adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6c85c88c558721ebf077ae47a2b67d7ee5f9643d
atomic-red-team-gs/atomics/Indexes/Matrices/matrix.md
T
Atomic Red Team doc generator 6c85c88c55 Generated docs from job=generate-docs branch=master [ci skip]
2025-10-06 15:58:23 +00:00

73 KiB
Raw Blame History

All Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
External Remote Services Scheduled Task/Job: Scheduled Task Scheduled Task/Job: Scheduled Task Process Injection: Extra Window Memory Injection Process Injection: Extra Window Memory Injection Adversary-in-the-Middle CONTRIBUTE A TEST System Owner/User Discovery Remote Services:VNC Archive Collected Data: Archive via Utility Exfiltration Over Web Service CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Windows Management Instrumentation Socket Filters CONTRIBUTE A TEST Scheduled Task/Job: Scheduled Task Socket Filters CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Container and Resource Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Exfiltration Over Webhook CONTRIBUTE A TEST Data Encoding: Standard Encoding Direct Network Flood CONTRIBUTE A TEST
Phishing: Spearphishing Link Server Software Component Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Fileless Storage CONTRIBUTE A TEST Input Capture: Keylogging System Network Configuration Discovery: Internet Connection Discovery Remote Services: SSH Adversary-in-the-Middle CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment Command and Scripting Interpreter: JavaScript Modify Authentication Process: Pluggable Authentication Modules Path Interception by PATH Environment Variable CONTRIBUTE A TEST Signed Binary Proxy Execution: Rundll32 Brute Force: Password Guessing Permission Groups Discovery CONTRIBUTE A TEST Replication Through Removable Media Input Capture: Keylogging Exfiltration Over Other Network Medium CONTRIBUTE A TEST Application Layer Protocol: DNS OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST Kubernetes Cronjob Path Interception by PATH Environment Variable CONTRIBUTE A TEST Event Triggered Execution: PowerShell Profile Embedded Payloads CONTRIBUTE A TEST OS Credential Dumping Cloud Groups CONTRIBUTE A TEST Direct Cloud VM Connections CONTRIBUTE A TEST Data from Configuration Repository CONTRIBUTE A TEST Exfiltration Over Bluetooth CONTRIBUTE A TEST Publish/Subscribe Protocols CONTRIBUTE A TEST Lifecycle-Triggered Deletion CONTRIBUTE A TEST
Replication Through Removable Media Inter-Process Communication: Dynamic Data Exchange Event Triggered Execution: PowerShell Profile Create or Modify System Process CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Steal Web Session Cookie Group Policy Discovery SSH Hijacking CONTRIBUTE A TEST Sharepoint CONTRIBUTE A TEST Automated Exfiltration Symmetric Cryptography CONTRIBUTE A TEST SMS Pumping CONTRIBUTE A TEST
Supply Chain Compromise User Execution: Malicious File Create or Modify System Process CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Revert Cloud Instance CONTRIBUTE A TEST OS Credential Dumping: Security Account Manager Device Driver Discovery Remote Services: SMB/Windows Admin Shares Audio Capture Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Scheduled Task/Job: Cron External Remote Services Kubernetes Cronjob File/Path Exclusions CONTRIBUTE A TEST Unsecured Credentials: Cloud Instance Metadata API Account Discovery: Domain Account Use Alternate Authentication Material CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Traffic Duplication CONTRIBUTE A TEST Application Layer Protocol Disk Wipe CONTRIBUTE A TEST
Content Injection CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Bypass User Account Control File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification Securityd Memory CONTRIBUTE A TEST Account Discovery: Local Account Remote Services CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Remote Access Software Stored Data Manipulation CONTRIBUTE A TEST
Valid Accounts: Default Accounts ESXi Administration Command CONTRIBUTE A TEST Kubernetes Cronjob Abuse Elevation Control Mechanism: Sudo and Sudo Caching Signed Script Proxy Execution: Pubprn Brute Force: Password Cracking Virtualization/Sandbox Evasion: System Checks Remote Service Session Hijacking CONTRIBUTE A TEST Data from Removable Media Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Content Injection CONTRIBUTE A TEST Service Stop
Trusted Relationship CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Pre-OS Boot: System Firmware Hijack Execution Flow: Services Registry Permissions Weakness Path Interception by PATH Environment Variable CONTRIBUTE A TEST Credentials from Password Stores: Keychain Permission Groups Discovery: Domain Groups Remote Services: Windows Remote Management Data Staged: Local Data Staging Exfiltration Over C2 Channel Traffic Signaling CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Command and Scripting Interpreter: AppleScript Hijack Execution Flow: Services Registry Permissions Weakness Boot or Logon Autostart Execution Direct Volume Access OS Credential Dumping: LSA Secrets System Service Discovery Remote Services: Distributed Component Object Model Email Collection: Local Email Collection Exfiltration Over Alternative Protocol Protocol Tunneling Runtime Data Manipulation CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Native API Bootkit CONTRIBUTE A TEST Active Setup Modify Cloud Resource Hierarchy CONTRIBUTE A TEST Forge Web Credentials: SAML token Network Sniffing Use Alternate Authentication Material: Pass the Ticket Automated Collection Exfiltration over USB CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Reflection Amplification CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST Command and Scripting Interpreter: AutoHotKey & AutoIT Boot or Logon Autostart Execution Domain Trust Modification Hide Artifacts: Email Hiding Rules OS Credential Dumping: Proc Filesystem Network Share Discovery Cloud Services CONTRIBUTE A TEST Clipboard Data Exfiltration Over Web Service: Exfiltration to Text Storage Sites Communication Through Removable Media CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain Systemctl CONTRIBUTE A TEST Active Setup Create or Modify System Process: Windows Service Obfuscated Files or Information: Encrypted/Encoded File Password Managers CONTRIBUTE A TEST Peripheral Device Discovery Software Deployment Tools Data from Cloud Storage Object Exfiltration Over Web Service: Exfiltration to Cloud Storage External Proxy CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Cloud API CONTRIBUTE A TEST Browser Extensions CONTRIBUTE A TEST Scheduled Task/Job: Cron Rootkit Network Sniffing System Information Discovery Exploitation of Remote Services CONTRIBUTE A TEST Remote Data Staging CONTRIBUTE A TEST Data Transfer Size Limits Proxy CONTRIBUTE A TEST Bandwidth Hijacking CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Deploy a container TFTP Boot CONTRIBUTE A TEST Account Manipulation: Additional Cloud Roles Masquerading: Double File Extension Unsecured Credentials: Credentials in Registry System Network Configuration Discovery: Wi-Fi Discovery Internal Spearphishing CONTRIBUTE A TEST Data from Local System Transfer Data to Cloud Account CONTRIBUTE A TEST IDE Tunneling CONTRIBUTE A TEST Financial Theft CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Input Injection CONTRIBUTE A TEST Create or Modify System Process: Windows Service Boot or Logon Autostart Execution: Print Processors Abuse Elevation Control Mechanism: Bypass User Account Control Modify Authentication Process: Password Filter DLL Application Window Discovery Lateral Tool Transfer Archive Collected Data: Archive via Library Exfiltration Over Physical Medium CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST Defacement: Internal Defacement
Valid Accounts: Cloud Accounts Command and Scripting Interpreter Scheduled Task/Job: Cron Hijack Execution Flow: DLL Abuse Elevation Control Mechanism: Sudo and Sudo Caching Ccache Files CONTRIBUTE A TEST Email Account CONTRIBUTE A TEST Web Session Cookie CONTRIBUTE A TEST Evil Twin CONTRIBUTE A TEST Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Web Service CONTRIBUTE A TEST Cloud Service Hijacking CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST Kubernetes Exec Into Container Office Application Startup AppDomainManager CONTRIBUTE A TEST Modify Cloud Compute Infrastructure CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: AS-REP Roasting Time Based Evasion Remote Service Session Hijacking: RDP Hijacking Network Device Configuration Dump CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Compute Hijacking CONTRIBUTE A TEST
Valid Accounts: Local Accounts System Services: Launchctl Account Manipulation: Additional Cloud Roles Additional Container Cluster Roles CONTRIBUTE A TEST Pre-OS Boot: System Firmware Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Cloud Infrastructure Discovery Use Alternate Authentication Material: Pass the Hash Archive Collected Data Multi-Stage Channels CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Wi-Fi Networks CONTRIBUTE A TEST Network Device CLI CONTRIBUTE A TEST Boot or Logon Autostart Execution: Print Processors Scheduled Task/Job CONTRIBUTE A TEST Hijack Execution Flow: Services Registry Permissions Weakness Credentials from Password Stores Browser Bookmark Discovery Remote Services: Remote Desktop Protocol Browser Session Hijacking CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST Account Access Removal
XPC Services CONTRIBUTE A TEST Hijack Execution Flow: DLL Additional Local or Domain Groups CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Unsecured Credentials Virtual Machine Discovery CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST DHCP Spoofing CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Data Encrypted for Impact
User Execution CONTRIBUTE A TEST Office Application Startup: Add-ins Thread Execution Hijacking Mavinject CONTRIBUTE A TEST Evil Twin CONTRIBUTE A TEST System Network Configuration Discovery Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay One-Way Communication CONTRIBUTE A TEST Email Bombing CONTRIBUTE A TEST
Software Deployment Tools Server Software Component: Transport Agent Event Triggered Execution: Application Shimming Masquerading: Match Legitimate Name or Location Hybrid Identity CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Proxy: Multi-hop Proxy Endpoint Denial of Service CONTRIBUTE A TEST
Command and Scripting Interpreter: PowerShell AppDomainManager CONTRIBUTE A TEST Boot or Logon Autostart Execution: Port Monitors Weaken Encryption CONTRIBUTE A TEST Credentials from Password Stores: Credentials from Web Browsers Domain Trust Discovery Video Capture Remote Access Hardware CONTRIBUTE A TEST Resource Hijacking
Scheduled Task/Job: Systemd Timers Additional Container Cluster Roles CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Masquerade File Type CONTRIBUTE A TEST DHCP Spoofing CONTRIBUTE A TEST File and Directory Discovery Confluence CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Command and Scripting Interpreter: Bash Scheduled Task/Job CONTRIBUTE A TEST Process Injection Hide Artifacts Unsecured Credentials: Private Keys System Network Connections Discovery Email Collection: Email Forwarding Rule Non-Standard Port Data Destruction
Inter-Process Communication Modify Authentication Process: Password Filter DLL Escape to Host Domain Trust Modification Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Virtualization/Sandbox Evasion CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Encrypted Channel Network Denial of Service CONTRIBUTE A TEST
Lua CONTRIBUTE A TEST Server Software Component: Terminal Services DLL Boot or Logon Autostart Execution: Shortcut Modification Impair Defenses: Safe Boot Mode OS Credential Dumping: LSASS Memory Cloud Storage Object Discovery Input Capture: GUI Input Capture Bidirectional Communication CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
User Execution: Malicious Image Browser Extensions Boot or Logon Autostart Execution: Security Support Provider TFTP Boot CONTRIBUTE A TEST Brute Force: Password Spraying Log Enumeration Data from Network Shared Drive Asymmetric Cryptography CONTRIBUTE A TEST Inhibit System Recovery
Exploitation for Client Execution CONTRIBUTE A TEST Outlook Rules CONTRIBUTE A TEST Create or Modify System Process: Launch Daemon Virtualization/Sandbox Evasion: System Checks Web Portal Capture CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Email Collection: Remote Email Collection Non-Application Layer Protocol Disk Content Wipe CONTRIBUTE A TEST
Command and Scripting Interpreter: Python Additional Local or Domain Groups CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs OS Credential Dumping: Cached Domain Credentials Process Discovery Input Capture CONTRIBUTE A TEST Protocol or Service Impersonation CONTRIBUTE A TEST System Shutdown/Reboot
System Services CONTRIBUTE A TEST Event Triggered Execution: Application Shimming Domain Policy Modification: Group Policy Modification Signed Binary Proxy Execution: InstallUtil Steal or Forge Kerberos Tickets: Golden Ticket User Activity Based Checks CONTRIBUTE A TEST Customer Relationship Management Software CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST
Command and Scripting Interpreter: Windows Command Shell Boot or Logon Autostart Execution: Port Monitors Valid Accounts: Default Accounts Stripped Payloads CONTRIBUTE A TEST Steal or Forge Authentication Certificates Permission Groups Discovery: Local Groups ARP Cache Poisoning CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST
Hypervisor CLI CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Time Providers Hijack Execution Flow: DLL Unsecured Credentials: Bash History Password Policy Discovery Code Repositories CONTRIBUTE A TEST Remote Desktop Software CONTRIBUTE A TEST
Cloud Administration Command Traffic Signaling CONTRIBUTE A TEST Event Triggered Execution: Trap Subvert Trust Controls: Gatekeeper Bypass Unsecured Credentials: Credentials In Files System Location Discovery: System Language Discovery Data from Information Repositories CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST
Command and Scripting Interpreter: Visual Basic Boot or Logon Autostart Execution: Shortcut Modification Hijack Execution Flow: LD_PRELOAD Code Signing CONTRIBUTE A TEST Web Cookies CONTRIBUTE A TEST Query Registry SNMP (MIB Dump) CONTRIBUTE A TEST Application Layer Protocol: Web Protocols
Malicious Copy and Paste CONTRIBUTE A TEST Implant Internal Image CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Break Process Trees CONTRIBUTE A TEST Steal Application Access Token System Location Discovery Input Capture: Credential API Hooking Ingress Tool Transfer
Serverless Execution Boot or Logon Autostart Execution: Security Support Provider Create Process with Token File and Directory Permissions Modification: Windows File and Directory Permissions Modification Unsecured Credentials: Group Policy Preferences Software Discovery: Security Software Discovery Messaging Applications CONTRIBUTE A TEST Hide Infrastructure CONTRIBUTE A TEST
Malicious Link CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Setuid and Setgid AppDomainManager CONTRIBUTE A TEST Network Provider DLL CONTRIBUTE A TEST Cloud Service Discovery Data Obfuscation via Steganography
System Services: Service Execution Modify Registry Boot or Logon Autostart Execution: Winlogon Helper DLL Signed Binary Proxy Execution: Msiexec Forge Web Credentials CONTRIBUTE A TEST Remote System Discovery Fallback Channels CONTRIBUTE A TEST
Scheduled Task/Job: At Create or Modify System Process: Launch Daemon SSH Authorized Keys Modify Authentication Process: Password Filter DLL Multi-Factor Authentication Request Generation CONTRIBUTE A TEST Network Service Discovery Proxy: Internal Proxy
Hijack Execution Flow: Path Interception by Search Order Hijacking Event Triggered Execution: Image File Execution Options Injection Clear Network Connection History and Configurations CONTRIBUTE A TEST Chat Messages CONTRIBUTE A TEST Software Discovery Dead Drop Resolver CONTRIBUTE A TEST
Server Software Component: Web Shell Temporary Elevated Cloud Access CONTRIBUTE A TEST Reduce Key Space CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Cloud Service Dashboard CONTRIBUTE A TEST Junk Data CONTRIBUTE A TEST
Valid Accounts: Default Accounts Process Doppelgänging CONTRIBUTE A TEST Indicator Removal on Host: Clear Command History Input Capture: GUI Input Capture Debugger Evasion
Time Providers Executable Installer File Permissions Weakness CONTRIBUTE A TEST Indirect Command Execution Brute Force CONTRIBUTE A TEST System Time Discovery
Event Triggered Execution: Trap Event Triggered Execution: Accessibility Features Deobfuscate/Decode Files or Information Brute Force: Credential Stuffing
Hijack Execution Flow: LD_PRELOAD Process Injection: Asynchronous Procedure Call Impair Defenses Multi-Factor Authentication CONTRIBUTE A TEST
Create Account: Local Account Event Triggered Execution: AppCert DLLs Thread Execution Hijacking Forced Authentication
IDE Extensions CONTRIBUTE A TEST Device Registration CONTRIBUTE A TEST Masquerading Input Capture CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Winlogon Helper DLL Process Injection: Portable Executable Injection Email Collection: Mailbox Manipulation ARP Cache Poisoning CONTRIBUTE A TEST
SSH Authorized Keys Boot or Logon Autostart Execution: Login Items Process Injection Conditional Access Policies CONTRIBUTE A TEST
Event Triggered Execution: Image File Execution Options Injection Access Token Manipulation: Token Impersonation/Theft Traffic Signaling CONTRIBUTE A TEST Credentials from Password Stores: Cloud Secrets Management Stores
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Account Manipulation: Additional Cloud Credentials Signed Binary Proxy Execution OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
Event Triggered Execution: Accessibility Features Make and Impersonate Token CONTRIBUTE A TEST Indicator Removal on Host: Timestomp Steal or Forge Kerberos Tickets: Silver Ticket
Create Account: Domain Account Event Triggered Execution: Windows Management Instrumentation Event Subscription Reflective Code Loading Credentials from Password Stores: Windows Credential Manager
Component Firmware CONTRIBUTE A TEST Access Token Manipulation: Parent PID Spoofing Mutual Exclusion CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST
Office Application Startup: Office Template Macros. Event Triggered Execution: Change Default File Association Ignore Process Interrupts CONTRIBUTE A TEST Reversible Encryption CONTRIBUTE A TEST
Event Triggered Execution: AppCert DLLs VDSO Hijacking CONTRIBUTE A TEST Time Based Evasion Multi-Factor Authentication Interception CONTRIBUTE A TEST
Device Registration CONTRIBUTE A TEST Event Triggered Execution: Emond Signed Binary Proxy Execution: CMSTP OS Credential Dumping: NTDS
Pre-OS Boot CONTRIBUTE A TEST Services File Permissions Weakness CONTRIBUTE A TEST Impair Defenses: Disable Windows Event Logging Steal or Forge Kerberos Tickets: Kerberoasting
Boot or Logon Autostart Execution: Login Items Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Signed Binary Proxy Execution: Control Panel OS Credential Dumping: DCSync
Port Knocking CONTRIBUTE A TEST Account Manipulation Network Address Translation Traversal CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST
Account Manipulation: Additional Cloud Credentials Boot or Logon Autostart Execution: Kernel Modules and Extensions Overwrite Process Arguments CONTRIBUTE A TEST Input Capture: Credential API Hooking
Network Provider DLL CONTRIBUTE A TEST KernelCallbackTable CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST Kubernetes List Secrets
Event Triggered Execution: Windows Management Instrumentation Event Subscription Scheduled Task/Job: Systemd Timers Impair Defenses: Disable or Modify System Firewall Network Device Authentication CONTRIBUTE A TEST
Compromise Host Software Binary CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Subvert Trust Controls: SIP and Trust Provider Hijacking
Event Triggered Execution: Change Default File Association Container Service CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST
Event Triggered Execution: Emond Valid Accounts CONTRIBUTE A TEST Electron Applications CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST Process Injection: Process Hollowing Impair Defenses: Disable or Modify Linux Audit System
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Exploitation for Privilege Escalation CONTRIBUTE A TEST Rogue Domain Controller
Create Account: Cloud Account Event Triggered Execution Subvert Trust Controls: Code Signing Policy Modification
Account Manipulation Event Triggered Execution: .bash_profile .bashrc and .shrc Deploy a container
Boot or Logon Autostart Execution: Kernel Modules and Extensions Access Token Manipulation: SID-History Injection Modify Registry
KernelCallbackTable CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking
Scheduled Task/Job: Systemd Timers Authentication Package Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
ROMMONkit CONTRIBUTE A TEST Event Triggered Execution: Component Object Model Hijacking Bind Mounts CONTRIBUTE A TEST
Outlook Forms CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Unquoted Path Obfuscated Files or Information: Binary Padding
Hijack Execution Flow CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Startup Items Domain Policy Modification: Group Policy Modification
Container Service CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Valid Accounts: Default Accounts
Valid Accounts CONTRIBUTE A TEST Network Logon Script CONTRIBUTE A TEST Hijack Execution Flow: LD_PRELOAD
Multi-Factor Authentication CONTRIBUTE A TEST Event Triggered Execution: AppInit DLLs Indicator Removal on Host: Clear Windows Event Logs
IIS Components Event Triggered Execution: Screensaver File and Directory Permissions Modification
Event Triggered Execution Create or Modify System Process: Launch Agent Junk Code Insertion CONTRIBUTE A TEST
Event Triggered Execution: .bash_profile .bashrc and .shrc Proc Memory CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST
Authentication Package Installer Packages CONTRIBUTE A TEST Create Process with Token
Event Triggered Execution: Component Object Model Hijacking Boot or Logon Initialization Scripts: Rc.common Abuse Elevation Control Mechanism: Setuid and Setgid
Office Application Startup: Outlook Home Page Access Token Manipulation CONTRIBUTE A TEST Signed Binary Proxy Execution: Odbcconf
Hijack Execution Flow: Path Interception by Unquoted Path Create or Modify System Process: SysV/Systemd Service Temporary Elevated Cloud Access CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Startup Items XDG Autostart Entries CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST
Cloud Application Integration CONTRIBUTE A TEST Thread Local Storage CONTRIBUTE A TEST Delete Cloud Instance CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Boot or Logon Autostart Execution: Re-opened Applications Executable Installer File Permissions Weakness CONTRIBUTE A TEST
Network Logon Script CONTRIBUTE A TEST Account Manipulation: Additional Email Delegate Permissions Impair Defenses: Indicator Blocking
BITS Jobs TCC Manipulation CONTRIBUTE A TEST Extended Attributes CONTRIBUTE A TEST
Event Triggered Execution: AppInit DLLs Ptrace System Calls CONTRIBUTE A TEST Disable or Modify Cloud Firewall CONTRIBUTE A TEST
Event Triggered Execution: Screensaver Boot or Logon Initialization Scripts: Logon Script (Windows) Right-to-Left Override CONTRIBUTE A TEST
Conditional Access Policies CONTRIBUTE A TEST Process Injection: ListPlanting SVG Smuggling CONTRIBUTE A TEST
Create or Modify System Process: Launch Agent Domain or Tenant Policy Modification CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Boot or Logon Autostart Execution: LSASS Driver Indicator Removal on Host
Domain Controller Authentication CONTRIBUTE A TEST Valid Accounts: Cloud Accounts Use Alternate Authentication Material: Pass the Ticket
Reversible Encryption CONTRIBUTE A TEST Scheduled Task/Job: At Masquerading: Masquerade Task or Service
Installer Packages CONTRIBUTE A TEST Process Injection: Dynamic-link Library Injection Process Injection: Asynchronous Procedure Call
Boot or Logon Initialization Scripts: Rc.common Udev Rules CONTRIBUTE A TEST Plist File Modification
Create or Modify System Process: SysV/Systemd Service Event Triggered Execution: Netsh Helper DLL JamPlus CONTRIBUTE A TEST
Exclusive Control CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Subvert Trust Controls: Mark-of-the-Web Bypass
Create Account CONTRIBUTE A TEST Valid Accounts: Local Accounts Disable Crypto Hardware CONTRIBUTE A TEST
XDG Autostart Entries CONTRIBUTE A TEST Hijack Execution Flow: COR_PROFILER Pre-OS Boot CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Re-opened Applications Build Image on Host
Account Manipulation: Additional Email Delegate Permissions Process Injection: Portable Executable Injection
Power Settings CONTRIBUTE A TEST Verclsid CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Logon Script (Windows) Impair Defenses: Downgrade Attack
Office Application Startup: Office Test Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Boot or Logon Autostart Execution: LSASS Driver Signed Binary Proxy Execution: Mshta
Valid Accounts: Cloud Accounts Execution Guardrails CONTRIBUTE A TEST
Scheduled Task/Job: At Access Token Manipulation: Token Impersonation/Theft
Modify Authentication Process CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Udev Rules CONTRIBUTE A TEST LNK Icon Smuggling CONTRIBUTE A TEST
Event Triggered Execution: Netsh Helper DLL Hide Artifacts: Hidden Users
vSphere Installation Bundles CONTRIBUTE A TEST Make and Impersonate Token CONTRIBUTE A TEST
SQL Stored Procedures CONTRIBUTE A TEST Impair Defenses: Impair Command History Logging
Network Device Authentication CONTRIBUTE A TEST Network Provider DLL CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST
Valid Accounts: Local Accounts Access Token Manipulation: Parent PID Spoofing
Hijack Execution Flow: COR_PROFILER VDSO Hijacking CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST
KernelCallbackTable CONTRIBUTE A TEST
ROMMONkit CONTRIBUTE A TEST
Signed Binary Proxy Execution: Compiled HTML File
Indicator Removal on Host: Network Share Connection Removal
Impair Defenses: Disable or Modify Tools
Modify System Image CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST
Indicator Removal from Tools CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Process Injection: Process Hollowing
Resource Forking CONTRIBUTE A TEST
Obfuscated Files or Information
Multi-Factor Authentication CONTRIBUTE A TEST
Invalid Code Signature CONTRIBUTE A TEST
Run Virtual Instance
Polymorphic Code CONTRIBUTE A TEST
Access Token Manipulation: SID-History Injection
Network Boundary Bridging CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Elevated Execution with Prompt CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvr32
Masquerading: Rename System Utilities
Spoof Security Alerting CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Unquoted Path
Steganography CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvcs/Regasm
Subvert Trust Controls: Install Root Certificate
Obfuscated Files or Information: Compile After Delivery
VBA Stomping CONTRIBUTE A TEST
BITS Jobs
Trusted Developer Utilities Proxy Execution: MSBuild
Impersonation CONTRIBUTE A TEST
Modify Cloud Compute Configurations CONTRIBUTE A TEST
Impair Defenses: Disable Cloud Logs
Hide Artifacts: Hidden Window
ClickOnce CONTRIBUTE A TEST
Relocate Malware CONTRIBUTE A TEST
Conditional Access Policies CONTRIBUTE A TEST
Create Cloud Instance CONTRIBUTE A TEST
Proc Memory CONTRIBUTE A TEST
Patch System Image CONTRIBUTE A TEST
Clear Persistence CONTRIBUTE A TEST
Masquerade Account Name CONTRIBUTE A TEST
Domain Controller Authentication CONTRIBUTE A TEST
HTML Smuggling
Reversible Encryption CONTRIBUTE A TEST
Command Obfuscation CONTRIBUTE A TEST
Indicator Removal on Host: File Deletion
Template Injection
Access Token Manipulation CONTRIBUTE A TEST
Obfuscated Files or Information: Software Packing
Hidden File System CONTRIBUTE A TEST
Email Spoofing CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Debugger Evasion
Masquerading: Space after Filename
Use Alternate Authentication Material: Pass the Hash
SyncAppvPublishingServer CONTRIBUTE A TEST
TCC Manipulation CONTRIBUTE A TEST
Ptrace System Calls CONTRIBUTE A TEST
Obfuscated Files or Information: Dynamic API Resolution
Process Injection: ListPlanting
Domain or Tenant Policy Modification CONTRIBUTE A TEST
XSL Script Processing
Hide Artifacts: Hidden Files and Directories
Modify Cloud Compute Infrastructure: Create Snapshot
Application Access Token CONTRIBUTE A TEST
Valid Accounts: Cloud Accounts
Environmental Keying CONTRIBUTE A TEST
Hide Artifacts: NTFS File Attributes
Process Injection: Dynamic-link Library Injection
Modify Authentication Process CONTRIBUTE A TEST
Signed Script Proxy Execution
Network Device Authentication CONTRIBUTE A TEST
Compression CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST
Downgrade System Image CONTRIBUTE A TEST
Valid Accounts: Local Accounts
Exploitation for Defense Evasion CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution
MMC CONTRIBUTE A TEST
Process Argument Spoofing CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER
Reference in New Issue View Git Blame Copy Permalink