Atomics

ID Technique
T1136.002 Domain Account
T1482 Domain Trust Discovery
T1547 Boot or Logon Autostart Execution
T1070.003 Clear Command History
T1518.001 Security Software Discovery
T1083 File and Directory Discovery
T1053.002 At
T1012 Query Registry
T1070.005 Network Share Connection Removal
T1021.006 Windows Remote Management
T1558.002 Silver Ticket
T1547.005 Security Support Provider
T1003.008 /etc/passwd and /etc/shadow
T1567.002 Exfiltration to Cloud Storage
T1531 Account Access Removal
T1127.001 MSBuild
T1592.001 Hardware
T1528 Steal Application Access Token
T1558.003 Kerberoasting
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
T1218.008 Odbcconf
T1496 Resource Hijacking
T1069.001 Local Groups
T1021.003 Distributed Component Object Model
T1055.003 Thread Execution Hijacking
T1558.004 AS-REP Roasting
T1059.001 PowerShell
T1041 Exfiltration Over C2 Channel
T1563.002 RDP Hijacking
T1574.012 COR_PROFILER
T1137.002 Office Test
T1036.004 Masquerade Task or Service
T1572 Protocol Tunneling
T1176 Browser Extensions
T1187 Forced Authentication
T1040 Network Sniffing
T1564.001 Hidden Files and Directories
T1049 System Network Connections Discovery
T1489 Service Stop
T1055.012 Process Hollowing
T1106 Native API
T1071.004 DNS
T1070.004 File Deletion
T1202 Indirect Command Execution
T1553.001 Gatekeeper Bypass
T1005 Data from Local System
T1078.004 Cloud Accounts
T1553.004 Install Root Certificate
T1123 Audio Capture
T1070.001 Clear Windows Event Logs
T1217 Browser Information Discovery
T1218.003 CMSTP
T1562 Impair Defenses
T1546.007 Netsh Helper DLL
T1505.003 Web Shell
T1505.004 IIS Components
T1055.001 Dynamic-link Library Injection
T1110.002 Password Cracking
T1548.002 Bypass User Account Control
T1218.001 Compiled HTML File
T1610 Deploy Container
T1547.015 Login Items
T1553.003 SIP and Trust Provider Hijacking
T1218.010 Regsvr32
T1574.001 DLL Search Order Hijacking
T1098.003 Additional Cloud Roles
T1552 Unsecured Credentials
T1216.001 PubPrn
T1072 Software Deployment Tools
T1125 Video Capture
T1018 Remote System Discovery
T1555.004 Windows Credential Manager
T1556.002 Password Filter DLL
T1552.005 Cloud Instance Metadata API
T1547.007 Re-opened Applications
T1140 Deobfuscate/Decode Files or Information
T1559 Inter-Process Communication
T1095 Non-Application Layer Protocol
T1136.003 Cloud Account
T1564.002 Hidden Users
T1546.015 Component Object Model Hijacking
T1055.004 Asynchronous Procedure Call
T1484.002 Domain Trust Modification
T1571 Non-Standard Port
T1056.004 Credential API Hooking
T1555.001 Keychain
T1555.003 Credentials from Web Browsers
T1195 Supply Chain Compromise
T1098 Account Manipulation
T1573 Encrypted Channel
T1546.010 AppInit DLLs
T1218.007 Msiexec
T1014 Rootkit
T1491.001 Internal Defacement
T1074.001 Local Data Staging
T1612 Build Image on Host
T1070.006 Timestomp
T1546.012 Image File Execution Options Injection
T1562.006 Indicator Blocking
T1552.001 Credentials In Files
T1090.003 Multi-hop Proxy
T1115 Clipboard Data
T1069.002 Domain Groups
T1564.004 NTFS File Attributes
T1021.002 SMB/Windows Admin Shares
T1560.002 Archive via Library
T1558.001 Golden Ticket
T1611 Escape to Host
T1098.001 Additional Cloud Credentials
T1037.002 Login Hook
T1059.006 Python
T1030 Data Transfer Size Limits
T1547.006 Kernel Modules and Extensions
T1562.002 Disable Windows Event Logging
T1135 Network Share Discovery
T1574.011 Services Registry Permissions Weakness
T1204.002 Malicious File
T1127 Trusted Developer Utilities Proxy Execution
T1546.009 AppCert DLLs
T1003.007 Proc Filesystem
T1564 Hide Artifacts
T1550.003 Pass the Ticket
T1539 Steal Web Session Cookie
T1003.006 DCSync
T1552.002 Credentials in Registry
T1137 Office Application Startup
T1555 Credentials from Password Stores
T1037.005 Startup Items
T1110.001 Password Guessing
T1207 Rogue Domain Controller
T1546.005 Trap
T1056.001 Keylogging
T1547.008 LSASS Driver
T1027.004 Compile After Delivery
T1082 System Information Discovery
T1027.002 Software Packing
T1218 System Binary Proxy Execution
T1574.009 Path Interception by Unquoted Path
T1070.002 Clear Linux or Mac System Logs
T1564.003 Hidden Window
T1036.005 Match Legitimate Name or Location
T1552.004 Private Keys
T1505.005 Terminal Services DLL
T1033 System Owner/User Discovery
T1010 Application Window Discovery
T1546.008 Accessibility Features
T1071.001 Web Protocols
T1543.003 Windows Service
T1614.001 System Language Discovery
T1055.002 Portable Executable Injection
T1091 Replication Through Removable Media
T1518 Software Discovery
T1090.001 Internal Proxy
T1055.011 Extra Window Memory Injection
T1505.002 Transport Agent
T1546 Event Triggered Execution
T1027.006 HTML Smuggling
T1574.008 Path Interception by Search Order Hijacking
T1053.003 Cron
T1105 Ingress Tool Transfer
T1098.002 Additional Email Delegate Permissions
T1548.001 Setuid and Setgid
T1112 Modify Registry
T1087.002 Domain Account
T1003.005 Cached Domain Credentials
T1036.003 Rename System Utilities
T1562.004 Disable or Modify System Firewall
T1547.012 Print Processors
T1098.004 SSH Authorized Keys
T1047 Windows Management Instrumentation
T1218.009 Regsvcs/Regasm
T1546.004 Unix Shell Configuration Modification
T1048 Exfiltration Over Alternative Protocol
T1134.005 SID-History Injection
T1053.007 Container Orchestration Job
T1550.002 Pass the Hash
T1485 Data Destruction
T1566.001 Spearphishing Attachment
T1132.001 Standard Encoding
T1027.001 Binary Padding
T1134.004 Parent PID Spoofing
T1546.011 Application Shimming
T1134.002 Create Process with Token
T1222.001 Windows File and Directory Permissions Modification
T1070 Indicator Removal
T1114.003 Email Forwarding Rule
T1547.001 Registry Run Keys / Startup Folder
T1560 Archive Collected Data
T1490 Inhibit System Recovery
T1113 Screen Capture
T1567.003 Exfiltration to Text Storage Sites
T1221 Template Injection
T1037.004 RC Scripts
T1569.001 Launchctl
T1547.002 Authentication Package
T1016 System Network Configuration Discovery
T1222.002 Linux and Mac File and Directory Permissions Modification
T1136.001 Local Account
T1547.009 Shortcut Modification
T1124 System Time Discovery
T1620 Reflective Code Loading
T1037.001 Logon Script (Windows)
T1027 Obfuscated Files or Information
T1569.002 Service Execution
T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1070.008 Clear Mailbox Data
T1574.002 DLL Side-Loading
T1613 Container and Resource Discovery
T1619 Cloud Storage Object Discovery
T1552.007 Container API
T1134.001 Token Impersonation/Theft
T1564.006 Run Virtual Instance
T1560.001 Archive via Utility
T1053.006 Systemd Timers
T1647 Plist File Modification
T1497.001 System Checks
T1570 Lateral Tool Transfer
T1546.001 Change Default File Association
T1547.014 Active Setup
T1087.001 Local Account
T1218.004 InstallUtil
T1137.004 Outlook Home Page
T1530 Data from Cloud Storage
T1218.011 Rundll32
T1133 External Remote Services
T1562.003 Impair Command History Logging
T1559.002 Dynamic Data Exchange
T1056.002 GUI Input Capture
T1006 Direct Volume Access
T1059.003 Windows Command Shell
T1615 Group Policy Discovery
T1649 Steal or Forge Authentication Certificates
T1562.008 Disable or Modify Cloud Logs
T1543.001 Launch Agent
T1484.001 Group Policy Modification
T1580 Cloud Infrastructure Discovery
T1546.003 Windows Management Instrumentation Event Subscription
T1201 Password Policy Discovery
T1562.009 Safe Mode Boot
T1606.002 SAML Tokens
T1057 Process Discovery
T1020 Automated Exfiltration
T1547.004 Winlogon Helper DLL
T1046 Network Service Discovery
T1548.003 Sudo and Sudo Caching
T1110.004 Credential Stuffing
T1059.004 Unix Shell
T1552.006 Group Policy Preferences
T1553.005 Mark-of-the-Web Bypass
T1039 Data from Network Shared Drive
T1546.002 Screensaver
T1216 System Script Proxy Execution
T1059.007 JavaScript
T1574.006 Dynamic Linker Hijacking
T1529 System Shutdown/Reboot
T1546.013 PowerShell Profile
T1609 Container Administration Command
T1055 Process Injection
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1546.014 Emond
T1036.006 Space after Filename
T1053.005 Scheduled Task
T1078.003 Local Accounts
T1526 Cloud Service Discovery
T1003.004 LSA Secrets
T1110.003 Password Spraying
T1059.005 Visual Basic
T1219 Remote Access Software
T1218.002 Control Panel
T1003 OS Credential Dumping
T1120 Peripheral Device Discovery
T1007 System Service Discovery
T1543.004 Launch Daemon
T1552.003 Bash History
T1114.001 Local Email Collection
T1003.003 NTDS
T1556.003 Pluggable Authentication Modules
T1204.003 Malicious Image
T1486 Data Encrypted for Impact
T1218.005 Mshta
T1137.006 Add-ins
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
T1562.001 Disable or Modify Tools
T1021.001 Remote Desktop Protocol
T1021.005 VNC
T1547.010 Port Monitors
T1543.002 Systemd Service
T1036 Masquerading
T1547.003 Time Providers
T1197 BITS Jobs
T1119 Automated Collection
T1220 XSL Script Processing
T1059.002 AppleScript
T1078.001 Default Accounts

defense-evasion

T1647

Plist File Modification

T1620

Reflective Code Loading

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.008

Hijack Execution Flow: Path Interception by Search Order Hijacking

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1553.005

Subvert Trust Controls: Mark-of-the-Web Bypass

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.003

Subvert Trust Controls: SIP and Trust Provider Hijacking

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.002

Abuse Elevation Control Mechanism: Bypass User Account Control

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1222.002

File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1216

Signed Script Proxy Execution

T1207

Rogue Domain Controller

T1202

Indirect Command Execution

T1140

Deobfuscate/Decode Files or Information

T1127

Trusted Developer Utilities Proxy Execution

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1070

Indicator Removal on Host

T1070.008

Email Collection: Mailbox Manipulation

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1036.005

Masquerading: Match Legitimate Name or Location

T1036.004

Masquerading: Masquerade Task or Service

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

Back to Top ↑

privilege-escalation

T1547

Boot or Logon Autostart Execution

T1547.015

Boot or Logon Autostart Execution: Login Items

T1547.012

Boot or Logon Autostart Execution: Print Processors

T1547.010

Boot or Logon Autostart Execution: Port Monitors

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.008

Boot or Logon Autostart Execution: LSASS Driver

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1543.004

Create or Modify System Process: Launch Daemon

T1543.003

Create or Modify System Process: Windows Service

T1543.002

Create or Modify System Process: SysV/Systemd Service

T1543.001

Create or Modify System Process: Launch Agent

T1484.001

Domain Policy Modification: Group Policy Modification

T1134.005

Access Token Manipulation: SID-History Injection

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1098.003

Account Manipulation: Additional Cloud Roles

T1098.002

Account Manipulation: Additional Email Delegate Permissions

T1098.001

Account Manipulation: Additional Cloud Credentials

T1055.011

Process Injection: Extra Window Memory Injection

T1055.004

Process Injection: Asynchronous Procedure Call

T1055.002

Process Injection: Portable Executable Injection

T1055.001

Process Injection: Dynamic-link Library Injection

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

Back to Top ↑

credential-access

T1649

Steal or Forge Authentication Certificates

T1558.004

Steal or Forge Kerberos Tickets: AS-REP Roasting

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1558.002

Steal or Forge Kerberos Tickets: Silver Ticket

T1558.001

Steal or Forge Kerberos Tickets: Golden Ticket

T1555

Credentials from Password Stores

T1555.004

Credentials from Password Stores: Windows Credential Manager

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1539

Steal Web Session Cookie

T1528

Steal Application Access Token

T1003.008

OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow

T1003.007

OS Credential Dumping: Proc Filesystem

T1003.005

OS Credential Dumping: Cached Domain Credentials

T1003.002

OS Credential Dumping: Security Account Manager

Back to Top ↑

discovery

T1619

Cloud Storage Object Discovery

T1615

Group Policy Discovery

T1614.001

System Location Discovery: System Language Discovery

T1613

Container and Resource Discovery

T1580

Cloud Infrastructure Discovery

T1526

Cloud Service Discovery

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1482

Domain Trust Discovery

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1120

Peripheral Device Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1049

System Network Connections Discovery

T1046

Network Service Discovery

T1033

System Owner/User Discovery

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

Back to Top ↑

persistence

T1556.003

Modify Authentication Process: Pluggable Authentication Modules

T1556.002

Modify Authentication Process: Password Filter DLL

T1546

Event Triggered Execution

T1546.015

Event Triggered Execution: Component Object Model Hijacking

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.009

Event Triggered Execution: AppCert DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.004

Event Triggered Execution: .bash_profile .bashrc and .shrc

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1505.005

Server Software Component: Terminal Services DLL

T1505.002

Server Software Component: Transport Agent

T1137

Office Application Startup

T1137.004

Office Application Startup: Outlook Home Page

T1137.002

Office Application Startup: Office Test

Back to Top ↑

execution

T1609

Kubernetes Exec Into Container

T1559

Inter-Process Communication

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1059.007

Command and Scripting Interpreter: JavaScript

T1059.006

Command and Scripting Interpreter: Python

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.004

Command and Scripting Interpreter: Bash

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.002

Command and Scripting Interpreter: AppleScript

T1059.001

Command and Scripting Interpreter: PowerShell

T1047

Windows Management Instrumentation

Back to Top ↑

collection

T1560

Archive Collected Data

T1560.002

Archive Collected Data: Archive via Library

T1560.001

Archive Collected Data: Archive via Utility

T1557.001

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

T1530

Data from Cloud Storage Object

T1114.003

Email Collection: Email Forwarding Rule

T1114.001

Email Collection: Local Email Collection

T1039

Data from Network Shared Drive

T1005

Data from Local System

Back to Top ↑

command-and-control

T1219

Remote Access Software

T1095

Non-Application Layer Protocol

T1071.001

Application Layer Protocol: Web Protocols

Back to Top ↑

lateral-movement

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1072

Software Deployment Tools

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

Back to Top ↑

exfiltration

T1567.003

Exfiltration Over Web Service: Exfiltration to Text Storage Sites

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1041

Exfiltration Over C2 Channel

T1030

Data Transfer Size Limits

T1020

Automated Exfiltration

Back to Top ↑

impact

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1490

Inhibit System Recovery

T1486

Data Encrypted for Impact

Back to Top ↑

initial-access

T1195

Supply Chain Compromise

T1133

External Remote Services

T1091

Replication Through Removable Media

Back to Top ↑

reconnaissance

T1592.001

Gather Victim Host Information: Hardware

Back to Top ↑