Atomics

ID Technique
T1053.004 Launchd
T1127.001 MSBuild
T1021.003 Distributed Component Object Model
T1569.002 Service Execution
T1059.001 PowerShell
T1046 Network Service Discovery
T1070.002 Clear Linux or Mac System Logs
T1218.001 Compiled HTML File
T1547.007 Re-opened Applications
T1564.003 Hidden Window
T1053.003 Cron
T1134.001 Token Impersonation/Theft
T1558.003 Kerberoasting
T1003.003 NTDS
T1574.006 Dynamic Linker Hijacking
T1070.001 Clear Windows Event Logs
T1562.003 Impair Command History Logging
T1070.003 Clear Command History
T1547.006 Kernel Modules and Extensions
T1016 System Network Configuration Discovery
T1562.006 Indicator Blocking
T1218 System Binary Proxy Execution
T1003.004 LSA Secrets
T1573 Encrypted Channel
T1553.001 Gatekeeper Bypass
T1218.003 CMSTP
T1564.002 Hidden Users
T1574.009 Path Interception by Unquoted Path
T1047 Windows Management Instrumentation
T1556.002 Password Filter DLL
T1546.008 Accessibility Features
T1569.001 Launchctl
T1566.001 Spearphishing Attachment
T1007 System Service Discovery
T1087.002 Domain Account
T1543.003 Windows Service
T1027.002 Software Packing
T1218.011 Rundll32
T1552.004 Private Keys
T1543.004 Launch Daemon
T1059.003 Windows Command Shell
T1553.004 Install Root Certificate
T1571 Non-Standard Port
T1087.004 Cloud Account
T1547.001 Registry Run Keys / Startup Folder
T1197 BITS Jobs
T1550.003 Pass the Ticket
T1069.001 Local Groups
T1053.002 At
T1071.004 DNS
T1546.010 AppInit DLLs
T1056.001 Keylogging
T1098.004 SSH Authorized Keys
T1564.001 Hidden Files and Directories
T1018 Remote System Discovery
T1069.003 Cloud Groups
T1562.001 Disable or Modify Tools
T1490 Inhibit System Recovery
T1546.005 Trap
T1489 Service Stop
T1531 Account Access Removal
T1006 Direct Volume Access
T1548.001 Setuid and Setgid
T1547.010 Port Monitors
T1560.001 Archive via Utility
T1218.002 Control Panel
T1059.005 Visual Basic
T1562.004 Disable or Modify System Firewall
T1037.005 Startup Items
T1135 Network Share Discovery
T1136.003 Cloud Account
T1010 Application Window Discovery
T1055.012 Process Hollowing
T1546.012 Image File Execution Options Injection
T1106 Native API
T1087.001 Local Account
T1563.002 RDP Hijacking
T1030 Data Transfer Size Limits
T1219 Remote Access Software
T1053.005 Scheduled Task
T1218.004 InstallUtil
T1216 System Script Proxy Execution
T1090.001 Internal Proxy
T1021.006 Windows Remote Management
T1132.001 Standard Encoding
T1115 Clipboard Data
T1110.001 Password Guessing
T1036.004 Masquerade Task or Service
T1070.006 Timestomp
T1529 System Shutdown/Reboot
T1140 Deobfuscate/Decode Files or Information
T1485 Data Destruction
T1003.002 Security Account Manager
T1021.001 Remote Desktop Protocol
T1204.002 Malicious File
T1552.002 Credentials in Registry
T1550.002 Pass the Hash
T1040 Network Sniffing
T1546.004 Unix Shell Configuration Modification
T1049 System Network Connections Discovery
T1069.002 Domain Groups
T1548.003 Sudo and Sudo Caching
T1083 File and Directory Discovery
T1555.003 Credentials from Web Browsers
T1222.001 Windows File and Directory Permissions Modification
T1552.003 Bash History
T1134.004 Parent PID Spoofing
T1201 Password Policy Discovery
T1552.006 Group Policy Preferences
T1202 Indirect Command Execution
T1222.002 Linux and Mac File and Directory Permissions Modification
T1518 Software Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1003.001 LSASS Memory
T1095 Non-Application Layer Protocol
T1543.002 Systemd Service
T1574.002 DLL Side-Loading
T1110.002 Password Cracking
T1574.001 DLL Search Order Hijacking
T1056.002 GUI Input Capture
T1546.001 Change Default File Association
T1059.002 AppleScript
T1070.004 File Deletion
T1176 Browser Extensions
T1036.003 Rename System Utilities
T1547.005 Security Support Provider
T1059.004 Unix Shell
T1547.009 Shortcut Modification
T1037.004 RC Scripts
T1574.012 COR_PROFILER
T1218.010 Regsvr32
T1496 Resource Hijacking
T1218.007 Msiexec
T1020 Automated Exfiltration
T1547.011 Plist Modification
T1037.001 Logon Script (Windows)
T1057 Process Discovery
T1547.004 Winlogon Helper DLL
T1070 Indicator Removal on Host
T1546.007 Netsh Helper DLL
T1124 System Time Discovery
T1217 Browser Bookmark Discovery
T1105 Ingress Tool Transfer
T1114.001 Local Email Collection
T1056.004 Credential API Hooking
T1048 Exfiltration Over Alternative Protocol
T1110.003 Password Spraying
T1027 Obfuscated Files or Information
T1119 Automated Collection
T1012 Query Registry
T1123 Audio Capture
T1216.001 PubPrn
T1021.002 SMB/Windows Admin Shares
T1497.001 System Checks
T1518.001 Security Software Discovery
T1070.005 Network Share Connection Removal
T1546.011 Application Shimming
T1555.001 Keychain
T1074.001 Local Data Staging
T1546.014 Emond
T1482 Domain Trust Discovery
T1036.006 Space after Filename
T1098 Account Manipulation
T1505.003 Web Shell
T1548.002 Bypass User Account Control
T1055.004 Asynchronous Procedure Call
T1543.001 Launch Agent
T1055 Process Injection
T1564.004 NTFS File Attributes
T1218.009 Regsvcs/Regasm
T1037.002 Login Hook
T1027.004 Compile After Delivery
T1071.001 Web Protocols
T1546.003 Windows Management Instrumentation Event Subscription
T1078.001 Default Accounts
T1137.002 Office Test
T1218.008 Odbcconf
T1552.001 Credentials In Files
T1546.002 Screensaver
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
T1113 Screen Capture
T1220 XSL Script Processing
T1207 Rogue Domain Controller
T1027.001 Binary Padding
T1562.002 Disable Windows Event Logging
T1505.002 Transport Agent
T1014 Rootkit
T1053.001 At (Linux)
T1136.001 Local Account
T1218.005 Mshta
T1112 Modify Registry
T1136.002 Domain Account
T1003 OS Credential Dumping
T1560 Archive Collected Data
T1546.013 PowerShell Profile
T1559.002 Dynamic Data Exchange
T1574.011 Services Registry Permissions Weakness

defense-evasion

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.002

Abuse Elevation Control Mechanism: Bypass User Account Control

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1216

Signed Script Proxy Execution

T1207

Rogue Domain Controller

T1202

Indirect Command Execution

T1140

Deobfuscate/Decode Files or Information

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1070

Indicator Removal on Host

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1036.004

Masquerading: Masquerade Task or Service

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

discovery

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1482

Domain Trust Discovery

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1069.003

Permission Groups Discovery: Cloud Groups

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1049

System Network Connections Discovery

T1046

Network Service Scanning

T1033

System Owner/User Discovery

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

privilege-escalation

T1547.011

Boot or Logon Autostart Execution: Plist Modification

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1543.004

Create or Modify System Process: Launch Daemon

T1543.003

Create or Modify System Process: Windows Service

T1543.002

Create or Modify System Process: Systemd Service

T1543.001

Create or Modify System Process: Launch Agent

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1055.004

Process Injection: Asynchronous Procedure Call

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

persistence

T1556.002

Modify Authentication Process: Password Filter DLL

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1505.002

Server Software Component: Transport Agent

T1137.002

Office Application Startup: Office Test

credential-access

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1003.002

OS Credential Dumping: Security Account Manager

execution

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.004

Command and Scripting Interpreter: Bash

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.002

Command and Scripting Interpreter: AppleScript

T1059.001

Command and Scripting Interpreter: PowerShell

T1047

Windows Management Instrumentation

command-and-control

T1219

Remote Access Software

T1095

Non-Application Layer Protocol

T1071.001

Application Layer Protocol: Web Protocols

collection

T1560

Archive Collected Data

T1560.001

Archive Collected Data: Archive via Utility

T1114.001

Email Collection: Local Email Collection

lateral-movement

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

impact

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1490

Inhibit System Recovery

exfiltration

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1030

Data Transfer Size Limits

T1020

Automated Exfiltration

initial-access
