Atomics

ID Technique
T1036.005 Match Legitimate Name or Location
T1574.006 Dynamic Linker Hijacking
T1567 Exfiltration Over Web Service
T1197 BITS Jobs
T1106 Native API
T1505.002 Transport Agent
T1490 Inhibit System Recovery
T1547.002 Authentication Package
T1216.001 PubPrn
T1218.010 Regsvr32
T1027.002 Software Packing
T1546.009 AppCert DLLs
T1078.003 Local Accounts
T1041 Exfiltration Over C2 Channel
T1562.004 Disable or Modify System Firewall
T1562.003 Impair Command History Logging
T1218.005 Mshta
T1036.006 Space after Filename
T1222.002 Linux and Mac File and Directory Permissions Modification
T1566.001 Spearphishing Attachment
T1546.008 Accessibility Features
T1543.003 Windows Service
T1216 System Script Proxy Execution
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1053.002 At
T1547.009 Shortcut Modification
T1484.001 Group Policy Modification
T1569.002 Service Execution
T1546.010 AppInit DLLs
T1564.006 Run Virtual Instance
T1057 Process Discovery
T1489 Service Stop
T1562.002 Disable Windows Event Logging
T1546.001 Change Default File Association
T1558.003 Kerberoasting
T1137.006 Add-ins
T1112 Modify Registry
T1564.001 Hidden Files and Directories
T1055.001 Dynamic-link Library Injection
T1560 Archive Collected Data
T1556.002 Password Filter DLL
T1547.010 Port Monitors
T1553.005 Mark-of-the-Web Bypass
T1027.001 Binary Padding
T1114.001 Local Email Collection
T1564.004 NTFS File Attributes
T1046 Network Service Discovery
T1558.004 AS-REP Roasting
T1010 Application Window Discovery
T1218.011 Rundll32
T1552.005 Cloud Instance Metadata API
T1574.002 DLL Side-Loading
T1072 Software Deployment Tools
T1003.005 Cached Domain Credentials
T1555.004 Windows Credential Manager
T1037.004 RC Scripts
T1095 Non-Application Layer Protocol
T1021.003 Distributed Component Object Model
T1070.001 Clear Windows Event Logs
T1497.001 System Checks
T1069.001 Local Groups
T1007 System Service Discovery
T1135 Network Share Discovery
T1003.007 Proc Filesystem
T1550.003 Pass the Ticket
T1090.003 Multi-hop Proxy
T1555.001 Keychain
T1547.004 Winlogon Helper DLL
T1574.008 Path Interception by Search Order Hijacking
T1543.004 Launch Daemon
T1018 Remote System Discovery
T1059.002 AppleScript
T1546.004 Unix Shell Configuration Modification
T1113 Screen Capture
T1037.001 Logon Script (Windows)
T1134.004 Parent PID Spoofing
T1110.004 Credential Stuffing
T1021.002 SMB/Windows Admin Shares
T1546.015 Component Object Model Hijacking
T1572 Protocol Tunneling
T1078.001 Default Accounts
T1552.007 Container API
T1136.002 Domain Account
T1070.006 Timestomp
T1055.004 Asynchronous Procedure Call
T1003.002 Security Account Manager
T1134.002 Create Process with Token
T1087.002 Domain Account
T1574.001 DLL Search Order Hijacking
T1552.001 Credentials In Files
T1027.004 Compile After Delivery
T1553.004 Install Root Certificate
T1218.007 Msiexec
T1204.002 Malicious File
T1059.004 Unix Shell
T1543.002 Systemd Service
T1547 Boot or Logon Autostart Execution
T1059.003 Windows Command Shell
T1553.001 Gatekeeper Bypass
T1539 Steal Web Session Cookie
T1136.001 Local Account
T1071.001 Web Protocols
T1098 Account Manipulation
T1187 Forced Authentication
T1110.002 Password Cracking
T1120 Peripheral Device Discovery
T1518.001 Security Software Discovery
T1556.003 Pluggable Authentication Modules
T1573 Encrypted Channel
T1016 System Network Configuration Discovery
T1137 Office Application Startup
T1021.006 Windows Remote Management
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
T1550.002 Pass the Hash
T1053.006 Systemd Timers
T1136.003 Cloud Account
T1014 Rootkit
T1614.001 System Language Discovery
T1547.001 Registry Run Keys / Startup Folder
T1218.001 Compiled HTML File
T1053.007 Container Orchestration Job
T1069.002 Domain Groups
T1176 Browser Extensions
T1078.004 Cloud Accounts
T1546.014 Emond
T1049 System Network Connections Discovery
T1090.001 Internal Proxy
T1555 Credentials from Password Stores
T1036.004 Masquerade Task or Service
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
T1071.004 DNS
T1070.004 File Deletion
T1036 Masquerading
T1548.001 Setuid and Setgid
T1558.001 Golden Ticket
T1574.011 Services Registry Permissions Weakness
T1125 Video Capture
T1546.012 Image File Execution Options Injection
T1518 Software Discovery
T1546.003 Windows Management Instrumentation Event Subscription
T1124 System Time Discovery
T1218 System Binary Proxy Execution
T1552.006 Group Policy Preferences
T1091 Replication Through Removable Media
T1221 Template Injection
T1202 Indirect Command Execution
T1039 Data from Network Shared Drive
T1543.001 Launch Agent
T1546.002 Screensaver
T1059.006 Python
T1220 XSL Script Processing
T1218.009 Regsvcs/Regasm
T1546.013 PowerShell Profile
T1037.005 Startup Items
T1562.006 Indicator Blocking
T1552.004 Private Keys
T1003 OS Credential Dumping
T1496 Resource Hijacking
T1012 Query Registry
T1070 Indicator Removal on Host
T1219 Remote Access Software
T1207 Rogue Domain Controller
T1218.008 Odbcconf
T1021.001 Remote Desktop Protocol
T1056.004 Credential API Hooking
T1485 Data Destruction
T1053.005 Scheduled Task
T1505.003 Web Shell
T1547.006 Kernel Modules and Extensions
T1647 Plist File Modification
T1055 Process Injection
T1115 Clipboard Data
T1529 System Shutdown/Reboot
T1546.007 Netsh Helper DLL
T1003.008 /etc/passwd and /etc/shadow
T1127 Trusted Developer Utilities Proxy Execution
T1003.001 LSASS Memory
T1620 Reflective Code Loading
T1134.005 SID-History Injection
T1087.001 Local Account
T1036.003 Rename System Utilities
T1006 Direct Volume Access
T1546.005 Trap
T1070.003 Clear Command History
T1137.004 Outlook Home Page
T1548.003 Sudo and Sudo Caching
T1055.012 Process Hollowing
T1222.001 Windows File and Directory Permissions Modification
T1560.002 Archive via Library
T1195 Supply Chain Compromise
T1037.002 Login Hook
T1040 Network Sniffing
T1053.003 Cron
T1133 External Remote Services
T1564 Hide Artifacts
T1611 Escape to Host
T1558.002 Silver Ticket
T1020 Automated Exfiltration
T1003.004 LSA Secrets
T1562.008 Disable Cloud Logs
T1217 Browser Bookmark Discovery
T1491.001 Internal Defacement
T1526 Cloud Service Discovery
T1552.003 Bash History
T1082 System Information Discovery
T1574.012 COR_PROFILER
T1030 Data Transfer Size Limits
T1048 Exfiltration Over Alternative Protocol
T1059.001 PowerShell
T1574.009 Path Interception by Unquoted Path
T1555.003 Credentials from Web Browsers
T1105 Ingress Tool Transfer
T1564.002 Hidden Users
T1123 Audio Capture
T1003.006 DCSync
T1486 Data Encrypted for Impact
T1218.004 InstallUtil
T1056.001 Keylogging
T1484.002 Domain Trust Modification
T1218.002 Control Panel
T1134.001 Token Impersonation/Theft
T1615 Group Policy Discovery
T1098.001 Additional Cloud Credentials
T1548.002 Bypass User Account Control
T1569.001 Launchctl
T1027 Obfuscated Files or Information
T1098.004 SSH Authorized Keys
T1552.002 Credentials in Registry
T1119 Automated Collection
T1547.005 Security Support Provider
T1003.003 NTDS
T1110.001 Password Guessing
T1531 Account Access Removal
T1606.002 SAML Tokens
T1547.007 Re-opened Applications
T1059.005 Visual Basic
T1137.002 Office Test
T1609 Container Administration Command
T1047 Windows Management Instrumentation
T1571 Non-Standard Port
T1074.001 Local Data Staging
T1056.002 GUI Input Capture
T1127.001 MSBuild
T1564.003 Hidden Window
T1546.011 Application Shimming
T1530 Data from Cloud Storage Object
T1110.003 Password Spraying
T1563.002 RDP Hijacking
T1218.003 CMSTP
T1560.001 Archive via Utility
T1201 Password Policy Discovery
T1559.002 Dynamic Data Exchange
T1547.003 Time Providers
T1132.001 Standard Encoding
T1562.001 Disable or Modify Tools
T1482 Domain Trust Discovery
T1083 File and Directory Discovery
T1070.005 Network Share Connection Removal
T1140 Deobfuscate/Decode Files or Information
T1033 System Owner/User Discovery
T1070.002 Clear Linux or Mac System Logs

defense-evasion

T1647

Plist File Modification

T1620

Reflective Code Loading

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.008

Hijack Execution Flow: Path Interception by Search Order Hijacking

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1553.005

Subvert Trust Controls: Mark-of-the-Web Bypass

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.002

Abuse Elevation Control Mechanism: Bypass User Account Control

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1216

Signed Script Proxy Execution

T1207

Rogue Domain Controller

T1202

Indirect Command Execution

T1140

Deobfuscate/Decode Files or Information

T1127

Trusted Developer Utilities Proxy Execution

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1070

Indicator Removal on Host

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1036.005

Masquerading: Match Legitimate Name or Location

T1036.004

Masquerading: Masquerade Task or Service

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

credential-access

T1558.004

Steal or Forge Kerberos Tickets: AS-REP Roasting

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1558.002

Steal or Forge Kerberos Tickets: Silver Ticket

T1558.001

Steal or Forge Kerberos Tickets: Golden Ticket

T1555

Credentials from Password Stores

T1555.004

Credentials from Password Stores: Windows Credential Manager

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1539

Steal Web Session Cookie

T1003.008

OS Credential Dumping: /etc/passwd and /etc/shadow

T1003.007

OS Credential Dumping: Proc Filesystem

T1003.005

OS Credential Dumping: Cached Domain Credentials

T1003.002

OS Credential Dumping: Security Account Manager

privilege-escalation

T1547

Boot or Logon Autostart Execution

T1547.010

Boot or Logon Autostart Execution: Port Monitors

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1543.004

Create or Modify System Process: Launch Daemon

T1543.003

Create or Modify System Process: Windows Service

T1543.002

Create or Modify System Process: Systemd Service

T1543.001

Create or Modify System Process: Launch Agent

T1484.001

Domain Policy Modification: Group Policy Modification

T1134.005

Access Token Manipulation: SID-History Injection

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1055.004

Process Injection: Asynchronous Procedure Call

T1055.001

Process Injection: Dynamic-link Library Injection

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

persistence

T1556.003

Modify Authentication Process: Pluggable Authentication Modules

T1556.002

Modify Authentication Process: Password Filter DLL

T1546.015

Event Triggered Execution: Component Object Model Hijacking

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.009

Event Triggered Execution: AppCert DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1505.002

Server Software Component: Transport Agent

T1137

Office Application Startup

T1137.004

Office Application Startup: Outlook Home Page

T1137.002

Office Application Startup: Office Test

T1098.001

Account Manipulation: Additional Cloud Credentials

discovery

T1615

Group Policy Discovery

T1614.001

System Location Discovery: System Language Discovery

T1526

Cloud Service Discovery

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1482

Domain Trust Discovery

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1120

Peripheral Device Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1049

System Network Connections Discovery

T1046

Network Service Scanning

T1033

System Owner/User Discovery

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

collection

T1560

Archive Collected Data

T1560.002

Archive Collected Data: Archive via Library

T1560.001

Archive Collected Data: Archive via Utility

T1557.001

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

T1530

Data from Cloud Storage Object

T1114.001

Email Collection: Local Email Collection

T1039

Data from Network Shared Drive

execution

T1609

Kubernetes Exec Into Container

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1059.006

Command and Scripting Interpreter: Python

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.004

Command and Scripting Interpreter: Bash

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.002

Command and Scripting Interpreter: AppleScript

T1059.001

Command and Scripting Interpreter: PowerShell

T1047

Windows Management Instrumentation

command-and-control

T1219

Remote Access Software

T1095

Non-Application Layer Protocol

T1071.001

Application Layer Protocol: Web Protocols

lateral-movement

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1072

Software Deployment Tools

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

impact

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1490

Inhibit System Recovery

T1486

Data Encrypted for Impact

exfiltration

T1567

Exfiltration Over Web Service

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1048.002

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1041

Exfiltration Over C2 Channel

T1030

Data Transfer Size Limits

T1020

Automated Exfiltration

initial-access

T1195

Supply Chain Compromise

T1133

External Remote Services

T1091

Replication Through Removable Media
