Injection, Proc Memory, Process Doppelgänging, Process Hollowing, Ptrace System Calls, Thread Execution Hijacking, Thread Local Storage, VDSO Hijacking
  Reflective Code Loading
  Rogue Domain Controller
  Rootkit
  Subvert Trust Controls: Code Signing, Code Signing Policy Modification, Gatekeeper Bypass, Install Root Certificate, Mark-of-the-Web Bypass, SIP and Trust Provider Hijacking
  System Binary Proxy Execution: CMSTP, Compiled HTML File, Control Panel, Electron Applications, InstallUtil, MMC, Mavinject, Mshta, Msiexec, Odbcconf, Regsvcs/Regasm, Regsvr32, Rundll32, Verclsid
  System Script Proxy Execution: PubPrn, SyncAppvPublishingServer
  Template Injection
  Traffic Signaling: Port Knocking, Socket Filters
  Trusted Developer Utilities Proxy Execution: MSBuild
  Unused/Unsupported Cloud Regions
  Use Alternate Authentication Material: Application Access Token, Pass the Hash, Pass the Ticket, Web Session Cookie
  Valid Accounts: Cloud Accounts, Default Accounts, Domain Accounts, Local Accounts
  Virtualization/Sandbox Evasion: System Checks, Time Based Evasion, User Activity Based Checks
  Weaken Encryption: Disable Crypto Hardware, Reduce Key Space
  XSL Script Processing

Credential Access
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing, LLMNR/NBT-NS Poisoning and SMB Relay
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Credentials from Password Stores: Cloud Secrets Management Stores, Credentials from Web Browsers, Keychain, Password Managers, Securityd Memory, Windows Credential Manager
  Exploitation for Credential Access
  Forced Authentication
  Forge Web Credentials: SAML Tokens, Web Cookies
  Input Capture: Credential API Hooking, GUI Input Capture, Keylogging, Web Portal Capture
  Modify Authentication Process: Conditional Access Policies, Domain Controller Authentication, Hybrid Identity, Multi-Factor Authentication, Network Device Authentication, Network Provider DLL, Password Filter DLL, Pluggable Authentication Modules, Reversible Encryption
  Multi-Factor Authentication Interception
  Multi-Factor Authentication Request Generation
  Network Sniffing
  OS Credential Dumping: /etc/passwd and /etc/shadow, Cached Domain Credentials, DCSync, LSA Secrets, LSASS Memory, NTDS, Proc Filesystem, Security Account Manager
  Steal Application Access Token
  Steal Web Session Cookie
  Steal or Forge Authentication Certificates
  Steal or Forge Kerberos Tickets: AS-REP Roasting, Golden Ticket, Kerberoasting, Silver Ticket
  Unsecured Credentials: Bash History, Chat Messages, Cloud Instance Metadata API, Container API, Credentials In Files, Credentials in Registry, Group Policy Preferences, Private Keys

Discovery
  Account Discovery: Cloud Account, Domain Account, Email Account, Local Account
  Application Window Discovery
  Browser Information Discovery
  Cloud Infrastructure Discovery
  Cloud Service Dashboard
  Cloud Service Discovery
  Cloud Storage Object Discovery
  Container and Resource Discovery
  Debugger Evasion
  Device Driver Discovery
  Domain Trust Discovery
  File and Directory Discovery
  Group Policy Discovery
  Log Enumeration
  Network Service Discovery
  Network Share Discovery
  Network Sniffing
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery: Cloud Groups, Domain Groups, Local Groups
  Process Discovery
  Query Registry
  Remote System Discovery
  Software Discovery: Security Software Discovery
  System Information Discovery
  System Location Discovery: System Language Discovery
  System Network Configuration Discovery: Internet Connection Discovery, Wi-Fi Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery
  Virtualization/Sandbox Evasion: System Checks, Time Based Evasion, User Activity Based Checks

Lateral Movement
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Remote Service Session Hijacking: RDP Hijacking, SSH Hijacking
  Remote Services: Cloud Services, Direct Cloud VM Connections, Distributed Component Object Model, Remote Desktop Protocol, SMB/Windows Admin Shares, SSH, VNC, Windows Remote Management
  Replication Through Removable Media
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material: Application Access Token, Pass the Hash, Pass the Ticket, Web Session Cookie

Collection
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing, LLMNR/NBT-NS Poisoning and SMB Relay
  Archive Collected Data: Archive via Custom Method, Archive via Library, Archive via Utility
  Audio Capture
  Automated Collection
  Browser Session Hijacking
  Clipboard Data
  Data Staged: Local Data Staging, Remote Data Staging
  Data from Cloud Storage
  Data from Configuration Repository: Network Device Configuration Dump, SNMP (MIB Dump)
  Data from Information Repositories: Code Repositories, Confluence, Sharepoint
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection: Email Forwarding Rule, Local Email Collection, Remote Email Collection
  Input Capture: Credential API Hooking, GUI Input Capture, Keylogging, Web Portal Capture
  Screen Capture
  Video Capture

Command and Control
  Application Layer Protocol: DNS, File Transfer Protocols, Mail Protocols, Web Protocols
  Communication Through Removable Media
  Content Injection
  Data Encoding: Non-Standard Encoding, Standard Encoding
  Data Obfuscation: Junk Data, Protocol Impersonation, Steganography
  Dynamic Resolution: DNS Calculation, Domain Generation Algorithms, Fast Flux DNS
  Encrypted Channel: Asymmetric Cryptography, Symmetric Cryptography
  Fallback Channels
  Hide Infrastructure
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy: Domain Fronting, External Proxy, Internal Proxy, Multi-hop Proxy
  Remote Access Software
  Traffic Signaling: Port Knocking, Socket Filters
  Web Service: Bidirectional Communication, Dead Drop Resolver, One-Way Communication

Exfiltration
  Automated Exfiltration: Traffic Duplication
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  Exfiltration Over Physical Medium: Exfiltration over USB
  Exfiltration Over Web Service: Exfiltration Over Webhook, Exfiltration to Cloud Storage, Exfiltration to Code Repository, Exfiltration to Text Storage Sites
  Scheduled Transfer
  Transfer Data to Cloud Account

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation: Runtime Data Manipulation, Stored Data Manipulation, Transmitted Data Manipulation
  Defacement: External Defacement, Internal Defacement
  Disk Wipe: Disk Content Wipe, Disk Structure Wipe
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, OS Exhaustion Flood, Service Exhaustion Flood
  Financial Theft
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service: Direct Network Flood, Reflection Amplification
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot
Reconnaissance Resource Development
Scanning IP Blocks Acquire Access
Active Scanning Vulnerability Scanning Botnet
Wordlist Scanning DNS Server
Client Configurations Domains
Gather Victim Host Firmware Malvertising
Acquire Infrastructure
Information Hardware Server
Software Serverless
Credentials Virtual Private Server
Gather Victim Identity
Information Email Addresses Web Services
Employee Names Cloud Accounts
DNS Compromise Accounts Email Accounts
Domain Properties Social Media Accounts
Gather Victim Network IP Addresses Botnet
Information Network Security Appliances DNS Server
Network Topology Domains
Network Trust Dependencies Compromise Network Devices
Business Relationships Infrastructure Server
Gather Victim Org Determine Physical Locations Serverless
Information Identify Business Tempo Virtual Private Server
Identify Roles Web Services
Spearphishing Attachment Code Signing Certificates
Spearphishing Link Digital Certificates
Phishing for Information Develop Capabilities
Spearphishing Service Exploits
Spearphishing Voice Malware
Purchase Technical Data Cloud Accounts
Search Closed Sources
Threat Intel Vendors Establish Accounts Email Accounts
CDNs Social Media Accounts
DNS/Passive DNS Artificial Intelligence
Search Open Technical
Databases Digital Certificates Code Signing Certificates
Scan Databases Digital Certificates
WHOIS Obtain Capabilities Exploits
Code Repositories Malware
Search Open
Websites/Domains Search Engines Tool
Social Media Vulnerabilities
Search Victim-Owned Websites Drive-by Target
Install Digital Certificate
Link Target
Stage Capabilities
SEO Poisoning
Upload Malware
Upload Tool
Initial Access Execution
Content Injection AutoHotKey & AutoIT
Drive-by Compromise JavaScript
Exploit Public-Facing Application Command and Scripting PowerShell
External Remote Services Interpreter Python
Hardware Additions Visual Basic
Spearphishing Attachment Windows Command Shell
Spearphishing Link Exploitation for Client Execution
Phishing
Spearphishing Voice Inter-Process Component Object Model
Spearphishing via Service Communication Dynamic Data Exchange
Replication Through Removable Media Native API
Compromise Hardware Supply Chain At
Supply Chain Scheduled Task/Job
Compromise Compromise Software Dependencies and Development Tools Scheduled Task
Compromise Software Supply Chain Shared Modules
Trusted Relationship Software Deployment Tools
Default Accounts System Services Service Execution
Valid Accounts Domain Accounts Malicious File
User Execution
Local Accounts Malicious Link
Windows Management Instrumentation
Persistence Privilege Escalation
Additional Email Delegate Permissions Abuse Elevation Control Mechanism Bypass User Account Control
Account Manipulation
Device Registration Create Process with Token
BITS Jobs Make and Impersonate Token
Access Token
Active Setup Manipulation Parent PID Spoofing
Authentication Package SID-History Injection
LSASS Driver Token Impersonation/Theft
Port Monitors Additional Email Delegate Permissions
Account Manipulation
Boot or Logon Autostart Print Processors Device Registration
Execution Registry Run Keys / Startup Folder Active Setup
Security Support Provider Authentication Package
Shortcut Modification LSASS Driver
Time Providers Port Monitors
Winlogon Helper DLL Boot or Logon Autostart Print Processors
Boot or Logon Logon Script (Windows) Execution Registry Run Keys / Startup Folder
Initialization Scripts Network Logon Script Security Support Provider
Browser Extensions Shortcut Modification
Compromise Host Software Binary Time Providers
Domain Account Winlogon Helper DLL
Create Account
Local Account Boot or Logon Logon Script (Windows)
Create or Modify System Process Windows Service Initialization Scripts Network Logon Script
Accessibility Features Create or Modify System Process Windows Service
AppCert DLLs Domain or Tenant Policy Group Policy Modification
AppInit DLLs Modification Trust Modification
Application Shimming Escape to Host
Change Default File Association Accessibility Features
Event Triggered Component Object Model Hijacking AppCert DLLs
Execution Image File Execution Options Injection AppInit DLLs
Installer Packages Application Shimming
Netsh Helper DLL Change Default File Association
PowerShell Profile Event Triggered Component Object Model Hijacking
Screensaver Execution Image File Execution Options Injection

Windows Management Instrumentation Event Subscription Installer Packages


External Remote Services Netsh Helper DLL
AppDomainManager PowerShell Profile
COR_PROFILER Screensaver
DLL Search Order Hijacking Windows Management Instrumentation Event Subscription

DLL Side-Loading Exploitation for Privilege Escalation


Executable Installer File Permissions Weakness AppDomainManager
Hijack Execution Flow KernelCallbackTable COR_PROFILER
Path Interception by PATH Environment Variable DLL Search Order Hijacking
Path Interception by Search Order Hijacking DLL Side-Loading
Path Interception by Unquoted Path Executable Installer File Permissions Weakness

Services File Permissions Weakness Hijack Execution Flow KernelCallbackTable


Services Registry Permissions Weakness Path Interception by PATH Environment Variable
Hijack Execution Flow

Domain Controller Authentication Path Interception by Search Order Hijacking

Hybrid Identity Path Interception by Unquoted Path


Modify Authentication Multi-Factor Authentication Services File Permissions Weakness
Process Network Provider DLL Services Registry Permissions Weakness

Password Filter DLL Asynchronous Procedure Call


Reversible Encryption Dynamic-link Library Injection
Add-ins Extra Window Memory Injection
Office Template Macros ListPlanting
Office Application Office Test Process Injection Portable Executable Injection
Startup Outlook Forms Process Doppelgänging
Outlook Home Page Process Hollowing
Outlook Rules Thread Execution Hijacking
Power Settings Thread Local Storage
Bootkit At
Scheduled Task/Job
Pre-OS Boot Component Firmware Scheduled Task
System Firmware Default Accounts
At Valid Accounts Domain Accounts
Scheduled Task/Job
Scheduled Task Local Accounts
IIS Components
SQL Stored Procedures
Server Software
Component Terminal Services DLL
Transport Agent
Web Shell
Port Knocking
Traffic Signaling
Socket Filters
Default Accounts
Valid Accounts Domain Accounts
Local Accounts
Defense Evasion Credential Access
Abuse Elevation Control Mechanism Bypass User Account Control ARP Cache Poisoning
Create Process with Token Adversary-in-the-Middle DHCP Spoofing
Make and Impersonate Token LLMNR/NBT-NS Poisoning and SMB Relay
Access Token
Manipulation Parent PID Spoofing Credential Stuffing
SID-History Injection Password Cracking
Brute Force
Token Impersonation/Theft Password Guessing
BITS Jobs Password Spraying
Debugger Evasion Credentials from Web Browsers
Credentials from
Deobfuscate/Decode Files or Information
Password Stores Password Managers
Direct Volume Access Windows Credential Manager
Domain or Tenant Policy Group Policy Modification Exploitation for Credential Access
Modification Trust Modification Forced Authentication
Execution Guardrails Environmental Keying SAML Tokens
Forge Web Credentials
Exploitation for Defense Evasion Web Cookies
File and Directory Permissions Modification Windows File and Directory Permissions Modification Credential API Hooking
Email Hiding Rules GUI Input Capture
Input Capture
File/Path Exclusions Keylogging
Hidden File System Web Portal Capture
Hidden Files and Directories Domain Controller Authentication
Hidden Users Hybrid Identity
Hide Artifacts Hidden Window Modify Authentication Multi-Factor Authentication
Ignore Process Interrupts Process Network Provider DLL
NTFS File Attributes Password Filter DLL
Process Argument Spoofing Reversible Encryption
Run Virtual Instance Multi-Factor Authentication Interception

VBA Stomping Multi-Factor Authentication Request Generation

AppDomainManager Network Sniffing


COR_PROFILER Cached Domain Credentials
DLL Search Order Hijacking DCSync
DLL Side-Loading LSA Secrets
OS Credential Dumping
Executable Installer File Permissions Weakness LSASS Memory
Hijack Execution Flow KernelCallbackTable NTDS
Path Interception by PATH Environment Variable Security Account Manager
Path Interception by Search Order Hijacking Steal Web Session Cookie
Path Interception by Unquoted Path Steal or Forge Authentication Certificates
Services File Permissions Weakness AS-REP Roasting
Services Registry Permissions Weakness Steal or Forge Kerberos Golden Ticket

Disable Windows Event Logging Tickets Kerberoasting


Disable or Modify System Firewall Silver Ticket
Disable or Modify Tools Credentials In Files
Downgrade Attack Credentials in Registry
Impair Defenses Unsecured Credentials
Impair Command History Logging Group Policy Preferences
Indicator Blocking Private Keys
Safe Mode Boot
Impair Defenses

Spoof Security Alerting


Impersonation
Clear Command History
Clear Mailbox Data
Clear Network Connection History and Configurations

Clear Persistence
Indicator Removal
Clear Windows Event Logs
File Deletion
Network Share Connection Removal
Timestomp
Indirect Command Execution
Double File Extension
Invalid Code Signature
Masquerade File Type
Masquerading Masquerade Task or Service
Match Legitimate Name or Location
Rename System Utilities
Right-to-Left Override
Domain Controller Authentication
Hybrid Identity
Modify Authentication Multi-Factor Authentication
Process Network Provider DLL
Password Filter DLL
Reversible Encryption
Modify Registry
Binary Padding
Command Obfuscation
Compile After Delivery
Dynamic API Resolution
Embedded Payloads
Encrypted/Encoded File
Obfuscated Files or
Information Fileless Storage
HTML Smuggling
Indicator Removal from Tools
LNK Icon Smuggling
Software Packing
Steganography
Stripped Payloads
Bootkit
Pre-OS Boot Component Firmware
System Firmware
Asynchronous Procedure Call
Dynamic-link Library Injection
Extra Window Memory Injection
ListPlanting
Process Injection
Process Injection Portable Executable Injection
Process Doppelgänging
Process Hollowing
Thread Execution Hijacking
Thread Local Storage
Reflective Code Loading
Rogue Domain Controller
Rootkit
Code Signing
Code Signing Policy Modification
Subvert Trust Controls Install Root Certificate
Mark-of-the-Web Bypass
SIP and Trust Provider Hijacking
CMSTP
Compiled HTML File
Control Panel
Electron Applications
InstallUtil
MMC
System Binary Proxy Mavinject
Execution Mshta
Msiexec
Odbcconf
Regsvcs/Regasm
Regsvr32
Rundll32
Verclsid
System Script Proxy PubPrn
Execution SyncAppvPublishingServer
Template Injection
Port Knocking
Traffic Signaling
Socket Filters
Trusted Developer Utilities Proxy Execution MSBuild

Use Alternate Pass the Hash


Authentication Material Pass the Ticket
Default Accounts
Valid Accounts Domain Accounts
Local Accounts
System Checks
Virtualization/Sandbox
Evasion Time Based Evasion
User Activity Based Checks
XSL Script Processing
Discovery Lateral Movement
Domain Account Exploitation of Remote Services
Account Discovery Email Account Internal Spearphishing
Local Account Lateral Tool Transfer
Application Window Discovery Remote Service Session Hijacking RDP Hijacking
Browser Information Discovery Distributed Component Object Model
Debugger Evasion Remote Desktop Protocol
Device Driver Discovery Remote Services SMB/Windows Admin Shares
Domain Trust Discovery VNC
File and Directory Discovery Windows Remote Management
Group Policy Discovery Replication Through Removable Media
Log Enumeration Software Deployment Tools
Network Service Discovery Taint Shared Content
Network Share Discovery Use Alternate Pass the Hash
Network Sniffing Authentication Material Pass the Ticket
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Domain Groups
Discovery Local Groups
Process Discovery
Query Registry
Remote System Discovery
Software Discovery Security Software Discovery
System Information Discovery
System Location Discovery System Language Discovery
System Network Internet Connection Discovery
Configuration Discovery Wi-Fi Discovery
System Network Connections Discovery

System Owner/User Discovery


System Service Discovery
System Time Discovery
System Checks
Virtualization/Sandbox
Evasion Time Based Evasion
User Activity Based Checks

Collection
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing, LLMNR/NBT-NS Poisoning and SMB Relay
  Archive Collected Data: Archive via Custom Method, Archive via Library, Archive via Utility
  Audio Capture
  Automated Collection
  Browser Session Hijacking
  Clipboard Data
  Data Staged: Local Data Staging, Remote Data Staging
  Data from Information Repositories: Sharepoint
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection: Email Forwarding Rule, Local Email Collection, Remote Email Collection
  Input Capture: Credential API Hooking, GUI Input Capture, Keylogging, Web Portal Capture
  Screen Capture
  Video Capture

Command and Control
  Application Layer Protocol: DNS, File Transfer Protocols, Mail Protocols, Web Protocols
  Communication Through Removable Media
  Content Injection
  Data Encoding: Non-Standard Encoding, Standard Encoding
  Data Obfuscation: Junk Data, Protocol Impersonation, Steganography
  Dynamic Resolution: DNS Calculation, Domain Generation Algorithms, Fast Flux DNS
  Encrypted Channel: Asymmetric Cryptography, Symmetric Cryptography
  Fallback Channels
  Hide Infrastructure
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy: Domain Fronting, External Proxy, Internal Proxy, Multi-hop Proxy
  Remote Access Software
  Traffic Signaling: Port Knocking, Socket Filters
  Web Service: Bidirectional Communication, Dead Drop Resolver, One-Way Communication

Exfiltration
  Automated Exfiltration
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  Exfiltration Over Physical Medium: Exfiltration over USB
  Exfiltration Over Web Service: Exfiltration Over Webhook, Exfiltration to Cloud Storage, Exfiltration to Code Repository, Exfiltration to Text Storage Sites
  Scheduled Transfer

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation: Runtime Data Manipulation, Stored Data Manipulation, Transmitted Data Manipulation
  Defacement: External Defacement, Internal Defacement
  Disk Wipe: Disk Content Wipe, Disk Structure Wipe
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, OS Exhaustion Flood, Service Exhaustion Flood
  Financial Theft
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service: Direct Network Flood, Reflection Amplification
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot

Initial Access
  Content Injection
  Drive-by Compromise
  Exploit Public-Facing Application
  External Remote Services
  Hardware Additions
  Phishing: Spearphishing Attachment, Spearphishing Link, Spearphishing Voice, Spearphishing via Service
  Supply Chain Compromise: Compromise Hardware Supply Chain, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
  Trusted Relationship
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts

Execution
  Command and Scripting Interpreter: AppleScript, JavaScript, Python, Unix Shell, Visual Basic
  Exploitation for Client Execution
  Inter-Process Communication: XPC Services
  Native API
  Scheduled Task/Job: At, Cron
  Shared Modules
  Software Deployment Tools
  System Services: Launchctl
  User Execution: Malicious File, Malicious Link

Persistence
  Account Manipulation: SSH Authorized Keys
  Boot or Logon Autostart Execution: Kernel Modules and Extensions, Login Items, Re-opened Applications
  Boot or Logon Initialization Scripts: Login Hook, RC Scripts, Startup Items
  Browser Extensions
  Compromise Host Software Binary
  Create Account: Domain Account, Local Account
  Create or Modify System Process: Launch Agent, Launch Daemon
  Event Triggered Execution: Emond, Installer Packages, LC_LOAD_DYLIB Addition, Trap, Unix Shell Configuration Modification
  External Remote Services
  Hijack Execution Flow: Dylib Hijacking, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable
  Modify Authentication Process: Multi-Factor Authentication, Pluggable Authentication Modules
  Power Settings
  Pre-OS Boot: Component Firmware
  Scheduled Task/Job: At, Cron
  Server Software Component: Web Shell
  Traffic Signaling: Port Knocking, Socket Filters
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Elevated Execution with Prompt, Setuid and Setgid, Sudo and Sudo Caching, TCC Manipulation
  Account Manipulation: SSH Authorized Keys
  Boot or Logon Autostart Execution: Kernel Modules and Extensions, Login Items, Re-opened Applications
  Boot or Logon Initialization Scripts: Login Hook, RC Scripts, Startup Items
  Create or Modify System Process: Launch Agent, Launch Daemon
  Event Triggered Execution: Emond, Installer Packages, LC_LOAD_DYLIB Addition, Trap, Unix Shell Configuration Modification
  Exploitation for Privilege Escalation
  Hijack Execution Flow: Dylib Hijacking, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable
  Process Injection
  Scheduled Task/Job: At, Cron
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Elevated Execution with Prompt, Setuid and Setgid, Sudo and Sudo Caching, TCC Manipulation
  Debugger Evasion
  Deobfuscate/Decode Files or Information
  Execution Guardrails: Environmental Keying
  Exploitation for Defense Evasion
  File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  Hide Artifacts: Email Hiding Rules, File/Path Exclusions, Hidden File System, Hidden Files and Directories, Hidden Users, Hidden Window, Ignore Process Interrupts, Resource Forking, Run Virtual Instance, VBA Stomping
  Hijack Execution Flow: Dylib Hijacking, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable
  Impair Defenses: Disable or Modify System Firewall, Disable or Modify Tools, Downgrade Attack, Impair Command History Logging, Indicator Blocking, Spoof Security Alerting
  Impersonation
  Indicator Removal: Clear Command History, Clear Linux or Mac System Logs, Clear Mailbox Data, Clear Network Connection History and Configurations, Clear Persistence, File Deletion, Timestomp
  Masquerading: Break Process Trees, Invalid Code Signature, Masquerade File Type, Masquerade Task or Service, Match Legitimate Name or Location, Rename System Utilities, Right-to-Left Override, Space after Filename
  Modify Authentication Process: Multi-Factor Authentication, Pluggable Authentication Modules
  Obfuscated Files or Information: Binary Padding, Command Obfuscation, Compile After Delivery, Embedded Payloads, Encrypted/Encoded File, HTML Smuggling, Indicator Removal from Tools, Software Packing, Steganography, Stripped Payloads
  Plist File Modification
  Pre-OS Boot: Component Firmware
  Process Injection
  Reflective Code Loading
  Rootkit
  Subvert Trust Controls: Code Signing, Code Signing Policy Modification, Gatekeeper Bypass, Install Root Certificate
  System Binary Proxy Execution: Electron Applications
  Traffic Signaling: Port Knocking, Socket Filters
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts
  Virtualization/Sandbox Evasion: System Checks, Time Based Evasion, User Activity Based Checks

Credential Access
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Credentials from Password Stores: Credentials from Web Browsers, Keychain, Password Managers, Securityd Memory
  Exploitation for Credential Access
  Forge Web Credentials: Web Cookies
  Input Capture: GUI Input Capture, Keylogging, Web Portal Capture
  Modify Authentication Process: Multi-Factor Authentication, Pluggable Authentication Modules
  Multi-Factor Authentication Interception
  Multi-Factor Authentication Request Generation
  Network Sniffing
  OS Credential Dumping
  Steal Web Session Cookie
  Steal or Forge Authentication Certificates
  Steal or Forge Kerberos Tickets
  Unsecured Credentials: Bash History, Credentials In Files, Private Keys

Discovery
  Account Discovery: Domain Account, Local Account
  Application Window Discovery
  Browser Information Discovery
  Debugger Evasion
  Device Driver Discovery
  File and Directory Discovery
  Log Enumeration
  Network Service Discovery
  Network Share Discovery
  Network Sniffing
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery: Domain Groups, Local Groups
  Process Discovery
  Remote System Discovery
  Software Discovery: Security Software Discovery
  System Information Discovery
  System Location Discovery: System Language Discovery
  System Network Configuration Discovery: Internet Connection Discovery, Wi-Fi Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery
  Virtualization/Sandbox Evasion: System Checks, Time Based Evasion, User Activity Based Checks

Lateral Movement
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Remote Service Session Hijacking: SSH Hijacking
  Remote Services: SSH, VNC
  Software Deployment Tools
  Taint Shared Content

Collection
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing
  Archive Collected Data: Archive via Custom Method, Archive via Library, Archive via Utility
  Audio Capture
  Automated Collection
  Clipboard Data
  Data Staged: Local Data Staging, Remote Data Staging
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection: Email Forwarding Rule
  Input Capture: GUI Input Capture, Keylogging, Web Portal Capture
  Screen Capture
  Video Capture

Command and Control
  Application Layer Protocol: DNS, File Transfer Protocols, Mail Protocols, Web Protocols
  Communication Through Removable Media
  Content Injection
  Data Encoding: Non-Standard Encoding, Standard Encoding
  Data Obfuscation: Junk Data, Protocol Impersonation, Steganography
  Dynamic Resolution: DNS Calculation, Domain Generation Algorithms, Fast Flux DNS
  Encrypted Channel: Asymmetric Cryptography, Symmetric Cryptography
  Fallback Channels
  Hide Infrastructure
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy: Domain Fronting, External Proxy, Internal Proxy, Multi-hop Proxy
  Remote Access Software
  Traffic Signaling: Port Knocking, Socket Filters
  Web Service: Bidirectional Communication, Dead Drop Resolver, One-Way Communication

Exfiltration
  Automated Exfiltration
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  Exfiltration Over Physical Medium: Exfiltration over USB
  Exfiltration Over Web Service: Exfiltration Over Webhook, Exfiltration to Cloud Storage, Exfiltration to Code Repository, Exfiltration to Text Storage Sites
  Scheduled Transfer

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation: Runtime Data Manipulation, Stored Data Manipulation, Transmitted Data Manipulation
  Defacement: External Defacement, Internal Defacement
  Disk Wipe: Disk Content Wipe, Disk Structure Wipe
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, OS Exhaustion Flood, Service Exhaustion Flood
  Financial Theft
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service: Direct Network Flood, Reflection Amplification
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot

Initial Access
  Content Injection
  Drive-by Compromise
  Exploit Public-Facing Application
  External Remote Services
  Hardware Additions
  Phishing: Spearphishing Attachment, Spearphishing Link, Spearphishing Voice, Spearphishing via Service
  Supply Chain Compromise: Compromise Hardware Supply Chain, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
  Trusted Relationship
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts

Execution
  Command and Scripting Interpreter: JavaScript, Python, Unix Shell, Visual Basic
  Exploitation for Client Execution
  Inter-Process Communication
  Native API
  Scheduled Task/Job: At, Cron, Systemd Timers
  Shared Modules
  Software Deployment Tools
  System Services
  User Execution: Malicious File, Malicious Link

Persistence
  Account Manipulation: SSH Authorized Keys
  Boot or Logon Autostart Execution: Kernel Modules and Extensions, XDG Autostart Entries
  Boot or Logon Initialization Scripts: RC Scripts
  Browser Extensions
  Compromise Host Software Binary
  Create Account: Domain Account, Local Account
  Create or Modify System Process: Systemd Service
  Event Triggered Execution: Installer Packages, Trap, Unix Shell Configuration Modification
  External Remote Services
  Hijack Execution Flow: Dynamic Linker Hijacking, Path Interception by PATH Environment Variable
  Modify Authentication Process: Multi-Factor Authentication, Pluggable Authentication Modules
  Power Settings
  Pre-OS Boot: Bootkit, Component Firmware
  Scheduled Task/Job: At, Cron, Systemd Timers
  Server Software Component: SQL Stored Procedures, Transport Agent, Web Shell
  Traffic Signaling: Port Knocking, Socket Filters
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Setuid and Setgid, Sudo and Sudo Caching
  Account Manipulation: SSH Authorized Keys
  Boot or Logon Autostart Execution: Kernel Modules and Extensions, XDG Autostart Entries
  Boot or Logon Initialization Scripts: RC Scripts
  Create or Modify System Process: Systemd Service
  Escape to Host
  Event Triggered Execution: Installer Packages, Trap, Unix Shell Configuration Modification
  Exploitation for Privilege Escalation
  Hijack Execution Flow: Dynamic Linker Hijacking, Path Interception by PATH Environment Variable
  Process Injection: Proc Memory, Ptrace System Calls, VDSO Hijacking
  Scheduled Task/Job: At, Cron, Systemd Timers
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Setuid and Setgid, Sudo and Sudo Caching
  Debugger Evasion
  Deobfuscate/Decode Files or Information
  Execution Guardrails: Environmental Keying
  Exploitation for Defense Evasion
  File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
  Hide Artifacts: Email Hiding Rules, File/Path Exclusions, Hidden File System, Hidden Files and Directories, Hidden Users, Hidden Window, Ignore Process Interrupts, Run Virtual Instance, VBA Stomping
  Hijack Execution Flow: Dynamic Linker Hijacking, Path Interception by PATH Environment Variable
  Impair Defenses: Disable or Modify Linux Audit System, Disable or Modify System Firewall, Disable or Modify Tools, Downgrade Attack, Impair Command History Logging, Indicator Blocking, Spoof Security Alerting
  Impersonation
  Indicator Removal: Clear Command History, Clear Linux or Mac System Logs, Clear Mailbox Data, Clear Network Connection History and Configurations, Clear Persistence, File Deletion, Timestomp
  Masquerading: Break Process Trees, Masquerade File Type, Masquerade Task or Service, Match Legitimate Name or Location, Rename System Utilities, Right-to-Left Override, Space after Filename
  Modify Authentication Process: Multi-Factor Authentication, Pluggable Authentication Modules
  Obfuscated Files or Information: Binary Padding, Command Obfuscation, Compile After Delivery, Embedded Payloads, Encrypted/Encoded File, HTML Smuggling, Indicator Removal from Tools, Software Packing, Steganography, Stripped Payloads
  Pre-OS Boot: Bootkit, Component Firmware
  Process Injection: Proc Memory, Ptrace System Calls, VDSO Hijacking
  Reflective Code Loading
  Rootkit
  Subvert Trust Controls: Install Root Certificate
  System Binary Proxy Execution: Electron Applications
  Traffic Signaling: Port Knocking, Socket Filters
  Valid Accounts: Default Accounts, Domain Accounts, Local Accounts
  Virtualization/Sandbox Evasion: System Checks, Time Based Evasion, User Activity Based Checks

Credential Access
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Credentials from Password Stores: Credentials from Web Browsers, Password Managers, Securityd Memory
  Exploitation for Credential Access
  Forge Web Credentials: Web Cookies
  Input Capture: GUI Input Capture, Keylogging, Web Portal Capture
  Modify Authentication Process: Multi-Factor Authentication, Pluggable Authentication Modules
  Multi-Factor Authentication Interception
  Multi-Factor Authentication Request Generation
  Network Sniffing
  OS Credential Dumping: /etc/passwd and /etc/shadow, Cached Domain Credentials, Proc Filesystem
  Steal Web Session Cookie
  Steal or Forge Authentication Certificates
  Steal or Forge Kerberos Tickets
  Unsecured Credentials: Bash History, Credentials In Files, Private Keys

Discovery
  Account Discovery: Domain Account, Local Account
  Application Window Discovery
  Browser Information Discovery
  Debugger Evasion
  Device Driver Discovery
  File and Directory Discovery
  Log Enumeration
  Network Service Discovery
  Network Share Discovery
  Network Sniffing
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery: Domain Groups, Local Groups
  Process Discovery
  Remote System Discovery
  Software Discovery: Security Software Discovery
  System Information Discovery
  System Location Discovery: System Language Discovery
  System Network Configuration Discovery: Internet Connection Discovery, Wi-Fi Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery
  Virtualization/Sandbox Evasion: System Checks, Time Based Evasion, User Activity Based Checks

Lateral Movement
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Remote Service Session Hijacking: SSH Hijacking
  Remote Services: SSH, VNC
  Software Deployment Tools
  Taint Shared Content

Collection
  Adversary-in-the-Middle: ARP Cache Poisoning, DHCP Spoofing
  Archive Collected Data: Archive via Custom Method, Archive via Library, Archive via Utility
  Audio Capture
  Automated Collection
  Clipboard Data
  Data Staged: Local Data Staging, Remote Data Staging
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection: Email Forwarding Rule
  Input Capture: GUI Input Capture, Keylogging, Web Portal Capture
  Screen Capture
  Video Capture

Command and Control
  Application Layer Protocol: DNS, File Transfer Protocols, Mail Protocols, Web Protocols
  Communication Through Removable Media
  Content Injection
  Data Encoding: Non-Standard Encoding, Standard Encoding
  Data Obfuscation: Junk Data, Protocol Impersonation, Steganography
  Dynamic Resolution: DNS Calculation, Domain Generation Algorithms, Fast Flux DNS
  Encrypted Channel: Asymmetric Cryptography, Symmetric Cryptography
  Fallback Channels
  Hide Infrastructure
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy: Domain Fronting, External Proxy, Internal Proxy, Multi-hop Proxy
  Remote Access Software
  Traffic Signaling: Port Knocking, Socket Filters
  Web Service: Bidirectional Communication, Dead Drop Resolver, One-Way Communication

Exfiltration
  Automated Exfiltration
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
  Exfiltration Over Physical Medium: Exfiltration over USB
  Exfiltration Over Web Service: Exfiltration Over Webhook, Exfiltration to Cloud Storage, Exfiltration to Code Repository, Exfiltration to Text Storage Sites
  Scheduled Transfer

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation: Runtime Data Manipulation, Stored Data Manipulation, Transmitted Data Manipulation
  Defacement: External Defacement, Internal Defacement
  Disk Wipe: Disk Content Wipe, Disk Structure Wipe
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, OS Exhaustion Flood, Service Exhaustion Flood
  Financial Theft
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service: Direct Network Flood, Reflection Amplification
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot

Initial Access
  Drive-by Compromise
  Exploit Public-Facing Application
  Phishing: Spearphishing Link, Spearphishing Voice
  Trusted Relationship
  Valid Accounts: Cloud Accounts, Default Accounts

Execution
  Cloud Administration Command
  Command and Scripting Interpreter: Cloud API
  Serverless Execution
  Software Deployment Tools
  User Execution: Malicious Image

Persistence
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Additional Email Delegate Permissions, Device Registration, SSH Authorized Keys
  Create Account: Cloud Account
  Event Triggered Execution
  Implant Internal Image
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Office Application Startup: Add-ins, Office Template Macros, Office Test, Outlook Forms, Outlook Home Page, Outlook Rules
  Valid Accounts: Cloud Accounts, Default Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Additional Email Delegate Permissions, Device Registration, SSH Authorized Keys
  Domain or Tenant Policy Modification: Trust Modification
  Event Triggered Execution
  Valid Accounts: Cloud Accounts, Default Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Domain or Tenant Policy Modification: Trust Modification
  Exploitation for Defense Evasion
  Hide Artifacts: Email Hiding Rules
  Impair Defenses: Disable or Modify Cloud Firewall, Disable or Modify Cloud Logs, Disable or Modify Tools
  Impersonation
  Indicator Removal: Clear Mailbox Data
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Modify Cloud Compute Infrastructure: Create Cloud Instance, Create Snapshot, Delete Cloud Instance, Modify Cloud Compute Configurations, Revert Cloud Instance
  Unused/Unsupported Cloud Regions
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie
  Valid Accounts: Cloud Accounts, Default Accounts

Credential Access
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Credentials from Password Stores: Cloud Secrets Management Stores
  Exploitation for Credential Access
  Forge Web Credentials: SAML Tokens, Web Cookies
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Multi-Factor Authentication Request Generation
  Network Sniffing
  Steal Application Access Token
  Steal Web Session Cookie
  Steal or Forge Authentication Certificates
  Unsecured Credentials: Chat Messages, Cloud Instance Metadata API, Credentials In Files

Discovery
  Account Discovery: Cloud Account, Email Account
  Cloud Infrastructure Discovery
  Cloud Service Dashboard
  Cloud Service Discovery
  Cloud Storage Object Discovery
  Log Enumeration
  Network Service Discovery
  Network Sniffing
  Password Policy Discovery
  Permission Groups Discovery: Cloud Groups
  Software Discovery: Security Software Discovery
  System Information Discovery
  System Location Discovery
  System Network Connections Discovery

Lateral Movement
  Internal Spearphishing
  Remote Services: Cloud Services, Direct Cloud VM Connections
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie

Collection
  Automated Collection
  Data Staged: Remote Data Staging
  Data from Cloud Storage
  Data from Information Repositories: Code Repositories, Confluence, Sharepoint
  Email Collection: Email Forwarding Rule, Remote Email Collection

Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over Web Service: Exfiltration Over Webhook
  Transfer Data to Cloud Account

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Defacement: External Defacement
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, Service Exhaustion Flood
  Financial Theft
  Inhibit System Recovery
  Network Denial of Service: Direct Network Flood, Reflection Amplification
  Resource Hijacking

Initial Access
  Phishing: Spearphishing Link, Spearphishing Voice
  Trusted Relationship
  Valid Accounts: Cloud Accounts, Default Accounts

Execution
  Command and Scripting Interpreter: Cloud API
  Serverless Execution

Persistence
  Account Manipulation: Additional Cloud Roles, Additional Email Delegate Permissions
  Create Account: Cloud Account
  Event Triggered Execution
  Modify Authentication Process: Hybrid Identity, Multi-Factor Authentication
  Office Application Startup: Add-ins, Office Template Macros, Office Test, Outlook Forms, Outlook Home Page, Outlook Rules
  Valid Accounts: Cloud Accounts, Default Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Account Manipulation: Additional Cloud Roles, Additional Email Delegate Permissions
  Event Triggered Execution
  Valid Accounts: Cloud Accounts, Default Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Hide Artifacts: Email Hiding Rules
  Impair Defenses: Disable or Modify Cloud Logs
  Impersonation
  Indicator Removal: Clear Mailbox Data
  Modify Authentication Process: Hybrid Identity, Multi-Factor Authentication
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie
  Valid Accounts: Cloud Accounts, Default Accounts

Credential Access
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Forge Web Credentials: SAML Tokens
  Modify Authentication Process: Hybrid Identity, Multi-Factor Authentication
  Multi-Factor Authentication Request Generation
  Steal Application Access Token
  Steal Web Session Cookie
  Unsecured Credentials: Chat Messages

Discovery
  Account Discovery: Cloud Account, Email Account
  Cloud Service Dashboard
  Cloud Service Discovery
  Permission Groups Discovery: Cloud Groups

Lateral Movement
  Internal Spearphishing
  Taint Shared Content
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie

Collection
  Data from Cloud Storage
  Data from Information Repositories: Sharepoint
  Email Collection: Email Forwarding Rule, Remote Email Collection

Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over Web Service: Exfiltration Over Webhook
  Transfer Data to Cloud Account

Impact
  Account Access Removal
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, Service Exhaustion Flood
  Financial Theft
  Network Denial of Service: Direct Network Flood, Reflection Amplification

Initial Access
  Valid Accounts: Cloud Accounts, Default Accounts

Execution
  Command and Scripting Interpreter: Cloud API

Persistence
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Device Registration
  Create Account: Cloud Account
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Valid Accounts: Cloud Accounts, Default Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Device Registration
  Domain or Tenant Policy Modification: Trust Modification
  Valid Accounts: Cloud Accounts, Default Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Domain or Tenant Policy Modification: Trust Modification
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Valid Accounts: Cloud Accounts, Default Accounts

Credential Access
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Exploitation for Credential Access
  Forge Web Credentials: SAML Tokens
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Multi-Factor Authentication Request Generation
  Steal Application Access Token
  Steal or Forge Authentication Certificates
  Unsecured Credentials

Discovery
  Account Discovery: Cloud Account
  Cloud Service Dashboard
  Cloud Service Discovery
  Permission Groups Discovery: Cloud Groups

Impact
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, Service Exhaustion Flood
  Network Denial of Service: Direct Network Flood, Reflection Amplification

Initial Access
  Phishing: Spearphishing Link, Spearphishing Voice
  Valid Accounts: Cloud Accounts, Default Accounts

Execution
  Command and Scripting Interpreter: Cloud API

Persistence
  Account Manipulation: Additional Cloud Roles, Additional Email Delegate Permissions
  Create Account: Cloud Account
  Modify Authentication Process: Hybrid Identity, Multi-Factor Authentication
  Valid Accounts: Cloud Accounts, Default Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Account Manipulation: Additional Cloud Roles, Additional Email Delegate Permissions
  Valid Accounts: Cloud Accounts, Default Accounts

Defense Evasion
  Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
  Impersonation
  Indicator Removal: Clear Mailbox Data
  Modify Authentication Process: Hybrid Identity, Multi-Factor Authentication
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie
  Valid Accounts: Cloud Accounts, Default Accounts

Credential Access
  Brute Force: Credential Stuffing, Password Guessing, Password Spraying
  Forge Web Credentials: SAML Tokens
  Modify Authentication Process: Hybrid Identity, Multi-Factor Authentication
  Multi-Factor Authentication Request Generation
  Steal Application Access Token
  Steal Web Session Cookie
  Unsecured Credentials: Chat Messages

Discovery
  Account Discovery: Cloud Account, Email Account
  Cloud Service Dashboard
  Cloud Service Discovery
  Permission Groups Discovery: Cloud Groups

Lateral Movement
  Internal Spearphishing
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie

Collection
  Data from Cloud Storage
  Data from Information Repositories
  Email Collection: Email Forwarding Rule, Remote Email Collection

Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over Web Service: Exfiltration Over Webhook
  Transfer Data to Cloud Account

Impact
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, Service Exhaustion Flood
  Financial Theft
  Network Denial of Service: Direct Network Flood, Reflection Amplification

Initial Access
  Drive-by Compromise
  Phishing: Spearphishing Link, Spearphishing Voice
  Trusted Relationship
  Valid Accounts: Cloud Accounts, Default Accounts

Execution
  Serverless Execution
  Software Deployment Tools

Persistence
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Device Registration
  Create Account: Cloud Account
  Event Triggered Execution
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Valid Accounts: Cloud Accounts, Default Accounts

Privilege Escalation
  Account Manipulation: Additional Cloud Credentials, Additional Cloud Roles, Device Registration
  Domain or Tenant Policy Modification: Trust Modification
  Event Triggered Execution
  Valid Accounts: Cloud Accounts, Default Accounts

Defense Evasion
  Domain or Tenant Policy Modification: Trust Modification
  Exploitation for Defense Evasion
  Impersonation
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie
  Valid Accounts: Cloud Accounts, Default Accounts

Credential Access
  Brute Force: Credential Stuffing, Password Guessing, Password Spraying
  Forge Web Credentials: SAML Tokens, Web Cookies
  Modify Authentication Process: Conditional Access Policies, Hybrid Identity, Multi-Factor Authentication
  Multi-Factor Authentication Request Generation
  Steal Application Access Token
  Steal Web Session Cookie
  Unsecured Credentials: Chat Messages

Discovery
  Account Discovery: Cloud Account
  Cloud Service Dashboard
  Cloud Service Discovery
  Permission Groups Discovery: Cloud Groups

Lateral Movement
  Internal Spearphishing
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material: Application Access Token, Web Session Cookie

Collection
  Automated Collection
  Data from Cloud Storage
  Data from Information Repositories: Code Repositories, Confluence

Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over Web Service: Exfiltration Over Webhook
  Transfer Data to Cloud Account

Impact
  Account Access Removal
  Endpoint Denial of Service: Application Exhaustion Flood, Application or System Exploitation, Service Exhaustion Flood
  Financial Theft
  Network Denial of Service: Direct Network Flood, Reflection Amplification

Initial Access
  Exploit Public-Facing Application
  Trusted Relationship
  Valid Accounts: Cloud Accounts, Default Accounts

Execution
  Cloud Administration Command
  Command and Scripting Interpreter: Cloud API
  Serverless Execution
  User Execution: Malicious Image
Persistence Privilege Escalation
Additional Cloud Credentials Abuse Elevation Control Mechanism Temporary Elevated Cloud Access
Account Manipulation Additional Cloud Roles Additional Cloud Credentials
SSH Authorized Keys Account Manipulation Additional Cloud Roles
Create Account Cloud Account SSH Authorized Keys
Event Triggered Execution Event Triggered Execution Cloud Accounts
Implant Internal Image Conditional Access Policies Default Accounts
Valid Accounts
Hybrid Identity
Modify Authentication
Process Multi-Factor Authentication
Cloud Accounts
Default Accounts
Valid Accounts
Defense Evasion Credential Access
Abuse Elevation Control Mechanism Temporary Elevated Cloud Access Credential Stuffing
Exploitation for Defense Evasion Brute Force Password Guessing
Disable or Modify Cloud Firewall Password Spraying
Impair Defenses Disable or Modify Cloud Logs Credentials from Password Stores Cloud Secrets Management Stores
Disable or Modify Tools SAML Tokens
Forge Web Credentials
Conditional Access Policies Web Cookies
Modify Authentication
Process Hybrid Identity Conditional Access Policies
Modify Authentication
Multi-Factor Authentication Process Hybrid Identity
Create Cloud Instance Multi-Factor Authentication
Create Snapshot Multi-Factor Authentication Request Generation
Modify Cloud Compute
Infrastructure Delete Cloud Instance Network Sniffing
Modify Cloud Compute Configurations Cloud Instance Metadata API
Unsecured Credentials
Revert Cloud Instance Credentials In Files
Unused/Unsupported Cloud Regions
Use Alternate Application Access Token
Authentication Material Web Session Cookie
Cloud Accounts
Valid Accounts
Default Accounts
Discovery Lateral Movement
Account Discovery Cloud Account Cloud Services
Remote Services
Cloud Infrastructure Discovery Direct Cloud VM Connections
Cloud Service Dashboard Use Alternate Application Access Token
Cloud Service Discovery Authentication Material Web Session Cookie
Cloud Storage Object Discovery
Log Enumeration
Network Service Discovery
Network Sniffing
Password Policy Discovery
Permission Groups Discovery Cloud Groups
Software Discovery Security Software Discovery
System Information Discovery
System Location Discovery
System Network Connections Discovery
Collection Exfiltration Impact
Automated Collection Exfiltration Over Alternat Data Destruction
Data Staged Remote Data Staging Transfer Data to Cloud Ac Data Encrypted for Impact
Data from Cloud Storage Defacement
Data from Information Repositories
Endpoint Denial of
Service

Inhibit System Recovery


Network Denial of
Service
Resource Hijacking
Impact

External Defacement
Application Exhaustion Flood
Application or System Exploitation
Service Exhaustion Flood

Direct Network Flood


Reflection Amplification
Network matrix (matrix name inferred from its technique set; the export dropped the sheet titles)

Initial Access
  Exploit Public-Facing Application
  Valid Accounts: Default Accounts, Local Accounts

Execution
  Command and Scripting Interpreter: Network Device CLI, Unix Shell
  Software Deployment Tools

Persistence
  Account Manipulation: SSH Authorized Keys
  Boot or Logon Autostart Execution: RC Scripts
  Boot or Logon Initialization Scripts
  Create Account: Local Account
  Modify Authentication Process: Network Device Authentication
  Power Settings
  Pre-OS Boot: ROMMONkit, System Firmware, TFTP Boot
  Server Software Component: Web Shell
  Traffic Signaling: Port Knocking
  Valid Accounts: Default Accounts, Local Accounts

Privilege Escalation
  Account Manipulation: SSH Authorized Keys
  Boot or Logon Autostart Execution: RC Scripts
  Boot or Logon Initialization Scripts
  Valid Accounts: Default Accounts, Local Accounts

Defense Evasion
  Direct Volume Access
  Impair Defenses: Disable or Modify System Firewall, Disable or Modify Tools, Impair Command History Logging
  Indicator Removal: Clear Command History, Clear Network Connection History and Configurations
  Modify Authentication Process: Network Device Authentication
  Modify System Image: Downgrade System Image, Patch System Image
  Network Boundary Bridging: Network Address Translation Traversal
  Obfuscated Files or Information: Stripped Payloads
  Pre-OS Boot: ROMMONkit, System Firmware, TFTP Boot
  Traffic Signaling: Port Knocking
  Valid Accounts: Default Accounts, Local Accounts
  Weaken Encryption: Disable Crypto Hardware, Reduce Key Space

Credential Access
  Adversary-in-the-Middle
  Brute Force: Credential Stuffing, Password Cracking, Password Guessing, Password Spraying
  Input Capture: Keylogging
  Modify Authentication Process: Network Device Authentication
  Network Sniffing
  Unsecured Credentials: Private Keys

Discovery
  File and Directory Discovery
  Network Service Discovery
  Network Sniffing
  Password Policy Discovery
  Process Discovery
  Remote System Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Time Discovery

Lateral Movement
  Software Deployment Tools

Collection
  Adversary-in-the-Middle
  Data from Configuration Repository: Network Device Configuration Dump, SNMP (MIB Dump)
  Data from Local System
  Input Capture: Keylogging

Command and Control
  Application Layer Protocol: DNS, File Transfer Protocols, Mail Protocols, Web Protocols
  Encrypted Channel: Asymmetric Cryptography, Symmetric Cryptography
  Hide Infrastructure
  Ingress Tool Transfer
  Non-Application Layer Protocol
  Proxy: External Proxy, Internal Proxy, Multi-hop Proxy
  Traffic Signaling: Port Knocking

Exfiltration
  Automated Exfiltration: Traffic Duplication
  Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Impact
  Disk Wipe: Disk Content Wipe, Disk Structure Wipe
  Firmware Corruption
  Inhibit System Recovery
  System Shutdown/Reboot
Containers matrix (matrix name inferred from its technique set; the export dropped the sheet titles)

Initial Access
  Exploit Public-Facing Application
  External Remote Services
  Valid Accounts: Default Accounts, Local Accounts

Execution
  Container Administration Command
  Deploy Container
  Scheduled Task/Job: Container Orchestration Job
  User Execution: Malicious Image

Persistence
  Account Manipulation: Additional Container Cluster Roles
  Create Account: Local Account
  Create or Modify System Process: Container Service
  External Remote Services
  Implant Internal Image
  Scheduled Task/Job: Container Orchestration Job
  Valid Accounts: Default Accounts, Local Accounts

Privilege Escalation
  Account Manipulation: Additional Container Cluster Roles
  Create or Modify System Process: Container Service
  Escape to Host
  Exploitation for Privilege Escalation
  Scheduled Task/Job: Container Orchestration Job
  Valid Accounts: Default Accounts, Local Accounts

Defense Evasion
  Build Image on Host
  Deploy Container
  Impair Defenses: Disable or Modify Tools
  Indicator Removal
  Masquerading: Match Legitimate Name or Location
  Use Alternate Authentication Material: Application Access Token
  Valid Accounts: Default Accounts, Local Accounts

Credential Access
  Brute Force: Credential Stuffing, Password Guessing, Password Spraying
  Steal Application Access Token
  Unsecured Credentials: Container API, Credentials In Files

Discovery
  Container and Resource Discovery
  Network Service Discovery
  Permission Groups Discovery

Lateral Movement
  Use Alternate Authentication Material: Application Access Token

Impact
  Data Destruction
  Endpoint Denial of Service
  Inhibit System Recovery
  Network Denial of Service
  Resource Hijacking