| Code | Display | tactic | parentTechnique | isSubtechnique |
| T1047 |
Windows Management Instrumentation |
TA0002 |
|
false |
| T1113 |
Screen Capture |
TA0009 |
|
false |
| T1037 |
Boot or Logon Initialization Scripts |
TA0003, TA0004 |
|
false |
| T1037.004 |
RC Scripts |
TA0003, TA0004 |
T1037 |
true |
| T1037.001 |
Logon Script (Windows) |
TA0003, TA0004 |
T1037 |
true |
| T1037.003 |
Network Logon Script |
TA0003, TA0004 |
T1037 |
true |
| T1037.005 |
Startup Items |
TA0003, TA0004 |
T1037 |
true |
| T1037.002 |
Login Hook |
TA0003, TA0004 |
T1037 |
true |
| T1557 |
Adversary-in-the-Middle |
TA0006, TA0009 |
|
false |
| T1557.003 |
DHCP Spoofing |
TA0006, TA0009 |
T1557 |
true |
| T1557.002 |
ARP Cache Poisoning |
TA0006, TA0009 |
T1557 |
true |
| T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
TA0006, TA0009 |
T1557 |
true |
| T1557.004 |
Evil Twin |
TA0006, TA0009 |
T1557 |
true |
| T1033 |
System Owner/User Discovery |
TA0007 |
|
false |
| T1583 |
Acquire Infrastructure |
TA0042 |
|
false |
| T1583.008 |
Malvertising |
TA0042 |
T1583 |
true |
| T1583.001 |
Domains |
TA0042 |
T1583 |
true |
| T1583.005 |
Botnet |
TA0042 |
T1583 |
true |
| T1583.004 |
Server |
TA0042 |
T1583 |
true |
| T1583.002 |
DNS Server |
TA0042 |
T1583 |
true |
| T1583.003 |
Virtual Private Server |
TA0042 |
T1583 |
true |
| T1583.007 |
Serverless |
TA0042 |
T1583 |
true |
| T1583.006 |
Web Services |
TA0042 |
T1583 |
true |
| T1613 |
Container and Resource Discovery |
TA0007 |
|
false |
| T1592 |
Gather Victim Host Information |
TA0043 |
|
false |
| T1592.001 |
Hardware |
TA0043 |
T1592 |
true |
| T1592.003 |
Firmware |
TA0043 |
T1592 |
true |
| T1592.002 |
Software |
TA0043 |
T1592 |
true |
| T1592.004 |
Client Configurations |
TA0043 |
T1592 |
true |
| T1003 |
OS Credential Dumping |
TA0006 |
|
false |
| T1003.002 |
Security Account Manager |
TA0006 |
T1003 |
true |
| T1003.004 |
LSA Secrets |
TA0006 |
T1003 |
true |
| T1003.006 |
DCSync |
TA0006 |
T1003 |
true |
| T1003.007 |
Proc Filesystem |
TA0006 |
T1003 |
true |
| T1003.003 |
NTDS |
TA0006 |
T1003 |
true |
| T1003.005 |
Cached Domain Credentials |
TA0006 |
T1003 |
true |
| T1003.001 |
LSASS Memory |
TA0006 |
T1003 |
true |
| T1003.008 |
/etc/passwd and /etc/shadow |
TA0006 |
T1003 |
true |
| T1129 |
Shared Modules |
TA0002 |
|
false |
| T1602 |
Data from Configuration Repository |
TA0009 |
|
false |
| T1602.002 |
Network Device Configuration Dump |
TA0009 |
T1602 |
true |
| T1602.001 |
SNMP (MIB Dump) |
TA0009 |
T1602 |
true |
| T1006 |
Direct Volume Access |
TA0005 |
|
false |
| T1666 |
Modify Cloud Resource Hierarchy |
TA0005 |
|
false |
| T1014 |
Rootkit |
TA0005 |
|
false |
| T1123 |
Audio Capture |
TA0009 |
|
false |
| T1543 |
Create or Modify System Process |
TA0003, TA0004 |
|
false |
| T1543.004 |
Launch Daemon |
TA0003, TA0004 |
T1543 |
true |
| T1543.005 |
Container Service |
TA0003, TA0004 |
T1543 |
true |
| T1543.001 |
Launch Agent |
TA0003, TA0004 |
T1543 |
true |
| T1543.002 |
Systemd Service |
TA0003, TA0004 |
T1543 |
true |
| T1543.003 |
Windows Service |
TA0003, TA0004 |
T1543 |
true |
| T1133 |
External Remote Services |
TA0003, TA0001 |
|
false |
| T1539 |
Steal Web Session Cookie |
TA0006 |
|
false |
| T1578 |
Modify Cloud Compute Infrastructure |
TA0005 |
|
false |
| T1578.001 |
Create Snapshot |
TA0005 |
T1578 |
true |
| T1578.003 |
Delete Cloud Instance |
TA0005 |
T1578 |
true |
| T1578.004 |
Revert Cloud Instance |
TA0005 |
T1578 |
true |
| T1578.002 |
Create Cloud Instance |
TA0005 |
T1578 |
true |
| T1578.005 |
Modify Cloud Compute Configurations |
TA0005 |
T1578 |
true |
| T1069 |
Permission Groups Discovery |
TA0007 |
|
false |
| T1069.003 |
Cloud Groups |
TA0007 |
T1069 |
true |
| T1069.002 |
Domain Groups |
TA0007 |
T1069 |
true |
| T1069.001 |
Local Groups |
TA0007 |
T1069 |
true |
| T1114 |
Email Collection |
TA0009 |
|
false |
| T1114.002 |
Remote Email Collection |
TA0009 |
T1114 |
true |
| T1114.003 |
Email Forwarding Rule |
TA0009 |
T1114 |
true |
| T1114.001 |
Local Email Collection |
TA0009 |
T1114 |
true |
| T1594 |
Search Victim-Owned Websites |
TA0043 |
|
false |
| T1561 |
Disk Wipe |
TA0040 |
|
false |
| T1561.002 |
Disk Structure Wipe |
TA0040 |
T1561 |
true |
| T1561.001 |
Disk Content Wipe |
TA0040 |
T1561 |
true |
| T1615 |
Group Policy Discovery |
TA0007 |
|
false |
| T1025 |
Data from Removable Media |
TA0009 |
|
false |
| T1547 |
Boot or Logon Autostart Execution |
TA0003, TA0004 |
|
false |
| T1547.009 |
Shortcut Modification |
TA0003, TA0004 |
T1547 |
true |
| T1547.006 |
Kernel Modules and Extensions |
TA0003, TA0004 |
T1547 |
true |
| T1547.007 |
Re-opened Applications |
TA0003, TA0004 |
T1547 |
true |
| T1547.004 |
Winlogon Helper DLL |
TA0003, TA0004 |
T1547 |
true |
| T1547.005 |
Security Support Provider |
TA0003, TA0004 |
T1547 |
true |
| T1547.001 |
Registry Run Keys / Startup Folder |
TA0003, TA0004 |
T1547 |
true |
| T1547.008 |
LSASS Driver |
TA0003, TA0004 |
T1547 |
true |
| T1547.012 |
Print Processors |
TA0003, TA0004 |
T1547 |
true |
| T1547.014 |
Active Setup |
TA0003, TA0004 |
T1547 |
true |
| T1547.015 |
Login Items |
TA0003, TA0004 |
T1547 |
true |
| T1547.013 |
XDG Autostart Entries |
TA0003, TA0004 |
T1547 |
true |
| T1547.003 |
Time Providers |
TA0003, TA0004 |
T1547 |
true |
| T1547.002 |
Authentication Package |
TA0003, TA0004 |
T1547 |
true |
| T1547.010 |
Port Monitors |
TA0003, TA0004 |
T1547 |
true |
| T1600 |
Weaken Encryption |
TA0005 |
|
false |
| T1600.001 |
Reduce Key Space |
TA0005 |
T1600 |
true |
| T1600.002 |
Disable Crypto Hardware |
TA0005 |
T1600 |
true |
| T1489 |
Service Stop |
TA0040 |
|
false |
| T1652 |
Device Driver Discovery |
TA0007 |
|
false |
| T1564 |
Hide Artifacts |
TA0005 |
|
false |
| T1564.003 |
Hidden Window |
TA0005 |
T1564 |
true |
| T1564.011 |
Ignore Process Interrupts |
TA0005 |
T1564 |
true |
| T1564.002 |
Hidden Users |
TA0005 |
T1564 |
true |
| T1564.012 |
File/Path Exclusions |
TA0005 |
T1564 |
true |
| T1564.014 |
Extended Attributes |
TA0005 |
T1564 |
true |
| T1564.008 |
Email Hiding Rules |
TA0005 |
T1564 |
true |
| T1564.009 |
Resource Forking |
TA0005 |
T1564 |
true |
| T1564.013 |
Bind Mounts |
TA0005 |
T1564 |
true |
| T1564.006 |
Run Virtual Instance |
TA0005 |
T1564 |
true |
| T1564.010 |
Process Argument Spoofing |
TA0005 |
T1564 |
true |
| T1564.001 |
Hidden Files and Directories |
TA0005 |
T1564 |
true |
| T1564.004 |
NTFS File Attributes |
TA0005 |
T1564 |
true |
| T1564.007 |
VBA Stomping |
TA0005 |
T1564 |
true |
| T1564.005 |
Hidden File System |
TA0005 |
T1564 |
true |
| T1080 |
Taint Shared Content |
TA0008 |
|
false |
| T1137 |
Office Application Startup |
TA0003 |
|
false |
| T1137.002 |
Office Test |
TA0003 |
T1137 |
true |
| T1137.001 |
Office Template Macros |
TA0003 |
T1137 |
true |
| T1137.004 |
Outlook Home Page |
TA0003 |
T1137 |
true |
| T1137.003 |
Outlook Forms |
TA0003 |
T1137 |
true |
| T1137.006 |
Add-ins |
TA0003 |
T1137 |
true |
| T1137.005 |
Outlook Rules |
TA0003 |
T1137 |
true |
| T1119 |
Automated Collection |
TA0009 |
|
false |
| T1115 |
Clipboard Data |
TA0009 |
|
false |
| T1675 |
ESXi Administration Command |
TA0002 |
|
false |
| T1007 |
System Service Discovery |
TA0007 |
|
false |
| T1040 |
Network Sniffing |
TA0006, TA0007 |
|
false |
| T1530 |
Data from Cloud Storage |
TA0009 |
|
false |
| T1135 |
Network Share Discovery |
TA0007 |
|
false |
| T1120 |
Peripheral Device Discovery |
TA0007 |
|
false |
| T1082 |
System Information Discovery |
TA0007 |
|
false |
| T1071 |
Application Layer Protocol |
TA0011 |
|
false |
| T1071.002 |
File Transfer Protocols |
TA0011 |
T1071 |
true |
| T1071.004 |
DNS |
TA0011 |
T1071 |
true |
| T1071.005 |
Publish/Subscribe Protocols |
TA0011 |
T1071 |
true |
| T1071.003 |
Mail Protocols |
TA0011 |
T1071 |
true |
| T1071.001 |
Web Protocols |
TA0011 |
T1071 |
true |
| T1053 |
Scheduled Task/Job |
TA0002, TA0003, TA0004 |
|
false |
| T1053.003 |
Cron |
TA0002, TA0003, TA0004 |
T1053 |
true |
| T1053.005 |
Scheduled Task |
TA0002, TA0003, TA0004 |
T1053 |
true |
| T1053.006 |
Systemd Timers |
TA0002, TA0003, TA0004 |
T1053 |
true |
| T1053.007 |
Container Orchestration Job |
TA0002, TA0003, TA0004 |
T1053 |
true |
| T1053.002 |
At |
TA0002, TA0003, TA0004 |
T1053 |
true |
| T1176 |
Software Extensions |
TA0003 |
|
false |
| T1176.002 |
IDE Extensions |
TA0003 |
T1176 |
true |
| T1176.001 |
Browser Extensions |
TA0003 |
T1176 |
true |
| T1106 |
Native API |
TA0002 |
|
false |
| T1202 |
Indirect Command Execution |
TA0005 |
|
false |
| T1091 |
Replication Through Removable Media |
TA0008, TA0001 |
|
false |
| T1005 |
Data from Local System |
TA0009 |
|
false |
| T1140 |
Deobfuscate/Decode Files or Information |
TA0005 |
|
false |
| T1562 |
Impair Defenses |
TA0005 |
|
false |
| T1562.003 |
Impair Command History Logging |
TA0005 |
T1562 |
true |
| T1562.013 |
Disable or Modify Network Device Firewall |
TA0005 |
T1562 |
true |
| T1562.004 |
Disable or Modify System Firewall |
TA0005 |
T1562 |
true |
| T1562.002 |
Disable Windows Event Logging |
TA0005 |
T1562 |
true |
| T1562.001 |
Disable or Modify Tools |
TA0005 |
T1562 |
true |
| T1562.006 |
Indicator Blocking |
TA0005 |
T1562 |
true |
| T1562.012 |
Disable or Modify Linux Audit System |
TA0005 |
T1562 |
true |
| T1562.011 |
Spoof Security Alerting |
TA0005 |
T1562 |
true |
| T1562.008 |
Disable or Modify Cloud Logs |
TA0005 |
T1562 |
true |
| T1562.010 |
Downgrade Attack |
TA0005 |
T1562 |
true |
| T1562.007 |
Disable or Modify Cloud Firewall |
TA0005 |
T1562 |
true |
| T1562.009 |
Safe Mode Boot |
TA0005 |
T1562 |
true |
| T1195 |
Supply Chain Compromise |
TA0001 |
|
false |
| T1195.001 |
Compromise Software Dependencies and Development Tools |
TA0001 |
T1195 |
true |
| T1195.002 |
Compromise Software Supply Chain |
TA0001 |
T1195 |
true |
| T1195.003 |
Compromise Hardware Supply Chain |
TA0001 |
T1195 |
true |
| T1190 |
Exploit Public-Facing Application |
TA0001 |
|
false |
| T1558 |
Steal or Forge Kerberos Tickets |
TA0006 |
|
false |
| T1558.003 |
Kerberoasting |
TA0006 |
T1558 |
true |
| T1558.002 |
Silver Ticket |
TA0006 |
T1558 |
true |
| T1558.005 |
Ccache Files |
TA0006 |
T1558 |
true |
| T1558.004 |
AS-REP Roasting |
TA0006 |
T1558 |
true |
| T1558.001 |
Golden Ticket |
TA0006 |
T1558 |
true |
| T1555 |
Credentials from Password Stores |
TA0006 |
|
false |
| T1555.004 |
Windows Credential Manager |
TA0006 |
T1555 |
true |
| T1555.001 |
Keychain |
TA0006 |
T1555 |
true |
| T1555.005 |
Password Managers |
TA0006 |
T1555 |
true |
| T1555.006 |
Cloud Secrets Management Stores |
TA0006 |
T1555 |
true |
| T1555.003 |
Credentials from Web Browsers |
TA0006 |
T1555 |
true |
| T1555.002 |
Securityd Memory |
TA0006 |
T1555 |
true |
| T1567 |
Exfiltration Over Web Service |
TA0010 |
|
false |
| T1567.001 |
Exfiltration to Code Repository |
TA0010 |
T1567 |
true |
| T1567.003 |
Exfiltration to Text Storage Sites |
TA0010 |
T1567 |
true |
| T1567.002 |
Exfiltration to Cloud Storage |
TA0010 |
T1567 |
true |
| T1567.004 |
Exfiltration Over Webhook |
TA0010 |
T1567 |
true |
| T1219 |
Remote Access Tools |
TA0011 |
|
false |
| T1219.003 |
Remote Access Hardware |
TA0011 |
T1219 |
true |
| T1219.001 |
IDE Tunneling |
TA0011 |
T1219 |
true |
| T1219.002 |
Remote Desktop Software |
TA0011 |
T1219 |
true |
| T1036 |
Masquerading |
TA0005 |
|
false |
| T1036.008 |
Masquerade File Type |
TA0005 |
T1036 |
true |
| T1036.003 |
Rename Legitimate Utilities |
TA0005 |
T1036 |
true |
| T1036.006 |
Space after Filename |
TA0005 |
T1036 |
true |
| T1036.004 |
Masquerade Task or Service |
TA0005 |
T1036 |
true |
| T1036.002 |
Right-to-Left Override |
TA0005 |
T1036 |
true |
| T1036.005 |
Match Legitimate Resource Name or Location |
TA0005 |
T1036 |
true |
| T1036.011 |
Overwrite Process Arguments |
TA0005 |
T1036 |
true |
| T1036.007 |
Double File Extension |
TA0005 |
T1036 |
true |
| T1036.010 |
Masquerade Account Name |
TA0005 |
T1036 |
true |
| T1036.001 |
Invalid Code Signature |
TA0005 |
T1036 |
true |
| T1036.012 |
Browser Fingerprint |
TA0005 |
T1036 |
true |
| T1036.009 |
Break Process Trees |
TA0005 |
T1036 |
true |
| T1552 |
Unsecured Credentials |
TA0006 |
|
false |
| T1552.006 |
Group Policy Preferences |
TA0006 |
T1552 |
true |
| T1552.004 |
Private Keys |
TA0006 |
T1552 |
true |
| T1552.007 |
Container API |
TA0006 |
T1552 |
true |
| T1552.001 |
Credentials In Files |
TA0006 |
T1552 |
true |
| T1552.002 |
Credentials in Registry |
TA0006 |
T1552 |
true |
| T1552.003 |
Shell History |
TA0006 |
T1552 |
true |
| T1552.008 |
Chat Messages |
TA0006 |
T1552 |
true |
| T1552.005 |
Cloud Instance Metadata API |
TA0006 |
T1552 |
true |
| T1659 |
Content Injection |
TA0001, TA0011 |
|
false |
| T1055 |
Process Injection |
TA0005, TA0004 |
|
false |
| T1055.013 |
Process Doppelgänging |
TA0005, TA0004 |
T1055 |
true |
| T1055.012 |
Process Hollowing |
TA0005, TA0004 |
T1055 |
true |
| T1055.009 |
Proc Memory |
TA0005, TA0004 |
T1055 |
true |
| T1055.015 |
ListPlanting |
TA0005, TA0004 |
T1055 |
true |
| T1055.014 |
VDSO Hijacking |
TA0005, TA0004 |
T1055 |
true |
| T1055.005 |
Thread Local Storage |
TA0005, TA0004 |
T1055 |
true |
| T1055.011 |
Extra Window Memory Injection |
TA0005, TA0004 |
T1055 |
true |
| T1055.001 |
Dynamic-link Library Injection |
TA0005, TA0004 |
T1055 |
true |
| T1055.003 |
Thread Execution Hijacking |
TA0005, TA0004 |
T1055 |
true |
| T1055.008 |
Ptrace System Calls |
TA0005, TA0004 |
T1055 |
true |
| T1055.004 |
Asynchronous Procedure Call |
TA0005, TA0004 |
T1055 |
true |
| T1055.002 |
Portable Executable Injection |
TA0005, TA0004 |
T1055 |
true |
| T1205 |
Traffic Signaling |
TA0005, TA0003, TA0011 |
|
false |
| T1205.001 |
Port Knocking |
TA0005, TA0003, TA0011 |
T1205 |
true |
| T1205.002 |
Socket Filters |
TA0005, TA0003, TA0011 |
T1205 |
true |
| T1218 |
System Binary Proxy Execution |
TA0005 |
|
false |
| T1218.005 |
Mshta |
TA0005 |
T1218 |
true |
| T1218.014 |
MMC |
TA0005 |
T1218 |
true |
| T1218.008 |
Odbcconf |
TA0005 |
T1218 |
true |
| T1218.015 |
Electron Applications |
TA0005 |
T1218 |
true |
| T1218.012 |
Verclsid |
TA0005 |
T1218 |
true |
| T1218.013 |
Mavinject |
TA0005 |
T1218 |
true |
| T1218.002 |
Control Panel |
TA0005 |
T1218 |
true |
| T1218.001 |
Compiled HTML File |
TA0005 |
T1218 |
true |
| T1218.010 |
Regsvr32 |
TA0005 |
T1218 |
true |
| T1218.004 |
InstallUtil |
TA0005 |
T1218 |
true |
| T1218.011 |
Rundll32 |
TA0005 |
T1218 |
true |
| T1218.009 |
Regsvcs/Regasm |
TA0005 |
T1218 |
true |
| T1218.003 |
CMSTP |
TA0005 |
T1218 |
true |
| T1218.007 |
Msiexec |
TA0005 |
T1218 |
true |
| T1620 |
Reflective Code Loading |
TA0005 |
|
false |
| T1611 |
Escape to Host |
TA0004 |
|
false |
| T1010 |
Application Window Discovery |
TA0007 |
|
false |
| T1029 |
Scheduled Transfer |
TA0010 |
|
false |
| T1525 |
Implant Internal Image |
TA0003 |
|
false |
| T1572 |
Protocol Tunneling |
TA0011 |
|
false |
| T1550 |
Use Alternate Authentication Material |
TA0005, TA0008 |
|
false |
| T1550.004 |
Web Session Cookie |
TA0005, TA0008 |
T1550 |
true |
| T1550.001 |
Application Access Token |
TA0005, TA0008 |
T1550 |
true |
| T1550.003 |
Pass the Ticket |
TA0005, TA0008 |
T1550 |
true |
| T1550.002 |
Pass the Hash |
TA0005, TA0008 |
T1550 |
true |
| T1011 |
Exfiltration Over Other Network Medium |
TA0010 |
|
false |
| T1011.001 |
Exfiltration Over Bluetooth |
TA0010 |
T1011 |
true |
| T1589 |
Gather Victim Identity Information |
TA0043 |
|
false |
| T1589.003 |
Employee Names |
TA0043 |
T1589 |
true |
| T1589.002 |
Email Addresses |
TA0043 |
T1589 |
true |
| T1589.001 |
Credentials |
TA0043 |
T1589 |
true |
| T1560 |
Archive Collected Data |
TA0009 |
|
false |
| T1560.002 |
Archive via Library |
TA0009 |
T1560 |
true |
| T1560.001 |
Archive via Utility |
TA0009 |
T1560 |
true |
| T1560.003 |
Archive via Custom Method |
TA0009 |
T1560 |
true |
| T1185 |
Browser Session Hijacking |
TA0009 |
|
false |
| T1021 |
Remote Services |
TA0008 |
|
false |
| T1021.006 |
Windows Remote Management |
TA0008 |
T1021 |
true |
| T1021.005 |
VNC |
TA0008 |
T1021 |
true |
| T1021.002 |
SMB/Windows Admin Shares |
TA0008 |
T1021 |
true |
| T1021.007 |
Cloud Services |
TA0008 |
T1021 |
true |
| T1021.001 |
Remote Desktop Protocol |
TA0008 |
T1021 |
true |
| T1021.003 |
Distributed Component Object Model |
TA0008 |
T1021 |
true |
| T1021.008 |
Direct Cloud VM Connections |
TA0008 |
T1021 |
true |
| T1021.004 |
SSH |
TA0008 |
T1021 |
true |
| T1596 |
Search Open Technical Databases |
TA0043 |
|
false |
| T1596.003 |
Digital Certificates |
TA0043 |
T1596 |
true |
| T1596.005 |
Scan Databases |
TA0043 |
T1596 |
true |
| T1596.001 |
DNS/Passive DNS |
TA0043 |
T1596 |
true |
| T1596.004 |
CDNs |
TA0043 |
T1596 |
true |
| T1596.002 |
WHOIS |
TA0043 |
T1596 |
true |
| T1207 |
Rogue Domain Controller |
TA0005 |
|
false |
| T1610 |
Deploy Container |
TA0005, TA0002 |
|
false |
| T1112 |
Modify Registry |
TA0005, TA0003 |
|
false |
| T1580 |
Cloud Infrastructure Discovery |
TA0007 |
|
false |
| T1491 |
Defacement |
TA0040 |
|
false |
| T1491.002 |
External Defacement |
TA0040 |
T1491 |
true |
| T1491.001 |
Internal Defacement |
TA0040 |
T1491 |
true |
| T1535 |
Unused/Unsupported Cloud Regions |
TA0005 |
|
false |
| T1563 |
Remote Service Session Hijacking |
TA0008 |
|
false |
| T1563.002 |
RDP Hijacking |
TA0008 |
T1563 |
true |
| T1563.001 |
SSH Hijacking |
TA0008 |
T1563 |
true |
| T1217 |
Browser Information Discovery |
TA0007 |
|
false |
| T1681 |
Search Threat Vendor Data |
TA0043 |
|
false |
| T1674 |
Input Injection |
TA0002 |
|
false |
| T1092 |
Communication Through Removable Media |
TA0011 |
|
false |
| T1222 |
File and Directory Permissions Modification |
TA0005 |
|
false |
| T1222.002 |
Linux and Mac File and Directory Permissions Modification |
TA0005 |
T1222 |
true |
| T1222.001 |
Windows File and Directory Permissions Modification |
TA0005 |
T1222 |
true |
| T1595 |
Active Scanning |
TA0043 |
|
false |
| T1595.003 |
Wordlist Scanning |
TA0043 |
T1595 |
true |
| T1595.001 |
Scanning IP Blocks |
TA0043 |
T1595 |
true |
| T1595.002 |
Vulnerability Scanning |
TA0043 |
T1595 |
true |
| T1548 |
Abuse Elevation Control Mechanism |
TA0004, TA0005 |
|
false |
| T1548.001 |
Setuid and Setgid |
TA0004, TA0005 |
T1548 |
true |
| T1548.005 |
Temporary Elevated Cloud Access |
TA0004, TA0005 |
T1548 |
true |
| T1548.002 |
Bypass User Account Control |
TA0004, TA0005 |
T1548 |
true |
| T1548.004 |
Elevated Execution with Prompt |
TA0004, TA0005 |
T1548 |
true |
| T1548.003 |
Sudo and Sudo Caching |
TA0004, TA0005 |
T1548 |
true |
| T1548.006 |
TCC Manipulation |
TA0004, TA0005 |
T1548 |
true |
| T1673 |
Virtual Machine Discovery |
TA0007 |
|
false |
| T1125 |
Video Capture |
TA0009 |
|
false |
| T1016 |
System Network Configuration Discovery |
TA0007 |
|
false |
| T1016.002 |
Wi-Fi Discovery |
TA0007 |
T1016 |
true |
| T1016.001 |
Internet Connection Discovery |
TA0007 |
T1016 |
true |
| T1087 |
Account Discovery |
TA0007 |
|
false |
| T1087.003 |
Email Account |
TA0007 |
T1087 |
true |
| T1087.004 |
Cloud Account |
TA0007 |
T1087 |
true |
| T1087.002 |
Domain Account |
TA0007 |
T1087 |
true |
| T1087.001 |
Local Account |
TA0007 |
T1087 |
true |
| T1090 |
Proxy |
TA0011 |
|
false |
| T1090.001 |
Internal Proxy |
TA0011 |
T1090 |
true |
| T1090.003 |
Multi-hop Proxy |
TA0011 |
T1090 |
true |
| T1090.004 |
Domain Fronting |
TA0011 |
T1090 |
true |
| T1090.002 |
External Proxy |
TA0011 |
T1090 |
true |
| T1059 |
Command and Scripting Interpreter |
TA0002 |
|
false |
| T1059.005 |
Visual Basic |
TA0002 |
T1059 |
true |
| T1059.002 |
AppleScript |
TA0002 |
T1059 |
true |
| T1059.003 |
Windows Command Shell |
TA0002 |
T1059 |
true |
| T1059.013 |
Container CLI/API |
TA0002 |
T1059 |
true |
| T1059.004 |
Unix Shell |
TA0002 |
T1059 |
true |
| T1059.010 |
AutoHotKey & AutoIT |
TA0002 |
T1059 |
true |
| T1059.008 |
Network Device CLI |
TA0002 |
T1059 |
true |
| T1059.012 |
Hypervisor CLI |
TA0002 |
T1059 |
true |
| T1059.006 |
Python |
TA0002 |
T1059 |
true |
| T1059.001 |
PowerShell |
TA0002 |
T1059 |
true |
| T1059.009 |
Cloud API |
TA0002 |
T1059 |
true |
| T1059.011 |
Lua |
TA0002 |
T1059 |
true |
| T1059.007 |
JavaScript |
TA0002 |
T1059 |
true |
| T1677 |
Poisoned Pipeline Execution |
TA0002 |
|
false |
| T1482 |
Domain Trust Discovery |
TA0007 |
|
false |
| T1020 |
Automated Exfiltration |
TA0010 |
|
false |
| T1020.001 |
Traffic Duplication |
TA0010 |
T1020 |
true |
| T1070 |
Indicator Removal |
TA0005 |
|
false |
| T1070.004 |
File Deletion |
TA0005 |
T1070 |
true |
| T1070.006 |
Timestomp |
TA0005 |
T1070 |
true |
| T1070.008 |
Clear Mailbox Data |
TA0005 |
T1070 |
true |
| T1070.002 |
Clear Linux or Mac System Logs |
TA0005 |
T1070 |
true |
| T1070.001 |
Clear Windows Event Logs |
TA0005 |
T1070 |
true |
| T1070.009 |
Clear Persistence |
TA0005 |
T1070 |
true |
| T1070.003 |
Clear Command History |
TA0005 |
T1070 |
true |
| T1070.010 |
Relocate Malware |
TA0005 |
T1070 |
true |
| T1070.007 |
Clear Network Connection History and Configurations |
TA0005 |
T1070 |
true |
| T1070.005 |
Network Share Connection Removal |
TA0005 |
T1070 |
true |
| T1609 |
Container Administration Command |
TA0002 |
|
false |
| T1083 |
File and Directory Discovery |
TA0007 |
|
false |
| T1568 |
Dynamic Resolution |
TA0011 |
|
false |
| T1568.001 |
Fast Flux DNS |
TA0011 |
T1568 |
true |
| T1568.002 |
Domain Generation Algorithms |
TA0011 |
T1568 |
true |
| T1568.003 |
DNS Calculation |
TA0011 |
T1568 |
true |
| T1647 |
Plist File Modification |
TA0005 |
|
false |
| T1074 |
Data Staged |
TA0009 |
|
false |
| T1074.001 |
Local Data Staging |
TA0009 |
T1074 |
true |
| T1074.002 |
Remote Data Staging |
TA0009 |
T1074 |
true |
| T1649 |
Steal or Forge Authentication Certificates |
TA0006 |
|
false |
| T1049 |
System Network Connections Discovery |
TA0007 |
|
false |
| T1584 |
Compromise Infrastructure |
TA0042 |
|
false |
| T1584.003 |
Virtual Private Server |
TA0042 |
T1584 |
true |
| T1584.002 |
DNS Server |
TA0042 |
T1584 |
true |
| T1584.006 |
Web Services |
TA0042 |
T1584 |
true |
| T1584.007 |
Serverless |
TA0042 |
T1584 |
true |
| T1584.005 |
Botnet |
TA0042 |
T1584 |
true |
| T1584.004 |
Server |
TA0042 |
T1584 |
true |
| T1584.008 |
Network Devices |
TA0042 |
T1584 |
true |
| T1584.001 |
Domains |
TA0042 |
T1584 |
true |
| T1542 |
Pre-OS Boot |
TA0005, TA0003 |
|
false |
| T1542.003 |
Bootkit |
TA0005, TA0003 |
T1542 |
true |
| T1542.005 |
TFTP Boot |
TA0005, TA0003 |
T1542 |
true |
| T1542.002 |
Component Firmware |
TA0005, TA0003 |
T1542 |
true |
| T1542.004 |
ROMMONkit |
TA0005, TA0003 |
T1542 |
true |
| T1542.001 |
System Firmware |
TA0005, TA0003 |
T1542 |
true |
| T1612 |
Build Image on Host |
TA0005 |
|
false |
| T1586 |
Compromise Accounts |
TA0042 |
|
false |
| T1586.003 |
Cloud Accounts |
TA0042 |
T1586 |
true |
| T1586.002 |
Email Accounts |
TA0042 |
T1586 |
true |
| T1586.001 |
Social Media Accounts |
TA0042 |
T1586 |
true |
| T1497 |
Virtualization/Sandbox Evasion |
TA0005, TA0007 |
|
false |
| T1497.002 |
User Activity Based Checks |
TA0005, TA0007 |
T1497 |
true |
| T1497.001 |
System Checks |
TA0005, TA0007 |
T1497 |
true |
| T1497.003 |
Time Based Checks |
TA0005, TA0007 |
T1497 |
true |
| T1102 |
Web Service |
TA0011 |
|
false |
| T1102.003 |
One-Way Communication |
TA0011 |
T1102 |
true |
| T1102.001 |
Dead Drop Resolver |
TA0011 |
T1102 |
true |
| T1102.002 |
Bidirectional Communication |
TA0011 |
T1102 |
true |
| T1608 |
Stage Capabilities |
TA0042 |
|
false |
| T1608.004 |
Drive-by Target |
TA0042 |
T1608 |
true |
| T1608.005 |
Link Target |
TA0042 |
T1608 |
true |
| T1608.006 |
SEO Poisoning |
TA0042 |
T1608 |
true |
| T1608.003 |
Install Digital Certificate |
TA0042 |
T1608 |
true |
| T1608.002 |
Upload Tool |
TA0042 |
T1608 |
true |
| T1608.001 |
Upload Malware |
TA0042 |
T1608 |
true |
| T1104 |
Multi-Stage Channels |
TA0011 |
|
false |
| T1657 |
Financial Theft |
TA0040 |
|
false |
| T1480 |
Execution Guardrails |
TA0005 |
|
false |
| T1480.001 |
Environmental Keying |
TA0005 |
T1480 |
true |
| T1480.002 |
Mutual Exclusion |
TA0005 |
T1480 |
true |
| T1619 |
Cloud Storage Object Discovery |
TA0007 |
|
false |
| T1654 |
Log Enumeration |
TA0007 |
|
false |
| T1528 |
Steal Application Access Token |
TA0006 |
|
false |
| T1204 |
User Execution |
TA0002 |
|
false |
| T1204.005 |
Malicious Library |
TA0002 |
T1204 |
true |
| T1204.002 |
Malicious File |
TA0002 |
T1204 |
true |
| T1204.003 |
Malicious Image |
TA0002 |
T1204 |
true |
| T1204.001 |
Malicious Link |
TA0002 |
T1204 |
true |
| T1204.004 |
Malicious Copy and Paste |
TA0002 |
T1204 |
true |
| T1057 |
Process Discovery |
TA0007 |
|
false |
| T1072 |
Software Deployment Tools |
TA0002, TA0008 |
|
false |
| T1041 |
Exfiltration Over C2 Channel |
TA0010 |
|
false |
| T1591 |
Gather Victim Org Information |
TA0043 |
|
false |
| T1591.002 |
Business Relationships |
TA0043 |
T1591 |
true |
| T1591.001 |
Determine Physical Locations |
TA0043 |
T1591 |
true |
| T1591.004 |
Identify Roles |
TA0043 |
T1591 |
true |
| T1591.003 |
Identify Business Tempo |
TA0043 |
T1591 |
true |
| T1606 |
Forge Web Credentials |
TA0006 |
|
false |
| T1606.001 |
Web Cookies |
TA0006 |
T1606 |
true |
| T1606.002 |
SAML Tokens |
TA0006 |
T1606 |
true |
| T1621 |
Multi-Factor Authentication Request Generation |
TA0006 |
|
false |
| T1554 |
Compromise Host Software Binary |
TA0003 |
|
false |
| T1679 |
Selective Exclusion |
TA0005 |
|
false |
| T1212 |
Exploitation for Credential Access |
TA0006 |
|
false |
| T1590 |
Gather Victim Network Information |
TA0043 |
|
false |
| T1590.001 |
Domain Properties |
TA0043 |
T1590 |
true |
| T1590.002 |
DNS |
TA0043 |
T1590 |
true |
| T1590.005 |
IP Addresses |
TA0043 |
T1590 |
true |
| T1590.003 |
Network Trust Dependencies |
TA0043 |
T1590 |
true |
| T1590.004 |
Network Topology |
TA0043 |
T1590 |
true |
| T1590.006 |
Network Security Appliances |
TA0043 |
T1590 |
true |
| T1210 |
Exploitation of Remote Services |
TA0008 |
|
false |
| T1534 |
Internal Spearphishing |
TA0008 |
|
false |
| T1199 |
Trusted Relationship |
TA0001 |
|
false |
| T1593 |
Search Open Websites/Domains |
TA0043 |
|
false |
| T1593.002 |
Search Engines |
TA0043 |
T1593 |
true |
| T1593.003 |
Code Repositories |
TA0043 |
T1593 |
true |
| T1593.001 |
Social Media |
TA0043 |
T1593 |
true |
| T1098 |
Account Manipulation |
TA0003, TA0004 |
|
false |
| T1098.001 |
Additional Cloud Credentials |
TA0003, TA0004 |
T1098 |
true |
| T1098.002 |
Additional Email Delegate Permissions |
TA0003, TA0004 |
T1098 |
true |
| T1098.003 |
Additional Cloud Roles |
TA0003, TA0004 |
T1098 |
true |
| T1098.005 |
Device Registration |
TA0003, TA0004 |
T1098 |
true |
| T1098.006 |
Additional Container Cluster Roles |
TA0003, TA0004 |
T1098 |
true |
| T1098.004 |
SSH Authorized Keys |
TA0003, TA0004 |
T1098 |
true |
| T1098.007 |
Additional Local or Domain Groups |
TA0003, TA0004 |
T1098 |
true |
| T1048 |
Exfiltration Over Alternative Protocol |
TA0010 |
|
false |
| T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
TA0010 |
T1048 |
true |
| T1048.003 |
Exfiltration Over Unencrypted Non-C2 Protocol |
TA0010 |
T1048 |
true |
| T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
TA0010 |
T1048 |
true |
| T1678 |
Delay Execution |
TA0005 |
|
false |
| T1597 |
Search Closed Sources |
TA0043 |
|
false |
| T1597.001 |
Threat Intel Vendors |
TA0043 |
T1597 |
true |
| T1597.002 |
Purchase Technical Data |
TA0043 |
T1597 |
true |
| T1566 |
Phishing |
TA0001 |
|
false |
| T1566.002 |
Spearphishing Link |
TA0001 |
T1566 |
true |
| T1566.001 |
Spearphishing Attachment |
TA0001 |
T1566 |
true |
| T1566.004 |
Spearphishing Voice |
TA0001 |
T1566 |
true |
| T1566.003 |
Spearphishing via Service |
TA0001 |
T1566 |
true |
| T1110 |
Brute Force |
TA0006 |
|
false |
| T1110.004 |
Credential Stuffing |
TA0006 |
T1110 |
true |
| T1110.002 |
Password Cracking |
TA0006 |
T1110 |
true |
| T1110.001 |
Password Guessing |
TA0006 |
T1110 |
true |
| T1110.003 |
Password Spraying |
TA0006 |
T1110 |
true |
| T1565 |
Data Manipulation |
TA0040 |
|
false |
| T1565.002 |
Transmitted Data Manipulation |
TA0040 |
T1565 |
true |
| T1565.003 |
Runtime Data Manipulation |
TA0040 |
T1565 |
true |
| T1565.001 |
Stored Data Manipulation |
TA0040 |
T1565 |
true |
| T1559 |
Inter-Process Communication |
TA0002 |
|
false |
| T1559.003 |
XPC Services |
TA0002 |
T1559 |
true |
| T1559.002 |
Dynamic Data Exchange |
TA0002 |
T1559 |
true |
| T1559.001 |
Component Object Model |
TA0002 |
T1559 |
true |
| T1001 |
Data Obfuscation |
TA0011 |
|
false |
| T1001.001 |
Junk Data |
TA0011 |
T1001 |
true |
| T1001.003 |
Protocol or Service Impersonation |
TA0011 |
T1001 |
true |
| T1001.002 |
Steganography |
TA0011 |
T1001 |
true |
| T1039 |
Data from Network Shared Drive |
TA0009 |
|
false |
| T1601 |
Modify System Image |
TA0005 |
|
false |
| T1601.002 |
Downgrade System Image |
TA0005 |
T1601 |
true |
| T1601.001 |
Patch System Image |
TA0005 |
T1601 |
true |
| T1574 |
Hijack Execution Flow |
TA0003, TA0004, TA0005 |
|
false |
| T1574.010 |
Services File Permissions Weakness |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.013 |
KernelCallbackTable |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.007 |
Path Interception by PATH Environment Variable |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.005 |
Executable Installer File Permissions Weakness |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.009 |
Path Interception by Unquoted Path |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.004 |
Dylib Hijacking |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.006 |
Dynamic Linker Hijacking |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.014 |
AppDomainManager |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.001 |
DLL |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.008 |
Path Interception by Search Order Hijacking |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.011 |
Services Registry Permissions Weakness |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1574.012 |
COR_PROFILER |
TA0003, TA0004, TA0005 |
T1574 |
true |
| T1078 |
Valid Accounts |
TA0005, TA0003, TA0004, TA0001 |
|
false |
| T1078.004 |
Cloud Accounts |
TA0005, TA0003, TA0004, TA0001 |
T1078 |
true |
| T1078.002 |
Domain Accounts |
TA0005, TA0003, TA0004, TA0001 |
T1078 |
true |
| T1078.003 |
Local Accounts |
TA0005, TA0003, TA0004, TA0001 |
T1078 |
true |
| T1078.001 |
Default Accounts |
TA0005, TA0003, TA0004, TA0001 |
T1078 |
true |
| T1571 |
Non-Standard Port |
TA0011 |
|
false |
| T1068 |
Exploitation for Privilege Escalation |
TA0004 |
|
false |
| T1531 |
Account Access Removal |
TA0040 |
|
false |
| T1027 |
Obfuscated Files or Information |
TA0005 |
|
false |
| T1027.005 |
Indicator Removal from Tools |
TA0005 |
T1027 |
true |
| T1027.009 |
Embedded Payloads |
TA0005 |
T1027 |
true |
| T1027.013 |
Encrypted/Encoded File |
TA0005 |
T1027 |
true |
| T1027.012 |
LNK Icon Smuggling |
TA0005 |
T1027 |
true |
| T1027.017 |
SVG Smuggling |
TA0005 |
T1027 |
true |
| T1027.006 |
HTML Smuggling |
TA0005 |
T1027 |
true |
| T1027.011 |
Fileless Storage |
TA0005 |
T1027 |
true |
| T1027.014 |
Polymorphic Code |
TA0005 |
T1027 |
true |
| T1027.010 |
Command Obfuscation |
TA0005 |
T1027 |
true |
| T1027.004 |
Compile After Delivery |
TA0005 |
T1027 |
true |
| T1027.007 |
Dynamic API Resolution |
TA0005 |
T1027 |
true |
| T1027.003 |
Steganography |
TA0005 |
T1027 |
true |
| T1027.015 |
Compression |
TA0005 |
T1027 |
true |
| T1027.016 |
Junk Code Insertion |
TA0005 |
T1027 |
true |
| T1027.008 |
Stripped Payloads |
TA0005 |
T1027 |
true |
| T1027.002 |
Software Packing |
TA0005 |
T1027 |
true |
| T1027.001 |
Binary Padding |
TA0005 |
T1027 |
true |
| T1201 | Password Policy Discovery | TA0007 | | false |
| T1546 | Event Triggered Execution | TA0004, TA0003 | | false |
| T1546.002 | Screensaver | TA0004, TA0003 | T1546 | true |
| T1546.013 | PowerShell Profile | TA0004, TA0003 | T1546 | true |
| T1546.016 | Installer Packages | TA0004, TA0003 | T1546 | true |
| T1546.003 | Windows Management Instrumentation Event Subscription | TA0004, TA0003 | T1546 | true |
| T1546.006 | LC_LOAD_DYLIB Addition | TA0004, TA0003 | T1546 | true |
| T1546.018 | Python Startup Hooks | TA0004, TA0003 | T1546 | true |
| T1546.011 | Application Shimming | TA0004, TA0003 | T1546 | true |
| T1546.015 | Component Object Model Hijacking | TA0004, TA0003 | T1546 | true |
| T1546.004 | Unix Shell Configuration Modification | TA0004, TA0003 | T1546 | true |
| T1546.010 | AppInit DLLs | TA0004, TA0003 | T1546 | true |
| T1546.005 | Trap | TA0004, TA0003 | T1546 | true |
| T1546.007 | Netsh Helper DLL | TA0004, TA0003 | T1546 | true |
| T1546.012 | Image File Execution Options Injection | TA0004, TA0003 | T1546 | true |
| T1546.001 | Change Default File Association | TA0004, TA0003 | T1546 | true |
| T1546.009 | AppCert DLLs | TA0004, TA0003 | T1546 | true |
| T1546.017 | Udev Rules | TA0004, TA0003 | T1546 | true |
| T1546.014 | Emond | TA0004, TA0003 | T1546 | true |
| T1546.008 | Accessibility Features | TA0004, TA0003 | T1546 | true |
| T1187 | Forced Authentication | TA0006 | | false |
| T1599 | Network Boundary Bridging | TA0005 | | false |
| T1599.001 | Network Address Translation Traversal | TA0005 | T1599 | true |
| T1486 | Data Encrypted for Impact | TA0040 | | false |
| T1553 | Subvert Trust Controls | TA0005 | | false |
| T1553.005 | Mark-of-the-Web Bypass | TA0005 | T1553 | true |
| T1553.002 | Code Signing | TA0005 | T1553 | true |
| T1553.004 | Install Root Certificate | TA0005 | T1553 | true |
| T1553.003 | SIP and Trust Provider Hijacking | TA0005 | T1553 | true |
| T1553.006 | Code Signing Policy Modification | TA0005 | T1553 | true |
| T1553.001 | Gatekeeper Bypass | TA0005 | T1553 | true |
| T1573 | Encrypted Channel | TA0011 | | false |
| T1573.002 | Asymmetric Cryptography | TA0011 | T1573 | true |
| T1573.001 | Symmetric Cryptography | TA0011 | T1573 | true |
| T1056 | Input Capture | TA0009, TA0006 | | false |
| T1056.001 | Keylogging | TA0009, TA0006 | T1056 | true |
| T1056.002 | GUI Input Capture | TA0009, TA0006 | T1056 | true |
| T1056.004 | Credential API Hooking | TA0009, TA0006 | T1056 | true |
| T1056.003 | Web Portal Capture | TA0009, TA0006 | T1056 | true |
| T1203 | Exploitation for Client Execution | TA0002 | | false |
| T1667 | Email Bombing | TA0040 | | false |
| T1570 | Lateral Tool Transfer | TA0008 | | false |
| T1095 | Non-Application Layer Protocol | TA0011 | | false |
| T1671 | Cloud Application Integration | TA0003 | | false |
| T1012 | Query Registry | TA0007 | | false |
| T1030 | Data Transfer Size Limits | TA0010 | | false |
| T1499 | Endpoint Denial of Service | TA0040 | | false |
| T1499.003 | Application Exhaustion Flood | TA0040 | T1499 | true |
| T1499.002 | Service Exhaustion Flood | TA0040 | T1499 | true |
| T1499.004 | Application or System Exploitation | TA0040 | T1499 | true |
| T1499.001 | OS Exhaustion Flood | TA0040 | T1499 | true |
| T1614 | System Location Discovery | TA0007 | | false |
| T1614.001 | System Language Discovery | TA0007 | T1614 | true |
| T1197 | BITS Jobs | TA0005, TA0003 | | false |
| T1656 | Impersonation | TA0005 | | false |
| T1132 | Data Encoding | TA0011 | | false |
| T1132.001 | Standard Encoding | TA0011 | T1132 | true |
| T1132.002 | Non-Standard Encoding | TA0011 | T1132 | true |
| T1598 | Phishing for Information | TA0043 | | false |
| T1598.004 | Spearphishing Voice | TA0043 | T1598 | true |
| T1598.001 | Spearphishing Service | TA0043 | T1598 | true |
| T1598.002 | Spearphishing Attachment | TA0043 | T1598 | true |
| T1598.003 | Spearphishing Link | TA0043 | T1598 | true |
| T1496 | Resource Hijacking | TA0040 | | false |
| T1496.001 | Compute Hijacking | TA0040 | T1496 | true |
| T1496.002 | Bandwidth Hijacking | TA0040 | T1496 | true |
| T1496.004 | Cloud Service Hijacking | TA0040 | T1496 | true |
| T1496.003 | SMS Pumping | TA0040 | T1496 | true |
| T1585 | Establish Accounts | TA0042 | | false |
| T1585.003 | Cloud Accounts | TA0042 | T1585 | true |
| T1585.002 | Email Accounts | TA0042 | T1585 | true |
| T1585.001 | Social Media Accounts | TA0042 | T1585 | true |
| T1588 | Obtain Capabilities | TA0042 | | false |
| T1588.006 | Vulnerabilities | TA0042 | T1588 | true |
| T1588.005 | Exploits | TA0042 | T1588 | true |
| T1588.007 | Artificial Intelligence | TA0042 | T1588 | true |
| T1588.004 | Digital Certificates | TA0042 | T1588 | true |
| T1588.002 | Tool | TA0042 | T1588 | true |
| T1588.003 | Code Signing Certificates | TA0042 | T1588 | true |
| T1588.001 | Malware | TA0042 | T1588 | true |
| T1569 | System Services | TA0002 | | false |
| T1569.003 | Systemctl | TA0002 | T1569 | true |
| T1569.002 | Service Execution | TA0002 | T1569 | true |
| T1569.001 | Launchctl | TA0002 | T1569 | true |
| T1650 | Acquire Access | TA0042 | | false |
| T1213 | Data from Information Repositories | TA0009 | | false |
| T1213.003 | Code Repositories | TA0009 | T1213 | true |
| T1213.006 | Databases | TA0009 | T1213 | true |
| T1213.005 | Messaging Applications | TA0009 | T1213 | true |
| T1213.004 | Customer Relationship Management Software | TA0009 | T1213 | true |
| T1213.002 | Sharepoint | TA0009 | T1213 | true |
| T1213.001 | Confluence | TA0009 | T1213 | true |
| T1200 | Hardware Additions | TA0001 | | false |
| T1505 | Server Software Component | TA0003 | | false |
| T1505.002 | Transport Agent | TA0003 | T1505 | true |
| T1505.004 | IIS Components | TA0003 | T1505 | true |
| T1505.003 | Web Shell | TA0003 | T1505 | true |
| T1505.005 | Terminal Services DLL | TA0003 | T1505 | true |
| T1505.006 | vSphere Installation Bundles | TA0003 | T1505 | true |
| T1505.001 | SQL Stored Procedures | TA0003 | T1505 | true |
| T1485 | Data Destruction | TA0040 | | false |
| T1485.001 | Lifecycle-Triggered Deletion | TA0040 | T1485 | true |
| T1537 | Transfer Data to Cloud Account | TA0010 | | false |
| T1189 | Drive-by Compromise | TA0001 | | false |
| T1498 | Network Denial of Service | TA0040 | | false |
| T1498.002 | Reflection Amplification | TA0040 | T1498 | true |
| T1498.001 | Direct Network Flood | TA0040 | T1498 | true |
| T1651 | Cloud Administration Command | TA0002 | | false |
| T1221 | Template Injection | TA0005 | | false |
| T1134 | Access Token Manipulation | TA0005, TA0004 | | false |
| T1134.001 | Token Impersonation/Theft | TA0005, TA0004 | T1134 | true |
| T1134.004 | Parent PID Spoofing | TA0005, TA0004 | T1134 | true |
| T1134.005 | SID-History Injection | TA0005, TA0004 | T1134 | true |
| T1134.002 | Create Process with Token | TA0005, TA0004 | T1134 | true |
| T1134.003 | Make and Impersonate Token | TA0005, TA0004 | T1134 | true |
| T1111 | Multi-Factor Authentication Interception | TA0006 | | false |
| T1668 | Exclusive Control | TA0003 | | false |
| T1136 | Create Account | TA0003 | | false |
| T1136.003 | Cloud Account | TA0003 | T1136 | true |
| T1136.001 | Local Account | TA0003 | T1136 | true |
| T1136.002 | Domain Account | TA0003 | T1136 | true |
| T1672 | Email Spoofing | TA0005 | | false |
| T1526 | Cloud Service Discovery | TA0007 | | false |
| T1018 | Remote System Discovery | TA0007 | | false |
| T1046 | Network Service Discovery | TA0007 | | false |
| T1518 | Software Discovery | TA0007 | | false |
| T1518.001 | Security Software Discovery | TA0007 | T1518 | true |
| T1518.002 | Backup Software Discovery | TA0007 | T1518 | true |
| T1538 | Cloud Service Dashboard | TA0007 | | false |
| T1622 | Debugger Evasion | TA0005, TA0007 | | false |
| T1052 | Exfiltration Over Physical Medium | TA0010 | | false |
| T1052.001 | Exfiltration over USB | TA0010 | T1052 | true |
| T1105 | Ingress Tool Transfer | TA0011 | | false |
| T1648 | Serverless Execution | TA0002 | | false |
| T1653 | Power Settings | TA0003 | | false |
| T1665 | Hide Infrastructure | TA0011 | | false |
| T1484 | Domain or Tenant Policy Modification | TA0005, TA0004 | | false |
| T1484.002 | Trust Modification | TA0005, TA0004 | T1484 | true |
| T1484.001 | Group Policy Modification | TA0005, TA0004 | T1484 | true |
| T1220 | XSL Script Processing | TA0005 | | false |
| T1587 | Develop Capabilities | TA0042 | | false |
| T1587.002 | Code Signing Certificates | TA0042 | T1587 | true |
| T1587.003 | Digital Certificates | TA0042 | T1587 | true |
| T1587.004 | Exploits | TA0042 | T1587 | true |
| T1587.001 | Malware | TA0042 | T1587 | true |
| T1008 | Fallback Channels | TA0011 | | false |
| T1680 | Local Storage Discovery | TA0007 | | false |
| T1124 | System Time Discovery | TA0007 | | false |
| T1556 | Modify Authentication Process | TA0006, TA0005, TA0003 | | false |
| T1556.004 | Network Device Authentication | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.001 | Domain Controller Authentication | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.009 | Conditional Access Policies | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.008 | Network Provider DLL | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.002 | Password Filter DLL | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.006 | Multi-Factor Authentication | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.007 | Hybrid Identity | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.005 | Reversible Encryption | TA0006, TA0005, TA0003 | T1556 | true |
| T1556.003 | Pluggable Authentication Modules | TA0006, TA0005, TA0003 | T1556 | true |
| T1495 | Firmware Corruption | TA0040 | | false |
| T1490 | Inhibit System Recovery | TA0040 | | false |
| T1216 | System Script Proxy Execution | TA0005 | | false |
| T1216.001 | PubPrn | TA0005 | T1216 | true |
| T1216.002 | SyncAppvPublishingServer | TA0005 | T1216 | true |
| T1669 | Wi-Fi Networks | TA0001 | | false |
| T1211 | Exploitation for Defense Evasion | TA0005 | | false |
| T1127 | Trusted Developer Utilities Proxy Execution | TA0005 | | false |
| T1127.001 | MSBuild | TA0005 | T1127 | true |
| T1127.002 | ClickOnce | TA0005 | T1127 | true |
| T1127.003 | JamPlus | TA0005 | T1127 | true |
| T1529 | System Shutdown/Reboot | TA0040 | | false |