Hybrid Attack Matrix
Uploaded by SELMAN BAĞIRICI

Matrix overview (one tactic column per line; Enterprise and ICS tactics combined)

Initial Access: Data Historian Compromise; Drive-by Compromise; Engineering Workstation Compromise; Exploit Public-Facing Application; External Remote Services; Hardware Additions; Internet Accessible Device; Phishing; Replication Through Removable Media; Supply Chain Compromise; Trusted Relationship; Valid Accounts; Wireless Compromise

Execution: Change Program State; Command and Scripting Interpreter; Command-Line Interface; Execution through API; Exploitation for Client Execution; Graphical User Interface; Inter-Process Communication; Man in the Middle; Native API; Program Organization Units; Project File Infection; Scheduled Task/Job; Scripting; Shared Modules; Software Deployment Tools; System Services; User Execution; Windows Management Instrumentation

Persistence: Account Manipulation; BITS Jobs; Boot or Logon Autostart Execution; Boot or Logon Initialization Scripts; Browser Extensions; Compromise Client Software Binary; Create Account; Create or Modify System Process; Event Triggered Execution; External Remote Services; Hijack Execution Flow; Hooking; Module Firmware; Office Application Startup; Pre-OS Boot; Program Download; Project File Infection; Scheduled Task/Job; Server Software Component; Traffic Signaling; Valid Accounts

Privilege Escalation: Abuse Elevation Control Mechanism; Access Token Manipulation; Boot or Logon Autostart Execution; Boot or Logon Initialization Scripts; Create or Modify System Process; Event Triggered Execution; Exploitation for Privilege Escalation; Group Policy Modification; Hijack Execution Flow; Process Injection; Scheduled Task/Job; Valid Accounts

Defense Evasion: Abuse Elevation Control Mechanism; Access Token Manipulation; BITS Jobs; Deobfuscate/Decode Files or Information; Direct Volume Access; Execution Guardrails; Exploitation for Defense Evasion; File and Directory Permissions Modification; Group Policy Modification; Hide Artifacts; Hijack Execution Flow; Impair Defenses; Indicator Removal on Host; Indirect Command Execution; Masquerading; Modify Authentication Process; Modify Registry; Obfuscated Files or Information; Pre-OS Boot; Process Injection; Rogue Domain Controller; Rogue Master Device; Rootkit; Signed Binary Proxy Execution; Signed Script Proxy Execution; Spoof Reporting Message; Subvert Trust Controls; Template Injection; Traffic Signaling; Trusted Developer Utilities Proxy Execution; Use Alternate Authentication Material; Utilize/Change Operating Mode; Valid Accounts; Virtualization/Sandbox Evasion; XSL Script Processing

Credential Access: Brute Force; Credentials from Password Stores; Exploitation for Credential Access; Forced Authentication; Input Capture; Man-in-the-Middle; Modify Authentication Process; Network Sniffing; OS Credential Dumping; Steal or Forge Kerberos Tickets; Steal Web Session Cookie; Two-Factor Authentication Interception; Unsecured Credentials

Discovery: Account Discovery; Application Window Discovery; Browser Bookmark Discovery; Control Device Identification; Domain Trust Discovery; File and Directory Discovery; I/O Module Discovery; Network Connection Enumeration; Network Service Scanning; Network Share Discovery; Network Sniffing; Password Policy Discovery; Peripheral Device Discovery; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; Serial Connection Enumeration; Software Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Service Discovery; System Time Discovery; Virtualization/Sandbox Evasion

Lateral Movement: Default Credentials; Exploitation of Remote Services; External Remote Services; Internal Spearphishing; Lateral Tool Transfer; Program Organization Units; Remote File Copy; Remote Service Session Hijacking; Remote Services; Replication Through Removable Media; Software Deployment Tools; Taint Shared Content; Use Alternate Authentication Material; Valid Accounts

Collection: Archive Collected Data; Audio Capture; Automated Collection; Clipboard Data; Data from Information Repositories; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Data Staged; Detect Operating Mode; Detect Program State; Email Collection; I/O Image; Input Capture; Location Identification; Man in the Browser; Man-in-the-Middle; Monitor Process State; Point & Tag Identification; Program Upload; Role Identification; Screen Capture; Video Capture

Command and Control: Application Layer Protocol; Commonly Used Port; Communication Through Removable Media; Connection Proxy; Data Encoding; Data Obfuscation; Dynamic Resolution; Encrypted Channel; Fallback Channels; Ingress Tool Transfer; Multi-Stage Channels; Non-Application Layer Protocol; Non-Standard Port; Protocol Tunneling; Proxy; Remote Access Software; Standard Application Layer Protocol; Traffic Signaling; Web Service

Exfiltration: Automated Exfiltration; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over C2 Channel; Exfiltration Over Other Network Medium; Exfiltration Over Physical Medium; Exfiltration Over Web Service; Scheduled Transfer

Impact: Account Access Removal; Data Destruction; Data Encrypted for Impact; Data Manipulation; Defacement; Disk Wipe; Endpoint Denial of Service; Firmware Corruption; Inhibit System Recovery; Network Denial of Service; Resource Hijacking; Service Stop; System Shutdown/Reboot

Inhibit Response Function: Activate Firmware Update Mode; Alarm Suppression; Block Command Message; Block Reporting Message; Block Serial COM; Data Destruction; Denial of Service; Device Restart/Shutdown; Manipulate I/O Image; Modify Alarm Settings; Modify Control Logic; Program Download; Rootkit; System Firmware; Utilize/Change Operating Mode

Impair Process Control: Brute Force I/O; Change Program State; Masquerading; Modify Control Logic; Modify Parameter; Module Firmware; Program Download; Rogue Master Device; Service Stop; Spoof Reporting Message; Unauthorized Command Message

Impact - ICS: Damage to Property; Denial of Control; Denial of View; Loss of Availability; Loss of Control; Loss of Productivity and Revenue; Loss of Safety; Loss of View; Manipulation of Control; Manipulation of View; Theft of Operational Information
Initial Access
  Data Historian Compromise
  Drive-by Compromise
  Engineering Workstation Compromise
  Exploit Public-Facing Application
  External Remote Services
  Hardware Additions
  Internet Accessible Device
  Phishing
    Spearphishing Attachment
    Spearphishing Link
    Spearphishing via Service
  Replication Through Removable Media
  Supply Chain Compromise
    Compromise Hardware Supply C
    Compromise Software Dependenc
    Compromise Software Supply Ch
  Trusted Relationship
  Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  Wireless Compromise

Execution
  Change Program State
  Command and Scripting Interpreter
  Command-Line Interface
  Execution through API
  Exploitation for Client Execution
  Graphical User Interface
  Inter-Process Communication
  Man in the Middle
  Native API
  Program Organization Units
  Project File Infection
  Scheduled Task/Job
  Scripting
  Shared Modules
  Software Deployment Tools
  System Services
  User Execution
  Windows Management Instrumentation


Execution
  Change Program State
  Command and Scripting Interpreter
    AppleScript
    JavaScript/JScript
    PowerShell
    Python
    Unix Shell
    Visual Basic
    Windows Command Shell
  Command-Line Interface
  Execution through API
  Exploitation for Client Execution
  Graphical User Interface
  Inter-Process Communication
    Component Object Model
    Dynamic Data Exchange
  Man in the Middle
  Native API
  Program Organization Units
  Project File Infection
  Scheduled Task/Job
    At (Linux)
    At (Windows)
    Cron
    Launchd
    Scheduled Task
  Scripting
  Shared Modules
  Software Deployment Tools
  System Services
    Launchctl
    Service Execution
  User Execution
    Malicious File
    Malicious Link
  Windows Management Instrumentation

Persistence
  Account Manipulation
    Exchange Email Delegate Permis
    SSH Authorized Keys
  BITS Jobs
  Boot or Logon Autostart Execution
    Authentication Package
    Kernel Modules and Extensions
    LSASS Driver
    Plist Modification
    Port Monitors
    Re-opened Applications
    Registry Run Keys / Startup Fold
    Security Support Provider
    Shortcut Modification
    Time Providers
    Winlogon Helper DLL
  Boot or Logon Initialization Scripts
    Logon Script (Mac)
    Logon Script (Windows)
    Network Logon Script
    Rc.common
    Startup Items
  Browser Extensions
  Compromise Client Software Binary
  Create Account
    Domain Account
    Local Account
  Create or Modify System Process
    Launch Agent
    Launch Daemon
    Systemd Service
    Windows Service
  Event Triggered Execution
    .bash_profile and .bashrc
    Accessibility Features
    AppCert DLLs
    AppInit DLLs
    Application Shimming
    Change Default File Association
    Component Object Model Hijack
    Emond
    Image File Execution Options Inj
    LC_LOAD_DYLIB Addition
    Netsh Helper DLL
    PowerShell Profile
    Screensaver
    Trap
    Windows Management Instrument
  External Remote Services
  Hijack Execution Flow
    COR_PROFILER
    DLL Search Order Hijacking
    DLL Side-Loading
    Dylib Hijacking
    Executable Installer File Permis
    LD_PRELOAD
    Path Interception by PATH Envir
    Path Interception by Search Orde
    Path Interception by Unquoted
    Services File Permissions Weakn
    Services Registry Permissions W
  Hooking
  Module Firmware
  Office Application Startup
    Add-ins
    Office Template Macros
    Office Test
    Outlook Forms
    Outlook Home Page
    Outlook Rules
  Pre-OS Boot
    Bootkit
    Component Firmware
    System Firmware
  Program Download
  Project File Infection
  Scheduled Task/Job
    At (Linux)
    At (Windows)
    Cron
    Launchd
    Scheduled Task
  Server Software Component
    SQL Stored Procedures
    Transport Agent
    Web Shell
  Traffic Signaling
  Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
Privilege Escalation
  Abuse Elevation Control Mechanism
    Bypass User Access Control
    Elevated Execution with Prompt
    Setuid and Setgid
    Sudo and Sudo Caching
  Access Token Manipulation
    Create Process with Token
    Make and Impersonate Token
    Parent PID Spoofing
    SID-History Injection
    Token Impersonation/Theft
  Boot or Logon Autostart Execution
    Authentication Package
    Kernel Modules and Extensions
    LSASS Driver
    Plist Modification
    Port Monitors
    Re-opened Applications
    Registry Run Keys / Startup Fold
    Security Support Provider
    Shortcut Modification
    Time Providers
    Winlogon Helper DLL
  Boot or Logon Initialization Scripts
    Logon Script (Mac)
    Logon Script (Windows)
    Network Logon Script
    Rc.common
    Startup Items
  Create or Modify System Process
    Launch Agent
    Launch Daemon
    Systemd Service
    Windows Service
  Event Triggered Execution
    .bash_profile and .bashrc
    Accessibility Features
    AppCert DLLs
    AppInit DLLs
    Application Shimming
    Change Default File Association
    Component Object Model Hijack
    Emond
    Image File Execution Options Inj
    LC_LOAD_DYLIB Addition
    Netsh Helper DLL
    PowerShell Profile
    Screensaver
    Trap
    Windows Management Instrument
  Exploitation for Privilege Escalation
  Group Policy Modification
  Hijack Execution Flow
    COR_PROFILER
    DLL Search Order Hijacking
    DLL Side-Loading
    Dylib Hijacking
    Executable Installer File Permis
    LD_PRELOAD
    Path Interception by PATH Envir
    Path Interception by Search Orde
    Path Interception by Unquoted
    Services File Permissions Weakn
    Services Registry Permissions W
  Process Injection
    Asynchronous Procedure Call
    Dynamic-link Library Injection
    Extra Window Memory Injection
    Portable Executable Injection
    Proc Memory
    Process Doppelgänging
    Process Hollowing
    Ptrace System Calls
    Thread Execution Hijacking
    Thread Local Storage
    VDSO Hijacking
  Scheduled Task/Job
    At (Linux)
    At (Windows)
    Cron
    Launchd
    Scheduled Task
  Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts

Defense Evasion
  Abuse Elevation Control Mechanism
  Access Token Manipulation
  BITS Jobs
  Deobfuscate/Decode Files or Information
  Direct Volume Access
  Execution Guardrails
  Exploitation for Defense Evasion
  File and Directory Permissions Modification
  Group Policy Modification
  Hide Artifacts
  Hijack Execution Flow
  Impair Defenses
  Indicator Removal on Host
  Indirect Command Execution
  Masquerading
  Modify Authentication Process
  Modify Registry
  Obfuscated Files or Information
  Pre-OS Boot
  Process Injection
  Rogue Domain Controller
  Rogue Master Device
  Rootkit
  Signed Binary Proxy Execution
  Spoof Reporting Message
  Subvert Trust Controls
  Template Injection
  Traffic Signaling
  Trusted Developer Utilities Proxy Execution
  Use Alternate Authentication Material
  Utilize/Change Operating Mode
  Valid Accounts
  Virtualization/Sandbox Evasion
  XSL Script Processing


Defense Evasion
  Abuse Elevation Control Mechanism
    Bypass User Access Control
    Elevated Execution with Prompt
    Setuid and Setgid
    Sudo and Sudo Caching
  Access Token Manipulation
    Create Process with Token
    Make and Impersonate Token
    Parent PID Spoofing
    SID-History Injection
    Token Impersonation/Theft
  BITS Jobs
  Deobfuscate/Decode Files or Information
  Direct Volume Access
  Execution Guardrails
    Environmental Keying
  Exploitation for Defense Evasion
  File and Directory Permissions Modification
    Linux and Mac File and Directory
    Windows File and Directory Perm
  Group Policy Modification
  Hide Artifacts
    Hidden File System
    Hidden Files and Directories
    Hidden Users
    Hidden Window
    NTFS File Attributes
    Run Virtual Instance
  Hijack Execution Flow
    COR_PROFILER
    DLL Search Order Hijacking
    DLL Side-Loading
    Dylib Hijacking
    Executable Installer File Permis
    LD_PRELOAD
    Path Interception by PATH Envir
    Path Interception by Search Orde
    Path Interception by Unquoted
    Services File Permissions Weakn
    Services Registry Permissions W
  Impair Defenses
    Disable or Modify System Firewal
    Disable or Modify Tools
    Disable Windows Event Logging
    HISTCONTROL
    Indicator Blocking
  Indicator Removal on Host
    Clear Command History
    Clear Linux or Mac System Logs
    Clear Windows Event Logs
    File Deletion
    Network Share Connection Removal
    Timestomp
  Indirect Command Execution
  Masquerading
    Invalid Code Signature
    Masquerade Task or Service
    Match Legitimate Name or Location
    Rename System Utilities
    Right-to-Left Override
    Space after Filename
  Modify Authentication Process
    Domain Controller Authentication
    Password Filter DLL
    Pluggable Authentication Modules
  Modify Registry
  Obfuscated Files or Information
    Binary Padding
    Compile After Delivery
    Indicator Removal from Tools
    Software Packing
    Steganography
  Pre-OS Boot
    Bootkit
    Component Firmware
    System Firmware
  Process Injection
    Asynchronous Procedure Call
    Dynamic-link Library Injection
    Extra Window Memory Injection
    Portable Executable Injection
    Proc Memory
    Process Doppelgänging
    Process Hollowing
    Ptrace System Calls
    Thread Execution Hijacking
    Thread Local Storage
    VDSO Hijacking
  Rogue Domain Controller
  Rogue Master Device
  Rootkit
  Signed Binary Proxy Execution
    CMSTP
    Compiled HTML File
    Control Panel
    InstallUtil
    Mshta
    Msiexec
    Odbcconf
    Regsvcs/Regasm
    Regsvr32
    Rundll32
  Signed Script Proxy Execution
    PubPrn
  Spoof Reporting Message
  Subvert Trust Controls
    Code Signing
    Gatekeeper Bypass
    Install Root Certificate
    SIP and Trust Provider Hijacking
  Template Injection
  Traffic Signaling
    Port Knocking
  Trusted Developer Utilities Proxy Execution
    MSBuild
  Use Alternate Authentication Material
    Pass the Hash
    Pass the Ticket
  Utilize/Change Operating Mode
  Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  Virtualization/Sandbox Evasion
    System Checks
    Time Based Evasion
    User Activity Based Checks
  XSL Script Processing

Credential Access
  Brute Force
    Credential Stuffing
    Password Cracking
    Password Guessing
    Password Spraying
  Credentials from Password Stores
    Credentials from Web Browsers
    Keychain
    Securityd Memory
  Exploitation for Credential Access
  Forced Authentication
  Input Capture
    Credential API Hooking
    GUI Input Capture
    Keylogging
    Web Portal Capture
  Man-in-the-Middle
    LLMNR/NBT-NS Poisoning and S
  Modify Authentication Process
    Domain Controller Authentication
    Password Filter DLL
    Pluggable Authentication Modules
  Network Sniffing
  OS Credential Dumping
    /etc/passwd and /etc/shadow
    Cached Domain Credentials
    DCSync
    LSA Secrets
    LSASS Memory
    NTDS
    Proc Filesystem
    Security Account Manager
  Steal or Forge Kerberos Tickets
    Golden Ticket
    Kerberoasting
    Silver Ticket
  Steal Web Session Cookie
  Two-Factor Authentication Interception
  Unsecured Credentials
    Bash History
    Credentials In Files
    Credentials in Registry
    Group Policy Preferences
    Private Keys
Discovery
  Account Discovery
    Domain Account
    Email Account
    Local Account
  Application Window Discovery
  Browser Bookmark Discovery
  Control Device Identification
  Domain Trust Discovery
  File and Directory Discovery
  I/O Module Discovery
  Network Connection Enumeration
  Network Service Scanning
  Network Share Discovery
  Network Sniffing
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery
    Domain Groups
    Local Groups
  Process Discovery
  Query Registry
  Remote System Discovery
  Serial Connection Enumeration
  Software Discovery
    Security Software Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery
  Virtualization/Sandbox Evasion
    System Checks
    Time Based Evasion
    User Activity Based Checks

Lateral Movement
  Default Credentials
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Program Organization Units
  Remote File Copy
  Remote Service Session Hijacking
  Remote Services
  Replication Through Removable Media
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material


Lateral Movement
  Default Credentials
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Program Organization Units
  Remote File Copy
  Remote Service Session Hijacking
    RDP Hijacking
    SSH Hijacking
  Remote Services
    Distributed Component Object
    Remote Desktop Protocol
    SMB/Windows Admin Shares
    SSH
    VNC
    Windows Remote Management
  Replication Through Removable Media
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material
    Pass the Hash
    Pass the Ticket

Collection
  Archive Collected Data
    Archive via Custom Method
    Archive via Library
    Archive via Utility
  Audio Capture
  Automated Collection
  Clipboard Data
  Data from Information Repositories
    Sharepoint
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Data Staged
    Local Data Staging
    Remote Data Staging
  Detect Operating Mode
  Detect Program State
  Email Collection
    Email Forwarding Rule
    Local Email Collection
    Remote Email Collection
  I/O Image
  Input Capture
    Credential API Hooking
    GUI Input Capture
    Keylogging
    Web Portal Capture
  Location Identification
  Man in the Browser
  Man-in-the-Middle
    LLMNR/NBT-NS Poisoning and S
  Monitor Process State
  Point & Tag Identification
  Program Upload
  Role Identification
  Screen Capture
  Video Capture
Command and Control
  Application Layer Protocol
    DNS
    File Transfer Protocols
    Mail Protocols
    Web Protocols
  Commonly Used Port
  Communication Through Removable Media
  Connection Proxy
  Data Encoding
    Non-Standard Encoding
    Standard Encoding
  Data Obfuscation
    Junk Data
    Protocol Impersonation
    Steganography
  Dynamic Resolution
    DNS Calculation
    Domain Generation Algorithms
    Fast Flux DNS
  Encrypted Channel
    Asymmetric Cryptography
    Symmetric Cryptography
  Fallback Channels
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy
    Domain Fronting
    External Proxy
    Internal Proxy
    Multi-hop Proxy
  Remote Access Software
  Standard Application Layer Protocol
  Traffic Signaling
    Port Knocking
  Web Service
    Bidirectional Communication
    Dead Drop Resolver
    One-Way Communication

Exfiltration
  Automated Exfiltration
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium
  Exfiltration Over Physical Medium
  Exfiltration Over Web Service
  Scheduled Transfer
Exfiltration
  Automated Exfiltration
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
    Exfiltration Over Asymmetric En
    Exfiltration Over Symmetric Enc
    Exfiltration Over Unencrypted/O
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium
    Exfiltration Over Bluetooth
  Exfiltration Over Physical Medium
    Exfiltration over USB
  Exfiltration Over Web Service
    Exfiltration to Cloud Storage
    Exfiltration to Code Repository
  Scheduled Transfer

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation
    Runtime Data Manipulation
    Stored Data Manipulation
    Transmitted Data Manipulation
  Defacement
    External Defacement
    Internal Defacement
  Disk Wipe
    Disk Content Wipe
    Disk Structure Wipe
  Endpoint Denial of Service
    Application Exhaustion Flood
    Application or System Exploitati
    OS Exhaustion Flood
    Service Exhaustion Flood
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service
    Direct Network Flood
    Reflection Amplification
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot
Inhibit Response Function
  Activate Firmware Update Mode
  Alarm Suppression
  Block Command Message
  Block Reporting Message
  Block Serial COM
  Data Destruction
  Denial of Service
  Device Restart/Shutdown
  Manipulate I/O Image
  Modify Alarm Settings
  Modify Control Logic
  Program Download
  Rootkit
  System Firmware
  Utilize/Change Operating Mode

Impair Process Control
  Brute Force I/O
  Change Program State
  Masquerading
  Modify Control Logic
  Modify Parameter
  Module Firmware
  Program Download
  Rogue Master Device
  Service Stop
  Spoof Reporting Message
  Unauthorized Command Message

Impact - ICS
  Damage to Property
  Denial of Control
  Denial of View
  Loss of Availability
  Loss of Control
  Loss of Productivity and Revenue
  Loss of Safety
  Loss of View
  Manipulation of Control
  Manipulation of View
  Theft of Operational Information