| Drive-by Compromise CONTRIBUTE A TEST |
AppleScript |
.bash_profile and .bashrc |
Access Token Manipulation |
Access Token Manipulation |
Account Manipulation |
Account Discovery |
AppleScript |
Audio Capture |
Automated Exfiltration CONTRIBUTE A TEST |
Commonly Used Port CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST |
CMSTP |
Accessibility Features |
Accessibility Features |
Application Access Token CONTRIBUTE A TEST |
Bash History |
Application Window Discovery |
Application Access Token CONTRIBUTE A TEST |
Automated Collection |
Data Compressed |
Communication Through Removable Media CONTRIBUTE A TEST |
| External Remote Services CONTRIBUTE A TEST |
Command-Line Interface |
Account Manipulation |
AppCert DLLs CONTRIBUTE A TEST |
BITS Jobs |
Brute Force |
Browser Bookmark Discovery |
Application Deployment Software CONTRIBUTE A TEST |
Clipboard Data |
Data Encrypted |
Connection Proxy |
| Hardware Additions CONTRIBUTE A TEST |
Compiled HTML File |
AppCert DLLs CONTRIBUTE A TEST |
AppInit DLLs |
Binary Padding |
Cloud Instance Metadata API CONTRIBUTE A TEST |
Cloud Service Dashboard CONTRIBUTE A TEST |
Component Object Model and Distributed COM CONTRIBUTE A TEST |
Data Staged |
Data Transfer Size Limits |
Custom Command and Control Protocol CONTRIBUTE A TEST |
| Replication Through Removable Media CONTRIBUTE A TEST |
Component Object Model and Distributed COM CONTRIBUTE A TEST |
AppInit DLLs |
Application Shimming |
Bypass User Account Control |
Credential Dumping |
Cloud Service Discovery CONTRIBUTE A TEST |
Exploitation of Remote Services CONTRIBUTE A TEST |
Data from Cloud Storage Object CONTRIBUTE A TEST |
Exfiltration Over Alternative Protocol |
Custom Cryptographic Protocol CONTRIBUTE A TEST |
| Spearphishing Attachment |
Control Panel Items |
Application Shimming |
Bypass User Account Control |
CMSTP |
Credentials from Web Browsers CONTRIBUTE A TEST |
Domain Trust Discovery |
Internal Spearphishing CONTRIBUTE A TEST |
Data from Information Repositories CONTRIBUTE A TEST |
Exfiltration Over Command and Control Channel CONTRIBUTE A TEST |
Data Encoding |
| Spearphishing Link CONTRIBUTE A TEST |
Dynamic Data Exchange |
Authentication Package CONTRIBUTE A TEST |
DLL Search Order Hijacking |
Clear Command History |
Credentials in Files |
File and Directory Discovery |
Logon Scripts |
Data from Local System |
Exfiltration Over Other Network Medium CONTRIBUTE A TEST |
Data Obfuscation CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST |
Execution through API CONTRIBUTE A TEST |
BITS Jobs |
Dylib Hijacking CONTRIBUTE A TEST |
Code Signing CONTRIBUTE A TEST |
Credentials in Registry |
Network Service Scanning |
Pass the Hash |
Data from Network Shared Drive CONTRIBUTE A TEST |
Exfiltration Over Physical Medium CONTRIBUTE A TEST |
Domain Fronting CONTRIBUTE A TEST |
| Supply Chain Compromise CONTRIBUTE A TEST |
Execution through Module Load CONTRIBUTE A TEST |
Bootkit CONTRIBUTE A TEST |
Elevated Execution with Prompt CONTRIBUTE A TEST |
Compile After Delivery |
Exploitation for Credential Access CONTRIBUTE A TEST |
Network Share Discovery |
Pass the Ticket |
Data from Removable Media CONTRIBUTE A TEST |
Scheduled Transfer CONTRIBUTE A TEST |
Domain Generation Algorithms CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST |
Exploitation for Client Execution CONTRIBUTE A TEST |
Browser Extensions |
Emond |
Compiled HTML File |
Forced Authentication CONTRIBUTE A TEST |
Network Sniffing |
Remote Desktop Protocol |
Email Collection |
Transfer Data to Cloud Account CONTRIBUTE A TEST |
Fallback Channels CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST |
Graphical User Interface CONTRIBUTE A TEST |
Change Default File Association |
Exploitation for Privilege Escalation CONTRIBUTE A TEST |
Component Firmware CONTRIBUTE A TEST |
Hooking |
Password Policy Discovery |
Remote File Copy |
Input Capture |
|
Multi-Stage Channels CONTRIBUTE A TEST |
|
InstallUtil |
Component Firmware CONTRIBUTE A TEST |
Extra Window Memory Injection CONTRIBUTE A TEST |
Component Object Model Hijacking CONTRIBUTE A TEST |
Input Capture |
Peripheral Device Discovery CONTRIBUTE A TEST |
Remote Services CONTRIBUTE A TEST |
Man in the Browser CONTRIBUTE A TEST |
|
Multi-hop Proxy CONTRIBUTE A TEST |
|
LSASS Driver CONTRIBUTE A TEST |
Component Object Model Hijacking CONTRIBUTE A TEST |
File System Permissions Weakness |
Connection Proxy |
Input Prompt |
Permission Groups Discovery |
Replication Through Removable Media CONTRIBUTE A TEST |
Screen Capture |
|
Multiband Communication CONTRIBUTE A TEST |
|
Launchctl |
Create Account |
Hooking |
Control Panel Items |
Kerberoasting |
Process Discovery |
SSH Hijacking CONTRIBUTE A TEST |
Video Capture CONTRIBUTE A TEST |
|
Multilayer Encryption CONTRIBUTE A TEST |
|
Local Job Scheduling |
DLL Search Order Hijacking |
Image File Execution Options Injection |
DCShadow |
Keychain |
Query Registry |
Shared Webroot CONTRIBUTE A TEST |
|
|
Port Knocking CONTRIBUTE A TEST |
|
Mshta |
Dylib Hijacking CONTRIBUTE A TEST |
Launch Daemon |
DLL Search Order Hijacking |
LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST |
Remote System Discovery |
Taint Shared Content CONTRIBUTE A TEST |
|
|
Remote Access Tools |
|
PowerShell |
Emond |
New Service |
DLL Side-Loading |
Network Sniffing |
Security Software Discovery |
Third-party Software CONTRIBUTE A TEST |
|
|
Remote File Copy |
|
Regsvcs/Regasm |
External Remote Services CONTRIBUTE A TEST |
Parent PID Spoofing |
Deobfuscate/Decode Files or Information |
Password Filter DLL |
Software Discovery |
Web Session Cookie CONTRIBUTE A TEST |
|
|
Standard Application Layer Protocol |
|
Regsvr32 |
File System Permissions Weakness |
Path Interception CONTRIBUTE A TEST |
Disabling Security Tools |
Private Keys |
System Information Discovery |
Windows Admin Shares |
|
|
Standard Cryptographic Protocol |
|
Rundll32 |
Hidden Files and Directories |
Plist Modification |
Execution Guardrails CONTRIBUTE A TEST |
Securityd Memory CONTRIBUTE A TEST |
System Network Configuration Discovery |
Windows Remote Management |
|
|
Standard Non-Application Layer Protocol |
|
Scheduled Task |
Hooking |
Port Monitors CONTRIBUTE A TEST |
Exploitation for Defense Evasion CONTRIBUTE A TEST |
Steal Application Access Token CONTRIBUTE A TEST |
System Network Connections Discovery |
|
|
|
Uncommonly Used Port |
|
Scripting |
Hypervisor |
PowerShell Profile |
Extra Window Memory Injection CONTRIBUTE A TEST |
Steal Web Session Cookie CONTRIBUTE A TEST |
System Owner/User Discovery |
|
|
|
Web Service |
|
Service Execution |
Image File Execution Options Injection |
Process Injection |
File Deletion |
Two-Factor Authentication Interception CONTRIBUTE A TEST |
System Service Discovery |
|
|
|
|
|
Signed Binary Proxy Execution |
Implant Container Image CONTRIBUTE A TEST |
SID-History Injection CONTRIBUTE A TEST |
File System Logical Offsets CONTRIBUTE A TEST |
|
System Time Discovery |
|
|
|
|
|
Signed Script Proxy Execution |
Kernel Modules and Extensions |
Scheduled Task |
File and Directory Permissions Modification |
|
Virtualization/Sandbox Evasion CONTRIBUTE A TEST |
|
|
|
|
|
Source |
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST |
Service Registry Permissions Weakness |
Gatekeeper Bypass |
|
|
|
|
|
|
|
Space after Filename |
LSASS Driver CONTRIBUTE A TEST |
Setuid and Setgid |
Group Policy Modification CONTRIBUTE A TEST |
|
|
|
|
|
|
|
Third-party Software CONTRIBUTE A TEST |
Launch Agent |
Startup Items |
HISTCONTROL |
|
|
|
|
|
|
|
Trap |
Launch Daemon |
Sudo |
Hidden Files and Directories |
|
|
|
|
|
|
|
Trusted Developer Utilities |
Launchctl |
Sudo Caching |
Hidden Users |
|
|
|
|
|
|
|
User Execution |
Local Job Scheduling |
Valid Accounts CONTRIBUTE A TEST |
Hidden Window |
|
|
|
|
|
|
|
Windows Management Instrumentation |
Login Item CONTRIBUTE A TEST |
Web Shell |
Image File Execution Options Injection |
|
|
|
|
|
|
|
Windows Remote Management |
Logon Scripts |
|
Indicator Blocking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
XSL Script Processing |
Modify Existing Service |
|
Indicator Removal from Tools CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Netsh Helper DLL |
|
Indicator Removal on Host |
|
|
|
|
|
|
|
|
New Service |
|
Indirect Command Execution |
|
|
|
|
|
|
|
|
Office Application Startup |
|
Install Root Certificate |
|
|
|
|
|
|
|
|
Path Interception CONTRIBUTE A TEST |
|
InstallUtil |
|
|
|
|
|
|
|
|
Plist Modification |
|
LC_MAIN Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Port Knocking CONTRIBUTE A TEST |
|
Launchctl |
|
|
|
|
|
|
|
|
Port Monitors CONTRIBUTE A TEST |
|
Masquerading |
|
|
|
|
|
|
|
|
PowerShell Profile |
|
Modify Registry |
|
|
|
|
|
|
|
|
Rc.common |
|
Mshta |
|
|
|
|
|
|
|
|
Re-opened Applications |
|
NTFS File Attributes |
|
|
|
|
|
|
|
|
Redundant Access CONTRIBUTE A TEST |
|
Network Share Connection Removal |
|
|
|
|
|
|
|
|
Registry Run Keys / Startup Folder |
|
Obfuscated Files or Information |
|
|
|
|
|
|
|
|
SIP and Trust Provider Hijacking CONTRIBUTE A TEST |
|
Parent PID Spoofing |
|
|
|
|
|
|
|
|
Scheduled Task |
|
Plist Modification |
|
|
|
|
|
|
|
|
Screensaver |
|
Port Knocking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Security Support Provider |
|
Process Doppelgänging CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Server Software Component |
|
Process Hollowing |
|
|
|
|
|
|
|
|
Service Registry Permissions Weakness |
|
Process Injection |
|
|
|
|
|
|
|
|
Setuid and Setgid |
|
Redundant Access CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Shortcut Modification |
|
Regsvcs/Regasm |
|
|
|
|
|
|
|
|
Startup Items |
|
Regsvr32 |
|
|
|
|
|
|
|
|
System Firmware CONTRIBUTE A TEST |
|
Revert Cloud Instance CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Systemd Service |
|
Rootkit |
|
|
|
|
|
|
|
|
Time Providers CONTRIBUTE A TEST |
|
Rundll32 |
|
|
|
|
|
|
|
|
Trap |
|
SIP and Trust Provider Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Valid Accounts CONTRIBUTE A TEST |
|
Scripting |
|
|
|
|
|
|
|
|
Web Shell |
|
Signed Binary Proxy Execution |
|
|
|
|
|
|
|
|
Windows Management Instrumentation Event Subscription |
|
Signed Script Proxy Execution |
|
|
|
|
|
|
|
|
Winlogon Helper DLL |
|
Software Packing CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
Space after Filename |
|
|
|
|
|
|
|
|
|
|
Template Injection CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
Timestomp |
|
|
|
|
|
|
|
|
|
|
Trusted Developer Utilities |
|
|
|
|
|
|
|
|
|
|
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
Valid Accounts CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
Virtualization/Sandbox Evasion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
Web Service |
|
|
|
|
|
|
|
|
|
|
Web Session Cookie CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
XSL Script Processing |
|
|
|
|
|
|