Posts by Tag

windows

T1620

Reflective Code Loading

T1615

Group Policy Discovery

T1614.001

System Location Discovery: System Language Discovery

T1592.001

Gather Victim Host Information: Hardware

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.008

Hijack Execution Flow: Path Interception by Search Order Hijacking

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1567

Exfiltration Over Web Service

T1564.001

Hide Artifacts: Hidden Files and Directories

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1560

Archive Collected Data

T1560.001

Archive Collected Data: Archive via Utility

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1558.004

Steal or Forge Kerberos Tickets: AS-REP Roasting

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1558.002

Steal or Forge Kerberos Tickets: Silver Ticket

T1558.001

Steal or Forge Kerberos Tickets: Golden Ticket

T1557.001

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

T1556.002

Modify Authentication Process: Password Filter DLL

T1555

Credentials from Password Stores

T1555.004

Credentials from Password Stores: Windows Credential Manager

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1553.005

Subvert Trust Controls: Mark-of-the-Web Bypass

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1548.002

Abuse Elevation Control Mechanism: Bypass User Access Control

T1547

Boot or Logon Autostart Execution

T1547.015

Boot or Logon Autostart Execution: Login Items

T1547.010

Boot or Logon Autostart Execution: Port Monitors

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.008

Boot or Logon Autostart Execution: LSASS Driver

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1546

Event Triggered Execution

T1546.015

Event Triggered Execution: Component Object Model Hijacking

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.009

Event Triggered Execution: AppCert DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1543.003

Create or Modify System Process: Windows Service

T1539

Steal Web Session Cookie

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1505.002

Server Software Component: Transport Agent

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1490

Inhibit System Recovery

T1486

Data Encrypted for Impact

T1484.001

Domain Policy Modification: Group Policy Modification

T1482

Domain Trust Discovery

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1219

Remote Access Software

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1217

Browser Bookmark Discovery

T1216

Signed Script Proxy Execution

T1207

Rogue Domain Controller

T1202

Indirect Command Execution

T1201

Password Policy Discovery

T1195

Supply Chain Compromise

T1140

Deobfuscate/Decode Files or Information

T1137

Office Application Startup

T1137.004

Office Application Startup: Outlook Home Page

T1137.002

Office Application Startup: Office Test

T1135

Network Share Discovery

T1134.005

Access Token Manipulation: SID-History Injection

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1133

External Remote Services

T1127

Trusted Developer Utilities Proxy Execution

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1120

Peripheral Device Discovery

T1114.001

Email Collection: Local Email Collection

T1095

Non-Application Layer Protocol

T1091

Replication Through Removable Media

T1083

File and Directory Discovery

T1082

System Information Discovery

T1072

Software Deployment Tools

T1071.001

Application Layer Protocol: Web Protocols

T1070

Indicator Removal on Host

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.001

Command and Scripting Interpreter: PowerShell

T1055.004

Process Injection: Asynchronous Procedure Call

T1055.001

Process Injection: Dynamic-link Library Injection

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1047

Windows Management Instrumentation

T1046

Network Service Scanning

T1041

Exfiltration Over C2 Channel

T1039

Data from Network Shared Drive

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

T1036.005

Masquerading: Match Legitimate Name or Location

T1036.004

Masquerading: Masquerade Task or Service

T1033

System Owner/User Discovery

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

T1020

Automated Exfiltration

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

T1003.005

OS Credential Dumping: Cached Domain Credentials

T1003.002

OS Credential Dumping: Security Account Manager

Back to Top ↑

powershell

T1620

Reflective Code Loading

T1615

Group Policy Discovery

T1592.001

Gather Victim Host Information: Hardware

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.008

Hijack Execution Flow: Path Interception by Search Order Hijacking

T1567

Exfiltration Over Web Service

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1560

Archive Collected Data

T1558.004

Steal or Forge Kerberos Tickets: AS-REP Roasting

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1558.002

Steal or Forge Kerberos Tickets: Silver Ticket

T1558.001

Steal or Forge Kerberos Tickets: Golden Ticket

T1557.001

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

T1556.002

Modify Authentication Process: Password Filter DLL

T1555

Credentials from Password Stores

T1555.004

Credentials from Password Stores: Windows Credential Manager

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1553.005

Subvert Trust Controls: Mark-of-the-Web Bypass

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

T1552.001

Unsecured Credentials: Credentials In Files

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1548.002

Abuse Elevation Control Mechanism: Bypass User Access Control

T1547.015

Boot or Logon Autostart Execution: Login Items

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.008

Boot or Logon Autostart Execution: LSASS Driver

T1547.005

Boot or Logon Autostart Execution: Security Support Provider

T1547.004

Boot or Logon Autostart Execution: Winlogon Helper DLL

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1546

Event Triggered Execution

T1546.015

Event Triggered Execution: Component Object Model Hijacking

T1546.013

Event Triggered Execution: PowerShell Profile

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.009

Event Triggered Execution: AppCert DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1543.003

Create or Modify System Process: Windows Service

T1539

Steal Web Session Cookie

T1531

Account Access Removal

T1530

Data from Cloud Storage Object

T1528

Steal Application Access Token

T1526

Cloud Service Discovery

T1518.001

Software Discovery: Security Software Discovery

T1505.002

Server Software Component: Transport Agent

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1490

Inhibit System Recovery

T1484.001

Domain Policy Modification: Group Policy Modification

T1482

Domain Trust Discovery

T1219

Remote Access Software

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.004

Signed Binary Proxy Execution: InstallUtil

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1217

Browser Bookmark Discovery

T1207

Rogue Domain Controller

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1134.004

Access Token Manipulation: Parent PID Spoofing

T1134.001

Access Token Manipulation: Token Impersonation/Theft

T1133

External Remote Services

T1120

Peripheral Device Discovery

T1114.001

Email Collection: Local Email Collection

T1098.001

Account Manipulation: Additional Cloud Credentials

T1095

Non-Application Layer Protocol

T1091

Replication Through Removable Media

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.001

Command and Scripting Interpreter: PowerShell

T1055.001

Process Injection: Dynamic-link Library Injection

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1047

Windows Management Instrumentation

T1046

Network Service Scanning

T1041

Exfiltration Over C2 Channel

T1039

Data from Network Shared Drive

T1036.005

Masquerading: Match Legitimate Name or Location

T1033

System Owner/User Discovery

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1021.006

Remote Services: Windows Remote Management

T1021.003

Remote Services: Distributed Component Object Model

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

T1020

Automated Exfiltration

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1003.002

OS Credential Dumping: Security Account Manager

Back to Top ↑

command_prompt

T1615

Group Policy Discovery

T1614.001

System Location Discovery: System Language Discovery

T1574.011

Hijack Execution Flow: Services Registry Permissions Weakness

T1574.009

Hijack Execution Flow: Path Interception by Unquoted Path

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

T1564.001

Hide Artifacts: Hidden Files and Directories

T1563.002

Remote Service Session Hijacking: RDP Hijacking

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.002

Impair Defenses: Disable Windows Event Logging

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

T1555.004

Credentials from Password Stores: Windows Credential Manager

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1552.006

Unsecured Credentials: Group Policy Preferences

T1552.002

Unsecured Credentials: Credentials in Registry

T1552.001

Unsecured Credentials: Credentials In Files

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1548.002

Abuse Elevation Control Mechanism: Bypass User Access Control

T1547

Boot or Logon Autostart Execution

T1547.010

Boot or Logon Autostart Execution: Port Monitors

T1547.009

Boot or Logon Autostart Execution: Shortcut Modification

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1546.012

Event Triggered Execution: Image File Execution Options Injection

T1546.011

Event Triggered Execution: Application Shimming

T1546.010

Event Triggered Execution: AppInit DLLs

T1546.008

Event Triggered Execution: Accessibility Features

T1546.007

Event Triggered Execution: Netsh Helper DLL

T1546.002

Event Triggered Execution: Screensaver

T1546.001

Event Triggered Execution: Change Default File Association

T1543.003

Create or Modify System Process: Windows Service

T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1490

Inhibit System Recovery

T1486

Data Encrypted for Impact

T1484.001

Domain Policy Modification: Group Policy Modification

T1482

Domain Trust Discovery

T1222.001

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

T1218

Signed Binary Proxy Execution

T1218.011

Signed Binary Proxy Execution: Rundll32

T1218.010

Signed Binary Proxy Execution: Regsvr32

T1218.009

Signed Binary Proxy Execution: Regsvcs/Regasm

T1218.008

Signed Binary Proxy Execution: Odbcconf

T1218.007

Signed Binary Proxy Execution: Msiexec

T1218.002

Signed Binary Proxy Execution: Control Panel

T1218.001

Signed Binary Proxy Execution: Compiled HTML File

T1217

Browser Bookmark Discovery

T1216

Signed Script Proxy Execution

T1202

Indirect Command Execution

T1201

Password Policy Discovery

T1195

Supply Chain Compromise

T1140

Deobfuscate/Decode Files or Information

T1137

Office Application Startup

T1137.004

Office Application Startup: Outlook Home Page

T1137.002

Office Application Startup: Office Test

T1135

Network Share Discovery

T1134.005

Access Token Manipulation: SID-History Injection

T1127

Trusted Developer Utilities Proxy Execution

T1127.001

Trusted Developer Utilities Proxy Execution: MSBuild

T1083

File and Directory Discovery

T1082

System Information Discovery

T1072

Software Deployment Tools

T1071.001

Application Layer Protocol: Web Protocols

T1070

Indicator Removal on Host

T1070.005

Indicator Removal on Host: Network Share Connection Removal

T1070.004

Indicator Removal on Host: File Deletion

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

T1069.002

Permission Groups Discovery: Domain Groups

T1069.001

Permission Groups Discovery: Local Groups

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1059.001

Command and Scripting Interpreter: PowerShell

T1055.004

Process Injection: Asynchronous Procedure Call

T1049

System Network Connections Discovery

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1047

Windows Management Instrumentation

T1039

Data from Network Shared Drive

T1037.001

Boot or Logon Initialization Scripts: Logon Script (Windows)

T1036.004

Masquerading: Masquerade Task or Service

T1033

System Owner/User Discovery

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1021.002

Remote Services: SMB/Windows Admin Shares

T1021.001

Remote Services: Remote Desktop Protocol

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1010

Application Window Discovery

T1007

System Service Discovery

T1003.005

OS Credential Dumping: Cached Domain Credentials

T1003.002

OS Credential Dumping: Security Account Manager

Back to Top ↑

macos

T1647

Plist File Modification

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1552.001

Unsecured Credentials: Credentials In Files

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1547.015

Boot or Logon Autostart Execution: Login Items

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1543.004

Create or Modify System Process: Launch Daemon

T1543.001

Create or Modify System Process: Launch Agent

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1140

Deobfuscate/Decode Files or Information

T1135

Network Share Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1069.001

Permission Groups Discovery: Local Groups

T1059.004

Command and Scripting Interpreter: Bash

T1059.002

Command and Scripting Interpreter: AppleScript

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1046

Network Service Scanning

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)

T1036.005

Masquerading: Match Legitimate Name or Location

T1033

System Owner/User Discovery

T1030

Data Transfer Size Limits

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

Back to Top ↑

linux

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.002

Archive Collected Data: Archive via Library

T1560.001

Archive Collected Data: Archive via Utility

T1556.003

Modify Authentication Process: Pluggable Authentication Modules

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1553.004

Subvert Trust Controls: Install Root Certificate

T1552.001

Unsecured Credentials: Credentials In Files

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1543.002

Create or Modify System Process: Systemd Service

T1529

System Shutdown/Reboot

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1486

Data Encrypted for Impact

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1217

Browser Bookmark Discovery

T1201

Password Policy Discovery

T1140

Deobfuscate/Decode Files or Information

T1135

Network Share Discovery

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1069.001

Permission Groups Discovery: Local Groups

T1059.006

Command and Scripting Interpreter: Python

T1059.004

Command and Scripting Interpreter: Bash

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1046

Network Service Scanning

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1036.005

Masquerading: Match Legitimate Name or Location

T1033

System Owner/User Discovery

T1030

Data Transfer Size Limits

T1027

Obfuscated Files or Information

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1007

System Service Discovery

T1003.008

OS Credential Dumping: /etc/passwd and /etc/shadow

T1003.007

OS Credential Dumping: Proc Filesystem

Back to Top ↑

sh

T1619

Cloud Storage Object Discovery

T1564.001

Hide Artifacts: Hidden Files and Directories

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1562.001

Impair Defenses: Disable or Modify Tools

T1560.001

Archive Collected Data: Archive via Utility

T1556.003

Modify Authentication Process: Pluggable Authentication Modules

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1555.001

Credentials from Password Stores: Keychain

T1553.004

Subvert Trust Controls: Install Root Certificate

T1553.001

Subvert Trust Controls: Gatekeeper Bypass

T1552.001

Unsecured Credentials: Credentials In Files

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

T1547.007

Boot or Logon Autostart Execution: Re-opened Applications

T1546.004

Event Triggered Execution: .bash_profile and .bashrc

T1530

Data from Cloud Storage Object

T1518.001

Software Discovery: Security Software Discovery

T1497.001

Virtualization/Sandbox Evasion: System Checks

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1217

Browser Bookmark Discovery

T1140

Deobfuscate/Decode Files or Information

T1135

Network Share Discovery

T1098.001

Account Manipulation: Additional Cloud Credentials

T1083

File and Directory Discovery

T1082

System Information Discovery

T1071.001

Application Layer Protocol: Web Protocols

T1070.004

Indicator Removal on Host: File Deletion

T1070.003

Indicator Removal on Host: Clear Command History

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1069.001

Permission Groups Discovery: Local Groups

T1059.006

Command and Scripting Interpreter: Python

T1059.004

Command and Scripting Interpreter: Bash

T1059.002

Command and Scripting Interpreter: AppleScript

T1049

System Network Connections Discovery

T1048

Exfiltration Over Alternative Protocol

T1046

Network Service Scanning

T1037.005

Boot or Logon Initialization Scripts: Startup Items

T1036.005

Masquerading: Match Legitimate Name or Location

T1033

System Owner/User Discovery

T1030

Data Transfer Size Limits

T1027

Obfuscated Files or Information

T1027.002

Obfuscated Files or Information: Software Packing

T1027.001

Obfuscated Files or Information: Binary Padding

T1018

Remote System Discovery

T1016

System Network Configuration Discovery

T1003.008

OS Credential Dumping: /etc/passwd and /etc/shadow

T1003.007

OS Credential Dumping: Proc Filesystem

Back to Top ↑

bash

T1609

Kubernetes Exec Into Container

T1560.002

Archive Collected Data: Archive via Library

T1552.001

Unsecured Credentials: Credentials In Files

T1547.015

Boot or Logon Autostart Execution: Login Items

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1543.004

Create or Modify System Process: Launch Daemon

T1543.002

Create or Modify System Process: Systemd Service

T1543.001

Create or Modify System Process: Launch Agent

T1529

System Shutdown/Reboot

T1486

Data Encrypted for Impact

T1222.002

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

T1201

Password Policy Discovery

T1135

Network Share Discovery

T1082

System Information Discovery

T1070.004

Indicator Removal on Host: File Deletion

T1070.002

Indicator Removal on Host: Clear Linux or Mac System Logs

T1059.006

Command and Scripting Interpreter: Python

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1046

Network Service Scanning

T1037.004

Boot or Logon Initialization Scripts: Rc.common

T1027.004

Obfuscated Files or Information: Compile After Delivery

T1016

System Network Configuration Discovery

T1007

System Service Discovery

T1003.008

OS Credential Dumping: /etc/passwd and /etc/shadow

T1003.007

OS Credential Dumping: Proc Filesystem

Back to Top ↑

manual

T1647

Plist File Modification

T1559.002

Inter-Process Communication: Dynamic Data Exchange

T1059.001

Command and Scripting Interpreter: PowerShell

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

T1037.002

Boot or Logon Initialization Scripts: Logon Script (Mac)

T1027

Obfuscated Files or Information

Back to Top ↑

azure-ad

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

T1098.001

Account Manipulation: Additional Cloud Credentials

T1082

System Information Discovery

Back to Top ↑

iaas:azure

T1619

Cloud Storage Object Discovery

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

T1530

Data from Cloud Storage Object

T1528

Steal Application Access Token

T1526

Cloud Service Discovery

Back to Top ↑

iaas:aws

T1530

Data from Cloud Storage Object

T1098.001

Account Manipulation: Additional Cloud Credentials

Back to Top ↑

containers

T1609

Kubernetes Exec Into Container

Back to Top ↑

office-365

T1562.001

Impair Defenses: Disable or Modify Tools

Back to Top ↑

google-workspace

Back to Top ↑

iaas:gcp

Back to Top ↑