T1647
Plist File Modification
ID | Technique |
---|---|
T1047 | Windows Management Instrumentation |
T1083 | File and Directory Discovery |
T1546 | Event Triggered Execution |
T1547.014 | Active Setup |
T1030 | Data Transfer Size Limits |
T1620 | Reflective Code Loading |
T1003.006 | DCSync |
T1098.004 | SSH Authorized Keys |
T1074.001 | Local Data Staging |
T1036 | Masquerading |
T1098 | Account Manipulation |
T1071.001 | Web Protocols |
T1003.002 | Security Account Manager |
T1070.004 | File Deletion |
T1610 | Deploy Container |
T1218.009 | Regsvcs/Regasm |
T1592.001 | Hardware |
T1204.003 | Malicious Image |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
T1552.006 | Group Policy Preferences |
T1055.015 | ListPlanting |
T1614.001 | System Language Discovery |
T1037.004 | RC Scripts |
T1110.001 | Password Guessing |
T1135 | Network Share Discovery |
T1005 | Data from Local System |
T1547.003 | Time Providers |
T1055.004 | Asynchronous Procedure Call |
T1558.002 | Silver Ticket |
T1562 | Impair Defenses |
T1612 | Build Image on Host |
T1021.006 | Windows Remote Management |
T1137.006 | Add-ins |
T1563.002 | RDP Hijacking |
T1132.001 | Standard Encoding |
T1546.014 | Emond |
T1552.007 | Container API |
T1027.002 | Software Packing |
T1611 | Escape to Host |
T1137.001 | Office Template Macros |
T1040 | Network Sniffing |
T1562.003 | Impair Command History Logging |
T1221 | Template Injection |
T1505.004 | IIS Components |
T1078.003 | Local Accounts |
T1564.008 | Email Hiding Rules |
T1003.007 | Proc Filesystem |
T1552.005 | Cloud Instance Metadata API |
T1558.001 | Golden Ticket |
T1207 | Rogue Domain Controller |
T1489 | Service Stop |
T1539 | Steal Web Session Cookie |
T1562.002 | Disable Windows Event Logging |
T1033 | System Owner/User Discovery |
T1039 | Data from Network Shared Drive |
T1543.004 | Launch Daemon |
T1098.002 | Additional Email Delegate Permissions |
T1120 | Peripheral Device Discovery |
T1606.002 | SAML Tokens |
T1529 | System Shutdown/Reboot |
T1562.012 | Disable or Modify Linux Audit System |
T1136.002 | Domain Account |
T1078.004 | Cloud Accounts |
T1580 | Cloud Infrastructure Discovery |
T1218.003 | CMSTP |
T1012 | Query Registry |
T1222.001 | Windows File and Directory Permissions Modification |
T1518 | Software Discovery |
T1574.006 | Dynamic Linker Hijacking |
T1559 | Inter-Process Communication |
T1546.005 | Trap |
T1546.013 | PowerShell Profile |
T1652 | Device Driver Discovery |
T1543.001 | Launch Agent |
T1560.001 | Archive via Utility |
T1140 | Deobfuscate/Decode Files or Information |
T1098.003 | Additional Cloud Roles |
T1112 | Modify Registry |
T1546.002 | Screensaver |
T1570 | Lateral Tool Transfer |
T1567.003 | Exfiltration to Text Storage Sites |
T1036.003 | Rename System Utilities |
T1574.011 | Services Registry Permissions Weakness |
T1007 | System Service Discovery |
T1654 | Log Enumeration |
T1055.011 | Extra Window Memory Injection |
T1078.001 | Default Accounts |
T1562.006 | Indicator Blocking |
T1553.003 | SIP and Trust Provider Hijacking |
T1560 | Archive Collected Data |
T1059.002 | AppleScript |
T1547.008 | LSASS Driver |
T1548.003 | Sudo and Sudo Caching |
T1218.007 | Msiexec |
T1497.001 | System Checks |
T1187 | Forced Authentication |
T1090.003 | Multi-hop Proxy |
T1136.001 | Local Account |
T1087.001 | Local Account |
T1055.001 | Dynamic-link Library Injection |
T1574.008 | Path Interception by Search Order Hijacking |
T1016.002 | Wi-Fi Discovery |
T1110.004 | Credential Stuffing |
T1055.003 | Thread Execution Hijacking |
T1647 | Plist File Modification |
T1552.004 | Private Keys |
T1546.010 | AppInit DLLs |
T1542.001 | System Firmware |
T1010 | Application Window Discovery |
T1216.001 | PubPrn |
T1619 | Cloud Storage Object Discovery |
T1016.001 | Internet Connection Discovery |
T1201 | Password Policy Discovery |
T1087.002 | Domain Account |
T1137.004 | Outlook Home Page |
T1547.009 | Shortcut Modification |
T1119 | Automated Collection |
T1218.004 | InstallUtil |
T1105 | Ingress Tool Transfer |
T1547.002 | Authentication Package |
T1091 | Replication Through Removable Media |
T1055.012 | Process Hollowing |
T1204.002 | Malicious File |
T1059.005 | Visual Basic |
T1218 | System Binary Proxy Execution |
T1195 | Supply Chain Compromise |
T1622 | Debugger Evasion |
T1574.009 | Path Interception by Unquoted Path |
T1217 | Browser Information Discovery |
T1018 | Remote System Discovery |
T1003 | OS Credential Dumping |
T1553.006 | Code Signing Policy Modification |
T1216 | System Script Proxy Execution |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
T1059.004 | Unix Shell |
T1037.002 | Login Hook |
T1484.001 | Group Policy Modification |
T1566.001 | Spearphishing Attachment |
T1222 | File and Directory Permissions Modification |
T1556.003 | Pluggable Authentication Modules |
T1124 | System Time Discovery |
T1110.002 | Password Cracking |
T1564.004 | NTFS File Attributes |
T1197 | BITS Jobs |
T1059.006 | Python |
T1021.005 | VNC |
T1106 | Native API |
T1082 | System Information Discovery |
T1070.001 | Clear Windows Event Logs |
T1486 | Data Encrypted for Impact |
T1574.012 | COR_PROFILER |
T1027.004 | Compile After Delivery |
T1003.004 | LSA Secrets |
T1003.001 | LSASS Memory |
T1548.001 | Setuid and Setgid |
T1046 | Network Service Discovery |
T1070.005 | Network Share Connection Removal |
T1546.003 | Windows Management Instrumentation Event Subscription |
T1547.004 | Winlogon Helper DLL |
T1564.002 | Hidden Users |
T1550.003 | Pass the Ticket |
T1574.001 | DLL Search Order Hijacking |
T1020 | Automated Exfiltration |
T1496 | Resource Hijacking |
T1574.002 | DLL Side-Loading |
T1003.005 | Cached Domain Credentials |
T1547.010 | Port Monitors |
T1134.005 | SID-History Injection |
T1056.002 | GUI Input Capture |
T1562.010 | Downgrade Attack |
T1543.002 | Systemd Service |
T1218.002 | Control Panel |
T1564.006 | Run Virtual Instance |
T1485 | Data Destruction |
T1055 | Process Injection |
T1021.002 | SMB/Windows Admin Shares |
T1125 | Video Capture |
T1555.001 | Keychain |
T1003.008 | /etc/passwd and /etc/shadow |
T1049 | System Network Connections Discovery |
T1003.003 | NTDS |
T1218.011 | Rundll32 |
T1006 | Direct Volume Access |
T1037.005 | Startup Items |
T1027.006 | HTML Smuggling |
T1547.006 | Kernel Modules and Extensions |
T1053.006 | Systemd Timers |
T1564.003 | Hidden Window |
T1218.010 | Regsvr32 |
T1572 | Protocol Tunneling |
T1526 | Cloud Service Discovery |
T1571 | Non-Standard Port |
T1069.002 | Domain Groups |
T1071.004 | DNS |
T1559.002 | Dynamic Data Exchange |
T1560.002 | Archive via Library |
T1053.005 | Scheduled Task |
T1543.003 | Windows Service |
T1552 | Unsecured Credentials |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
T1567.002 | Exfiltration to Cloud Storage |
T1021.003 | Distributed Component Object Model |
T1484.002 | Trust Modification |
T1057 | Process Discovery |
T1069.001 | Local Groups |
T1548.002 | Bypass User Account Control |
T1036.006 | Space after Filename |
T1550.002 | Pass the Hash |
T1546.007 | Netsh Helper DLL |
T1070.003 | Clear Command History |
T1555 | Credentials from Password Stores |
T1110.003 | Password Spraying |
T1021.001 | Remote Desktop Protocol |
T1556.002 | Password Filter DLL |
T1528 | Steal Application Access Token |
T1053.003 | Cron |
T1218.005 | Mshta |
T1072 | Software Deployment Tools |
T1115 | Clipboard Data |
T1071 | Application Layer Protocol |
T1134.002 | Create Process with Token |
T1569.002 | Service Execution |
T1134.004 | Parent PID Spoofing |
T1562.009 | Safe Mode Boot |
T1027.007 | Dynamic API Resolution |
T1613 | Container and Resource Discovery |
T1553.005 | Mark-of-the-Web Bypass |
T1547.005 | Security Support Provider |
T1564.001 | Hidden Files and Directories |
T1219 | Remote Access Software |
T1505.002 | Transport Agent |
T1090.001 | Internal Proxy |
T1137.002 | Office Test |
T1505.003 | Web Shell |
T1056.004 | Credential API Hooking |
T1546.011 | Application Shimming |
T1133 | External Remote Services |
T1615 | Group Policy Discovery |
T1546.009 | AppCert DLLs |
T1123 | Audio Capture |
T1547.015 | Login Items |
T1014 | Rootkit |
T1573 | Encrypted Channel |
T1562.004 | Disable or Modify System Firewall |
T1552.001 | Credentials In Files |
T1614 | System Location Discovery |
T1053.007 | Container Orchestration Job |
T1569.001 | Launchctl |
T1036.004 | Masquerade Task or Service |
T1547.001 | Registry Run Keys / Startup Folder |
T1562.008 | Disable or Modify Cloud Logs |
T1070.006 | Timestomp |
T1136.003 | Cloud Account |
T1070.008 | Clear Mailbox Data |
T1114.003 | Email Forwarding Rule |
T1546.015 | Component Object Model Hijacking |
T1555.004 | Windows Credential Manager |
T1546.008 | Accessibility Features |
T1114.001 | Local Email Collection |
T1218.008 | Odbcconf |
T1553.004 | Install Root Certificate |
T1609 | Container Administration Command |
T1552.003 | Bash History |
T1649 | Steal or Forge Authentication Certificates |
T1202 | Indirect Command Execution |
T1564 | Hide Artifacts |
T1134.001 | Token Impersonation/Theft |
T1137 | Office Application Startup |
T1021.004 | SSH |
T1059.001 | PowerShell |
T1036.005 | Match Legitimate Name or Location |
T1531 | Account Access Removal |
T1220 | XSL Script Processing |
T1001.002 | Steganography |
T1552.002 | Credentials in Registry |
T1546.001 | Change Default File Association |
T1053.002 | At |
T1547.007 | Re-opened Applications |
T1482 | Domain Trust Discovery |
T1176 | Browser Extensions |
T1547.012 | Print Processors |
T1562.001 | Disable or Modify Tools |
T1546.012 | Image File Execution Options Injection |
T1114.002 | Remote Email Collection |
T1555.003 | Credentials from Web Browsers |
T1129 | Shared Modules |
T1059.003 | Windows Command Shell |
T1218.001 | Compiled HTML File |
T1113 | Screen Capture |
T1490 | Inhibit System Recovery |
T1505.005 | Terminal Services DLL |
T1098.001 | Additional Cloud Credentials |
T1070.002 | Clear Linux or Mac System Logs |
T1027.001 | Binary Padding |
T1558.003 | Kerberoasting |
T1048 | Exfiltration Over Alternative Protocol |
T1016 | System Network Configuration Discovery |
T1530 | Data from Cloud Storage |
T1518.001 | Security Software Discovery |
T1127 | Trusted Developer Utilities Proxy Execution |
T1041 | Exfiltration Over C2 Channel |
T1027 | Obfuscated Files or Information |
T1059 | Command and Scripting Interpreter |
T1056.001 | Keylogging |
T1547 | Boot or Logon Autostart Execution |
T1059.007 | JavaScript |
T1491.001 | Internal Defacement |
T1095 | Non-Application Layer Protocol |
T1497.003 | Time Based Evasion |
T1127.001 | MSBuild |
T1037.001 | Logon Script (Windows) |
T1222.002 | Linux and Mac File and Directory Permissions Modification |
T1558.004 | AS-REP Roasting |
T1070 | Indicator Removal |
T1553.001 | Gatekeeper Bypass |
T1055.002 | Portable Executable Injection |
T1546.004 | Unix Shell Configuration Modification |
Plist File Modification
Reflective Code Loading
Build Image on Host
Hijack Execution Flow: COR_PROFILER
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Unquoted Path
Hijack Execution Flow: Path Interception by Search Order Hijacking
Hijack Execution Flow: LD_PRELOAD
Hijack Execution Flow: DLL Side-Loading
Hijack Execution Flow: DLL Search Order Hijacking
Hide Artifacts
Hide Artifacts: Email Hiding Rules
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Window
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Impair Defenses
Impair Defenses: Disable or Modify Linux Audit System
Impair Defenses: Downgrade Attack
Impair Defenses: Safe Boot Mode
Impair Defenses: Disable Cloud Logs
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Impair Command History Logging
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Subvert Trust Controls: Code Signing Policy Modification
Subvert Trust Controls: Mark-of-the-Web Bypass
Subvert Trust Controls: Install Root Certificate
Subvert Trust Controls: SIP and Trust Provider Hijacking
Subvert Trust Controls: Gatekeeper Bypass
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Bypass User Account Control
Abuse Elevation Control Mechanism: Setuid and Setgid
Pre-OS Boot: System Firmware
File and Directory Permissions Modification
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Template Injection
XSL Script Processing
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvr32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Odbcconf
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: InstallUtil
Signed Binary Proxy Execution: CMSTP
Signed Binary Proxy Execution: Control Panel
Signed Binary Proxy Execution: Compiled HTML File
Signed Script Proxy Execution
Signed Script Proxy Execution: Pubprn
Rogue Domain Controller
Indirect Command Execution
Deobfuscate/Decode Files or Information
Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution: MSBuild
Modify Registry
Indicator Removal on Host
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Indicator Removal on Host: Clear Windows Event Logs
Masquerading
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
Obfuscated Files or Information
Obfuscated Files or Information: Dynamic API Resolution
HTML Smuggling
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Rootkit
Direct Volume Access
Escape to Host
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Login Items
Active Setup
Boot or Logon Autostart Execution: Print Processors
Boot or Logon Autostart Execution: Port Monitors
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: LSASS Driver
Boot or Logon Autostart Execution: Re-opened Applications
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: Winlogon Helper DLL
Time Providers
Authentication Package
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Create or Modify System Process: Launch Daemon
Create or Modify System Process: Windows Service
Create or Modify System Process: SysV/Systemd Service
Create or Modify System Process: Launch Agent
Domain Trust Modification
Domain Policy Modification: Group Policy Modification
Access Token Manipulation: SID-History Injection
Access Token Manipulation: Parent PID Spoofing
Create Process with Token
Access Token Manipulation: Token Impersonation/Theft
Account Manipulation
SSH Authorized Keys
Account Manipulation: Additional Cloud Roles
Account Manipulation: Additional Email Delegate Permissions
Account Manipulation: Additional Cloud Credentials
Process Injection
Process Injection: ListPlanting
Process Injection: Process Hollowing
Process Injection: Extra Window Memory Injection
Process Injection: Asynchronous Procedure Call
Thread Execution Hijacking
Process Injection: Portable Executable Injection
Process Injection: Dynamic-link Library Injection
Kubernetes Cronjob
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: Scheduled Task
Scheduled Task/Job: Cron
Scheduled Task/Job: At
Boot or Logon Initialization Scripts: Startup Items
Boot or Logon Initialization Scripts: Rc.common
Boot or Logon Initialization Scripts: Logon Script (Mac)
Boot or Logon Initialization Scripts: Logon Script (Windows)
Log Enumeration
Device Driver Discovery
Debugger Evasion
Cloud Storage Object Discovery
Group Policy Discovery
System Location Discovery
System Location Discovery: System Language Discovery
Container and Resource Discovery
Cloud Infrastructure Discovery
Cloud Service Discovery
Software Discovery
Software Discovery: Security Software Discovery
Time Based Evasion
Virtualization/Sandbox Evasion: System Checks
Domain Trust Discovery
Browser Bookmark Discovery
Password Policy Discovery
Network Share Discovery
System Time Discovery
Peripheral Device Discovery
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Process Discovery
System Network Connections Discovery
Network Service Discovery
Network Sniffing
System Owner/User Discovery
Remote System Discovery
System Network Configuration Discovery
System Network Configuration Discovery: Wi-Fi Discovery
System Network Configuration Discovery: Internet Connection Discovery
Query Registry
Application Window Discovery
System Service Discovery
Steal or Forge Authentication Certificates
Forge Web Credentials: SAML token
Steal or Forge Kerberos Tickets: AS-REP Roasting
Steal or Forge Kerberos Tickets: Kerberoasting
Steal or Forge Kerberos Tickets: Silver Ticket
Steal or Forge Kerberos Tickets: Golden Ticket
Credentials from Password Stores
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Credentials from Password Stores: Keychain
Unsecured Credentials
Kubernetes List Secrets
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Cloud Instance Metadata API
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials in Registry
Unsecured Credentials: Credentials In Files
Steal Web Session Cookie
Steal Application Access Token
Forced Authentication
Brute Force: Credential Stuffing
Brute Force: Password Spraying
Brute Force: Password Cracking
Brute Force: Password Guessing
Input Capture: Credential API Hooking
Input Capture: GUI Input Capture
Input Capture: Keylogging
OS Credential Dumping
OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
OS Credential Dumping: DCSync
OS Credential Dumping: Cached Domain Credentials
OS Credential Dumping: LSA Secrets
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
Modify Authentication Process: Pluggable Authentication Modules
Modify Authentication Process: Password Filter DLL
Event Triggered Execution
Event Triggered Execution: Component Object Model Hijacking
Event Triggered Execution: Emond
Event Triggered Execution: PowerShell Profile
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppInit DLLs
Event Triggered Execution: AppCert DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Netsh Helper DLL
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile .bashrc and .shrc
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Event Triggered Execution: Screensaver
Event Triggered Execution: Change Default File Association
Server Software Component: Terminal Services DLL
IIS Components
Server Software Component: Web Shell
Server Software Component: Transport Agent
BITS Jobs
Browser Extensions
Office Application Startup
Office Application Startup: Add-ins
Office Application Startup: Outlook Home Page
Office Application Startup: Office Test
Office Application Startup: Office Template Macros
Create Account: Cloud Account
Create Account: Domain Account
Create Account: Local Account
Deploy a container
Kubernetes Exec Into Container
System Services: Service Execution
System Services: Launchctl
Inter-Process Communication
Inter-Process Communication: Dynamic Data Exchange
User Execution: Malicious Image
User Execution: Malicious File
Server Software Component
Native API
Command and Scripting Interpreter
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Visual Basic
Command and Scripting Interpreter: Bash
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: AppleScript
Command and Scripting Interpreter: PowerShell
Windows Management Instrumentation
Archive Collected Data
Archive Collected Data: Archive via Library
Archive Collected Data: Archive via Utility
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Data from Cloud Storage Object
Video Capture
Audio Capture
Automated Collection
Clipboard Data
Email Collection: Email Forwarding Rule
Email Collection: Remote Email Collection
Email Collection: Local Email Collection
Screen Capture
Data Staged: Local Data Staging
Data from Network Shared Drive
Data from Local System
Encrypted Channel
Protocol Tunneling
Non-Standard Port
Remote Access Software
Data Encoding: Standard Encoding
Ingress Tool Transfer
Non-Application Layer Protocol
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Application Layer Protocol
Application Layer Protocol: DNS
Application Layer Protocol: Web Protocols
Data Obfuscation via Steganography
Lateral Tool Transfer
Remote Service Session Hijacking: RDP Hijacking
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Software Deployment Tools
Remote Services: Windows Remote Management
Remote Services: VNC
Remote Services: SSH
Remote Services: Distributed Component Object Model
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltration Over C2 Channel
Data Transfer Size Limits
Automated Exfiltration
Account Access Removal
System Shutdown/Reboot
Resource Hijacking
Defacement: Internal Defacement
Inhibit System Recovery
Service Stop
Data Encrypted for Impact
Data Destruction
Phishing: Spearphishing Attachment
Supply Chain Compromise
External Remote Services
Replication Through Removable Media
Valid Accounts: Cloud Accounts
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Gather Victim Host Information: Hardware