T1649
Steal or Forge Authentication Certificates
Reflective Code Loading
Group Policy Discovery
System Location Discovery: System Language Discovery
Gather Victim Host Information: Hardware
Hijack Execution Flow: COR_PROFILER
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Unquoted Path
Hijack Execution Flow: Path Interception by Search Order Hijacking
Hijack Execution Flow: DLL Side-Loading
Hijack Execution Flow: DLL Search Order Hijacking
Encrypted Channel
Protocol Tunneling
Non-Standard Port
System Services: Service Execution
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Phishing: Spearphishing Attachment
Hide Artifacts
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Window
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Remote Service Session Hijacking: RDP Hijacking
Impair Defenses
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Archive Collected Data
Archive Collected Data: Archive via Utility
Inter-Process Communication
Inter-Process Communication: Dynamic Data Exchange
Steal or Forge Kerberos Tickets: AS-REP Roasting
Steal or Forge Kerberos Tickets: Kerberoasting
Steal or Forge Kerberos Tickets: Silver Ticket
Steal or Forge Kerberos Tickets: Golden Ticket
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Modify Authentication Process: Password Filter DLL
Credentials from Password Stores
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: Mark-of-the-Web Bypass
Subvert Trust Controls: Install Root Certificate
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Private Keys
Unsecured Credentials: Credentials in Registry
Unsecured Credentials: Credentials In Files
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Abuse Elevation Control Mechanism: Bypass User Account Control
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Login Items
Active Setup
Boot or Logon Autostart Execution: Port Monitors
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: LSASS Driver
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: Winlogon Helper DLL
Time Providers
Authentication Package
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Event Triggered Execution
Event Triggered Execution: Component Object Model Hijacking
Event Triggered Execution: PowerShell Profile
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppInit DLLs
Event Triggered Execution: AppCert DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Netsh Helper DLL
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Event Triggered Execution: Screensaver
Event Triggered Execution: Change Default File Association
Create or Modify System Process: Windows Service
Steal Web Session Cookie
Account Access Removal
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
Server Software Component: Terminal Services DLL
IIS Components
Server Software Component: Web Shell
Server Software Component: Transport Agent
Virtualization/Sandbox Evasion: System Checks
Defacement: Internal Defacement
Inhibit System Recovery
Service Stop
Data Encrypted for Impact
Data Destruction
Domain Policy Modification: Group Policy Modification
Domain Trust Discovery
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Template Injection
XSL Script Processing
Remote Access Software
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvr32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Odbcconf
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: InstallUtil
Signed Binary Proxy Execution: CMSTP
Signed Binary Proxy Execution: Control Panel
Signed Binary Proxy Execution: Compiled HTML File
Browser Bookmark Discovery
Signed Script Proxy Execution
Signed Script Proxy Execution: Pubprn
Rogue Domain Controller
User Execution: Malicious Image
User Execution: Malicious File
Indirect Command Execution
Password Policy Discovery
BITS Jobs
Supply Chain Compromise
Forced Authentication
Browser Extensions
Deobfuscate/Decode Files or Information
Office Application Startup
Office Application Startup: Add-ins
Office Application Startup: Outlook Home Page
Office Application Startup: Office Test
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Access Token Manipulation: SID-History Injection
Access Token Manipulation: Parent PID Spoofing
Create Process with Token
Access Token Manipulation: Token Impersonation/Theft
External Remote Services
Data Encoding: Standard Encoding
Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution: MSBuild
Video Capture
System Time Discovery
Audio Capture
Peripheral Device Discovery
Automated Collection
Clipboard Data
Email Collection: Local Email Collection
Screen Capture
Modify Registry
Brute Force: Credential Stuffing
Brute Force: Password Spraying
Brute Force: Password Cracking
Brute Force: Password Guessing
Native API
Ingress Tool Transfer
Account Manipulation
Non-Application Layer Protocol
Replication Through Removable Media
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Data Staged: Local Data Staging
Software Deployment Tools
Application Layer Protocol: DNS
Application Layer Protocol: Web Protocols
Indicator Removal on Host
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Windows Event Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: Visual Basic
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: PowerShell
Process Discovery
Input Capture: Credential API Hooking
Input Capture: GUI Input Capture
Input Capture: Keylogging
Process Injection
Process Injection: Process Hollowing
Process Injection: Asynchronous Procedure Call
Thread Execution Hijacking
Process Injection: Dynamic-link Library Injection
Scheduled Task/Job: Scheduled Task
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Windows Management Instrumentation
Network Service Discovery
Exfiltration Over C2 Channel
Network Sniffing
Data from Network Shared Drive
Boot or Logon Initialization Scripts: Logon Script (Windows)
Masquerading
Masquerading: Match Legitimate Name or Location
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
System Owner/User Discovery
Obfuscated Files or Information
HTML Smuggling
Obfuscated Files or Information: Compile After Delivery
Remote Services: Windows Remote Management
Remote Services: Distributed Component Object Model
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Automated Exfiltration
Remote System Discovery
System Network Configuration Discovery
Query Registry
Application Window Discovery
System Service Discovery
Direct Volume Access
OS Credential Dumping
OS Credential Dumping: DCSync
OS Credential Dumping: Cached Domain Credentials
OS Credential Dumping: LSA Secrets
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
Steal or Forge Authentication Certificates
Reflective Code Loading
Group Policy Discovery
Forge Web Credentials: SAML token
Gather Victim Host Information: Hardware
Hijack Execution Flow: COR_PROFILER
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Search Order Hijacking
Encrypted Channel
Protocol Tunneling
Non-Standard Port
System Services: Service Execution
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Phishing: Spearphishing Attachment
Hide Artifacts
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Window
Impair Defenses: Disable Cloud Logs
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Archive Collected Data
Steal or Forge Kerberos Tickets: AS-REP Roasting
Steal or Forge Kerberos Tickets: Kerberoasting
Steal or Forge Kerberos Tickets: Silver Ticket
Steal or Forge Kerberos Tickets: Golden Ticket
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Modify Authentication Process: Password Filter DLL
Credentials from Password Stores
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: Mark-of-the-Web Bypass
Subvert Trust Controls: Install Root Certificate
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Cloud Instance Metadata API
Unsecured Credentials: Private Keys
Unsecured Credentials: Credentials In Files
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Abuse Elevation Control Mechanism: Bypass User Account Control
Boot or Logon Autostart Execution: Login Items
Active Setup
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: LSASS Driver
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: Winlogon Helper DLL
Time Providers
Authentication Package
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Event Triggered Execution
Event Triggered Execution: Component Object Model Hijacking
Event Triggered Execution: PowerShell Profile
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppCert DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Create or Modify System Process: Windows Service
Steal Web Session Cookie
Account Access Removal
Data from Cloud Storage Object
Steal Application Access Token
Cloud Service Discovery
Software Discovery
Software Discovery: Security Software Discovery
Server Software Component: Terminal Services DLL
IIS Components
Server Software Component: Transport Agent
Virtualization/Sandbox Evasion: System Checks
Defacement: Internal Defacement
Inhibit System Recovery
Data Encrypted for Impact
Data Destruction
Domain Trust Modification
Domain Policy Modification: Group Policy Modification
Domain Trust Discovery
Remote Access Software
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: InstallUtil
Signed Binary Proxy Execution: Compiled HTML File
Browser Bookmark Discovery
Rogue Domain Controller
User Execution: Malicious Image
User Execution: Malicious File
Password Policy Discovery
BITS Jobs
Forced Authentication
Office Application Startup: Add-ins
Office Application Startup: Office Test
Create Account: Cloud Account
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Access Token Manipulation: Parent PID Spoofing
Create Process with Token
Access Token Manipulation: Token Impersonation/Theft
External Remote Services
Data Encoding: Standard Encoding
System Time Discovery
Audio Capture
Peripheral Device Discovery
Automated Collection
Clipboard Data
Email Collection: Email Forwarding Rule
Email Collection: Local Email Collection
Screen Capture
Modify Registry
Brute Force: Credential Stuffing
Brute Force: Password Spraying
Brute Force: Password Guessing
Native API
Ingress Tool Transfer
Account Manipulation
Account Manipulation: Additional Cloud Credentials
Non-Application Layer Protocol
Replication Through Removable Media
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Cloud Accounts
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Application Layer Protocol: DNS
Application Layer Protocol: Web Protocols
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Windows Event Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Visual Basic
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: PowerShell
Process Discovery
Input Capture: Credential API Hooking
Input Capture: GUI Input Capture
Input Capture: Keylogging
Process Injection
Process Injection: Process Hollowing
Thread Execution Hijacking
Process Injection: Dynamic-link Library Injection
Scheduled Task/Job: Scheduled Task
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Windows Management Instrumentation
Network Service Discovery
Exfiltration Over C2 Channel
Data from Network Shared Drive
Masquerading
Masquerading: Match Legitimate Name or Location
Masquerading: Rename System Utilities
System Owner/User Discovery
Obfuscated Files or Information
HTML Smuggling
Obfuscated Files or Information: Compile After Delivery
Remote Services: Windows Remote Management
Remote Services: Distributed Component Object Model
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Automated Exfiltration
Remote System Discovery
System Network Configuration Discovery
Query Registry
Direct Volume Access
OS Credential Dumping
OS Credential Dumping: DCSync
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
Group Policy Discovery
System Location Discovery: System Language Discovery
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Unquoted Path
Hijack Execution Flow: DLL Side-Loading
Hijack Execution Flow: DLL Search Order Hijacking
System Services: Service Execution
Hide Artifacts
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Remote Service Session Hijacking: RDP Hijacking
Impair Defenses
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Utility
Inter-Process Communication
Inter-Process Communication: Dynamic Data Exchange
Steal or Forge Kerberos Tickets: Kerberoasting
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Private Keys
Unsecured Credentials: Credentials in Registry
Unsecured Credentials: Credentials In Files
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Abuse Elevation Control Mechanism: Bypass User Account Control
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Port Monitors
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppInit DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Netsh Helper DLL
Event Triggered Execution: Screensaver
Event Triggered Execution: Change Default File Association
Create or Modify System Process: Windows Service
Account Access Removal
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
IIS Components
Server Software Component: Web Shell
Inhibit System Recovery
Service Stop
Data Encrypted for Impact
Data Destruction
Domain Policy Modification: Group Policy Modification
Domain Trust Discovery
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Template Injection
XSL Script Processing
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvr32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Odbcconf
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: CMSTP
Signed Binary Proxy Execution: Control Panel
Signed Binary Proxy Execution: Compiled HTML File
Browser Bookmark Discovery
Signed Script Proxy Execution
Signed Script Proxy Execution: Pubprn
User Execution: Malicious File
Indirect Command Execution
Password Policy Discovery
BITS Jobs
Supply Chain Compromise
Deobfuscate/Decode Files or Information
Office Application Startup
Office Application Startup: Outlook Home Page
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Access Token Manipulation: SID-History Injection
Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution: MSBuild
Video Capture
System Time Discovery
Audio Capture
Automated Collection
Clipboard Data
Modify Registry
Brute Force: Password Spraying
Brute Force: Password Cracking
Brute Force: Password Guessing
Native API
Ingress Tool Transfer
Account Manipulation
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Software Deployment Tools
Application Layer Protocol: Web Protocols
Indicator Removal on Host
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Windows Event Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: PowerShell
Process Discovery
Process Injection
Process Injection: Asynchronous Procedure Call
Scheduled Task/Job: Scheduled Task
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Windows Management Instrumentation
Network Sniffing
Data from Network Shared Drive
Boot or Logon Initialization Scripts: Logon Script (Windows)
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
System Owner/User Discovery
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Remote System Discovery
System Network Configuration Discovery
Query Registry
Application Window Discovery
System Service Discovery
OS Credential Dumping
OS Credential Dumping: DCSync
OS Credential Dumping: Cached Domain Credentials
OS Credential Dumping: LSA Secrets
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
System Location Discovery: System Language Discovery
Cloud Infrastructure Discovery
Hijack Execution Flow: LD_PRELOAD
Non-Standard Port
System Services: Service Execution
Hide Artifacts: Hidden Files and Directories
Impair Defenses
Impair Defenses: Disable Cloud Logs
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Library
Archive Collected Data: Archive via Utility
Modify Authentication Process: Pluggable Authentication Modules
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: Install Root Certificate
Unsecured Credentials
Kubernetes List Secrets
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile and .bashrc
Create or Modify System Process: Systemd Service
Account Access Removal
System Shutdown/Reboot
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
Resource Hijacking
Data Encrypted for Impact
Data Destruction
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Browser Extensions
Deobfuscate/Decode Files or Information
Create Account: Local Account
Network Share Discovery
Data Encoding: Standard Encoding
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Brute Force: Password Guessing
Ingress Tool Transfer
SSH Authorized Keys
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Application Layer Protocol: Web Protocols
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Linux or Mac System Logs
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Bash
Process Discovery
Input Capture: Keylogging
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: Cron
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Rc.common
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
Masquerading: Rename System Utilities
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Remote System Discovery
System Network Configuration Discovery
Rootkit
System Service Discovery
OS Credential Dumping: /etc/passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
Plist File Modification
Cloud Infrastructure Discovery
Hijack Execution Flow: LD_PRELOAD
Non-Standard Port
System Services: Launchctl
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Impair Defenses: Disable Cloud Logs
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Utility
Credentials from Password Stores: Credentials from Web Browsers
Credentials from Password Stores: Keychain
Subvert Trust Controls: Install Root Certificate
Subvert Trust Controls: Gatekeeper Bypass
Unsecured Credentials
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Boot or Logon Autostart Execution: Login Items
Boot or Logon Autostart Execution: Re-opened Applications
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Event Triggered Execution: Emond
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile and .bashrc
Create or Modify System Process: Launch Daemon
Create or Modify System Process: Launch Agent
Account Access Removal
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
Resource Hijacking
Data Destruction
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Browser Extensions
Deobfuscate/Decode Files or Information
Create Account: Local Account
Network Share Discovery
Data Encoding: Standard Encoding
System Time Discovery
Audio Capture
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Ingress Tool Transfer
SSH Authorized Keys
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Data Staged: Local Data Staging
Application Layer Protocol: Web Protocols
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Linux or Mac System Logs
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Bash
Command and Scripting Interpreter: AppleScript
Process Discovery
Input Capture: GUI Input Capture
Input Capture: Keylogging
Scheduled Task/Job: Cron
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Startup Items
Boot or Logon Initialization Scripts: Rc.common
Boot or Logon Initialization Scripts: Logon Script (Mac)
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Remote System Discovery
System Network Configuration Discovery
Cloud Storage Object Discovery
System Location Discovery: System Language Discovery
Container and Resource Discovery
Build Image on Host
Escape to Host
Cloud Infrastructure Discovery
Non-Standard Port
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Impair Defenses
Impair Defenses: Disable Cloud Logs
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Utility
Modify Authentication Process: Pluggable Authentication Modules
Credentials from Password Stores: Credentials from Web Browsers
Credentials from Password Stores: Keychain
Subvert Trust Controls: Install Root Certificate
Subvert Trust Controls: Gatekeeper Bypass
Unsecured Credentials
Kubernetes List Secrets
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Boot or Logon Autostart Execution: Re-opened Applications
Event Triggered Execution: Emond
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile and .bashrc
Account Access Removal
Data from Cloud Storage Object
Software Discovery
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Deobfuscate/Decode Files or Information
Create Account: Cloud Account
Network Share Discovery
Data Encoding: Standard Encoding
System Time Discovery
Audio Capture
Clipboard Data
Brute Force: Password Spraying
Ingress Tool Transfer
Account Manipulation
Account Manipulation: Additional Cloud Credentials
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Cloud Accounts
Application Layer Protocol: Web Protocols
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Linux or Mac System Logs
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Bash
Command and Scripting Interpreter: AppleScript
Process Discovery
Input Capture: Keylogging
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Network Service Discovery
Boot or Logon Initialization Scripts: Startup Items
Masquerading: Match Legitimate Name or Location
Masquerading: Rename System Utilities
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Remote System Discovery
System Network Configuration Discovery
Rootkit
OS Credential Dumping: /etc/passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
Deploy a container
Kubernetes Exec Into Container
Hijack Execution Flow: LD_PRELOAD
System Services: Service Execution
System Services: Launchctl
Impair Defenses: Indicator Blocking
Impair Defenses: HISTCONTROL
Archive Collected Data: Archive via Library
Archive Collected Data: Archive via Utility
Kubernetes List Secrets
Unsecured Credentials: Credentials In Files
Boot or Logon Autostart Execution: Login Items
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Event Triggered Execution: .bash_profile and .bashrc
Create or Modify System Process: Launch Daemon
Create or Modify System Process: Systemd Service
Create or Modify System Process: Launch Agent
System Shutdown/Reboot
Resource Hijacking
Data Encrypted for Impact
Data Destruction
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Password Policy Discovery
Deobfuscate/Decode Files or Information
Create Account: Local Account
Network Share Discovery
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Brute Force: Password Guessing
Ingress Tool Transfer
SSH Authorized Keys
System Information Discovery
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Email Collection: Mailbox Manipulation
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Linux or Mac System Logs
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Bash
Input Capture: GUI Input Capture
Input Capture: Keylogging
Kubernetes Cronjob
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: Cron
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Rc.common
Masquerading: Space after Filename
Obfuscated Files or Information: Compile After Delivery
System Network Configuration Discovery
System Service Discovery
OS Credential Dumping: /etc/passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
Plist File Modification
Impair Defenses: HISTCONTROL
Inter-Process Communication: Dynamic Data Exchange
Browser Extensions
Command and Scripting Interpreter: PowerShell
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Boot or Logon Initialization Scripts: Logon Script (Mac)
Masquerading: Space after Filename
Obfuscated Files or Information
OS Credential Dumping: LSASS Memory
Forge Web Credentials: SAML token
Unsecured Credentials: Cloud Instance Metadata API
Account Access Removal
Domain Trust Modification
Create Account: Cloud Account
Brute Force: Password Spraying
Brute Force: Password Guessing
Account Manipulation
Account Manipulation: Additional Cloud Credentials
System Information Discovery
Container and Resource Discovery
Build Image on Host
Escape to Host
Deploy a container
Kubernetes Exec Into Container
Kubernetes List Secrets
Permission Groups Discovery: Local Groups
Kubernetes Cronjob
Network Service Discovery
Cloud Storage Object Discovery
Impair Defenses: Disable Cloud Logs
Unsecured Credentials: Cloud Instance Metadata API
Data from Cloud Storage Object
Steal Application Access Token
Cloud Service Discovery
Account Manipulation
Valid Accounts: Cloud Accounts
Impair Defenses: Disable Cloud Logs
Data from Cloud Storage Object
Password Policy Discovery
Create Account: Cloud Account
Brute Force: Password Spraying
Account Manipulation
Account Manipulation: Additional Cloud Credentials
Impair Defenses: Disable Cloud Logs
Impair Defenses: Disable or Modify Tools
Email Collection: Email Forwarding Rule
Valid Accounts: Cloud Accounts
Valid Accounts: Cloud Accounts