T1620
Reflective Code Loading
Posts by Tag
- windows 221
- powershell 177
- command_prompt 144
- linux 89
- macos 88
- sh 84
- bash 50
- manual 10
- azure-ad 10
- iaas:azure 8
- iaas:aws 7
- containers 6
- office-365 3
- iaas:gcp 1
- google-workspace 1
windows
T1615
Group Policy Discovery
T1614.001
System Location Discovery: System Language Discovery
T1592.001
Gather Victim Host Information: Hardware
T1574.012
Hijack Execution Flow: COR_PROFILER
T1574.011
Hijack Execution Flow: Services Registry Permissions Weakness
T1574.009
Hijack Execution Flow: Path Interception by Unquoted Path
T1574.008
Hijack Execution Flow: Path Interception by Search Order Hijacking
T1574.002
Hijack Execution Flow: DLL Side-Loading
T1574.001
Hijack Execution Flow: DLL Search Order Hijacking
T1573
Encrypted Channel
T1572
Protocol Tunneling
T1571
Non-Standard Port
T1569.002
System Services: Service Execution
T1567.002
Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1566.001
Phishing: Spearphishing Attachment
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1564.004
Hide Artifacts: NTFS File Attributes
T1564.003
Hide Artifacts: Hidden Window
T1564.002
Hide Artifacts: Hidden Users
T1564.001
Hide Artifacts: Hidden Files and Directories
T1563.002
Remote Service Session Hijacking: RDP Hijacking
T1562
Impair Defenses
T1562.006
Impair Defenses: Indicator Blocking
T1562.004
Impair Defenses: Disable or Modify System Firewall
T1562.002
Impair Defenses: Disable Windows Event Logging
T1562.001
Impair Defenses: Disable or Modify Tools
T1560
Archive Collected Data
T1560.001
Archive Collected Data: Archive via Utility
T1559
Inter-Process Communication
T1559.002
Inter-Process Communication: Dynamic Data Exchange
T1558.004
Steal or Forge Kerberos Tickets: AS-REP Roasting
T1558.003
Steal or Forge Kerberos Tickets: Kerberoasting
T1558.002
Steal or Forge Kerberos Tickets: Silver Ticket
T1558.001
Steal or Forge Kerberos Tickets: Golden Ticket
T1557.001
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
T1556.002
Modify Authentication Process: Password Filter DLL
T1555
Credentials from Password Stores
T1555.004
Credentials from Password Stores: Windows Credential Manager
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1553.005
Subvert Trust Controls: Mark-of-the-Web Bypass
T1553.004
Subvert Trust Controls: Install Root Certificate
T1552.006
Unsecured Credentials: Group Policy Preferences
T1552.004
Unsecured Credentials: Private Keys
T1552.002
Unsecured Credentials: Credentials in Registry
T1552.001
Unsecured Credentials: Credentials In Files
T1550.003
Use Alternate Authentication Material: Pass the Ticket
T1550.002
Use Alternate Authentication Material: Pass the Hash
T1548.002
Abuse Elevation Control Mechanism: Bypass User Account Control
T1547
Boot or Logon Autostart Execution
T1547.015
Boot or Logon Autostart Execution: Login Items
T1547.014
Active Setup
T1547.010
Boot or Logon Autostart Execution: Port Monitors
T1547.009
Boot or Logon Autostart Execution: Shortcut Modification
T1547.008
Boot or Logon Autostart Execution: LSASS Driver
T1547.005
Boot or Logon Autostart Execution: Security Support Provider
T1547.004
Boot or Logon Autostart Execution: Winlogon Helper DLL
T1547.003
Time Providers
T1547.002
Authentication Package
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1546
Event Triggered Execution
T1546.015
Event Triggered Execution: Component Object Model Hijacking
T1546.013
Event Triggered Execution: PowerShell Profile
T1546.012
Event Triggered Execution: Image File Execution Options Injection
T1546.011
Event Triggered Execution: Application Shimming
T1546.010
Event Triggered Execution: AppInit DLLs
T1546.009
Event Triggered Execution: AppCert DLLs
T1546.008
Event Triggered Execution: Accessibility Features
T1546.007
Event Triggered Execution: Netsh Helper DLL
T1546.003
Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1546.002
Event Triggered Execution: Screensaver
T1546.001
Event Triggered Execution: Change Default File Association
T1543.003
Create or Modify System Process: Windows Service
T1539
Steal Web Session Cookie
T1531
Account Access Removal
T1529
System Shutdown/Reboot
T1518
Software Discovery
T1518.001
Software Discovery: Security Software Discovery
T1505.004
IIS Components
T1505.003
Server Software Component: Web Shell
T1505.002
Server Software Component: Transport Agent
T1497.001
Virtualization/Sandbox Evasion: System Checks
T1491.001
Defacement: Internal Defacement
T1490
Inhibit System Recovery
T1489
Service Stop
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1484.001
Domain Policy Modification: Group Policy Modification
T1482
Domain Trust Discovery
T1222.001
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1221
Template Injection
T1220
XSL Script Processing
T1219
Remote Access Software
T1218
Signed Binary Proxy Execution
T1218.011
Signed Binary Proxy Execution: Rundll32
T1218.010
Signed Binary Proxy Execution: Regsvr32
T1218.009
Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.008
Signed Binary Proxy Execution: Odbcconf
T1218.007
Signed Binary Proxy Execution: Msiexec
T1218.005
Signed Binary Proxy Execution: Mshta
T1218.004
Signed Binary Proxy Execution: InstallUtil
T1218.003
Signed Binary Proxy Execution: CMSTP
T1218.002
Signed Binary Proxy Execution: Control Panel
T1218.001
Signed Binary Proxy Execution: Compiled HTML File
T1217
Browser Bookmark Discovery
T1216
Signed Script Proxy Execution
T1216.001
Signed Script Proxy Execution: Pubprn
T1207
Rogue Domain Controller
T1204.002
User Execution: Malicious File
T1202
Indirect Command Execution
T1201
Password Policy Discovery
T1197
BITS Jobs
T1195
Supply Chain Compromise
T1187
Forced Authentication
T1176
Browser Extensions
T1140
Deobfuscate/Decode Files or Information
T1137
Office Application Startup
T1137.006
Office Application Startup: Add-ins
T1137.004
Office Application Startup: Outlook Home Page
T1137.002
Office Application Startup: Office Test
T1136.002
Create Account: Domain Account
T1136.001
Create Account: Local Account
T1135
Network Share Discovery
T1134.005
Access Token Manipulation: SID-History Injection
T1134.004
Access Token Manipulation: Parent PID Spoofing
T1134.002
Create Process with Token
T1134.001
Access Token Manipulation: Token Impersonation/Theft
T1133
External Remote Services
T1132.001
Data Encoding: Standard Encoding
T1127
Trusted Developer Utilities Proxy Execution
T1127.001
Trusted Developer Utilities Proxy Execution: MSBuild
T1125
Video Capture
T1124
System Time Discovery
T1123
Audio Capture
T1120
Peripheral Device Discovery
T1119
Automated Collection
T1115
Clipboard Data
T1114.001
Email Collection: Local Email Collection
T1113
Screen Capture
T1112
Modify Registry
T1110.004
Brute Force: Credential Stuffing
T1110.003
Brute Force: Password Spraying
T1110.002
Brute Force: Password Cracking
T1110.001
Brute Force: Password Guessing
T1106
Native API
T1105
Ingress Tool Transfer
T1098
Account Manipulation
T1095
Non-Application Layer Protocol
T1091
Replication Through Removable Media
T1090.003
Proxy: Multi-hop Proxy
T1090.001
Proxy: Internal Proxy
T1087.002
Account Discovery: Domain Account
T1087.001
Account Discovery: Local Account
T1083
File and Directory Discovery
T1082
System Information Discovery
T1078.003
Valid Accounts: Local Accounts
T1078.001
Valid Accounts: Default Accounts
T1074.001
Data Staged: Local Data Staging
T1072
Software Deployment Tools
T1071.004
Application Layer Protocol: DNS
T1071.001
Application Layer Protocol: Web Protocols
T1070
Indicator Removal on Host
T1070.006
Indicator Removal on Host: Timestomp
T1070.005
Indicator Removal on Host: Network Share Connection Removal
T1070.004
Indicator Removal on Host: File Deletion
T1070.003
Indicator Removal on Host: Clear Command History
T1070.001
Indicator Removal on Host: Clear Windows Event Logs
T1069.002
Permission Groups Discovery: Domain Groups
T1069.001
Permission Groups Discovery: Local Groups
T1059.007
Command and Scripting Interpreter: JavaScript
T1059.005
Command and Scripting Interpreter: Visual Basic
T1059.003
Command and Scripting Interpreter: Windows Command Shell
T1059.001
Command and Scripting Interpreter: PowerShell
T1057
Process Discovery
T1056.004
Input Capture: Credential API Hooking
T1056.002
Input Capture: GUI Input Capture
T1056.001
Input Capture: Keylogging
T1055
Process Injection
T1055.012
Process Injection: Process Hollowing
T1055.004
Process Injection: Asynchronous Procedure Call
T1055.003
Thread Execution Hijacking
T1055.001
Process Injection: Dynamic-link Library Injection
T1053.005
Scheduled Task/Job: Scheduled Task
T1053.002
Scheduled Task/Job: At
T1049
System Network Connections Discovery
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1047
Windows Management Instrumentation
T1046
Network Service Scanning
T1041
Exfiltration Over C2 Channel
T1040
Network Sniffing
T1039
Data from Network Shared Drive
T1037.001
Boot or Logon Initialization Scripts: Logon Script (Windows)
T1036
Masquerading
T1036.005
Masquerading: Match Legitimate Name or Location
T1036.004
Masquerading: Masquerade Task or Service
T1036.003
Masquerading: Rename System Utilities
T1033
System Owner/User Discovery
T1027
Obfuscated Files or Information
T1027.006
HTML Smuggling
T1027.004
Obfuscated Files or Information: Compile After Delivery
T1021.006
Remote Services: Windows Remote Management
T1021.003
Remote Services: Distributed Component Object Model
T1021.002
Remote Services: SMB/Windows Admin Shares
T1021.001
Remote Services: Remote Desktop Protocol
T1020
Automated Exfiltration
T1018
Remote System Discovery
T1016
System Network Configuration Discovery
T1012
Query Registry
T1010
Application Window Discovery
T1007
System Service Discovery
T1006
Direct Volume Access
T1003
OS Credential Dumping
T1003.006
OS Credential Dumping: DCSync
T1003.005
OS Credential Dumping: Cached Domain Credentials
T1003.004
OS Credential Dumping: LSA Secrets
T1003.003
OS Credential Dumping: NTDS
T1003.002
OS Credential Dumping: Security Account Manager
T1003.001
OS Credential Dumping: LSASS Memory
powershell
T1620
Reflective Code Loading
T1615
Group Policy Discovery
T1606.002
Forge Web Credentials: SAML token
T1592.001
Gather Victim Host Information: Hardware
T1574.012
Hijack Execution Flow: COR_PROFILER
T1574.011
Hijack Execution Flow: Services Registry Permissions Weakness
T1574.008
Hijack Execution Flow: Path Interception by Search Order Hijacking
T1573
Encrypted Channel
T1572
Protocol Tunneling
T1571
Non-Standard Port
T1569.002
System Services: Service Execution
T1567.002
Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1566.001
Phishing: Spearphishing Attachment
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1564.004
Hide Artifacts: NTFS File Attributes
T1564.003
Hide Artifacts: Hidden Window
T1562.008
Impair Defenses: Disable Cloud Logs
T1562.006
Impair Defenses: Indicator Blocking
T1562.004
Impair Defenses: Disable or Modify System Firewall
T1562.002
Impair Defenses: Disable Windows Event Logging
T1562.001
Impair Defenses: Disable or Modify Tools
T1560
Archive Collected Data
T1558.004
Steal or Forge Kerberos Tickets: AS-REP Roasting
T1558.003
Steal or Forge Kerberos Tickets: Kerberoasting
T1558.002
Steal or Forge Kerberos Tickets: Silver Ticket
T1558.001
Steal or Forge Kerberos Tickets: Golden Ticket
T1557.001
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
T1556.002
Modify Authentication Process: Password Filter DLL
T1555
Credentials from Password Stores
T1555.004
Credentials from Password Stores: Windows Credential Manager
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1553.005
Subvert Trust Controls: Mark-of-the-Web Bypass
T1553.004
Subvert Trust Controls: Install Root Certificate
T1552.006
Unsecured Credentials: Group Policy Preferences
T1552.005
Unsecured Credentials: Cloud Instance Metadata API
T1552.004
Unsecured Credentials: Private Keys
T1552.001
Unsecured Credentials: Credentials In Files
T1550.003
Use Alternate Authentication Material: Pass the Ticket
T1550.002
Use Alternate Authentication Material: Pass the Hash
T1548.002
Abuse Elevation Control Mechanism: Bypass User Account Control
T1547.015
Boot or Logon Autostart Execution: Login Items
T1547.014
Active Setup
T1547.009
Boot or Logon Autostart Execution: Shortcut Modification
T1547.008
Boot or Logon Autostart Execution: LSASS Driver
T1547.005
Boot or Logon Autostart Execution: Security Support Provider
T1547.004
Boot or Logon Autostart Execution: Winlogon Helper DLL
T1547.003
Time Providers
T1547.002
Authentication Package
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1546
Event Triggered Execution
T1546.015
Event Triggered Execution: Component Object Model Hijacking
T1546.013
Event Triggered Execution: PowerShell Profile
T1546.012
Event Triggered Execution: Image File Execution Options Injection
T1546.011
Event Triggered Execution: Application Shimming
T1546.009
Event Triggered Execution: AppCert DLLs
T1546.008
Event Triggered Execution: Accessibility Features
T1546.003
Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1543.003
Create or Modify System Process: Windows Service
T1539
Steal Web Session Cookie
T1531
Account Access Removal
T1530
Data from Cloud Storage Object
T1528
Steal Application Access Token
T1526
Cloud Service Discovery
T1518
Software Discovery
T1518.001
Software Discovery: Security Software Discovery
T1505.004
IIS Components
T1505.002
Server Software Component: Transport Agent
T1497.001
Virtualization/Sandbox Evasion: System Checks
T1491.001
Defacement: Internal Defacement
T1490
Inhibit System Recovery
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1484.002
Domain Trust Modification
T1484.001
Domain Policy Modification: Group Policy Modification
T1482
Domain Trust Discovery
T1219
Remote Access Software
T1218
Signed Binary Proxy Execution
T1218.011
Signed Binary Proxy Execution: Rundll32
T1218.009
Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.007
Signed Binary Proxy Execution: Msiexec
T1218.005
Signed Binary Proxy Execution: Mshta
T1218.004
Signed Binary Proxy Execution: InstallUtil
T1218.001
Signed Binary Proxy Execution: Compiled HTML File
T1217
Browser Bookmark Discovery
T1207
Rogue Domain Controller
T1204.002
User Execution: Malicious File
T1201
Password Policy Discovery
T1197
BITS Jobs
T1187
Forced Authentication
T1137.006
Office Application Startup: Add-ins
T1137.002
Office Application Startup: Office Test
T1136.003
Create Account: Cloud Account
T1136.002
Create Account: Domain Account
T1136.001
Create Account: Local Account
T1135
Network Share Discovery
T1134.004
Access Token Manipulation: Parent PID Spoofing
T1134.002
Create Process with Token
T1134.001
Access Token Manipulation: Token Impersonation/Theft
T1133
External Remote Services
T1132.001
Data Encoding: Standard Encoding
T1124
System Time Discovery
T1123
Audio Capture
T1120
Peripheral Device Discovery
T1119
Automated Collection
T1115
Clipboard Data
T1114.003
Email Collection: Email Forwarding Rule
T1114.001
Email Collection: Local Email Collection
T1113
Screen Capture
T1112
Modify Registry
T1110.004
Brute Force: Credential Stuffing
T1110.003
Brute Force: Password Spraying
T1110.001
Brute Force: Password Guessing
T1106
Native API
T1105
Ingress Tool Transfer
T1098
Account Manipulation
T1098.001
Account Manipulation: Additional Cloud Credentials
T1095
Non-Application Layer Protocol
T1091
Replication Through Removable Media
T1090.003
Proxy: Multi-hop Proxy
T1090.001
Proxy: Internal Proxy
T1087.002
Account Discovery: Domain Account
T1087.001
Account Discovery: Local Account
T1083
File and Directory Discovery
T1082
System Information Discovery
T1078.004
Valid Accounts: Cloud Accounts
T1078.003
Valid Accounts: Local Accounts
T1074.001
Data Staged: Local Data Staging
T1071.004
Application Layer Protocol: DNS
T1071.001
Application Layer Protocol: Web Protocols
T1070.006
Indicator Removal on Host: Timestomp
T1070.005
Indicator Removal on Host: Network Share Connection Removal
T1070.004
Indicator Removal on Host: File Deletion
T1070.003
Indicator Removal on Host: Clear Command History
T1070.001
Indicator Removal on Host: Clear Windows Event Logs
T1069.002
Permission Groups Discovery: Domain Groups
T1069.001
Permission Groups Discovery: Local Groups
T1059.005
Command and Scripting Interpreter: Visual Basic
T1059.003
Command and Scripting Interpreter: Windows Command Shell
T1059.001
Command and Scripting Interpreter: PowerShell
T1057
Process Discovery
T1056.004
Input Capture: Credential API Hooking
T1056.002
Input Capture: GUI Input Capture
T1056.001
Input Capture: Keylogging
T1055
Process Injection
T1055.012
Process Injection: Process Hollowing
T1055.003
Thread Execution Hijacking
T1055.001
Process Injection: Dynamic-link Library Injection
T1053.005
Scheduled Task/Job: Scheduled Task
T1049
System Network Connections Discovery
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1047
Windows Management Instrumentation
T1046
Network Service Scanning
T1041
Exfiltration Over C2 Channel
T1039
Data from Network Shared Drive
T1036
Masquerading
T1036.005
Masquerading: Match Legitimate Name or Location
T1036.003
Masquerading: Rename System Utilities
T1033
System Owner/User Discovery
T1027
Obfuscated Files or Information
T1027.006
HTML Smuggling
T1027.004
Obfuscated Files or Information: Compile After Delivery
T1021.006
Remote Services: Windows Remote Management
T1021.003
Remote Services: Distributed Component Object Model
T1021.002
Remote Services: SMB/Windows Admin Shares
T1021.001
Remote Services: Remote Desktop Protocol
T1020
Automated Exfiltration
T1018
Remote System Discovery
T1016
System Network Configuration Discovery
T1012
Query Registry
T1006
Direct Volume Access
T1003
OS Credential Dumping
T1003.006
OS Credential Dumping: DCSync
T1003.003
OS Credential Dumping: NTDS
T1003.002
OS Credential Dumping: Security Account Manager
T1003.001
OS Credential Dumping: LSASS Memory
command_prompt
T1615
Group Policy Discovery
T1614.001
System Location Discovery: System Language Discovery
T1574.011
Hijack Execution Flow: Services Registry Permissions Weakness
T1574.009
Hijack Execution Flow: Path Interception by Unquoted Path
T1574.002
Hijack Execution Flow: DLL Side-Loading
T1574.001
Hijack Execution Flow: DLL Search Order Hijacking
T1569.002
System Services: Service Execution
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1564.004
Hide Artifacts: NTFS File Attributes
T1564.002
Hide Artifacts: Hidden Users
T1564.001
Hide Artifacts: Hidden Files and Directories
T1563.002
Remote Service Session Hijacking: RDP Hijacking
T1562
Impair Defenses
T1562.006
Impair Defenses: Indicator Blocking
T1562.004
Impair Defenses: Disable or Modify System Firewall
T1562.002
Impair Defenses: Disable Windows Event Logging
T1562.001
Impair Defenses: Disable or Modify Tools
T1560.001
Archive Collected Data: Archive via Utility
T1559
Inter-Process Communication
T1559.002
Inter-Process Communication: Dynamic Data Exchange
T1558.003
Steal or Forge Kerberos Tickets: Kerberoasting
T1555.004
Credentials from Password Stores: Windows Credential Manager
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1552.006
Unsecured Credentials: Group Policy Preferences
T1552.004
Unsecured Credentials: Private Keys
T1552.002
Unsecured Credentials: Credentials in Registry
T1552.001
Unsecured Credentials: Credentials In Files
T1550.003
Use Alternate Authentication Material: Pass the Ticket
T1550.002
Use Alternate Authentication Material: Pass the Hash
T1548.002
Abuse Elevation Control Mechanism: Bypass User Account Control
T1547
Boot or Logon Autostart Execution
T1547.010
Boot or Logon Autostart Execution: Port Monitors
T1547.009
Boot or Logon Autostart Execution: Shortcut Modification
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1546.012
Event Triggered Execution: Image File Execution Options Injection
T1546.011
Event Triggered Execution: Application Shimming
T1546.010
Event Triggered Execution: AppInit DLLs
T1546.008
Event Triggered Execution: Accessibility Features
T1546.007
Event Triggered Execution: Netsh Helper DLL
T1546.002
Event Triggered Execution: Screensaver
T1546.001
Event Triggered Execution: Change Default File Association
T1543.003
Create or Modify System Process: Windows Service
T1531
Account Access Removal
T1529
System Shutdown/Reboot
T1518
Software Discovery
T1518.001
Software Discovery: Security Software Discovery
T1505.004
IIS Components
T1505.003
Server Software Component: Web Shell
T1490
Inhibit System Recovery
T1489
Service Stop
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1484.001
Domain Policy Modification: Group Policy Modification
T1482
Domain Trust Discovery
T1222.001
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1221
Template Injection
T1220
XSL Script Processing
T1218
Signed Binary Proxy Execution
T1218.011
Signed Binary Proxy Execution: Rundll32
T1218.010
Signed Binary Proxy Execution: Regsvr32
T1218.009
Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.008
Signed Binary Proxy Execution: Odbcconf
T1218.007
Signed Binary Proxy Execution: Msiexec
T1218.005
Signed Binary Proxy Execution: Mshta
T1218.003
Signed Binary Proxy Execution: CMSTP
T1218.002
Signed Binary Proxy Execution: Control Panel
T1218.001
Signed Binary Proxy Execution: Compiled HTML File
T1217
Browser Bookmark Discovery
T1216
Signed Script Proxy Execution
T1216.001
Signed Script Proxy Execution: Pubprn
T1204.002
User Execution: Malicious File
T1202
Indirect Command Execution
T1201
Password Policy Discovery
T1197
BITS Jobs
T1195
Supply Chain Compromise
T1140
Deobfuscate/Decode Files or Information
T1137
Office Application Startup
T1137.004
Office Application Startup: Outlook Home Page
T1136.002
Create Account: Domain Account
T1136.001
Create Account: Local Account
T1135
Network Share Discovery
T1134.005
Access Token Manipulation: SID-History Injection
T1127
Trusted Developer Utilities Proxy Execution
T1127.001
Trusted Developer Utilities Proxy Execution: MSBuild
T1125
Video Capture
T1124
System Time Discovery
T1123
Audio Capture
T1119
Automated Collection
T1115
Clipboard Data
T1112
Modify Registry
T1110.003
Brute Force: Password Spraying
T1110.002
Brute Force: Password Cracking
T1110.001
Brute Force: Password Guessing
T1106
Native API
T1105
Ingress Tool Transfer
T1098
Account Manipulation
T1087.002
Account Discovery: Domain Account
T1087.001
Account Discovery: Local Account
T1083
File and Directory Discovery
T1082
System Information Discovery
T1078.003
Valid Accounts: Local Accounts
T1078.001
Valid Accounts: Default Accounts
T1072
Software Deployment Tools
T1071.001
Application Layer Protocol: Web Protocols
T1070
Indicator Removal on Host
T1070.005
Indicator Removal on Host: Network Share Connection Removal
T1070.004
Indicator Removal on Host: File Deletion
T1070.001
Indicator Removal on Host: Clear Windows Event Logs
T1069.002
Permission Groups Discovery: Domain Groups
T1069.001
Permission Groups Discovery: Local Groups
T1059.007
Command and Scripting Interpreter: JavaScript
T1059.003
Command and Scripting Interpreter: Windows Command Shell
T1059.001
Command and Scripting Interpreter: PowerShell
T1057
Process Discovery
T1055
Process Injection
T1055.004
Process Injection: Asynchronous Procedure Call
T1053.005
Scheduled Task/Job: Scheduled Task
T1053.002
Scheduled Task/Job: At
T1049
System Network Connections Discovery
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1047
Windows Management Instrumentation
T1040
Network Sniffing
T1039
Data from Network Shared Drive
T1037.001
Boot or Logon Initialization Scripts: Logon Script (Windows)
T1036.004
Masquerading: Masquerade Task or Service
T1036.003
Masquerading: Rename System Utilities
T1033
System Owner/User Discovery
T1027
Obfuscated Files or Information
T1027.004
Obfuscated Files or Information: Compile After Delivery
T1021.002
Remote Services: SMB/Windows Admin Shares
T1021.001
Remote Services: Remote Desktop Protocol
T1018
Remote System Discovery
T1016
System Network Configuration Discovery
T1012
Query Registry
T1010
Application Window Discovery
T1007
System Service Discovery
T1003
OS Credential Dumping
T1003.006
OS Credential Dumping: DCSync
T1003.005
OS Credential Dumping: Cached Domain Credentials
T1003.004
OS Credential Dumping: LSA Secrets
T1003.003
OS Credential Dumping: NTDS
T1003.002
OS Credential Dumping: Security Account Manager
T1003.001
OS Credential Dumping: LSASS Memory
linux
T1614.001
System Location Discovery: System Language Discovery
T1580
Cloud Infrastructure Discovery
T1574.006
Hijack Execution Flow: LD_PRELOAD
T1571
Non-Standard Port
T1569.002
System Services: Service Execution
T1564.001
Hide Artifacts: Hidden Files and Directories
T1562
Impair Defenses
T1562.008
Impair Defenses: Disable Cloud Logs
T1562.006
Impair Defenses: Indicator Blocking
T1562.004
Impair Defenses: Disable or Modify System Firewall
T1562.003
Impair Defenses: HISTCONTROL
T1562.001
Impair Defenses: Disable or Modify Tools
T1560.002
Archive Collected Data: Archive via Library
T1560.001
Archive Collected Data: Archive via Utility
T1556.003
Modify Authentication Process: Pluggable Authentication Modules
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1553.004
Subvert Trust Controls: Install Root Certificate
T1552
Unsecured Credentials
T1552.007
Kubernetes List Secrets
T1552.004
Unsecured Credentials: Private Keys
T1552.003
Unsecured Credentials: Bash History
T1552.001
Unsecured Credentials: Credentials In Files
T1548.003
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
T1548.001
Abuse Elevation Control Mechanism: Setuid and Setgid
T1547.006
Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1546.005
Event Triggered Execution: Trap
T1546.004
Event Triggered Execution: .bash_profile and .bashrc
T1543.002
Create or Modify System Process: Systemd Service
T1529
System Shutdown/Reboot
T1518.001
Software Discovery: Security Software Discovery
T1497.001
Virtualization/Sandbox Evasion: System Checks
T1496
Resource Hijacking
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1222.002
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1217
Browser Bookmark Discovery
T1201
Password Policy Discovery
T1176
Browser Extensions
T1140
Deobfuscate/Decode Files or Information
T1136.001
Create Account: Local Account
T1135
Network Share Discovery
T1132.001
Data Encoding: Standard Encoding
T1115
Clipboard Data
T1113
Screen Capture
T1110.004
Brute Force: Credential Stuffing
T1110.001
Brute Force: Password Guessing
T1105
Ingress Tool Transfer
T1098.004
SSH Authorized Keys
T1090.003
Proxy: Multi-hop Proxy
T1090.001
Proxy: Internal Proxy
T1087.001
Account Discovery: Local Account
T1083
File and Directory Discovery
T1082
System Information Discovery
T1074.001
Data Staged: Local Data Staging
T1071.001
Application Layer Protocol: Web Protocols
T1070.006
Indicator Removal on Host: Timestomp
T1070.004
Indicator Removal on Host: File Deletion
T1070.003
Indicator Removal on Host: Clear Command History
T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
T1069.001
Permission Groups Discovery: Local Groups
T1059.006
Command and Scripting Interpreter: Python
T1059.004
Command and Scripting Interpreter: Bash
T1057
Process Discovery
T1056.001
Input Capture: Keylogging
T1053.006
Scheduled Task/Job: Systemd Timers
T1053.003
Scheduled Task/Job: Cron
T1053.002
Scheduled Task/Job: At
T1049
System Network Connections Discovery
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1046
Network Service Scanning
T1040
Network Sniffing
T1037.004
Boot or Logon Initialization Scripts: Rc.common
T1036.006
Masquerading: Space after Filename
T1036.005
Masquerading: Match Legitimate Name or Location
T1036.003
Masquerading: Rename System Utilities
T1033
System Owner/User Discovery
T1030
Data Transfer Size Limits
T1027
Obfuscated Files or Information
T1027.004
Obfuscated Files or Information: Compile After Delivery
T1027.002
Obfuscated Files or Information: Software Packing
T1027.001
Obfuscated Files or Information: Binary Padding
T1018
Remote System Discovery
T1016
System Network Configuration Discovery
T1014
Rootkit
T1007
System Service Discovery
T1003.008
OS Credential Dumping: /etc/passwd and /etc/shadow
T1003.007
OS Credential Dumping: Proc Filesystem
macos
T1647
Plist File Modification
T1580
Cloud Infrastructure Discovery
T1574.006
Hijack Execution Flow: LD_PRELOAD
T1571
Non-Standard Port
T1569.001
System Services: Launchctl
T1564.002
Hide Artifacts: Hidden Users
T1564.001
Hide Artifacts: Hidden Files and Directories
T1562.008
Impair Defenses: Disable Cloud Logs
T1562.003
Impair Defenses: HISTCONTROL
T1562.001
Impair Defenses: Disable or Modify Tools
T1560.001
Archive Collected Data: Archive via Utility
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1555.001
Credentials from Password Stores: Keychain
T1553.004
Subvert Trust Controls: Install Root Certificate
T1553.001
Subvert Trust Controls: Gatekeeper Bypass
T1552
Unsecured Credentials
T1552.004
Unsecured Credentials: Private Keys
T1552.003
Unsecured Credentials: Bash History
T1552.001
Unsecured Credentials: Credentials In Files
T1548.003
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
T1548.001
Abuse Elevation Control Mechanism: Setuid and Setgid
T1547.015
Boot or Logon Autostart Execution: Login Items
T1547.007
Boot or Logon Autostart Execution: Re-opened Applications
T1547.006
Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1546.014
Event Triggered Execution: Emond
T1546.005
Event Triggered Execution: Trap
T1546.004
Event Triggered Execution: .bash_profile and .bashrc
T1543.004
Create or Modify System Process: Launch Daemon
T1543.001
Create or Modify System Process: Launch Agent
T1529
System Shutdown/Reboot
T1518
Software Discovery
T1518.001
Software Discovery: Security Software Discovery
T1497.001
Virtualization/Sandbox Evasion: System Checks
T1496
Resource Hijacking
T1485
Data Destruction
T1222.002
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1217
Browser Bookmark Discovery
T1201
Password Policy Discovery
T1176
Browser Extensions
T1140
Deobfuscate/Decode Files or Information
T1136.001
Create Account: Local Account
T1135
Network Share Discovery
T1132.001
Data Encoding: Standard Encoding
T1124
System Time Discovery
T1123
Audio Capture
T1115
Clipboard Data
T1113
Screen Capture
T1110.004
Brute Force: Credential Stuffing
T1105
Ingress Tool Transfer
T1098.004
SSH Authorized Keys
T1090.003
Proxy: Multi-hop Proxy
T1090.001
Proxy: Internal Proxy
T1087.001
Account Discovery: Local Account
T1083
File and Directory Discovery
T1082
System Information Discovery
T1078.003
Valid Accounts: Local Accounts
T1074.001
Data Staged: Local Data Staging
T1071.001
Application Layer Protocol: Web Protocols
T1070.006
Indicator Removal on Host: Timestomp
T1070.004
Indicator Removal on Host: File Deletion
T1070.003
Indicator Removal on Host: Clear Command History
T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
T1069.001
Permission Groups Discovery: Local Groups
T1059.004
Command and Scripting Interpreter: Bash
T1059.002
Command and Scripting Interpreter: AppleScript
T1057
Process Discovery
T1056.002
Input Capture: GUI Input Capture
T1056.001
Input Capture: Keylogging
T1053.003
Scheduled Task/Job: Cron
T1049
System Network Connections Discovery
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1046
Network Service Scanning
T1040
Network Sniffing
T1037.005
Boot or Logon Initialization Scripts: Startup Items
T1037.004
Boot or Logon Initialization Scripts: Rc.common
T1037.002
Boot or Logon Initialization Scripts: Logon Script (Mac)
T1036.006
Masquerading: Space after Filename
T1036.005
Masquerading: Match Legitimate Name or Location
T1033
System Owner/User Discovery
T1030
Data Transfer Size Limits
T1027
Obfuscated Files or Information
T1027.004
Obfuscated Files or Information: Compile After Delivery
T1027.002
Obfuscated Files or Information: Software Packing
T1027.001
Obfuscated Files or Information: Binary Padding
T1018
Remote System Discovery
T1016
System Network Configuration Discovery
sh
T1619
Cloud Storage Object Discovery
T1614.001
System Location Discovery: System Language Discovery
T1613
Container and Resource Discovery
T1611
Escape to Host
T1580
Cloud Infrastructure Discovery
T1571
Non-Standard Port
T1564.002
Hide Artifacts: Hidden Users
T1564.001
Hide Artifacts: Hidden Files and Directories
T1562
Impair Defenses
T1562.008
Impair Defenses: Disable Cloud Logs
T1562.004
Impair Defenses: Disable or Modify System Firewall
T1562.003
Impair Defenses: HISTCONTROL
T1562.001
Impair Defenses: Disable or Modify Tools
T1560.001
Archive Collected Data: Archive via Utility
T1556.003
Modify Authentication Process: Pluggable Authentication Modules
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1555.001
Credentials from Password Stores: Keychain
T1553.004
Subvert Trust Controls: Install Root Certificate
T1553.001
Subvert Trust Controls: Gatekeeper Bypass
T1552
Unsecured Credentials
T1552.007
Kubernetes List Secrets
T1552.004
Unsecured Credentials: Private Keys
T1552.003
Unsecured Credentials: Bash History
T1552.001
Unsecured Credentials: Credentials In Files
T1548.003
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
T1548.001
Abuse Elevation Control Mechanism: Setuid and Setgid
T1547.007
Boot or Logon Autostart Execution: Re-opened Applications
T1546.014
Event Triggered Execution: Emond
T1546.005
Event Triggered Execution: Trap
T1546.004
Event Triggered Execution: .bash_profile and .bashrc
T1530
Data from Cloud Storage Object
T1518
Software Discovery
T1518.001
Software Discovery: Security Software Discovery
T1497.001
Virtualization/Sandbox Evasion: System Checks
T1222.002
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1217
Browser Bookmark Discovery
T1201
Password Policy Discovery
T1140
Deobfuscate/Decode Files or Information
T1136.003
Create Account: Cloud Account
T1135
Network Share Discovery
T1132.001
Data Encoding: Standard Encoding
T1124
System Time Discovery
T1123
Audio Capture
T1115
Clipboard Data
T1110.003
Brute Force: Password Spraying
T1105
Ingress Tool Transfer
T1098
Account Manipulation
T1098.001
Account Manipulation: Additional Cloud Credentials
T1090.003
Proxy: Multi-hop Proxy
T1090.001
Proxy: Internal Proxy
T1087.001
Account Discovery: Local Account
T1083
File and Directory Discovery
T1082
System Information Discovery
T1078.004
Valid Accounts: Cloud Accounts
T1071.001
Application Layer Protocol: Web Protocols
T1070.006
Indicator Removal on Host: Timestomp
T1070.004
Indicator Removal on Host: File Deletion
T1070.003
Indicator Removal on Host: Clear Command History
T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
T1069.001
Permission Groups Discovery: Local Groups
T1059.006
Command and Scripting Interpreter: Python
T1059.004
Command and Scripting Interpreter: Bash
T1059.002
Command and Scripting Interpreter: AppleScript
T1057
Process Discovery
T1056.001
Input Capture: Keylogging
T1053.006
Scheduled Task/Job: Systemd Timers
T1053.002
Scheduled Task/Job: At
T1049
System Network Connections Discovery
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1046
Network Service Scanning
T1037.005
Boot or Logon Initialization Scripts: Startup Items
T1036.005
Masquerading: Match Legitimate Name or Location
T1036.003
Masquerading: Rename System Utilities
T1033
System Owner/User Discovery
T1030
Data Transfer Size Limits
T1027
Obfuscated Files or Information
T1027.002
Obfuscated Files or Information: Software Packing
T1027.001
Obfuscated Files or Information: Binary Padding
T1018
Remote System Discovery
T1016
System Network Configuration Discovery
T1014
Rootkit
T1003.008
OS Credential Dumping: /etc/passwd and /etc/shadow
T1003.007
OS Credential Dumping: Proc Filesystem
bash
T1610
Deploy a container
T1609
Kubernetes Exec Into Container
T1574.006
Hijack Execution Flow: LD_PRELOAD
T1569.002
System Services: Service Execution
T1569.001
System Services: Launchctl
T1562.006
Impair Defenses: Indicator Blocking
T1560.002
Archive Collected Data: Archive via Library
T1552.007
Kubernetes List Secrets
T1552.001
Unsecured Credentials: Credentials In Files
T1547.015
Boot or Logon Autostart Execution: Login Items
T1547.006
Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1543.004
Create or Modify System Process: Launch Daemon
T1543.002
Create or Modify System Process: Systemd Service
T1543.001
Create or Modify System Process: Launch Agent
T1529
System Shutdown/Reboot
T1496
Resource Hijacking
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1222.002
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1201
Password Policy Discovery
T1136.001
Create Account: Local Account
T1135
Network Share Discovery
T1115
Clipboard Data
T1113
Screen Capture
T1110.004
Brute Force: Credential Stuffing
T1110.001
Brute Force: Password Guessing
T1105
Ingress Tool Transfer
T1098.004
SSH Authorized Keys
T1082
System Information Discovery
T1078.003
Valid Accounts: Local Accounts
T1074.001
Data Staged: Local Data Staging
T1070.004
Indicator Removal on Host: File Deletion
T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
T1059.006
Command and Scripting Interpreter: Python
T1059.004
Command and Scripting Interpreter: Bash
T1056.002
Input Capture: GUI Input Capture
T1056.001
Input Capture: Keylogging
T1053.007
Kubernetes Cronjob
T1053.006
Scheduled Task/Job: Systemd Timers
T1053.003
Scheduled Task/Job: Cron
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1046
Network Service Scanning
T1040
Network Sniffing
T1037.004
Boot or Logon Initialization Scripts: Rc.common
T1036.006
Masquerading: Space after Filename
T1027.004
Obfuscated Files or Information: Compile After Delivery
T1016
System Network Configuration Discovery
T1007
System Service Discovery
T1003.008
OS Credential Dumping: /etc/passwd and /etc/shadow
T1003.007
OS Credential Dumping: Proc Filesystem
manual
T1647
Plist File Modification
T1562.003
Impair Defenses: HISTCONTROL
T1559.002
Inter-Process Communication: Dynamic Data Exchange
T1176
Browser Extensions
T1059.001
Command and Scripting Interpreter: PowerShell
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1037.002
Boot or Logon Initialization Scripts: Logon Script (Mac)
T1036.006
Masquerading: Space after Filename
T1027
Obfuscated Files or Information
T1003.001
OS Credential Dumping: LSASS Memory
azure-ad
T1606.002
Forge Web Credentials: SAML token
T1552.005
Unsecured Credentials: Cloud Instance Metadata API
T1531
Account Access Removal
T1484.002
Domain Trust Modification
T1136.003
Create Account: Cloud Account
T1110.003
Brute Force: Password Spraying
T1110.001
Brute Force: Password Guessing
T1098
Account Manipulation
T1098.001
Account Manipulation: Additional Cloud Credentials
T1082
System Information Discovery
iaas:azure
T1619
Cloud Storage Object Discovery
T1562.008
Impair Defenses: Disable Cloud Logs
T1552.005
Unsecured Credentials: Cloud Instance Metadata API
T1530
Data from Cloud Storage Object
T1528
Steal Application Access Token
T1526
Cloud Service Discovery
T1098
Account Manipulation
T1078.004
Valid Accounts: Cloud Accounts
iaas:aws
T1562.008
Impair Defenses: Disable Cloud Logs
T1530
Data from Cloud Storage Object
T1201
Password Policy Discovery
T1136.003
Create Account: Cloud Account
T1110.003
Brute Force: Password Spraying
T1098
Account Manipulation
T1098.001
Account Manipulation: Additional Cloud Credentials
containers
T1613
Container and Resource Discovery
T1611
Escape to Host
T1610
Deploy a container
T1609
Kubernetes Exec Into Container
T1552.007
Kubernetes List Secrets
T1053.007
Kubernetes Cronjob
office-365
T1562.008
Impair Defenses: Disable Cloud Logs
T1562.001
Impair Defenses: Disable or Modify Tools
T1114.003
Email Collection: Email Forwarding Rule
iaas:gcp
T1078.004
Valid Accounts: Cloud Accounts
google-workspace
T1078.004
Valid Accounts: Cloud Accounts