T1649
Steal or Forge Authentication Certificates
Reflective Code Loading
Group Policy Discovery
System Location Discovery: System Language Discovery
Gather Victim Host Information: Hardware
Hijack Execution Flow: COR_PROFILER
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Unquoted Path
Hijack Execution Flow: Path Interception by Search Order Hijacking
Hijack Execution Flow: DLL Side-Loading
Hijack Execution Flow: DLL Search Order Hijacking
Encrypted Channel
Protocol Tunneling
Non-Standard Port
Lateral Tool Transfer
System Services: Service Execution
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Phishing: Spearphishing Attachment
Hide Artifacts
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Window
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Remote Service Session Hijacking: RDP Hijacking
Impair Defenses
Impair Defenses: Safe Boot Mode
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Archive Collected Data
Archive Collected Data: Archive via Utility
Inter-Process Communication
Inter-Process Communication: Dynamic Data Exchange
Steal or Forge Kerberos Tickets: AS-REP Roasting
Steal or Forge Kerberos Tickets: Kerberoasting
Steal or Forge Kerberos Tickets: Silver Ticket
Steal or Forge Kerberos Tickets: Golden Ticket
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Modify Authentication Process: Password Filter DLL
Credentials from Password Stores
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: Mark-of-the-Web Bypass
Subvert Trust Controls: Install Root Certificate
Subvert Trust Controls: SIP and Trust Provider Hijacking
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Private Keys
Unsecured Credentials: Credentials in Registry
Unsecured Credentials: Credentials In Files
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Abuse Elevation Control Mechanism: Bypass User Account Control
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Login Items
Active Setup
Boot or Logon Autostart Execution: Print Processors
Boot or Logon Autostart Execution: Port Monitors
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: LSASS Driver
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: Winlogon Helper DLL
Time Providers
Authentication Package
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Event Triggered Execution
Event Triggered Execution: Component Object Model Hijacking
Event Triggered Execution: PowerShell Profile
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppInit DLLs
Event Triggered Execution: AppCert DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Netsh Helper DLL
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Event Triggered Execution: Screensaver
Event Triggered Execution: Change Default File Association
Create or Modify System Process: Windows Service
Steal Web Session Cookie
Account Access Removal
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
Server Software Component: Terminal Services DLL
IIS Components
Server Software Component: Web Shell
Server Software Component: Transport Agent
Virtualization/Sandbox Evasion: System Checks
Defacement: Internal Defacement
Inhibit System Recovery
Service Stop
Data Encrypted for Impact
Data Destruction
Domain Policy Modification: Group Policy Modification
Domain Trust Discovery
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Template Injection
XSL Script Processing
Remote Access Software
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvr32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Odbcconf
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: InstallUtil
Signed Binary Proxy Execution: CMSTP
Signed Binary Proxy Execution: Control Panel
Signed Binary Proxy Execution: Compiled HTML File
Browser Bookmark Discovery
Signed Script Proxy Execution
Signed Script Proxy Execution: Pubprn
Rogue Domain Controller
User Execution: Malicious Image
User Execution: Malicious File
Indirect Command Execution
Password Policy Discovery
BITS Jobs
Supply Chain Compromise
Forced Authentication
Browser Extensions
Deobfuscate/Decode Files or Information
Office Application Startup
Office Application Startup: Add-ins
Office Application Startup: Outlook Home Page
Office Application Startup: Office Test
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Access Token Manipulation: SID-History Injection
Access Token Manipulation: Parent PID Spoofing
Create Process with Token
Access Token Manipulation: Token Impersonation/Theft
External Remote Services
Data Encoding: Standard Encoding
Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution: MSBuild
Video Capture
System Time Discovery
Audio Capture
Peripheral Device Discovery
Automated Collection
Clipboard Data
Email Collection: Local Email Collection
Screen Capture
Modify Registry
Brute Force: Credential Stuffing
Brute Force: Password Spraying
Brute Force: Password Cracking
Brute Force: Password Guessing
Native API
Ingress Tool Transfer
Account Manipulation
Non-Application Layer Protocol
Replication Through Removable Media
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Data Staged: Local Data Staging
Software Deployment Tools
Application Layer Protocol: DNS
Application Layer Protocol: Web Protocols
Indicator Removal on Host
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Windows Event Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: Visual Basic
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: PowerShell
Process Discovery
Input Capture: Credential API Hooking
Input Capture: GUI Input Capture
Input Capture: Keylogging
Process Injection
Process Injection: Process Hollowing
Process Injection: Extra Window Memory Injection
Process Injection: Asynchronous Procedure Call
Thread Execution Hijacking
Process Injection: Portable Executable Injection
Process Injection: Dynamic-link Library Injection
Scheduled Task/Job: Scheduled Task
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Windows Management Instrumentation
Network Service Discovery
Exfiltration Over C2 Channel
Network Sniffing
Data from Network Shared Drive
Boot or Logon Initialization Scripts: Logon Script (Windows)
Masquerading
Masquerading: Match Legitimate Name or Location
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
System Owner/User Discovery
Obfuscated Files or Information
HTML Smuggling
Obfuscated Files or Information: Compile After Delivery
Remote Services: Windows Remote Management
Remote Services: Distributed Component Object Model
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Automated Exfiltration
Remote System Discovery
System Network Configuration Discovery
Query Registry
Application Window Discovery
System Service Discovery
Direct Volume Access
Data from Local System
OS Credential Dumping
OS Credential Dumping: DCSync
OS Credential Dumping: Cached Domain Credentials
OS Credential Dumping: LSA Secrets
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
Steal or Forge Authentication Certificates
Reflective Code Loading
Group Policy Discovery
Forge Web Credentials: SAML token
Gather Victim Host Information: Hardware
Hijack Execution Flow: COR_PROFILER
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Search Order Hijacking
Encrypted Channel
Protocol Tunneling
Non-Standard Port
Lateral Tool Transfer
System Services: Service Execution
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Phishing: Spearphishing Attachment
Hide Artifacts
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Window
Hide Artifacts: Hidden Files and Directories
Impair Defenses: Disable Cloud Logs
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Archive Collected Data
Steal or Forge Kerberos Tickets: AS-REP Roasting
Steal or Forge Kerberos Tickets: Kerberoasting
Steal or Forge Kerberos Tickets: Silver Ticket
Steal or Forge Kerberos Tickets: Golden Ticket
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Modify Authentication Process: Password Filter DLL
Credentials from Password Stores
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: Mark-of-the-Web Bypass
Subvert Trust Controls: Install Root Certificate
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Cloud Instance Metadata API
Unsecured Credentials: Private Keys
Unsecured Credentials: Credentials In Files
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Abuse Elevation Control Mechanism: Bypass User Account Control
Boot or Logon Autostart Execution: Login Items
Active Setup
Boot or Logon Autostart Execution: Print Processors
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: LSASS Driver
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: Winlogon Helper DLL
Time Providers
Authentication Package
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Event Triggered Execution
Event Triggered Execution: Component Object Model Hijacking
Event Triggered Execution: PowerShell Profile
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppCert DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Create or Modify System Process: Windows Service
Steal Web Session Cookie
Account Access Removal
Data from Cloud Storage Object
Steal Application Access Token
Cloud Service Discovery
Software Discovery
Software Discovery: Security Software Discovery
Server Software Component: Terminal Services DLL
IIS Components
Server Software Component: Transport Agent
Virtualization/Sandbox Evasion: System Checks
Defacement: Internal Defacement
Inhibit System Recovery
Data Encrypted for Impact
Data Destruction
Domain Trust Modification
Domain Policy Modification: Group Policy Modification
Domain Trust Discovery
Remote Access Software
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: InstallUtil
Signed Binary Proxy Execution: Compiled HTML File
Browser Bookmark Discovery
Rogue Domain Controller
User Execution: Malicious Image
User Execution: Malicious File
Password Policy Discovery
BITS Jobs
Forced Authentication
Browser Extensions
Office Application Startup: Add-ins
Office Application Startup: Office Test
Create Account: Cloud Account
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Access Token Manipulation: Parent PID Spoofing
Create Process with Token
Access Token Manipulation: Token Impersonation/Theft
External Remote Services
Data Encoding: Standard Encoding
System Time Discovery
Audio Capture
Peripheral Device Discovery
Automated Collection
Clipboard Data
Email Collection: Email Forwarding Rule
Email Collection: Local Email Collection
Screen Capture
Modify Registry
Brute Force: Credential Stuffing
Brute Force: Password Spraying
Brute Force: Password Guessing
Native API
Ingress Tool Transfer
Account Manipulation
Account Manipulation: Additional Cloud Roles
Account Manipulation: Additional Email Delegate Permissions
Account Manipulation: Additional Cloud Credentials
Non-Application Layer Protocol
Replication Through Removable Media
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Cloud Accounts
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Application Layer Protocol: DNS
Application Layer Protocol: Web Protocols
Indicator Removal on Host
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear Windows Event Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Visual Basic
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: PowerShell
Process Discovery
Input Capture: Credential API Hooking
Input Capture: GUI Input Capture
Input Capture: Keylogging
Process Injection
Process Injection: Process Hollowing
Process Injection: Extra Window Memory Injection
Thread Execution Hijacking
Process Injection: Portable Executable Injection
Process Injection: Dynamic-link Library Injection
Scheduled Task/Job: Scheduled Task
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Windows Management Instrumentation
Network Service Discovery
Exfiltration Over C2 Channel
Data from Network Shared Drive
Masquerading
Masquerading: Match Legitimate Name or Location
Masquerading: Rename System Utilities
System Owner/User Discovery
Obfuscated Files or Information
HTML Smuggling
Obfuscated Files or Information: Compile After Delivery
Remote Services: Windows Remote Management
Remote Services: Distributed Component Object Model
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Automated Exfiltration
Remote System Discovery
System Network Configuration Discovery
Query Registry
Direct Volume Access
Data from Local System
OS Credential Dumping
OS Credential Dumping: DCSync
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
Group Policy Discovery
System Location Discovery: System Language Discovery
Hijack Execution Flow: Services Registry Permissions Weakness
Hijack Execution Flow: Path Interception by Unquoted Path
Hijack Execution Flow: DLL Side-Loading
Hijack Execution Flow: DLL Search Order Hijacking
System Services: Service Execution
Hide Artifacts
Run Virtual Instance
Hide Artifacts: NTFS File Attributes
Hide Artifacts: Hidden Window
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Remote Service Session Hijacking: RDP Hijacking
Impair Defenses
Impair Defenses: Safe Boot Mode
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Utility
Inter-Process Communication
Inter-Process Communication: Dynamic Data Exchange
Steal or Forge Kerberos Tickets: Kerberoasting
Credentials from Password Stores: Windows Credential Manager
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: SIP and Trust Provider Hijacking
Unsecured Credentials: Group Policy Preferences
Unsecured Credentials: Private Keys
Unsecured Credentials: Credentials in Registry
Unsecured Credentials: Credentials In Files
Use Alternate Authentication Material: Pass the Ticket
Use Alternate Authentication Material: Pass the Hash
Abuse Elevation Control Mechanism: Bypass User Account Control
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Port Monitors
Boot or Logon Autostart Execution: Shortcut Modification
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Event Triggered Execution: Image File Execution Options Injection
Event Triggered Execution: Application Shimming
Event Triggered Execution: AppInit DLLs
Event Triggered Execution: Accessibility Features
Event Triggered Execution: Netsh Helper DLL
Event Triggered Execution: Screensaver
Event Triggered Execution: Change Default File Association
Create or Modify System Process: Windows Service
Account Access Removal
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
IIS Components
Server Software Component: Web Shell
Inhibit System Recovery
Service Stop
Data Encrypted for Impact
Data Destruction
Domain Policy Modification: Group Policy Modification
Domain Trust Discovery
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Template Injection
XSL Script Processing
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Rundll32
Signed Binary Proxy Execution: Regsvr32
Signed Binary Proxy Execution: Regsvcs/Regasm
Signed Binary Proxy Execution: Odbcconf
Signed Binary Proxy Execution: Msiexec
Signed Binary Proxy Execution: Mshta
Signed Binary Proxy Execution: CMSTP
Signed Binary Proxy Execution: Control Panel
Signed Binary Proxy Execution: Compiled HTML File
Browser Bookmark Discovery
Signed Script Proxy Execution
Signed Script Proxy Execution: Pubprn
User Execution: Malicious File
Indirect Command Execution
Password Policy Discovery
BITS Jobs
Supply Chain Compromise
Deobfuscate/Decode Files or Information
Office Application Startup
Office Application Startup: Outlook Home Page
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Access Token Manipulation: SID-History Injection
Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution: MSBuild
Video Capture
System Time Discovery
Audio Capture
Automated Collection
Clipboard Data
Modify Registry
Brute Force: Password Spraying
Brute Force: Password Cracking
Brute Force: Password Guessing
Native API
Ingress Tool Transfer
Account Manipulation
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Software Deployment Tools
Application Layer Protocol: Web Protocols
Indicator Removal on Host
Indicator Removal on Host: Network Share Connection Removal
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Windows Event Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: PowerShell
Process Discovery
Process Injection
Process Injection: Asynchronous Procedure Call
Scheduled Task/Job: Scheduled Task
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Windows Management Instrumentation
Network Sniffing
Data from Network Shared Drive
Boot or Logon Initialization Scripts: Logon Script (Windows)
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
System Owner/User Discovery
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Remote Services: SMB/Windows Admin Shares
Remote Services: Remote Desktop Protocol
Remote System Discovery
System Network Configuration Discovery
Query Registry
Application Window Discovery
System Service Discovery
OS Credential Dumping
OS Credential Dumping: DCSync
OS Credential Dumping: Cached Domain Credentials
OS Credential Dumping: LSA Secrets
OS Credential Dumping: NTDS
OS Credential Dumping: Security Account Manager
OS Credential Dumping: LSASS Memory
Cloud Storage Object Discovery
System Location Discovery: System Language Discovery
Container and Resource Discovery
Build Image on Host
Escape to Host
Cloud Infrastructure Discovery
Non-Standard Port
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Impair Defenses
Impair Defenses: Disable Cloud Logs
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Library
Archive Collected Data: Archive via Utility
Modify Authentication Process: Pluggable Authentication Modules
Credentials from Password Stores: Credentials from Web Browsers
Credentials from Password Stores: Keychain
Subvert Trust Controls: Install Root Certificate
Subvert Trust Controls: Gatekeeper Bypass
Unsecured Credentials
Kubernetes List Secrets
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Boot or Logon Autostart Execution: Re-opened Applications
Event Triggered Execution: Emond
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile .bashrc and .shrc
Create or Modify System Process: SysV/Systemd Service
Account Access Removal
Data from Cloud Storage Object
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
Resource Hijacking
Data Encrypted for Impact
Data Destruction
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Deobfuscate/Decode Files or Information
Create Account: Cloud Account
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Data Encoding: Standard Encoding
System Time Discovery
Audio Capture
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Brute Force: Password Spraying
Ingress Tool Transfer
Account Manipulation
SSH Authorized Keys
Account Manipulation: Additional Cloud Credentials
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Cloud Accounts
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Application Layer Protocol: Web Protocols
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Bash
Command and Scripting Interpreter: AppleScript
Process Discovery
Input Capture: Keylogging
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: Cron
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Startup Items
Boot or Logon Initialization Scripts: Rc.common
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Remote Services: VNC
Remote System Discovery
System Network Configuration Discovery
Rootkit
System Service Discovery
OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
System Location Discovery: System Language Discovery
Cloud Infrastructure Discovery
Hijack Execution Flow: LD_PRELOAD
Non-Standard Port
System Services: Service Execution
Hide Artifacts: Hidden Files and Directories
Impair Defenses
Impair Defenses: Disable Cloud Logs
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Library
Archive Collected Data: Archive via Utility
Modify Authentication Process: Pluggable Authentication Modules
Credentials from Password Stores: Credentials from Web Browsers
Subvert Trust Controls: Install Root Certificate
Unsecured Credentials
Kubernetes List Secrets
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile .bashrc and .shrc
Create or Modify System Process: SysV/Systemd Service
Account Access Removal
System Shutdown/Reboot
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
Resource Hijacking
Data Encrypted for Impact
Data Destruction
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Browser Extensions
Deobfuscate/Decode Files or Information
Create Account: Domain Account
Create Account: Local Account
Network Share Discovery
Data Encoding: Standard Encoding
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Brute Force: Password Guessing
Ingress Tool Transfer
SSH Authorized Keys
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Domain Account
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Application Layer Protocol: Web Protocols
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Permission Groups Discovery: Domain Groups
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Bash
Process Discovery
Input Capture: Keylogging
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: Cron
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Rc.common
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
Masquerading: Masquerade Task or Service
Masquerading: Rename System Utilities
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Remote System Discovery
System Network Configuration Discovery
Rootkit
System Service Discovery
OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
Plist File Modification
Cloud Infrastructure Discovery
Hijack Execution Flow: LD_PRELOAD
Non-Standard Port
System Services: Launchctl
Hide Artifacts: Hidden Users
Hide Artifacts: Hidden Files and Directories
Impair Defenses: Disable Cloud Logs
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Utility
Credentials from Password Stores: Credentials from Web Browsers
Credentials from Password Stores: Keychain
Subvert Trust Controls: Install Root Certificate
Subvert Trust Controls: Gatekeeper Bypass
Unsecured Credentials
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Boot or Logon Autostart Execution: Login Items
Boot or Logon Autostart Execution: Re-opened Applications
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Event Triggered Execution: Emond
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile .bashrc and .shrc
Create or Modify System Process: Launch Daemon
Create or Modify System Process: Launch Agent
Steal Web Session Cookie
Account Access Removal
System Shutdown/Reboot
Software Discovery
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
Resource Hijacking
Data Encrypted for Impact
Data Destruction
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Browser Extensions
Deobfuscate/Decode Files or Information
Create Account: Local Account
Network Share Discovery
Data Encoding: Standard Encoding
System Time Discovery
Audio Capture
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Ingress Tool Transfer
SSH Authorized Keys
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Data Staged: Local Data Staging
Application Layer Protocol: Web Protocols
Email Collection: Mailbox Manipulation
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Bash
Command and Scripting Interpreter: AppleScript
Process Discovery
Input Capture: GUI Input Capture
Input Capture: Keylogging
Scheduled Task/Job: Cron
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Startup Items
Boot or Logon Initialization Scripts: Rc.common
Boot or Logon Initialization Scripts: Logon Script (Mac)
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Binary Padding
Remote Services: VNC
Remote System Discovery
System Network Configuration Discovery
System Location Discovery: System Language Discovery
Non-Standard Port
Hide Artifacts: Hidden Files and Directories
Impair Defenses: Indicator Blocking
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Library
Archive Collected Data: Archive via Utility
Modify Authentication Process: Pluggable Authentication Modules
Subvert Trust Controls: Install Root Certificate
Unsecured Credentials: Private Keys
Unsecured Credentials: Bash History
Unsecured Credentials: Credentials In Files
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Abuse Elevation Control Mechanism: Setuid and Setgid
Event Triggered Execution: Trap
Event Triggered Execution: .bash_profile .bashrc and .shrc
Create or Modify System Process: SysV/Systemd Service
System Shutdown/Reboot
Software Discovery: Security Software Discovery
Virtualization/Sandbox Evasion: System Checks
Resource Hijacking
Data Encrypted for Impact
Data Destruction
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Browser Bookmark Discovery
Password Policy Discovery
Browser Extensions
Deobfuscate/Decode Files or Information
Create Account: Local Account
Network Share Discovery
Data Encoding: Standard Encoding
System Time Discovery
Screen Capture
Brute Force: Credential Stuffing
Brute Force: Password Guessing
Ingress Tool Transfer
SSH Authorized Keys
Proxy: Multi-hop Proxy
Proxy: Internal Proxy
Account Discovery: Local Account
File and Directory Discovery
System Information Discovery
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Application Layer Protocol: Web Protocols
Indicator Removal on Host: Timestomp
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear Command History
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Permission Groups Discovery: Local Groups
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: Bash
Process Discovery
Input Capture: Keylogging
Scheduled Task/Job: Cron
Scheduled Task/Job: At
System Network Connections Discovery
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Rc.common
Masquerading: Space after Filename
Masquerading: Match Legitimate Name or Location
Masquerading: Rename System Utilities
System Owner/User Discovery
Data Transfer Size Limits
Obfuscated Files or Information
Obfuscated Files or Information: Compile After Delivery
Obfuscated Files or Information: Binary Padding
Remote System Discovery
System Network Configuration Discovery
System Service Discovery
OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
Deploy a Container
Kubernetes Exec Into Container
Hijack Execution Flow: LD_PRELOAD
System Services: Service Execution
System Services: Launchctl
Impair Defenses: Indicator Blocking
Impair Defenses: HISTCONTROL
Impair Defenses: Disable or Modify Tools
Archive Collected Data: Archive via Utility
Kubernetes List Secrets
Unsecured Credentials: Credentials In Files
Boot or Logon Autostart Execution: Login Items
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Event Triggered Execution: .bash_profile .bashrc and .shrc
Create or Modify System Process: Launch Daemon
Create or Modify System Process: SysV/Systemd Service
Create or Modify System Process: Launch Agent
Steal Web Session Cookie
System Shutdown/Reboot
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Password Policy Discovery
Deobfuscate/Decode Files or Information
Create Account: Local Account
Network Share Discovery
Clipboard Data
Screen Capture
Brute Force: Credential Stuffing
Brute Force: Password Guessing
System Information Discovery
Valid Accounts: Local Accounts
Data Staged: Local Data Staging
Email Collection: Mailbox Manipulation
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Command and Scripting Interpreter: Bash
Input Capture: GUI Input Capture
Input Capture: Keylogging
Kubernetes Cronjob
Scheduled Task/Job: Systemd Timers
Scheduled Task/Job: Cron
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Network Service Discovery
Network Sniffing
Boot or Logon Initialization Scripts: Rc.common
Masquerading: Space after Filename
System Network Configuration Discovery
System Service Discovery
OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
OS Credential Dumping: Proc Filesystem
Forge Web Credentials: SAML Token
Unsecured Credentials: Cloud Instance Metadata API
Account Access Removal
Domain Trust Modification
Create Account: Cloud Account
Brute Force: Password Spraying
Brute Force: Password Guessing
Account Manipulation
Account Manipulation: Additional Cloud Roles
Account Manipulation: Additional Cloud Credentials
System Information Discovery
Cloud Storage Object Discovery
Cloud Infrastructure Discovery
Impair Defenses: Disable Cloud Logs
Impair Defenses: Disable or Modify Tools
Unsecured Credentials
Data from Cloud Storage Object
Password Policy Discovery
Create Account: Cloud Account
Brute Force: Password Spraying
Account Manipulation
Account Manipulation: Additional Cloud Credentials
Plist File Modification
Impair Defenses: HISTCONTROL
Inter-Process Communication: Dynamic Data Exchange
Browser Extensions
Command and Scripting Interpreter: PowerShell
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Boot or Logon Initialization Scripts: Logon Script (Mac)
Masquerading: Space after Filename
Obfuscated Files or Information
OS Credential Dumping: LSASS Memory
Container and Resource Discovery
Build Image on Host
Escape to Host
Deploy a Container
Kubernetes Exec Into Container
Kubernetes List Secrets
Permission Groups Discovery: Local Groups
Kubernetes Cronjob
Network Service Discovery
Impair Defenses: Disable Cloud Logs
Unsecured Credentials: Cloud Instance Metadata API
Data from Cloud Storage Object
Steal Application Access Token
Cloud Service Discovery
Account Manipulation
Valid Accounts: Cloud Accounts
Impair Defenses: Disable Cloud Logs
Data Destruction
Account Manipulation
Valid Accounts: Cloud Accounts
Impair Defenses: Disable Cloud Logs
Impair Defenses: Disable or Modify Tools
Email Collection: Email Forwarding Rule
Account Manipulation: Additional Email Delegate Permissions
Valid Accounts: Cloud Accounts