atomic-red-team/atomics/Indexes/Matrices/windows-matrix.md

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
External Remote Services	Scheduled Task/Job: Scheduled Task	Scheduled Task/Job: Scheduled Task	Extra Window Memory Injection CONTRIBUTE A TEST	Extra Window Memory Injection CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	System Owner/User Discovery	VNC CONTRIBUTE A TEST	Archive Collected Data: Archive via Utility	Exfiltration Over Web Service CONTRIBUTE A TEST	Socket Filters CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Windows Management Instrumentation	Socket Filters CONTRIBUTE A TEST	Scheduled Task/Job: Scheduled Task	Socket Filters CONTRIBUTE A TEST	Input Capture: Keylogging	Internet Connection Discovery CONTRIBUTE A TEST	Taint Shared Content CONTRIBUTE A TEST	Screen Capture	Scheduled Transfer CONTRIBUTE A TEST	Data Encoding: Standard Encoding	Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Shared Modules CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Indicator Removal from Tools CONTRIBUTE A TEST	Brute Force: Password Guessing	Permission Groups Discovery CONTRIBUTE A TEST	Application Deployment Software CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Command and Scripting Interpreter: JavaScript	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Fileless Storage CONTRIBUTE A TEST	OS Credential Dumping	Group Policy Discovery	Replication Through Removable Media	Input Capture: Keylogging	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Application Layer Protocol: DNS	External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment	Regsvcs/Regasm CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Signed Binary Proxy Execution: Rundll32	LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST	Device Driver Discovery CONTRIBUTE A TEST	Remote Services: SMB/Windows Admin Shares	Sharepoint CONTRIBUTE A TEST	Automated Exfiltration	Domain Fronting CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST	Inter-Process Communication: Dynamic Data Exchange	File System Permissions Weakness CONTRIBUTE A TEST	Event Triggered Execution: PowerShell Profile	Hidden Window CONTRIBUTE A TEST	Steal Web Session Cookie	Account Discovery: Domain Account	Use Alternate Authentication Material CONTRIBUTE A TEST	Audio Capture	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Symmetric Cryptography CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media	User Execution: Malicious File	Event Triggered Execution: PowerShell Profile	Create or Modify System Process CONTRIBUTE A TEST	Embedded Payloads CONTRIBUTE A TEST	OS Credential Dumping: Security Account Manager	Security Software Discovery CONTRIBUTE A TEST	Remote Desktop Protocol CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Fast Flux DNS CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise	Component Object Model CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Bypass User Account Control	Signed Script Proxy Execution: Pubprn	Brute Force: Password Cracking	Account Discovery: Local Account	Remote Services CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Application Layer Protocol CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	External Remote Services	Hijack Execution Flow: Services Registry Permissions Weakness	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	OS Credential Dumping: LSA Secrets	Virtualization/Sandbox Evasion: System Checks	Remote Service Session Hijacking CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration Over C2 Channel	Custom Cryptographic Protocol CONTRIBUTE A TEST	Service Stop
Valid Accounts: Default Accounts	Native API	Component Firmware CONTRIBUTE A TEST	SID-History Injection CONTRIBUTE A TEST	Direct Volume Access	Forge Web Credentials: SAML token CONTRIBUTE A TEST	Permission Groups Discovery: Domain Groups	Remote Services: Windows Remote Management	Data Staged: Local Data Staging	Exfiltration Over Alternative Protocol	Remote Access Software	Application or System Exploitation CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	Rundll32 CONTRIBUTE A TEST	System Firmware CONTRIBUTE A TEST	Boot or Logon Autostart Execution	Email Hiding Rules CONTRIBUTE A TEST	Credentials in Registry CONTRIBUTE A TEST	System Service Discovery	Remote Services: Distributed Component Object Model	Email Collection: Local Email Collection	Exfiltration over USB CONTRIBUTE A TEST	Multilayer Encryption CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Regsvr32 CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Port Monitors CONTRIBUTE A TEST	Rootkit CONTRIBUTE A TEST	Password Managers CONTRIBUTE A TEST	Network Sniffing	Component Object Model and Distributed COM CONTRIBUTE A TEST	Automated Collection	Data Compressed CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	LSASS Driver CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Active Setup	Component Firmware CONTRIBUTE A TEST	Network Sniffing	Network Share Discovery	Use Alternate Authentication Material: Pass the Ticket	Clipboard Data	Exfiltration to Text Storage Sites CONTRIBUTE A TEST	Standard Cryptographic Protocol CONTRIBUTE A TEST	Reflection Amplification CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Command and Scripting Interpreter CONTRIBUTE A TEST	Boot or Logon Autostart Execution	Domain Trust Modification CONTRIBUTE A TEST	Double File Extension CONTRIBUTE A TEST	Unsecured Credentials: Credentials in Registry	Peripheral Device Discovery	Shared Webroot CONTRIBUTE A TEST	Remote Data Staging CONTRIBUTE A TEST	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Protocol Tunneling	Service Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Component Object Model and Distributed COM CONTRIBUTE A TEST	Port Monitors CONTRIBUTE A TEST	Create or Modify System Process: Windows Service	Abuse Elevation Control Mechanism: Bypass User Account Control	Modify Authentication Process: Password Filter DLL	System Information Discovery	Software Deployment Tools	Data from Local System CONTRIBUTE A TEST	Data Transfer Size Limits CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST	CMSTP CONTRIBUTE A TEST	Active Setup	Print Processors CONTRIBUTE A TEST	Timestomp CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: AS-REP Roasting	Application Window Discovery	Exploitation of Remote Services CONTRIBUTE A TEST	Archive Collected Data: Archive via Library CONTRIBUTE A TEST	Data Encrypted CONTRIBUTE A TEST	Mail Protocols CONTRIBUTE A TEST	Defacement: Internal Defacement
Spearphishing via Service CONTRIBUTE A TEST	Scripting CONTRIBUTE A TEST	Screensaver CONTRIBUTE A TEST	Hijack Execution Flow: DLL Search Order Hijacking	System Firmware CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST	Email Account CONTRIBUTE A TEST	Internal Spearphishing CONTRIBUTE A TEST	Archive Collected Data	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	User Execution CONTRIBUTE A TEST	Create or Modify System Process: Windows Service	AppInit DLLs CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Credentials from Password Stores	Time Based Evasion CONTRIBUTE A TEST	Pass the Ticket CONTRIBUTE A TEST	Browser Session Hijacking CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	External Proxy CONTRIBUTE A TEST	Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST	Control Panel Items CONTRIBUTE A TEST	Office Application Startup	Scheduled Task/Job CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Unsecured Credentials CONTRIBUTE A TEST	Browser Bookmark Discovery	Lateral Tool Transfer	DHCP Spoofing CONTRIBUTE A TEST		Proxy CONTRIBUTE A TEST	Data Encrypted for Impact
Spearphishing via Service CONTRIBUTE A TEST	Software Deployment Tools	Print Processors CONTRIBUTE A TEST	Service Registry Permissions Weakness CONTRIBUTE A TEST	Code Signing CONTRIBUTE A TEST	Credentials from Web Browsers CONTRIBUTE A TEST	System Network Configuration Discovery	Pass the Hash CONTRIBUTE A TEST	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay		Dynamic Resolution CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Valid Accounts: Local Accounts	Command and Scripting Interpreter: PowerShell	Hijack Execution Flow: DLL Search Order Hijacking	Thread Execution Hijacking	Mavinject CONTRIBUTE A TEST	Hybrid Identity CONTRIBUTE A TEST	Account Discovery CONTRIBUTE A TEST	Windows Remote Management CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST		Multi-hop Proxy CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
	Mshta CONTRIBUTE A TEST	AppInit DLLs CONTRIBUTE A TEST	Event Triggered Execution: Application Shimming	Process Hollowing CONTRIBUTE A TEST	Private Keys CONTRIBUTE A TEST	Domain Trust Discovery	Remote Service Session Hijacking: RDP Hijacking	Video Capture		Web Service CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
	Graphical User Interface CONTRIBUTE A TEST	Office Application Startup: Add-ins	Boot or Logon Autostart Execution: Port Monitors	Masquerading: Match Legitimate Name or Location	Credentials from Password Stores: Credentials from Web Browsers	File and Directory Discovery	Use Alternate Authentication Material: Pass the Hash	Email Collection: Email Forwarding Rule CONTRIBUTE A TEST		DNS Calculation CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Inter-Process Communication	Server Software Component: Transport Agent	Process Injection	Masquerade File Type CONTRIBUTE A TEST	DHCP Spoofing CONTRIBUTE A TEST	System Network Connections Discovery	Remote Services: Remote Desktop Protocol	Data Staged CONTRIBUTE A TEST		Multi-Stage Channels CONTRIBUTE A TEST	Resource Hijacking CONTRIBUTE A TEST
	Exploitation for Client Execution CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	DLL Search Order Hijacking CONTRIBUTE A TEST	Regsvcs/Regasm CONTRIBUTE A TEST	Unsecured Credentials: Private Keys	Virtualization/Sandbox Evasion CONTRIBUTE A TEST	Windows Admin Shares CONTRIBUTE A TEST	Input Capture: GUI Input Capture		Port Knocking CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Windows Remote Management CONTRIBUTE A TEST	Modify Authentication Process: Password Filter DLL	New Service CONTRIBUTE A TEST	Hide Artifacts	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	Process Discovery		Data from Network Shared Drive		Multiband Communication CONTRIBUTE A TEST	Data Destruction
	Command and Scripting Interpreter: Python CONTRIBUTE A TEST	Server Software Component: Terminal Services DLL	Escape to Host CONTRIBUTE A TEST	Domain Trust Modification CONTRIBUTE A TEST	OS Credential Dumping: LSASS Memory	User Activity Based Checks CONTRIBUTE A TEST		Remote Email Collection CONTRIBUTE A TEST		File Transfer Protocols CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
	System Services CONTRIBUTE A TEST	Browser Extensions	Boot or Logon Autostart Execution: Shortcut Modification	Impair Defenses: Safe Boot Mode	Hooking CONTRIBUTE A TEST	Permission Groups Discovery: Local Groups		Input Capture CONTRIBUTE A TEST		One-Way Communication CONTRIBUTE A TEST	Firmware Corruption CONTRIBUTE A TEST
	Command and Scripting Interpreter: Windows Command Shell	Service Registry Permissions Weakness CONTRIBUTE A TEST	AppCert DLLs CONTRIBUTE A TEST	Virtualization/Sandbox Evasion: System Checks	Brute Force: Password Spraying	Password Policy Discovery		ARP Cache Poisoning CONTRIBUTE A TEST		Proxy: Multi-hop Proxy	Inhibit System Recovery
	Compiled HTML File CONTRIBUTE A TEST	Outlook Rules CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Security Support Provider	Signed Binary Proxy Execution: InstallUtil	Web Portal Capture CONTRIBUTE A TEST	System Location Discovery: System Language Discovery		Data from Information Repositories CONTRIBUTE A TEST		Data Obfuscation CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
	Command and Scripting Interpreter: Visual Basic	Event Triggered Execution: Application Shimming	Extra Window Memory Injection CONTRIBUTE A TEST	Disabling Security Tools CONTRIBUTE A TEST	OS Credential Dumping: Cached Domain Credentials	Query Registry		Input Capture: Credential API Hooking		Non-Standard Port	System Shutdown/Reboot
	Dynamic Data Exchange CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Port Monitors	Hijack Execution Flow: Path Interception by Search Order Hijacking	Stripped Payloads CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: Golden Ticket	System Location Discovery CONTRIBUTE A TEST				Encrypted Channel
	Malicious Link CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Domain Policy Modification: Group Policy Modification	Hijack Execution Flow: DLL Search Order Hijacking	Steal or Forge Authentication Certificates	Software Discovery: Security Software Discovery				Bidirectional Communication CONTRIBUTE A TEST
	System Services: Service Execution	DLL Search Order Hijacking CONTRIBUTE A TEST	Valid Accounts: Default Accounts	Code Signing CONTRIBUTE A TEST	Unsecured Credentials: Credentials In Files	Remote System Discovery				Asymmetric Cryptography CONTRIBUTE A TEST
	Scheduled Task/Job: At	New Service CONTRIBUTE A TEST	Time Providers	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	Web Cookies CONTRIBUTE A TEST	Network Service Discovery				Non-Application Layer Protocol
	Service Execution CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Shortcut Modification	Image File Execution Options Injection CONTRIBUTE A TEST	Signed Binary Proxy Execution: Msiexec	Unsecured Credentials: Group Policy Preferences	Software Discovery				Protocol Impersonation CONTRIBUTE A TEST
	PowerShell CONTRIBUTE A TEST	Hypervisor CONTRIBUTE A TEST	Hooking CONTRIBUTE A TEST	Modify Authentication Process: Password Filter DLL	Network Provider DLL CONTRIBUTE A TEST	Debugger Evasion CONTRIBUTE A TEST				Uncommonly Used Port CONTRIBUTE A TEST
	InstallUtil CONTRIBUTE A TEST	AppCert DLLs CONTRIBUTE A TEST	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Clear Network Connection History and Configurations CONTRIBUTE A TEST	Input Prompt CONTRIBUTE A TEST	System Time Discovery				Domain Fronting CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Security Support Provider	Create Process with Token	Indicator Removal on Host: Clear Command History	Forge Web Credentials CONTRIBUTE A TEST					Data Encoding CONTRIBUTE A TEST
		Winlogon Helper DLL CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Winlogon Helper DLL	Indirect Command Execution	Multi-Factor Authentication Request Generation CONTRIBUTE A TEST					Non-Standard Encoding CONTRIBUTE A TEST
		Authentication Package CONTRIBUTE A TEST	Event Triggered Execution: Image File Execution Options Injection	Deobfuscate/Decode Files or Information	Exploitation for Credential Access CONTRIBUTE A TEST					Application Layer Protocol: Web Protocols
		Hybrid Identity CONTRIBUTE A TEST	Process Doppelgänging CONTRIBUTE A TEST	Impair Defenses	Input Capture: GUI Input Capture					Ingress Tool Transfer
		Hijack Execution Flow: Path Interception by Search Order Hijacking	Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Thread Execution Hijacking	Brute Force CONTRIBUTE A TEST					Steganography CONTRIBUTE A TEST
		Server Software Component: Web Shell	Event Triggered Execution: Accessibility Features	Masquerading	Brute Force: Credential Stuffing					Fallback Channels CONTRIBUTE A TEST
		Valid Accounts: Default Accounts	PowerShell Profile CONTRIBUTE A TEST	Email Collection: Mailbox Manipulation	Kerberoasting CONTRIBUTE A TEST					Proxy: Internal Proxy
		Time Providers	Process Injection: Asynchronous Procedure Call	Process Injection	Multi-Factor Authentication CONTRIBUTE A TEST					Custom Command and Control Protocol CONTRIBUTE A TEST
		Image File Execution Options Injection CONTRIBUTE A TEST	Application Shimming CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Forced Authentication					Dead Drop Resolver CONTRIBUTE A TEST
		Modify Existing Service CONTRIBUTE A TEST	Event Triggered Execution: AppCert DLLs	Signed Binary Proxy Execution	Password Filter DLL CONTRIBUTE A TEST					Junk Data CONTRIBUTE A TEST
		Create Account: Local Account	Portable Executable Injection CONTRIBUTE A TEST	DLL Search Order Hijacking CONTRIBUTE A TEST	Credentials in Files CONTRIBUTE A TEST					Commonly Used Port CONTRIBUTE A TEST
		Hooking CONTRIBUTE A TEST	Access Token Manipulation: Token Impersonation/Theft	Indicator Removal on Host: Timestomp	Input Capture CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Winlogon Helper DLL	Make and Impersonate Token CONTRIBUTE A TEST	Reflective Code Loading	ARP Cache Poisoning CONTRIBUTE A TEST
		System Firmware CONTRIBUTE A TEST	Event Triggered Execution: Windows Management Instrumentation Event Subscription	Time Based Evasion CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: Silver Ticket
		Change Default File Association CONTRIBUTE A TEST	Access Token Manipulation: Parent PID Spoofing	Signed Binary Proxy Execution: CMSTP	Credentials from Password Stores: Windows Credential Manager
		Redundant Access CONTRIBUTE A TEST	Event Triggered Execution: Change Default File Association	Impair Defenses: Disable Windows Event Logging	Domain Controller Authentication CONTRIBUTE A TEST
		Security Support Provider CONTRIBUTE A TEST	Accessibility Features CONTRIBUTE A TEST	Signed Binary Proxy Execution: Control Panel	Reversible Encryption CONTRIBUTE A TEST
		Event Triggered Execution: Image File Execution Options Injection	Parent PID Spoofing CONTRIBUTE A TEST	Binary Padding CONTRIBUTE A TEST	Multi-Factor Authentication Interception CONTRIBUTE A TEST
		LSASS Driver CONTRIBUTE A TEST	Services File Permissions Weakness CONTRIBUTE A TEST	Use Alternate Authentication Material CONTRIBUTE A TEST	OS Credential Dumping: NTDS
		Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Extra Window Memory Injection CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: Kerberoasting
		Event Triggered Execution: Accessibility Features	KernelCallbackTable CONTRIBUTE A TEST	Impair Defenses: Disable or Modify System Firewall	OS Credential Dumping: DCSync
		PowerShell Profile CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	SIP and Trust Provider Hijacking CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST
		SIP and Trust Provider Hijacking CONTRIBUTE A TEST	Valid Accounts CONTRIBUTE A TEST	Hybrid Identity CONTRIBUTE A TEST	Input Capture: Credential API Hooking
		Create Account: Domain Account	Process Injection: Process Hollowing	Rogue Domain Controller
		Component Firmware CONTRIBUTE A TEST	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Code Signing Policy Modification CONTRIBUTE A TEST
		Office Template Macros CONTRIBUTE A TEST	Event Triggered Execution	File Deletion CONTRIBUTE A TEST
		Application Shimming CONTRIBUTE A TEST	Access Token Manipulation: SID-History Injection	Modify Registry
		Event Triggered Execution: AppCert DLLs	Authentication Package	Hijack Execution Flow: Path Interception by Search Order Hijacking
		Device Registration CONTRIBUTE A TEST	Event Triggered Execution: Component Object Model Hijacking	Obfuscated Files or Information: Binary Padding CONTRIBUTE A TEST
		Pre-OS Boot CONTRIBUTE A TEST	Hijack Execution Flow: Path Interception by Unquoted Path	Domain Policy Modification: Group Policy Modification
		Port Knocking CONTRIBUTE A TEST	Web Shell CONTRIBUTE A TEST	Valid Accounts: Default Accounts
		Network Provider DLL CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	Image File Execution Options Injection CONTRIBUTE A TEST
		Event Triggered Execution: Windows Management Instrumentation Event Subscription	Path Interception CONTRIBUTE A TEST	Rundll32 CONTRIBUTE A TEST
		Registry Run Keys / Startup Folder CONTRIBUTE A TEST	Network Logon Script CONTRIBUTE A TEST	Indicator Removal on Host: Clear Windows Event Logs
		Compromise Client Software Binary CONTRIBUTE A TEST	Bypass User Account Control CONTRIBUTE A TEST	File and Directory Permissions Modification CONTRIBUTE A TEST
		Shortcut Modification CONTRIBUTE A TEST	Event Triggered Execution: AppInit DLLs	Abuse Elevation Control Mechanism CONTRIBUTE A TEST
		Event Triggered Execution: Change Default File Association	Event Triggered Execution: Screensaver	Create Process with Token
		Component Object Model Hijacking CONTRIBUTE A TEST	Installer Packages CONTRIBUTE A TEST	Regsvr32 CONTRIBUTE A TEST
		Accessibility Features CONTRIBUTE A TEST	Access Token Manipulation CONTRIBUTE A TEST	Indicator Blocking CONTRIBUTE A TEST
		Services File Permissions Weakness CONTRIBUTE A TEST	Thread Local Storage CONTRIBUTE A TEST	Redundant Access CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Hijack Execution Flow: DLL Side-Loading	Signed Binary Proxy Execution: Odbcconf
		Account Manipulation	Boot or Logon Initialization Scripts: Logon Script (Windows)	Software Packing CONTRIBUTE A TEST
		KernelCallbackTable CONTRIBUTE A TEST	ListPlanting CONTRIBUTE A TEST	Process Doppelgänging CONTRIBUTE A TEST
		Outlook Forms CONTRIBUTE A TEST	Domain Policy Modification CONTRIBUTE A TEST	Executable Installer File Permissions Weakness CONTRIBUTE A TEST
		Hijack Execution Flow CONTRIBUTE A TEST	Boot or Logon Autostart Execution: LSASS Driver	SIP and Trust Provider Hijacking CONTRIBUTE A TEST
		Valid Accounts CONTRIBUTE A TEST	Scheduled Task/Job: At	Impair Defenses: Indicator Blocking
		Multi-Factor Authentication CONTRIBUTE A TEST	Process Injection: Dynamic-link Library Injection	Right-to-Left Override CONTRIBUTE A TEST
		IIS Components	Event Triggered Execution: Netsh Helper DLL	Component Firmware CONTRIBUTE A TEST
		Event Triggered Execution	Valid Accounts: Local Accounts	Indicator Removal on Host
		Authentication Package	Hijack Execution Flow: COR_PROFILER	Use Alternate Authentication Material: Pass the Ticket
		Netsh Helper DLL CONTRIBUTE A TEST		Masquerading: Masquerade Task or Service
		Event Triggered Execution: Component Object Model Hijacking		Process Injection: Asynchronous Procedure Call
		Office Application Startup: Outlook Home Page		CMSTP CONTRIBUTE A TEST
		Hijack Execution Flow: Path Interception by Unquoted Path		Subvert Trust Controls: Mark-of-the-Web Bypass
		Web Shell CONTRIBUTE A TEST		Pre-OS Boot CONTRIBUTE A TEST
		Domain Accounts CONTRIBUTE A TEST		Scripting CONTRIBUTE A TEST
		Path Interception CONTRIBUTE A TEST		Portable Executable Injection CONTRIBUTE A TEST
		Network Logon Script CONTRIBUTE A TEST		Verclsid CONTRIBUTE A TEST
		BITS Jobs		Downgrade Attack CONTRIBUTE A TEST
		Event Triggered Execution: AppInit DLLs		Virtualization/Sandbox Evasion CONTRIBUTE A TEST
		Event Triggered Execution: Screensaver		Signed Binary Proxy Execution: Mshta
		Server Software Component CONTRIBUTE A TEST		Execution Guardrails CONTRIBUTE A TEST
		Domain Controller Authentication CONTRIBUTE A TEST		Access Token Manipulation: Token Impersonation/Theft
		Reversible Encryption CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST
		Installer Packages CONTRIBUTE A TEST		Hide Artifacts: Hidden Users
		Hidden Files and Directories CONTRIBUTE A TEST		Make and Impersonate Token CONTRIBUTE A TEST
		Time Providers CONTRIBUTE A TEST		Control Panel Items CONTRIBUTE A TEST
		Create Account CONTRIBUTE A TEST		Impair Defenses: HISTCONTROL CONTRIBUTE A TEST
		Hijack Execution Flow: DLL Side-Loading		Network Provider DLL CONTRIBUTE A TEST
		Additional Email Delegate Permissions CONTRIBUTE A TEST		User Activity Based Checks CONTRIBUTE A TEST
		Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST		Access Token Manipulation: Parent PID Spoofing
		Boot or Logon Initialization Scripts: Logon Script (Windows)		Component Object Model Hijacking CONTRIBUTE A TEST
		Office Application Startup: Office Test		Parent PID Spoofing CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: LSASS Driver		Services File Permissions Weakness CONTRIBUTE A TEST
		Scheduled Task/Job: At		Mshta CONTRIBUTE A TEST
		Modify Authentication Process CONTRIBUTE A TEST		KernelCallbackTable CONTRIBUTE A TEST
		Event Triggered Execution: Netsh Helper DLL		Signed Binary Proxy Execution: Compiled HTML File
		SQL Stored Procedures CONTRIBUTE A TEST		Indicator Removal on Host: Network Share Connection Removal
		Valid Accounts: Local Accounts		Impair Defenses: Disable or Modify Tools
		Hijack Execution Flow: COR_PROFILER		Hijack Execution Flow CONTRIBUTE A TEST
				Indicator Removal from Tools CONTRIBUTE A TEST
				Valid Accounts CONTRIBUTE A TEST
				DLL Side-Loading CONTRIBUTE A TEST
				Process Injection: Process Hollowing
				Obfuscated Files or Information
				Multi-Factor Authentication CONTRIBUTE A TEST
				Invalid Code Signature CONTRIBUTE A TEST
				Run Virtual Instance
				Access Token Manipulation: SID-History Injection
				Subvert Trust Controls CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Regsvr32
				Masquerading: Rename System Utilities
				Spoof Security Alerting CONTRIBUTE A TEST
				Hijack Execution Flow: Path Interception by Unquoted Path
				Process Doppelgänging CONTRIBUTE A TEST
				Steganography CONTRIBUTE A TEST
				Domain Accounts CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Regsvcs/Regasm
				Subvert Trust Controls: Install Root Certificate
				Obfuscated Files or Information: Compile After Delivery
				VBA Stomping CONTRIBUTE A TEST
				BITS Jobs
				Trusted Developer Utilities Proxy Execution: MSBuild
				Bypass User Account Control CONTRIBUTE A TEST
				Hide Artifacts: Hidden Window
				Compile After Delivery CONTRIBUTE A TEST
				Compiled HTML File CONTRIBUTE A TEST
				Clear Persistence CONTRIBUTE A TEST
				Domain Controller Authentication CONTRIBUTE A TEST
				HTML Smuggling
				Reversible Encryption CONTRIBUTE A TEST
				Command Obfuscation CONTRIBUTE A TEST
				Install Root Certificate CONTRIBUTE A TEST
				Indicator Removal on Host: File Deletion
				Hidden Files and Directories CONTRIBUTE A TEST
				Template Injection
				Access Token Manipulation CONTRIBUTE A TEST
				Obfuscated Files or Information: Software Packing CONTRIBUTE A TEST
				Hidden File System CONTRIBUTE A TEST
				Thread Local Storage CONTRIBUTE A TEST
				Debugger Evasion CONTRIBUTE A TEST
				Use Alternate Authentication Material: Pass the Hash
				Hijack Execution Flow: DLL Side-Loading
				Network Share Connection Removal CONTRIBUTE A TEST
				Dynamic API Resolution CONTRIBUTE A TEST
				ListPlanting CONTRIBUTE A TEST
				Domain Policy Modification CONTRIBUTE A TEST
				XSL Script Processing
				Hide Artifacts: Hidden Files and Directories
				Environmental Keying CONTRIBUTE A TEST
				Hide Artifacts: NTFS File Attributes
				NTFS File Attributes CONTRIBUTE A TEST
				Process Injection: Dynamic-link Library Injection
				Modify Authentication Process CONTRIBUTE A TEST
				Signed Script Proxy Execution
				InstallUtil CONTRIBUTE A TEST
				Valid Accounts: Local Accounts
				Exploitation for Defense Evasion CONTRIBUTE A TEST
				Trusted Developer Utilities Proxy Execution
				MMC CONTRIBUTE A TEST
				Process Argument Spoofing CONTRIBUTE A TEST
				Hijack Execution Flow: COR_PROFILER