All Atomic Tests by ATT&CK Tactic & Technique

| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| External Remote Services | Scheduled Task/Job: Scheduled Task | Scheduled Task/Job: Scheduled Task | Process Injection: Extra Window Memory Injection | Process Injection: Extra Window Memory Injection | Adversary-in-the-Middle CONTRIBUTE A TEST | System Owner/User Discovery | Remote Services:VNC | Archive Collected Data: Archive via Utility | Exfiltration Over Web Service CONTRIBUTE A TEST | Socket Filters CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST |
| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Windows Management Instrumentation | Socket Filters CONTRIBUTE A TEST | Scheduled Task/Job: Scheduled Task | Socket Filters CONTRIBUTE A TEST | Modify Authentication Process: Pluggable Authentication Modules | Container and Resource Discovery | Taint Shared Content CONTRIBUTE A TEST | Screen Capture | Exfiltration Over Webhook CONTRIBUTE A TEST | Data Encoding: Standard Encoding | Direct Network Flood CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST | Server Software Component | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Fileless Storage CONTRIBUTE A TEST | Input Capture: Keylogging | Internet Connection Discovery CONTRIBUTE A TEST | Remote Services: SSH | Adversary-in-the-Middle CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | External Defacement CONTRIBUTE A TEST |
| Phishing: Spearphishing Attachment | Command and Scripting Interpreter: JavaScript | Modify Authentication Process: Pluggable Authentication Modules | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Signed Binary Proxy Execution: Rundll32 | Brute Force: Password Guessing | Permission Groups Discovery CONTRIBUTE A TEST | Replication Through Removable Media | Input Capture: Keylogging | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | Application Layer Protocol: DNS | OS Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Hardware Supply Chain CONTRIBUTE A TEST | Kubernetes Cronjob | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Event Triggered Execution: PowerShell Profile | Embedded Payloads CONTRIBUTE A TEST | OS Credential Dumping | Cloud Groups CONTRIBUTE A TEST | Direct Cloud VM Connections CONTRIBUTE A TEST | Data from Configuration Repository CONTRIBUTE A TEST | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Symmetric Cryptography CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST |
| Replication Through Removable Media | Inter-Process Communication: Dynamic Data Exchange | Event Triggered Execution: PowerShell Profile | Create or Modify System Process CONTRIBUTE A TEST | Modify Authentication Process: Pluggable Authentication Modules | Steal Web Session Cookie | Group Policy Discovery | SSH Hijacking CONTRIBUTE A TEST | Sharepoint CONTRIBUTE A TEST | Automated Exfiltration | Fast Flux DNS CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST |
| Supply Chain Compromise | User Execution: Malicious File | Create or Modify System Process CONTRIBUTE A TEST | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Revert Cloud Instance CONTRIBUTE A TEST | OS Credential Dumping: Security Account Manager | Device Driver Discovery CONTRIBUTE A TEST | Remote Services: SMB/Windows Admin Shares | Audio Capture | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Application Layer Protocol | Stored Data Manipulation CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST | Scheduled Task/Job: Cron | External Remote Services | Kubernetes Cronjob | File/Path Exclusions CONTRIBUTE A TEST | Unsecured Credentials: Cloud Instance Metadata API | Account Discovery: Domain Account | Use Alternate Authentication Material CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Traffic Duplication CONTRIBUTE A TEST | Remote Access Software | Service Stop |
| Content Injection CONTRIBUTE A TEST | Component Object Model CONTRIBUTE A TEST | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Abuse Elevation Control Mechanism: Bypass User Account Control | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | Securityd Memory CONTRIBUTE A TEST | Account Discovery: Local Account | Remote Services CONTRIBUTE A TEST | Email Collection CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Content Injection CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST |
| Valid Accounts: Default Accounts | Scheduled Task/Job CONTRIBUTE A TEST | Kubernetes Cronjob | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Signed Script Proxy Execution: Pubprn | Brute Force: Password Cracking | Virtualization/Sandbox Evasion: System Checks | Remote Service Session Hijacking CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Traffic Signaling CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST | Command and Scripting Interpreter: AppleScript | Pre-OS Boot: System Firmware | Hijack Execution Flow: Services Registry Permissions Weakness | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Credentials from Password Stores: Keychain | Permission Groups Discovery: Domain Groups | Remote Services: Windows Remote Management | Data Staged: Local Data Staging | Exfiltration Over C2 Channel | Protocol Tunneling | Reflection Amplification CONTRIBUTE A TEST |
| Phishing CONTRIBUTE A TEST | Native API | Hijack Execution Flow: Services Registry Permissions Weakness | Boot or Logon Autostart Execution | Direct Volume Access | OS Credential Dumping: LSA Secrets | System Service Discovery | Remote Services: Distributed Component Object Model | Email Collection: Local Email Collection | Exfiltration Over Alternative Protocol | Mail Protocols CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST | AutoHotKey & AutoIT CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Active Setup | Email Hiding Rules CONTRIBUTE A TEST | Forge Web Credentials: SAML token | Network Sniffing | Use Alternate Authentication Material: Pass the Ticket | Automated Collection | Exfiltration over USB CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Defacement CONTRIBUTE A TEST |
| Spearphishing Voice CONTRIBUTE A TEST | Cloud API CONTRIBUTE A TEST | Boot or Logon Autostart Execution | Domain Trust Modification | Encrypted/Encoded File CONTRIBUTE A TEST | OS Credential Dumping: Proc Filesystem | Network Share Discovery | Cloud Services CONTRIBUTE A TEST | Clipboard Data | Exfiltration Over Web Service: Exfiltration to Text Storage Sites | External Proxy CONTRIBUTE A TEST | Financial Theft CONTRIBUTE A TEST |
| Compromise Software Supply Chain CONTRIBUTE A TEST | Deploy a container | Active Setup | Create or Modify System Process: Windows Service | Rootkit | Password Managers CONTRIBUTE A TEST | Peripheral Device Discovery | Software Deployment Tools | Data from Cloud Storage Object | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Proxy CONTRIBUTE A TEST | Defacement: Internal Defacement |
| Domain Accounts CONTRIBUTE A TEST | Command and Scripting Interpreter | TFTP Boot CONTRIBUTE A TEST | Scheduled Task/Job: Cron | Double File Extension CONTRIBUTE A TEST | Network Sniffing | System Information Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Remote Data Staging CONTRIBUTE A TEST | Data Transfer Size Limits | Dynamic Resolution CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST | Kubernetes Exec Into Container | Create or Modify System Process: Windows Service | Account Manipulation: Additional Cloud Roles | Abuse Elevation Control Mechanism: Bypass User Account Control | Unsecured Credentials: Credentials in Registry | System Network Configuration Discovery: Wi-Fi Discovery | Internal Spearphishing CONTRIBUTE A TEST | Data from Local System | Transfer Data to Cloud Account CONTRIBUTE A TEST | Web Service CONTRIBUTE A TEST | Account Access Removal |
| Drive-by Compromise CONTRIBUTE A TEST | System Services: Launchctl | Scheduled Task/Job: Cron | Boot or Logon Autostart Execution: Print Processors | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Modify Authentication Process: Password Filter DLL | Application Window Discovery | Lateral Tool Transfer | Archive Collected Data: Archive via Library | Exfiltration Over Physical Medium CONTRIBUTE A TEST | DNS Calculation CONTRIBUTE A TEST | Data Encrypted for Impact |
| Valid Accounts: Cloud Accounts | Network Device CLI CONTRIBUTE A TEST | Office Application Startup | Hijack Execution Flow: DLL Search Order Hijacking | Modify Cloud Compute Infrastructure CONTRIBUTE A TEST | Steal or Forge Kerberos Tickets: AS-REP Roasting | Email Account CONTRIBUTE A TEST | Web Session Cookie CONTRIBUTE A TEST | Network Device Configuration Dump CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Multi-Stage Channels CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST | XPC Services CONTRIBUTE A TEST | Account Manipulation: Additional Cloud Roles | AppDomainManager CONTRIBUTE A TEST | Pre-OS Boot: System Firmware | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | Remote Service Session Hijacking: RDP Hijacking | Archive Collected Data | | Port Knocking CONTRIBUTE A TEST | Resource Hijacking |
| Valid Accounts: Local Accounts | User Execution CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Print Processors | Additional Container Cluster Roles CONTRIBUTE A TEST | Hijack Execution Flow: Services Registry Permissions Weakness | Credentials from Password Stores | Cloud Infrastructure Discovery | Use Alternate Authentication Material: Pass the Hash | Browser Session Hijacking CONTRIBUTE A TEST | | File Transfer Protocols CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST |
| | Software Deployment Tools | Hijack Execution Flow: DLL Search Order Hijacking | Scheduled Task/Job CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Unsecured Credentials | Browser Bookmark Discovery | Remote Services: Remote Desktop Protocol | DHCP Spoofing CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | Data Destruction |
| | Command and Scripting Interpreter: PowerShell | Office Application Startup: Add-ins | Thread Execution Hijacking | Mavinject CONTRIBUTE A TEST | Hybrid Identity CONTRIBUTE A TEST | System Network Configuration Discovery | Application Access Token CONTRIBUTE A TEST | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | | Proxy: Multi-hop Proxy | Network Denial of Service CONTRIBUTE A TEST |
| | Scheduled Task/Job: Systemd Timers | Server Software Component: Transport Agent | Event Triggered Execution: Application Shimming | Masquerading: Match Legitimate Name or Location | Credentials from Password Stores: Credentials from Web Browsers | Account Discovery CONTRIBUTE A TEST | | Web Portal Capture CONTRIBUTE A TEST | | Data Obfuscation CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST |
| | Command and Scripting Interpreter: Bash | AppDomainManager CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Port Monitors | Weaken Encryption CONTRIBUTE A TEST | DHCP Spoofing CONTRIBUTE A TEST | Domain Trust Discovery | | Video Capture | | Non-Standard Port | Inhibit System Recovery |
| | Inter-Process Communication | Additional Container Cluster Roles CONTRIBUTE A TEST | Boot or Logon Initialization Scripts: Logon Script (Mac) | Masquerade File Type CONTRIBUTE A TEST | Unsecured Credentials: Private Keys | File and Directory Discovery | | Confluence CONTRIBUTE A TEST | | Encrypted Channel | Disk Content Wipe CONTRIBUTE A TEST |
| | User Execution: Malicious Image | Scheduled Task/Job CONTRIBUTE A TEST | Process Injection | Hide Artifacts | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | System Network Connections Discovery | | Email Collection: Email Forwarding Rule | | Bidirectional Communication CONTRIBUTE A TEST | System Shutdown/Reboot |
| | Exploitation for Client Execution CONTRIBUTE A TEST | Modify Authentication Process: Password Filter DLL | Escape to Host | Domain Trust Modification | OS Credential Dumping: LSASS Memory | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | Data Staged CONTRIBUTE A TEST | | Asymmetric Cryptography CONTRIBUTE A TEST | |
| | Command and Scripting Interpreter: Python | Server Software Component: Terminal Services DLL | Boot or Logon Autostart Execution: Shortcut Modification | Impair Defenses: Safe Boot Mode | Brute Force: Password Spraying | Cloud Storage Object Discovery | | Input Capture: GUI Input Capture | | Non-Application Layer Protocol | |
| | System Services CONTRIBUTE A TEST | Browser Extensions | Boot or Logon Autostart Execution: Security Support Provider | TFTP Boot CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | Log Enumeration | | Data from Network Shared Drive | | Protocol Impersonation CONTRIBUTE A TEST | |
| | Command and Scripting Interpreter: Windows Command Shell | Outlook Rules CONTRIBUTE A TEST | Create or Modify System Process: Launch Daemon | Virtualization/Sandbox Evasion: System Checks | OS Credential Dumping: Cached Domain Credentials | Cloud Account CONTRIBUTE A TEST | | Email Collection: Remote Email Collection | | Domain Fronting CONTRIBUTE A TEST | |
| | Cloud Administration Command CONTRIBUTE A TEST | Event Triggered Execution: Application Shimming | Hijack Execution Flow: Path Interception by Search Order Hijacking | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | Steal or Forge Kerberos Tickets: Golden Ticket | Process Discovery | | Input Capture CONTRIBUTE A TEST | | Data Encoding CONTRIBUTE A TEST | |
| | Command and Scripting Interpreter: Visual Basic | Boot or Logon Autostart Execution: Port Monitors | Domain Policy Modification: Group Policy Modification | Signed Binary Proxy Execution: InstallUtil | Steal or Forge Authentication Certificates | User Activity Based Checks CONTRIBUTE A TEST | | ARP Cache Poisoning CONTRIBUTE A TEST | | Non-Standard Encoding CONTRIBUTE A TEST | |
| | Serverless Execution CONTRIBUTE A TEST | Boot or Logon Initialization Scripts: Logon Script (Mac) | Valid Accounts: Default Accounts | Stripped Payloads CONTRIBUTE A TEST | Unsecured Credentials: Bash History | Permission Groups Discovery: Local Groups | | Code Repositories CONTRIBUTE A TEST | | Application Layer Protocol: Web Protocols | |
| | Malicious Link CONTRIBUTE A TEST | Traffic Signaling CONTRIBUTE A TEST | Time Providers | Hijack Execution Flow: DLL Search Order Hijacking | Unsecured Credentials: Credentials In Files | Password Policy Discovery | | Data from Information Repositories CONTRIBUTE A TEST | | Ingress Tool Transfer | |
| | System Services: Service Execution | Boot or Logon Autostart Execution: Shortcut Modification | Event Triggered Execution: Trap | Subvert Trust Controls: Gatekeeper Bypass | Web Cookies CONTRIBUTE A TEST | System Location Discovery: System Language Discovery | | SNMP (MIB Dump) CONTRIBUTE A TEST | | Hide Infrastructure CONTRIBUTE A TEST | |
| | Scheduled Task/Job: At | Implant Internal Image CONTRIBUTE A TEST | Hijack Execution Flow: LD_PRELOAD | Code Signing CONTRIBUTE A TEST | Steal Application Access Token | Query Registry | | Input Capture: Credential API Hooking | | Data Obfuscation via Steganography | |
| | | Boot or Logon Autostart Execution: Security Support Provider | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Break Process Trees CONTRIBUTE A TEST | Unsecured Credentials: Group Policy Preferences | System Location Discovery CONTRIBUTE A TEST | | | | Fallback Channels CONTRIBUTE A TEST | |
| | | Hybrid Identity CONTRIBUTE A TEST | Create Process with Token | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Network Provider DLL CONTRIBUTE A TEST | Software Discovery: Security Software Discovery | | | | Proxy: Internal Proxy | |
| | | Create or Modify System Process: Launch Daemon | Abuse Elevation Control Mechanism: Setuid and Setgid | AppDomainManager CONTRIBUTE A TEST | Forge Web Credentials CONTRIBUTE A TEST | Cloud Service Discovery | | | | Dead Drop Resolver CONTRIBUTE A TEST | |
| | | Hijack Execution Flow: Path Interception by Search Order Hijacking | Boot or Logon Autostart Execution: Winlogon Helper DLL | Signed Binary Proxy Execution: Msiexec | Multi-Factor Authentication Request Generation CONTRIBUTE A TEST | Remote System Discovery | | | | Junk Data CONTRIBUTE A TEST | |
| | | Server Software Component: Web Shell | SSH Authorized Keys | Modify Authentication Process: Password Filter DLL | Chat Messages CONTRIBUTE A TEST | Network Service Discovery | | | | | |
| | | Valid Accounts: Default Accounts | Event Triggered Execution: Image File Execution Options Injection | Clear Network Connection History and Configurations CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Software Discovery | | | | | |
| | | Time Providers | Temporary Elevated Cloud Access CONTRIBUTE A TEST | Reduce Key Space CONTRIBUTE A TEST | Input Capture: GUI Input Capture | Cloud Service Dashboard CONTRIBUTE A TEST | | | | | |
| | | Event Triggered Execution: Trap | Process Doppelgänging CONTRIBUTE A TEST | Indicator Removal on Host: Clear Command History | Brute Force CONTRIBUTE A TEST | Debugger Evasion | | | | | |
| | | Hijack Execution Flow: LD_PRELOAD | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Indirect Command Execution | Brute Force: Credential Stuffing | System Time Discovery | | | | | |
| | | Create Account: Local Account | Event Triggered Execution: Accessibility Features | Deobfuscate/Decode Files or Information | Multi-Factor Authentication CONTRIBUTE A TEST | | | | | | |
| | | Boot or Logon Autostart Execution: Winlogon Helper DLL | Process Injection: Asynchronous Procedure Call | Impair Defenses | Forced Authentication | | | | | | |
| | | SSH Authorized Keys | Event Triggered Execution: AppCert DLLs | Thread Execution Hijacking | Input Capture CONTRIBUTE A TEST | | | | | | |
| | | Event Triggered Execution: Image File Execution Options Injection | Device Registration CONTRIBUTE A TEST | Masquerading | ARP Cache Poisoning CONTRIBUTE A TEST | | | | | | |
| | | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Process Injection: Portable Executable Injection | Email Collection: Mailbox Manipulation | Conditional Access Policies CONTRIBUTE A TEST | | | | | | |
| | | Event Triggered Execution: Accessibility Features | Boot or Logon Autostart Execution: Login Items | Process Injection | Cloud Secrets Management Stores CONTRIBUTE A TEST | | | | | | |
| | | Create Account: Domain Account | Access Token Manipulation: Token Impersonation/Theft | Traffic Signaling CONTRIBUTE A TEST | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | | | | | | |
| | | Component Firmware CONTRIBUTE A TEST | Account Manipulation: Additional Cloud Credentials | Signed Binary Proxy Execution | Steal or Forge Kerberos Tickets: Silver Ticket | | | | | | |
| | | Office Application Startup: Office Template Macros. | Make and Impersonate Token CONTRIBUTE A TEST | Indicator Removal on Host: Timestomp | Credentials from Password Stores: Windows Credential Manager | | | | | | |
| | | Event Triggered Execution: AppCert DLLs | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Reflective Code Loading | Domain Controller Authentication CONTRIBUTE A TEST | | | | | | |
| | | Device Registration CONTRIBUTE A TEST | Access Token Manipulation: Parent PID Spoofing | Ignore Process Interrupts CONTRIBUTE A TEST | Reversible Encryption CONTRIBUTE A TEST | | | | | | |
| | | Pre-OS Boot CONTRIBUTE A TEST | Event Triggered Execution: Change Default File Association | Time Based Evasion CONTRIBUTE A TEST | Multi-Factor Authentication Interception CONTRIBUTE A TEST | | | | | | |
| | | Boot or Logon Autostart Execution: Login Items | VDSO Hijacking CONTRIBUTE A TEST | Signed Binary Proxy Execution: CMSTP | OS Credential Dumping: NTDS | | | | | | |
| | | Port Knocking CONTRIBUTE A TEST | Event Triggered Execution: Emond | Impair Defenses: Disable Windows Event Logging | Steal or Forge Kerberos Tickets: Kerberoasting | | | | | | |
| | | Account Manipulation: Additional Cloud Credentials | Services File Permissions Weakness CONTRIBUTE A TEST | Signed Binary Proxy Execution: Control Panel | OS Credential Dumping: DCSync | | | | | | |
| | | Network Provider DLL CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Network Address Translation Traversal CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | | | | | | |
| | | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Account Manipulation | Use Alternate Authentication Material CONTRIBUTE A TEST | Input Capture: Credential API Hooking | | | | | | |
| | | Compromise Host Software Binary CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Impair Defenses: Disable or Modify System Firewall | Kubernetes List Secrets | | | | | | |
| | | Event Triggered Execution: Change Default File Association | KernelCallbackTable CONTRIBUTE A TEST | Subvert Trust Controls: SIP and Trust Provider Hijacking | Network Device Authentication CONTRIBUTE A TEST | | | | | | |
| | | Event Triggered Execution: Emond | Scheduled Task/Job: Systemd Timers | Hybrid Identity CONTRIBUTE A TEST | | | | | | | |
| | | Services File Permissions Weakness CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | Electron Applications CONTRIBUTE A TEST | | | | | | | |
| | | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Container Service CONTRIBUTE A TEST | Impair Defenses: Disable or Modify Linux Audit System | | | | | | | |
| | | Create Account: Cloud Account | Valid Accounts CONTRIBUTE A TEST | Rogue Domain Controller | | | | | | | |
| | | Account Manipulation | Process Injection: Process Hollowing | Subvert Trust Controls: Code Signing Policy Modification | | | | | | | |
| | | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Deploy a container | | | | | | | |
| | | KernelCallbackTable CONTRIBUTE A TEST | Event Triggered Execution | Modify Registry | | | | | | | |
| | | Scheduled Task/Job: Systemd Timers | Event Triggered Execution: .bash_profile .bashrc and .shrc | Hijack Execution Flow: Path Interception by Search Order Hijacking | | | | | | | |
| | | ROMMONkit CONTRIBUTE A TEST | Access Token Manipulation: SID-History Injection | Unused/Unsupported Cloud Regions CONTRIBUTE A TEST | | | | | | | |
| | | Outlook Forms CONTRIBUTE A TEST | Elevated Execution with Prompt CONTRIBUTE A TEST | Obfuscated Files or Information: Binary Padding | | | | | | | |
| | | Hijack Execution Flow CONTRIBUTE A TEST | Authentication Package | Domain Policy Modification: Group Policy Modification | | | | | | | |
| | | Container Service CONTRIBUTE A TEST | Event Triggered Execution: Component Object Model Hijacking | Valid Accounts: Default Accounts | | | | | | | |
| | | Valid Accounts CONTRIBUTE A TEST | Hijack Execution Flow: Path Interception by Unquoted Path | Hijack Execution Flow: LD_PRELOAD | | | | | | | |
| | | Multi-Factor Authentication CONTRIBUTE A TEST | Boot or Logon Initialization Scripts: Startup Items | Indicator Removal on Host: Clear Windows Event Logs | | | | | | | |
| | | IIS Components | Domain Accounts CONTRIBUTE A TEST | File and Directory Permissions Modification CONTRIBUTE A TEST | | | | | | | |
| | | Event Triggered Execution | Network Logon Script CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | | | | | | | |
| | | Event Triggered Execution: .bash_profile .bashrc and .shrc | Event Triggered Execution: AppInit DLLs | Create Process with Token | | | | | | | |
| | | Authentication Package | Event Triggered Execution: Screensaver | Abuse Elevation Control Mechanism: Setuid and Setgid | | | | | | | |
| | | Event Triggered Execution: Component Object Model Hijacking | Create or Modify System Process: Launch Agent | Signed Binary Proxy Execution: Odbcconf | | | | | | | |
| | | Office Application Startup: Outlook Home Page | Proc Memory CONTRIBUTE A TEST | Temporary Elevated Cloud Access CONTRIBUTE A TEST | | | | | | | |
| | | Hijack Execution Flow: Path Interception by Unquoted Path | Installer Packages CONTRIBUTE A TEST | Process Doppelgänging CONTRIBUTE A TEST | | | | | | | |
| | | Boot or Logon Initialization Scripts: Startup Items | Boot or Logon Initialization Scripts: Rc.common | Delete Cloud Instance CONTRIBUTE A TEST | | | | | | | |
| | | Domain Accounts CONTRIBUTE A TEST | Access Token Manipulation CONTRIBUTE A TEST | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | | | | | | | |
| | | Network Logon Script CONTRIBUTE A TEST | Create or Modify System Process: SysV/Systemd Service | Impair Defenses: Indicator Blocking | | | | | | | |
| | | BITS Jobs | XDG Autostart Entries CONTRIBUTE A TEST | Disable or Modify Cloud Firewall CONTRIBUTE A TEST | | | | | | | |
| | | Event Triggered Execution: AppInit DLLs | Thread Local Storage CONTRIBUTE A TEST | Right-to-Left Override CONTRIBUTE A TEST | | | | | | | |
| | | Event Triggered Execution: Screensaver | Boot or Logon Autostart Execution: Re-opened Applications | Component Firmware CONTRIBUTE A TEST | | | | | | | |
| | | Conditional Access Policies CONTRIBUTE A TEST | Hijack Execution Flow: DLL Side-Loading | Indicator Removal on Host | | | | | | | |
| | | Create or Modify System Process: Launch Agent | Account Manipulation: Additional Email Delegate Permissions | Use Alternate Authentication Material: Pass the Ticket | | | | | | | |
| | | Server Software Component CONTRIBUTE A TEST | TCC Manipulation CONTRIBUTE A TEST | Masquerading: Masquerade Task or Service | | | | | | | |
| | | Domain Controller Authentication CONTRIBUTE A TEST | Ptrace System Calls CONTRIBUTE A TEST | Process Injection: Asynchronous Procedure Call | | | | | | | |
| | | Reversible Encryption CONTRIBUTE A TEST | Boot or Logon Initialization Scripts: Logon Script (Windows) | Plist File Modification | | | | | | | |
| | | Installer Packages CONTRIBUTE A TEST | Process Injection: ListPlanting | Subvert Trust Controls: Mark-of-the-Web Bypass | | | | | | | |
| | | Boot or Logon Initialization Scripts: Rc.common | Domain or Tenant Policy Modification CONTRIBUTE A TEST | Disable Crypto Hardware CONTRIBUTE A TEST | | | | | | | |
| | | Create or Modify System Process: SysV/Systemd Service | Boot or Logon Autostart Execution: LSASS Driver | Pre-OS Boot CONTRIBUTE A TEST | | | | | | | |
| | | Create Account CONTRIBUTE A TEST | Valid Accounts: Cloud Accounts | Build Image on Host | | | | | | | |
| | | XDG Autostart Entries CONTRIBUTE A TEST | Scheduled Task/Job: At | Process Injection: Portable Executable Injection | | | | | | | |
| | | Boot or Logon Autostart Execution: Re-opened Applications | Process Injection: Dynamic-link Library Injection | Verclsid CONTRIBUTE A TEST | | | | | | | |
| | | Hijack Execution Flow: DLL Side-Loading | Event Triggered Execution: Netsh Helper DLL | Impair Defenses: Downgrade Attack | | | | | | | |
| | | Account Manipulation: Additional Email Delegate Permissions | Dylib Hijacking CONTRIBUTE A TEST | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | | | | |
| | | Power Settings CONTRIBUTE A TEST | Valid Accounts: Local Accounts | Signed Binary Proxy Execution: Mshta | | | | | | | |
| | | Boot or Logon Initialization Scripts: Logon Script (Windows) | Hijack Execution Flow: COR_PROFILER | Execution Guardrails CONTRIBUTE A TEST | | | | | | | |
| | | Office Application Startup: Office Test | | Access Token Manipulation: Token Impersonation/Theft | | | | | | | |
| | | Boot or Logon Autostart Execution: LSASS Driver | | Port Knocking CONTRIBUTE A TEST | | | | | | | |
| | | Valid Accounts: Cloud Accounts | | LNK Icon Smuggling CONTRIBUTE A TEST | | | | | | | |
| | | Scheduled Task/Job: At | | Hide Artifacts: Hidden Users | | | | | | | |
| | | Modify Authentication Process CONTRIBUTE A TEST | | Make and Impersonate Token CONTRIBUTE A TEST | | | | | | | |
| | | Event Triggered Execution: Netsh Helper DLL | | Impair Defenses: Impair Command History Logging | | | | | | | |
| | | SQL Stored Procedures CONTRIBUTE A TEST | | Network Provider DLL CONTRIBUTE A TEST | | | | | | | |
| | | Network Device Authentication CONTRIBUTE A TEST | | User Activity Based Checks CONTRIBUTE A TEST | | | | | | | |
| | | Dylib Hijacking CONTRIBUTE A TEST | | Access Token Manipulation: Parent PID Spoofing | | | | | | | |
| | | Valid Accounts: Local Accounts | | VDSO Hijacking CONTRIBUTE A TEST | | | | | | | |
| | | Hijack Execution Flow: COR_PROFILER | | Services File Permissions Weakness CONTRIBUTE A TEST | | | | | | | |
| | | | | KernelCallbackTable CONTRIBUTE A TEST | | | | | | | |
| | | | | ROMMONkit CONTRIBUTE A TEST | | | | | | | |
| | | | | Signed Binary Proxy Execution: Compiled HTML File | | | | | | | |
| | | | | Indicator Removal on Host: Network Share Connection Removal | | | | | | | |
| | | | | Impair Defenses: Disable or Modify Tools | | | | | | | |
| | | | | Modify System Image CONTRIBUTE A TEST | | | | | | | |
| | | | | Hijack Execution Flow CONTRIBUTE A TEST | | | | | | | |
| | | | | Indicator Removal from Tools CONTRIBUTE A TEST | | | | | | | |
| | | | | Valid Accounts CONTRIBUTE A TEST | | | | | | | |
| | | | | Process Injection: Process Hollowing | | | | | | | |
| | | | | Resource Forking CONTRIBUTE A TEST | | | | | | | |
| | | | | Obfuscated Files or Information | | | | | | | |
| | | | | Multi-Factor Authentication CONTRIBUTE A TEST | | | | | | | |
| | | | | Invalid Code Signature CONTRIBUTE A TEST | | | | | | | |
| | | | | Run Virtual Instance | | | | | | | |
| | | | | Access Token Manipulation: SID-History Injection | | | | | | | |
| | | | | Network Boundary Bridging CONTRIBUTE A TEST | | | | | | | |
| | | | | Subvert Trust Controls CONTRIBUTE A TEST | | | | | | | |
| | | | | Elevated Execution with Prompt CONTRIBUTE A TEST | | | | | | | |
| | | | | Signed Binary Proxy Execution: Regsvr32 | | | | | | | |
| | | | | Masquerading: Rename System Utilities | | | | | | | |
| | | | | Spoof Security Alerting CONTRIBUTE A TEST | | | | | | | |
| | | | | Hijack Execution Flow: Path Interception by Unquoted Path | | | | | | | |
| | | | | Steganography CONTRIBUTE A TEST | | | | | | | |
| | | | | Web Session Cookie CONTRIBUTE A TEST | | | | | | | |
| | | | | Domain Accounts CONTRIBUTE A TEST | | | | | | | |
| | | | | Signed Binary Proxy Execution: Regsvcs/Regasm | | | | | | | |
| | | | | Subvert Trust Controls: Install Root Certificate | | | | | | | |
| | | | | Obfuscated Files or Information: Compile After Delivery | | | | | | | |
| | | | | VBA Stomping CONTRIBUTE A TEST | | | | | | | |
| | | | | BITS Jobs | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution: MSBuild | | | | | | | |
| | | | | Impersonation CONTRIBUTE A TEST | | | | | | | |
| | | | | Modify Cloud Compute Configurations CONTRIBUTE A TEST | | | | | | | |
| | | | | Impair Defenses: Disable Cloud Logs | | | | | | | |
| | | | | Hide Artifacts: Hidden Window | | | | | | | |
| | | | | Conditional Access Policies CONTRIBUTE A TEST | | | | | | | |
| | | | | Create Cloud Instance CONTRIBUTE A TEST | | | | | | | |
| | | | | Proc Memory CONTRIBUTE A TEST | | | | | | | |
| | | | | Patch System Image CONTRIBUTE A TEST | | | | | | | |
| | | | | Clear Persistence CONTRIBUTE A TEST | | | | | | | |
| | | | | Domain Controller Authentication CONTRIBUTE A TEST | | | | | | | |
| | | | | HTML Smuggling | | | | | | | |
| | | | | Reversible Encryption CONTRIBUTE A TEST | | | | | | | |
| | | | | Command Obfuscation CONTRIBUTE A TEST | | | | | | | |
| | | | | Indicator Removal on Host: File Deletion | | | | | | | |
| | | | | Template Injection | | | | | | | |
| | | | | Access Token Manipulation CONTRIBUTE A TEST | | | | | | | |
| | | | | Obfuscated Files or Information: Software Packing | | | | | | | |
| | | | | Hidden File System CONTRIBUTE A TEST | | | | | | | |
| | | | | Thread Local Storage CONTRIBUTE A TEST | | | | | | | |
| | | | | Debugger Evasion | | | | | | | |
| | | | | Masquerading: Space after Filename | | | | | | | |
| | | | | Use Alternate Authentication Material: Pass the Hash | | | | | | | |
| | | | | Hijack Execution Flow: DLL Side-Loading | | | | | | | |
| | | | | SyncAppvPublishingServer CONTRIBUTE A TEST | | | | | | | |
| | | | | TCC Manipulation CONTRIBUTE A TEST | | | | | | | |
| | | | | Ptrace System Calls CONTRIBUTE A TEST | | | | | | | |
| | | | | Obfuscated Files or Information: Dynamic API Resolution | | | | | | | |
| | | | | Process Injection: ListPlanting | | | | | | | |
| | | | | Domain or Tenant Policy Modification CONTRIBUTE A TEST | | | | | | | |
| | | | | XSL Script Processing | | | | | | | |
| | | | | Hide Artifacts: Hidden Files and Directories | | | | | | | |
| | | | | Create Snapshot CONTRIBUTE A TEST | | | | | | | |
| | | | | Application Access Token CONTRIBUTE A TEST | | | | | | | |
| | | | | Valid Accounts: Cloud Accounts | | | | | | | |
| | | | | Environmental Keying CONTRIBUTE A TEST | | | | | | | |
| | | | | Hide Artifacts: NTFS File Attributes | | | | | | | |
| | | | | Process Injection: Dynamic-link Library Injection | | | | | | | |
| | | | | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | |
| | | | | Signed Script Proxy Execution | | | | | | | |
| | | | | Network Device Authentication CONTRIBUTE A TEST | | | | | | | |
| | | | | Dylib Hijacking CONTRIBUTE A TEST | | | | | | | |
| | | | | Downgrade System Image CONTRIBUTE A TEST | | | | | | | |
| | | | | Valid Accounts: Local Accounts | | | | | | | |
| | | | | Exploitation for Defense Evasion CONTRIBUTE A TEST | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution | | | | | | | |
| | | | | MMC CONTRIBUTE A TEST | | | | | | | |
| | | | | Process Argument Spoofing CONTRIBUTE A TEST | | | | | | | |
| | | | | Hijack Execution Flow: COR_PROFILER | | | | | | | |