2026-05-01 23:10:14 -04:00

All Atomic Tests by ATT&CK Tactic & Technique

reconnaissance resource-development initial-access execution persistence privilege-escalation stealth defense-impairment credential-access discovery lateral-movement collection command-and-control exfiltration impact
Gather Victim Host Information CONTRIBUTE A TEST Acquire Infrastructure CONTRIBUTE A TEST External Remote Services Scheduled Task/Job: Scheduled Task Scheduled Task/Job: Scheduled Task Process Injection: Extra Window Memory Injection Process Injection: Extra Window Memory Injection Exploitation for Defense Impairment CONTRIBUTE A TEST Adversary-in-the-Middle CONTRIBUTE A TEST System Owner/User Discovery Remote Services: VNC Archive Collected Data: Archive via Utility Socket Filters CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Digital Certificates CONTRIBUTE A TEST Serverless CONTRIBUTE A TEST Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Windows Management Instrumentation Socket Filters CONTRIBUTE A TEST Scheduled Task/Job: Scheduled Task Socket Filters CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Modify Authentication Process: Pluggable Authentication Modules Container and Resource Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Data Encoding: Standard Encoding Exfiltration Over Webhook CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
Purchase Technical Data CONTRIBUTE A TEST Artificial Intelligence CONTRIBUTE A TEST Phishing: Spearphishing Link Server Software Component Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Fileless Storage CONTRIBUTE A TEST Revert Cloud Instance CONTRIBUTE A TEST Input Capture: Keylogging System Network Configuration Discovery: Internet Connection Discovery Remote Services: SSH Adversary-in-the-Middle CONTRIBUTE A TEST Dynamic Resolution: Domain Generation Algorithms Scheduled Transfer CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
IP Addresses CONTRIBUTE A TEST Network Devices CONTRIBUTE A TEST Phishing: Spearphishing Attachment Path Interception by PATH Environment Variable CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Event Triggered Execution: PowerShell Profile Signed Binary Proxy Execution: Rundll32 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification Brute Force: Password Guessing Permission Groups Discovery CONTRIBUTE A TEST Replication Through Removable Media Input Capture: Keylogging Application Layer Protocol: DNS Exfiltration Over Other Network Medium CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
DNS CONTRIBUTE A TEST Malvertising CONTRIBUTE A TEST Compromise Hardware Supply Chain CONTRIBUTE A TEST Command and Scripting Interpreter: JavaScript Event Triggered Execution: PowerShell Profile Create or Modify System Process CONTRIBUTE A TEST Embedded Payloads CONTRIBUTE A TEST Modify Cloud Resource Hierarchy CONTRIBUTE A TEST OS Credential Dumping Cloud Groups CONTRIBUTE A TEST Direct Cloud VM Connections CONTRIBUTE A TEST Data from Configuration Repository CONTRIBUTE A TEST Publish/Subscribe Protocols CONTRIBUTE A TEST Exfiltration Over Bluetooth CONTRIBUTE A TEST Lifecycle-Triggered Deletion CONTRIBUTE A TEST
Query Public AI Services CONTRIBUTE A TEST Digital Certificates CONTRIBUTE A TEST Replication Through Removable Media Kubernetes Cronjob Create or Modify System Process CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST File/Path Exclusions CONTRIBUTE A TEST Modify or Spoof Tool UI CONTRIBUTE A TEST Steal Web Session Cookie Group Policy Discovery SSH Hijacking CONTRIBUTE A TEST Sharepoint CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST Automated Exfiltration SMS Pumping CONTRIBUTE A TEST
WHOIS CONTRIBUTE A TEST DNS Server CONTRIBUTE A TEST Supply Chain Compromise Hijack Execution Flow: Services Registry Permissions Weakness External Remote Services Kubernetes Cronjob Signed Script Proxy Execution: Pubprn Disable or Modify Tools: Disable or Modify Windows Event Log OS Credential Dumping: Security Account Manager Device Driver Discovery Remote Services: SMB/Windows Admin Shares Audio Capture Fast Flux DNS CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Search Victim-Owned Websites CONTRIBUTE A TEST Digital Certificates CONTRIBUTE A TEST Exploit Public-Facing Application CONTRIBUTE A TEST Inter-Process Communication: Dynamic Data Exchange LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Bypass User Account Control Path Interception by PATH Environment Variable CONTRIBUTE A TEST Modify Cloud Compute Infrastructure CONTRIBUTE A TEST Unsecured Credentials: Cloud Instance Metadata API Account Discovery: Domain Account Use Alternate Authentication Material CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Application Layer Protocol Traffic Duplication CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
DNS/Passive DNS CONTRIBUTE A TEST Malware CONTRIBUTE A TEST Content Injection User Execution: Malicious File Kubernetes Cronjob Abuse Elevation Control Mechanism: Sudo and Sudo Caching Direct Volume Access Weaken Encryption CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST Account Discovery: Local Account Remote Services CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Remote Access Software Exfiltration to Code Repository CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Identify Business Tempo CONTRIBUTE A TEST Social Media Accounts CONTRIBUTE A TEST Valid Accounts: Default Accounts Scheduled Task/Job: Cron Pre-OS Boot: System Firmware Boot or Logon Autostart Execution Hide Artifacts: Email Hiding Rules Disable or Modify Tools: Disable or Modify Linux Audit System Log Brute Force: Password Cracking Virtualization/Sandbox Evasion: System Checks Remote Service Session Hijacking CONTRIBUTE A TEST Data from Removable Media Content Injection Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Service Stop
Gather Victim Host Information: Hardware Vulnerabilities CONTRIBUTE A TEST Trusted Relationship CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Active Setup Obfuscated Files or Information: Encrypted/Encoded File Domain Trust Modification Credentials from Password Stores: Keychain Permission Groups Discovery: Domain Groups Remote Services: Windows Remote Management Data Staged: Local Data Staging Traffic Signaling CONTRIBUTE A TEST Exfiltration Over C2 Channel Application or System Exploitation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Botnet CONTRIBUTE A TEST Phishing CONTRIBUTE A TEST Hijack Execution Flow: DLL Boot or Logon Autostart Execution Domain Trust Modification Rootkit Windows Host Firewall CONTRIBUTE A TEST OS Credential Dumping: LSA Secrets System Service Discovery Remote Services: Distributed Component Object Model Email Collection: Local Email Collection Protocol Tunneling Exfiltration Over Alternative Protocol Runtime Data Manipulation CONTRIBUTE A TEST
Network Topology CONTRIBUTE A TEST Drive-by Target CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST ESXi Administration Command CONTRIBUTE A TEST Active Setup Create or Modify System Process: Windows Service Masquerading: Double File Extension Downgrade Attack Forge Web Credentials: SAML token Network Sniffing Use Alternate Authentication Material: Pass the Ticket Databases CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Reflection Amplification CONTRIBUTE A TEST
Network Trust Dependencies CONTRIBUTE A TEST Code Signing Certificates CONTRIBUTE A TEST Spearphishing Voice CONTRIBUTE A TEST AppDomainManager CONTRIBUTE A TEST Browser Extensions CONTRIBUTE A TEST Scheduled Task/Job: Cron Pre-OS Boot: System Firmware Subvert Trust Controls: Gatekeeper Bypass OS Credential Dumping: Proc Filesystem Network Share Discovery Cloud Services CONTRIBUTE A TEST Automated Collection Communication Through Removable Media CONTRIBUTE A TEST Exfiltration Over Web Service: Exfiltration to Text Storage Sites Service Exhaustion Flood CONTRIBUTE A TEST
Threat Intel Vendors CONTRIBUTE A TEST Virtual Private Server CONTRIBUTE A TEST Compromise Software Supply Chain Scheduled Task/Job CONTRIBUTE A TEST TFTP Boot CONTRIBUTE A TEST Account Manipulation: Additional Cloud Roles Hijack Execution Flow: Services Registry Permissions Weakness Code Signing CONTRIBUTE A TEST Password Managers CONTRIBUTE A TEST Peripheral Device Discovery Software Deployment Tools Clipboard Data External Proxy CONTRIBUTE A TEST Exfiltration Over Web Service: Exfiltration to Cloud Storage Defacement CONTRIBUTE A TEST
Gather Victim Identity Information CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Command and Scripting Interpreter: AppleScript Create or Modify System Process: Windows Service Boot or Logon Autostart Execution: Print Processors Bootkit CONTRIBUTE A TEST File and Directory Permissions Modification: Windows File and Directory Permissions Modification Network Sniffing System Information Discovery Exploitation of Remote Services CONTRIBUTE A TEST Data from Cloud Storage Object Proxy CONTRIBUTE A TEST Data Transfer Size Limits Bandwidth Hijacking CONTRIBUTE A TEST
Vulnerability Scanning CONTRIBUTE A TEST Email Accounts CONTRIBUTE A TEST Hardware Additions CONTRIBUTE A TEST Native API Scheduled Task/Job: Cron Additional Container Cluster Roles CONTRIBUTE A TEST Mavinject CONTRIBUTE A TEST Disable or Modify Tools: Disable or Modify Cloud Log Unsecured Credentials: Credentials in Registry System Network Configuration Discovery: Wi-Fi Discovery Internal Spearphishing CONTRIBUTE A TEST Remote Data Staging CONTRIBUTE A TEST IDE Tunneling CONTRIBUTE A TEST Transfer Data to Cloud Account CONTRIBUTE A TEST Financial Theft CONTRIBUTE A TEST
Search Open Technical Databases CONTRIBUTE A TEST Upload Malware CONTRIBUTE A TEST Drive-by Compromise CONTRIBUTE A TEST Command and Scripting Interpreter: AutoHotKey & AutoIT Office Application Startup Scheduled Task/Job CONTRIBUTE A TEST Masquerading: Match Legitimate Name or Location Modify Authentication Process: Password Filter DLL Modify Authentication Process: Password Filter DLL Backup Software Discovery CONTRIBUTE A TEST Lateral Tool Transfer Data from Local System Dynamic Resolution CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Defacement: Internal Defacement
Search Threat Vendor Data CONTRIBUTE A TEST Domains CONTRIBUTE A TEST Valid Accounts: Cloud Accounts System Services: Systemctl Account Manipulation: Additional Cloud Roles Additional Local or Domain Groups CONTRIBUTE A TEST Masquerade File Type CONTRIBUTE A TEST Reduce Key Space CONTRIBUTE A TEST Ccache Files CONTRIBUTE A TEST Application Window Discovery Web Session Cookie CONTRIBUTE A TEST Archive Collected Data: Archive via Library Web Service CONTRIBUTE A TEST Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Cloud Service Hijacking CONTRIBUTE A TEST
Active Scanning CONTRIBUTE A TEST Upload Tool CONTRIBUTE A TEST Spearphishing via Service CONTRIBUTE A TEST Cloud API CONTRIBUTE A TEST Boot or Logon Autostart Execution: Print Processors Thread Execution Hijacking Hide Artifacts Network Address Translation Traversal CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: AS-REP Roasting Email Account CONTRIBUTE A TEST Remote Service Session Hijacking: RDP Hijacking Evil Twin CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Compute Hijacking CONTRIBUTE A TEST
Email Addresses CONTRIBUTE A TEST Server CONTRIBUTE A TEST Valid Accounts: Local Accounts Deploy a container Office Application Startup: Add-ins Event Triggered Execution: Application Shimming TFTP Boot CONTRIBUTE A TEST Subvert Trust Controls: SIP and Trust Provider Hijacking Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Time Based Evasion Use Alternate Authentication Material: Pass the Hash Network Device Configuration Dump CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST Email Accounts CONTRIBUTE A TEST Wi-Fi Networks CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking Server Software Component: Transport Agent Boot or Logon Autostart Execution: Port Monitors Virtualization/Sandbox Evasion: System Checks Hybrid Identity CONTRIBUTE A TEST Credentials from Password Stores Cloud Infrastructure Discovery Remote Services: Remote Desktop Protocol Archive Collected Data Port Knocking CONTRIBUTE A TEST Account Access Removal
Network Security Appliances CONTRIBUTE A TEST Written Content CONTRIBUTE A TEST Hijack Execution Flow: LD_PRELOAD Additional Container Cluster Roles CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Signed Binary Proxy Execution: InstallUtil Rogue Domain Controller Unsecured Credentials Browser Bookmark Discovery Application Access Token CONTRIBUTE A TEST Browser Session Hijacking CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Data Encrypted for Impact
Search Engines CONTRIBUTE A TEST Malware CONTRIBUTE A TEST Input Injection CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Process Injection Stripped Payloads CONTRIBUTE A TEST Subvert Trust Controls: Code Signing Policy Modification Evil Twin CONTRIBUTE A TEST Virtual Machine Discovery CONTRIBUTE A TEST DHCP Spoofing CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST Email Bombing CONTRIBUTE A TEST
Business Relationships CONTRIBUTE A TEST Virtual Private Server CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Modify Authentication Process: Password Filter DLL Escape to Host Hijack Execution Flow: DLL Modify Registry Hybrid Identity CONTRIBUTE A TEST System Network Configuration Discovery Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Proxy: Multi-hop Proxy Endpoint Denial of Service CONTRIBUTE A TEST
Code Repositories CONTRIBUTE A TEST Compromise Infrastructure CONTRIBUTE A TEST Command and Scripting Interpreter Server Software Component: Terminal Services DLL Boot or Logon Autostart Execution: Shortcut Modification Break Process Trees CONTRIBUTE A TEST Domain Policy Modification: Group Policy Modification Credentials from Password Stores: Credentials from Web Browsers Account Discovery CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Remote Access Hardware CONTRIBUTE A TEST Resource Hijacking
Employee Names CONTRIBUTE A TEST Compromise Accounts CONTRIBUTE A TEST Malicious Library CONTRIBUTE A TEST Browser Extensions Boot or Logon Autostart Execution: Security Support Provider AppDomainManager CONTRIBUTE A TEST Disable or Modify Tools: Clear Linux or Mac System Logs DHCP Spoofing CONTRIBUTE A TEST Domain Trust Discovery Video Capture Data Obfuscation CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Client Configurations CONTRIBUTE A TEST Botnet CONTRIBUTE A TEST Poisoned Pipeline Execution CONTRIBUTE A TEST Office Application Startup: Outlook Rules Create or Modify System Process: Launch Daemon Signed Binary Proxy Execution: Msiexec File and Directory Permissions Modification Unsecured Credentials: Private Keys File and Directory Discovery Confluence CONTRIBUTE A TEST Non-Standard Port Data Destruction
Spearphishing Attachment CONTRIBUTE A TEST Stage Capabilities CONTRIBUTE A TEST Kubernetes Exec Into Container Additional Local or Domain Groups CONTRIBUTE A TEST Domain Policy Modification: Group Policy Modification Clear Network Connection History and Configurations CONTRIBUTE A TEST Delete Cloud Instance CONTRIBUTE A TEST Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay System Network Connections Discovery Email Collection: Email Forwarding Rule Encrypted Channel Network Denial of Service CONTRIBUTE A TEST
CDNs CONTRIBUTE A TEST Link Target CONTRIBUTE A TEST JamPlus CONTRIBUTE A TEST Event Triggered Execution: Application Shimming Valid Accounts: Default Accounts Indicator Removal on Host: Clear Command History Disable or Modify Tools: Clear Windows Event Logs OS Credential Dumping: LSASS Memory Virtualization/Sandbox Evasion CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Bidirectional Communication CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Gather Victim Org Information CONTRIBUTE A TEST Web Services CONTRIBUTE A TEST System Services: Launchctl Boot or Logon Autostart Execution: Port Monitors Time Providers Indirect Command Execution Plist File Modification Brute Force: Password Spraying Cloud Storage Object Discovery Input Capture: GUI Input Capture Asymmetric Cryptography CONTRIBUTE A TEST Inhibit System Recovery
Gather Victim Network Information CONTRIBUTE A TEST Audio-Visual Content CONTRIBUTE A TEST Network Device CLI CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Event Triggered Execution: Trap Deobfuscate/Decode Files or Information Subvert Trust Controls: Mark-of-the-Web Bypass Web Portal Capture CONTRIBUTE A TEST Log Enumeration Data from Network Shared Drive Non-Application Layer Protocol Disk Content Wipe CONTRIBUTE A TEST
Search Open Websites/Domains CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST XPC Services CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Thread Execution Hijacking Disable Crypto Hardware CONTRIBUTE A TEST OS Credential Dumping: Cached Domain Credentials Cloud Account CONTRIBUTE A TEST Email Collection: Remote Email Collection Protocol or Service Impersonation CONTRIBUTE A TEST System Shutdown/Reboot
Search Closed Sources CONTRIBUTE A TEST Tool CONTRIBUTE A TEST User Execution CONTRIBUTE A TEST Boot or Logon Autostart Execution: Shortcut Modification Create Process with Token Social Engineering CONTRIBUTE A TEST Network Provider DLL CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: Golden Ticket Process Discovery Input Capture CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST
Firmware CONTRIBUTE A TEST Web Services CONTRIBUTE A TEST Software Deployment Tools Implant Internal Image CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Setuid and Setgid Masquerading Network Device Firewall CONTRIBUTE A TEST Steal or Forge Authentication Certificates User Activity Based Checks CONTRIBUTE A TEST Customer Relationship Management Software CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST
Software CONTRIBUTE A TEST Social Media Accounts CONTRIBUTE A TEST Command and Scripting Interpreter: PowerShell Boot or Logon Autostart Execution: Security Support Provider Boot or Logon Autostart Execution: Winlogon Helper DLL Email Collection: Mailbox Manipulation Modify System Image CONTRIBUTE A TEST Unsecured Credentials: Bash History Permission Groups Discovery: Local Groups ARP Cache Poisoning CONTRIBUTE A TEST Remote Desktop Software CONTRIBUTE A TEST
Social Media CONTRIBUTE A TEST Generate Content CONTRIBUTE A TEST Services File Permissions Weakness CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST SSH Authorized Keys Process Injection Multi-Factor Authentication CONTRIBUTE A TEST Unsecured Credentials: Credentials In Files Password Policy Discovery Code Repositories CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST
Credentials CONTRIBUTE A TEST Exploits CONTRIBUTE A TEST KernelCallbackTable CONTRIBUTE A TEST Modify Registry Event Triggered Execution: Image File Execution Options Injection Traffic Signaling CONTRIBUTE A TEST Network Boundary Bridging CONTRIBUTE A TEST Web Cookies CONTRIBUTE A TEST System Location Discovery: System Language Discovery Data from Information Repositories CONTRIBUTE A TEST Application Layer Protocol: Web Protocols
Active Scanning: Wordlist Scanning Install Digital Certificate CONTRIBUTE A TEST Scheduled Task/Job: Systemd Timers Create or Modify System Process: Launch Daemon Temporary Elevated Cloud Access CONTRIBUTE A TEST Signed Binary Proxy Execution Prevent Command History Logging Steal Application Access Token Query Registry SNMP (MIB Dump) CONTRIBUTE A TEST Ingress Tool Transfer
Identify Roles CONTRIBUTE A TEST DNS Server CONTRIBUTE A TEST Command and Scripting Interpreter: Bash Server Software Component: Web Shell Process Doppelgänging CONTRIBUTE A TEST Indicator Removal on Host: Timestomp Subvert Trust Controls CONTRIBUTE A TEST Unsecured Credentials: Group Policy Preferences System Location Discovery Input Capture: Credential API Hooking Hide Infrastructure CONTRIBUTE A TEST
Phishing for Information CONTRIBUTE A TEST Establish Accounts CONTRIBUTE A TEST Inter-Process Communication Valid Accounts: Default Accounts Event Triggered Execution: Accessibility Features Reflective Code Loading Disable or Modify Tools Network Provider DLL CONTRIBUTE A TEST Software Discovery: Security Software Discovery Messaging Applications CONTRIBUTE A TEST Data Obfuscation via Steganography
Scanning IP Blocks CONTRIBUTE A TEST Obtain Capabilities CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Time Providers Process Injection: Asynchronous Procedure Call Mutual Exclusion CONTRIBUTE A TEST Subvert Trust Controls: Install Root Certificate Forge Web Credentials CONTRIBUTE A TEST Cloud Service Discovery Fallback Channels CONTRIBUTE A TEST
Domain Properties CONTRIBUTE A TEST Acquire Access CONTRIBUTE A TEST Lua CONTRIBUTE A TEST Event Triggered Execution: Trap Event Triggered Execution: AppCert DLLs Ignore Process Interrupts CONTRIBUTE A TEST Safe Mode Boot Multi-Factor Authentication Request Generation CONTRIBUTE A TEST Remote System Discovery Proxy: Internal Proxy
Scan Databases CONTRIBUTE A TEST Serverless CONTRIBUTE A TEST User Execution: Malicious Image Create Account: Local Account Device Registration CONTRIBUTE A TEST Time Based Evasion Modify Cloud Compute Configurations CONTRIBUTE A TEST Chat Messages CONTRIBUTE A TEST Network Service Discovery Dead Drop Resolver CONTRIBUTE A TEST
Determine Physical Locations CONTRIBUTE A TEST Server CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST IDE Extensions CONTRIBUTE A TEST Process Injection: Portable Executable Injection Signed Binary Proxy Execution: CMSTP Conditional Access Policies CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Software Discovery Junk Data CONTRIBUTE A TEST
Spearphishing Service CONTRIBUTE A TEST SEO Poisoning CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Unquoted Path Boot or Logon Autostart Execution: Winlogon Helper DLL Boot or Logon Autostart Execution: Login Items Signed Binary Proxy Execution: Control Panel Create Cloud Instance CONTRIBUTE A TEST Input Capture: GUI Input Capture Cloud Service Dashboard CONTRIBUTE A TEST
Code Signing Certificates CONTRIBUTE A TEST Container CLI/API CONTRIBUTE A TEST SSH Authorized Keys Access Token Manipulation: Token Impersonation/Theft Overwrite Process Arguments CONTRIBUTE A TEST Patch System Image CONTRIBUTE A TEST Brute Force CONTRIBUTE A TEST Debugger Evasion
Develop Capabilities CONTRIBUTE A TEST BITS Jobs Event Triggered Execution: Image File Execution Options Injection Account Manipulation: Additional Cloud Credentials Electron Applications CONTRIBUTE A TEST Modify Authentication Process: Domain Controller Authentication Brute Force: Credential Stuffing Local Storage Discovery CONTRIBUTE A TEST
Exploits CONTRIBUTE A TEST Trusted Developer Utilities Proxy Execution: MSBuild Event Triggered Execution: Accessibility Features Make and Impersonate Token CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking Reversible Encryption CONTRIBUTE A TEST Multi-Factor Authentication CONTRIBUTE A TEST System Time Discovery
Domains CONTRIBUTE A TEST ClickOnce CONTRIBUTE A TEST Create Account: Domain Account Event Triggered Execution: Windows Management Instrumentation Event Subscription Unused/Unsupported Cloud Regions CONTRIBUTE A TEST Domain or Tenant Policy Modification CONTRIBUTE A TEST Forced Authentication
Command and Scripting Interpreter: Python Component Firmware CONTRIBUTE A TEST Access Token Manipulation: Parent PID Spoofing Bind Mounts CONTRIBUTE A TEST Modify Cloud Compute Infrastructure: Create Snapshot Input Capture CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST Office Application Startup: Office Template Macros. Event Triggered Execution: Change Default File Association Obfuscated Files or Information: Binary Padding Cloud Firewall CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST
Command and Scripting Interpreter: Windows Command Shell Event Triggered Execution: AppCert DLLs VDSO Hijacking CONTRIBUTE A TEST Valid Accounts: Default Accounts Disable or Modify System Firewall Conditional Access Policies CONTRIBUTE A TEST
Hypervisor CLI CONTRIBUTE A TEST Device Registration CONTRIBUTE A TEST Event Triggered Execution: Emond Hijack Execution Flow: LD_PRELOAD Modify Authentication Process CONTRIBUTE A TEST Credentials from Password Stores: Cloud Secrets Management Stores
Cloud Administration Command Pre-OS Boot CONTRIBUTE A TEST Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Junk Code Insertion CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
Command and Scripting Interpreter: Visual Basic Boot or Logon Autostart Execution: Login Items Account Manipulation Create Process with Token Downgrade System Image CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: Silver Ticket
Malicious Copy and Paste CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST Boot or Logon Autostart Execution: Kernel Modules and Extensions Signed Binary Proxy Execution: Odbcconf Credentials from Password Stores: Windows Credential Manager
Serverless Execution Account Manipulation: Additional Cloud Credentials Scheduled Task/Job: Systemd Timers Process Doppelgänging CONTRIBUTE A TEST Modify Authentication Process: Domain Controller Authentication
Malicious Link CONTRIBUTE A TEST Network Provider DLL CONTRIBUTE A TEST Container Service CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Reversible Encryption CONTRIBUTE A TEST
System Services: Service Execution Event Triggered Execution: Windows Management Instrumentation Event Subscription Valid Accounts CONTRIBUTE A TEST Extended Attributes CONTRIBUTE A TEST Multi-Factor Authentication Interception CONTRIBUTE A TEST
Scheduled Task/Job: At Compromise Host Software Binary CONTRIBUTE A TEST Process Injection: Process Hollowing Right-to-Left Override CONTRIBUTE A TEST OS Credential Dumping: NTDS
Dylib Hijacking CONTRIBUTE A TEST Event Triggered Execution: Change Default File Association Exploitation for Privilege Escalation CONTRIBUTE A TEST SVG Smuggling CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: Kerberoasting
Trusted Developer Utilities Proxy Execution Event Triggered Execution: Emond Event Triggered Execution Component Firmware CONTRIBUTE A TEST OS Credential Dumping: DCSync
Hijack Execution Flow: COR_PROFILER Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Event Triggered Execution: .bash_profile .bashrc and .shrc Indicator Removal on Host Modify Authentication Process CONTRIBUTE A TEST
Create Account: Cloud Account Access Token Manipulation: SID-History Injection Masquerading: Masquerade Task or Service Input Capture: Credential API Hooking
Account Manipulation Elevated Execution with Prompt CONTRIBUTE A TEST Process Injection: Asynchronous Procedure Call Kubernetes List Secrets
Boot or Logon Autostart Execution: Kernel Modules and Extensions Authentication Package JamPlus CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST
Scheduled Task/Job: Systemd Timers Event Triggered Execution: Component Object Model Hijacking Pre-OS Boot CONTRIBUTE A TEST
ROMMONkit CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Startup Items Build Image on Host
Outlook Forms CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Process Injection: Portable Executable Injection
Container Service CONTRIBUTE A TEST Event Triggered Execution: Python Startup Hooks Verclsid CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Network Logon Script CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Multi-Factor Authentication CONTRIBUTE A TEST Event Triggered Execution: AppInit DLLs Signed Binary Proxy Execution: Mshta
IIS Components Event Triggered Execution: Screensaver Execution Guardrails CONTRIBUTE A TEST
Event Triggered Execution Create or Modify System Process: Launch Agent Access Token Manipulation: Token Impersonation/Theft
Event Triggered Execution: .bash_profile .bashrc and .shrc Proc Memory CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Authentication Package Installer Packages CONTRIBUTE A TEST LNK Icon Smuggling CONTRIBUTE A TEST
Event Triggered Execution: Component Object Model Hijacking Boot or Logon Initialization Scripts: Rc.common Hide Artifacts: Hidden Users
Office Application Startup: Outlook Home Page Access Token Manipulation CONTRIBUTE A TEST Make and Impersonate Token CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Startup Items Create or Modify System Process: SysV/Systemd Service User Activity Based Checks CONTRIBUTE A TEST
Cloud Application Integration CONTRIBUTE A TEST XDG Autostart Entries CONTRIBUTE A TEST Access Token Manipulation: Parent PID Spoofing
Domain Accounts CONTRIBUTE A TEST Thread Local Storage CONTRIBUTE A TEST VDSO Hijacking CONTRIBUTE A TEST
Event Triggered Execution: Python Startup Hooks Boot or Logon Autostart Execution: Re-opened Applications Selective Exclusion CONTRIBUTE A TEST
Network Logon Script CONTRIBUTE A TEST Account Manipulation: Additional Email Delegate Permissions Services File Permissions Weakness CONTRIBUTE A TEST
BITS Jobs TCC Manipulation CONTRIBUTE A TEST Delay Execution CONTRIBUTE A TEST
Event Triggered Execution: AppInit DLLs Ptrace System Calls CONTRIBUTE A TEST KernelCallbackTable CONTRIBUTE A TEST
Event Triggered Execution: Screensaver Boot or Logon Initialization Scripts: Logon Script (Windows) ROMMONkit CONTRIBUTE A TEST
Conditional Access Policies CONTRIBUTE A TEST Process Injection: ListPlanting Signed Binary Proxy Execution: Compiled HTML File
Create or Modify System Process: Launch Agent Domain or Tenant Policy Modification CONTRIBUTE A TEST Indicator Removal on Host: Network Share Connection Removal
Server Software Component CONTRIBUTE A TEST Boot or Logon Autostart Execution: LSASS Driver Hijack Execution Flow CONTRIBUTE A TEST
Modify Authentication Process: Domain Controller Authentication Valid Accounts: Cloud Accounts Browser Fingerprint CONTRIBUTE A TEST
Reversible Encryption CONTRIBUTE A TEST Scheduled Task/Job: At Indicator Removal from Tools CONTRIBUTE A TEST
Installer Packages CONTRIBUTE A TEST Process Injection: Dynamic-link Library Injection Valid Accounts CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Rc.common Udev Rules CONTRIBUTE A TEST Process Injection: Process Hollowing
Create or Modify System Process: SysV/Systemd Service Event Triggered Execution: Netsh Helper DLL Resource Forking CONTRIBUTE A TEST
Exclusive Control CONTRIBUTE A TEST Valid Accounts: Local Accounts Obfuscated Files or Information
Create Account CONTRIBUTE A TEST Invalid Code Signature CONTRIBUTE A TEST
XDG Autostart Entries CONTRIBUTE A TEST Run Virtual Instance
Boot or Logon Autostart Execution: Re-opened Applications Polymorphic Code CONTRIBUTE A TEST
Account Manipulation: Additional Email Delegate Permissions Access Token Manipulation: SID-History Injection
Power Settings CONTRIBUTE A TEST Signed Binary Proxy Execution: Regsvr32
Boot or Logon Initialization Scripts: Logon Script (Windows) Masquerading: Rename System Utilities
Office Application Startup: Office Test Hijack Execution Flow: Path Interception by Unquoted Path
Boot or Logon Autostart Execution: LSASS Driver Steganography CONTRIBUTE A TEST
Valid Accounts: Cloud Accounts Domain Accounts CONTRIBUTE A TEST
Scheduled Task/Job: At Signed Binary Proxy Execution: Regsvcs/Regasm
Modify Authentication Process CONTRIBUTE A TEST Obfuscated Files or Information: Compile After Delivery
Udev Rules CONTRIBUTE A TEST VBA Stomping CONTRIBUTE A TEST
Event Triggered Execution: Netsh Helper DLL BITS Jobs
vSphere Installation Bundles CONTRIBUTE A TEST Trusted Developer Utilities Proxy Execution: MSBuild
SQL Stored Procedures CONTRIBUTE A TEST Hide Artifacts: Hidden Window
Network Device Authentication CONTRIBUTE A TEST ClickOnce CONTRIBUTE A TEST
Valid Accounts: Local Accounts Relocate Malware CONTRIBUTE A TEST
Impersonation CONTRIBUTE A TEST
Proc Memory CONTRIBUTE A TEST
Clear Persistence CONTRIBUTE A TEST
Masquerade Account Name CONTRIBUTE A TEST
HTML Smuggling
Command Obfuscation CONTRIBUTE A TEST
Indicator Removal on Host: File Deletion
Template Injection
Access Token Manipulation CONTRIBUTE A TEST
Obfuscated Files or Information: Software Packing
Hidden File System CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Debugger Evasion
Masquerading: Space after Filename
SyncAppvPublishingServer CONTRIBUTE A TEST
Invisible Unicode CONTRIBUTE A TEST
Ptrace System Calls CONTRIBUTE A TEST
Obfuscated Files or Information: Dynamic API Resolution
Process Injection: ListPlanting
XSL Script Processing
Hide Artifacts: Hidden Files and Directories
Valid Accounts: Cloud Accounts
Environmental Keying CONTRIBUTE A TEST
Hide Artifacts: NTFS File Attributes
Process Injection: Dynamic-link Library Injection
Signed Script Proxy Execution
Compression CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST
Email Spoofing CONTRIBUTE A TEST
Valid Accounts: Local Accounts
Exploitation for Stealth CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution
MMC CONTRIBUTE A TEST
Process Argument Spoofing CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER