| External Remote Services |
Scheduled Task/Job: Scheduled Task |
Scheduled Task/Job: Scheduled Task |
Process Injection: Extra Window Memory Injection |
Process Injection: Extra Window Memory Injection |
Adversary-in-the-Middle CONTRIBUTE A TEST |
System Owner/User Discovery |
Remote Services:VNC |
Archive Collected Data: Archive via Utility |
Exfiltration Over Web Service CONTRIBUTE A TEST |
Socket Filters CONTRIBUTE A TEST |
Disk Structure Wipe CONTRIBUTE A TEST |
| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST |
Windows Management Instrumentation |
Socket Filters CONTRIBUTE A TEST |
Scheduled Task/Job: Scheduled Task |
Socket Filters CONTRIBUTE A TEST |
Modify Authentication Process: Pluggable Authentication Modules |
Container and Resource Discovery |
Taint Shared Content CONTRIBUTE A TEST |
Screen Capture |
Exfiltration Over Webhook CONTRIBUTE A TEST |
Data Encoding: Standard Encoding |
Direct Network Flood CONTRIBUTE A TEST |
| Phishing: Spearphishing Link |
Server Software Component |
Boot or Logon Initialization Scripts CONTRIBUTE A TEST |
Boot or Logon Initialization Scripts CONTRIBUTE A TEST |
Fileless Storage CONTRIBUTE A TEST |
Input Capture: Keylogging |
System Network Configuration Discovery: Internet Connection Discovery |
Remote Services: SSH |
Adversary-in-the-Middle CONTRIBUTE A TEST |
Scheduled Transfer CONTRIBUTE A TEST |
Domain Generation Algorithms CONTRIBUTE A TEST |
External Defacement CONTRIBUTE A TEST |
| Phishing: Spearphishing Attachment |
Command and Scripting Interpreter: JavaScript |
Modify Authentication Process: Pluggable Authentication Modules |
Path Interception by PATH Environment Variable CONTRIBUTE A TEST |
Signed Binary Proxy Execution: Rundll32 |
Brute Force: Password Guessing |
Permission Groups Discovery CONTRIBUTE A TEST |
Replication Through Removable Media |
Input Capture: Keylogging |
Exfiltration Over Other Network Medium CONTRIBUTE A TEST |
Application Layer Protocol: DNS |
OS Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Hardware Supply Chain CONTRIBUTE A TEST |
Kubernetes Cronjob |
Path Interception by PATH Environment Variable CONTRIBUTE A TEST |
Event Triggered Execution: PowerShell Profile |
Embedded Payloads CONTRIBUTE A TEST |
OS Credential Dumping |
Cloud Groups CONTRIBUTE A TEST |
Direct Cloud VM Connections CONTRIBUTE A TEST |
Data from Configuration Repository CONTRIBUTE A TEST |
Exfiltration Over Bluetooth CONTRIBUTE A TEST |
Publish/Subscribe Protocols CONTRIBUTE A TEST |
Lifecycle-Triggered Deletion CONTRIBUTE A TEST |
| Replication Through Removable Media |
Inter-Process Communication: Dynamic Data Exchange |
Event Triggered Execution: PowerShell Profile |
Create or Modify System Process CONTRIBUTE A TEST |
Modify Authentication Process: Pluggable Authentication Modules |
Steal Web Session Cookie |
Group Policy Discovery |
SSH Hijacking CONTRIBUTE A TEST |
Sharepoint CONTRIBUTE A TEST |
Automated Exfiltration |
Symmetric Cryptography CONTRIBUTE A TEST |
SMS Pumping CONTRIBUTE A TEST |
| Supply Chain Compromise |
User Execution: Malicious File |
Create or Modify System Process CONTRIBUTE A TEST |
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST |
Revert Cloud Instance CONTRIBUTE A TEST |
OS Credential Dumping: Security Account Manager |
Device Driver Discovery |
Remote Services: SMB/Windows Admin Shares |
Audio Capture |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST |
Fast Flux DNS CONTRIBUTE A TEST |
Application Exhaustion Flood CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST |
Scheduled Task/Job: Cron |
External Remote Services |
Kubernetes Cronjob |
File/Path Exclusions CONTRIBUTE A TEST |
Unsecured Credentials: Cloud Instance Metadata API |
Account Discovery: Domain Account |
Use Alternate Authentication Material CONTRIBUTE A TEST |
Archive via Custom Method CONTRIBUTE A TEST |
Traffic Duplication CONTRIBUTE A TEST |
Application Layer Protocol |
Disk Wipe CONTRIBUTE A TEST |
| Content Injection |
Component Object Model CONTRIBUTE A TEST |
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST |
Abuse Elevation Control Mechanism: Bypass User Account Control |
File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification |
Securityd Memory CONTRIBUTE A TEST |
Account Discovery: Local Account |
Remote Services CONTRIBUTE A TEST |
Email Collection CONTRIBUTE A TEST |
Exfiltration to Code Repository CONTRIBUTE A TEST |
Remote Access Software |
Stored Data Manipulation CONTRIBUTE A TEST |
| Valid Accounts: Default Accounts |
ESXi Administration Command CONTRIBUTE A TEST |
Kubernetes Cronjob |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
Signed Script Proxy Execution: Pubprn |
Brute Force: Password Cracking |
Virtualization/Sandbox Evasion: System Checks |
Remote Service Session Hijacking CONTRIBUTE A TEST |
Data from Removable Media |
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Content Injection |
Service Stop |
| Trusted Relationship CONTRIBUTE A TEST |
Scheduled Task/Job CONTRIBUTE A TEST |
Pre-OS Boot: System Firmware |
Hijack Execution Flow: Services Registry Permissions Weakness |
Path Interception by PATH Environment Variable CONTRIBUTE A TEST |
Credentials from Password Stores: Keychain |
Permission Groups Discovery: Domain Groups |
Remote Services: Windows Remote Management |
Data Staged: Local Data Staging |
Exfiltration Over C2 Channel |
Traffic Signaling CONTRIBUTE A TEST |
Application or System Exploitation CONTRIBUTE A TEST |
| Phishing CONTRIBUTE A TEST |
Command and Scripting Interpreter: AppleScript |
Hijack Execution Flow: Services Registry Permissions Weakness |
Boot or Logon Autostart Execution |
Direct Volume Access |
OS Credential Dumping: LSA Secrets |
System Service Discovery |
Remote Services: Distributed Component Object Model |
Email Collection: Local Email Collection |
Exfiltration Over Alternative Protocol |
Protocol Tunneling |
Runtime Data Manipulation CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST |
Native API |
Bootkit CONTRIBUTE A TEST |
Active Setup |
Modify Cloud Resource Hierarchy CONTRIBUTE A TEST |
Forge Web Credentials: SAML token |
Network Sniffing |
Use Alternate Authentication Material: Pass the Ticket |
Databases CONTRIBUTE A TEST |
Exfiltration over USB CONTRIBUTE A TEST |
Mail Protocols CONTRIBUTE A TEST |
Reflection Amplification CONTRIBUTE A TEST |
| Spearphishing Voice CONTRIBUTE A TEST |
Command and Scripting Interpreter: AutoHotKey & AutoIT |
Boot or Logon Autostart Execution |
Domain Trust Modification |
Hide Artifacts: Email Hiding Rules |
OS Credential Dumping: Proc Filesystem |
Network Share Discovery |
Cloud Services CONTRIBUTE A TEST |
Automated Collection |
Exfiltration Over Web Service: Exfiltration to Text Storage Sites |
Communication Through Removable Media CONTRIBUTE A TEST |
Service Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Software Supply Chain |
System Services: Systemctl |
Active Setup |
Create or Modify System Process: Windows Service |
Obfuscated Files or Information: Encrypted/Encoded File |
Password Managers CONTRIBUTE A TEST |
Peripheral Device Discovery |
Software Deployment Tools |
Clipboard Data |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
External Proxy CONTRIBUTE A TEST |
Defacement CONTRIBUTE A TEST |
| Domain Accounts CONTRIBUTE A TEST |
Cloud API CONTRIBUTE A TEST |
Browser Extensions CONTRIBUTE A TEST |
Scheduled Task/Job: Cron |
Rootkit |
Network Sniffing |
System Information Discovery |
Exploitation of Remote Services CONTRIBUTE A TEST |
Data from Cloud Storage Object |
Data Transfer Size Limits |
Proxy CONTRIBUTE A TEST |
Bandwidth Hijacking CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST |
Deploy a container |
TFTP Boot CONTRIBUTE A TEST |
Account Manipulation: Additional Cloud Roles |
Masquerading: Double File Extension |
Unsecured Credentials: Credentials in Registry |
System Network Configuration Discovery: Wi-Fi Discovery |
Internal Spearphishing CONTRIBUTE A TEST |
Remote Data Staging CONTRIBUTE A TEST |
Transfer Data to Cloud Account CONTRIBUTE A TEST |
IDE Tunneling CONTRIBUTE A TEST |
Financial Theft CONTRIBUTE A TEST |
| Drive-by Compromise CONTRIBUTE A TEST |
Input Injection CONTRIBUTE A TEST |
Create or Modify System Process: Windows Service |
Boot or Logon Autostart Execution: Print Processors |
Abuse Elevation Control Mechanism: Bypass User Account Control |
Modify Authentication Process: Password Filter DLL |
Backup Software Discovery CONTRIBUTE A TEST |
Lateral Tool Transfer |
Data from Local System |
Exfiltration Over Physical Medium CONTRIBUTE A TEST |
Dynamic Resolution CONTRIBUTE A TEST |
Defacement: Internal Defacement |
| Valid Accounts: Cloud Accounts |
Command and Scripting Interpreter |
Scheduled Task/Job: Cron |
Hijack Execution Flow: DLL |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
Ccache Files CONTRIBUTE A TEST |
Application Window Discovery |
Web Session Cookie CONTRIBUTE A TEST |
Archive Collected Data: Archive via Library |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
Web Service CONTRIBUTE A TEST |
Cloud Service Hijacking CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST |
Malicious Library CONTRIBUTE A TEST |
Office Application Startup |
AppDomainManager CONTRIBUTE A TEST |
Modify Cloud Compute Infrastructure CONTRIBUTE A TEST |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
Email Account CONTRIBUTE A TEST |
Remote Service Session Hijacking: RDP Hijacking |
Evil Twin CONTRIBUTE A TEST |
|
DNS Calculation CONTRIBUTE A TEST |
Compute Hijacking CONTRIBUTE A TEST |
| Valid Accounts: Local Accounts |
Poisoned Pipeline Execution CONTRIBUTE A TEST |
Account Manipulation: Additional Cloud Roles |
Additional Container Cluster Roles CONTRIBUTE A TEST |
Pre-OS Boot: System Firmware |
Steal or Forge Kerberos Tickets CONTRIBUTE A TEST |
Time Based Evasion |
Use Alternate Authentication Material: Pass the Hash |
Network Device Configuration Dump CONTRIBUTE A TEST |
|
Multi-Stage Channels CONTRIBUTE A TEST |
Data Manipulation CONTRIBUTE A TEST |
| Wi-Fi Networks CONTRIBUTE A TEST |
Kubernetes Exec Into Container |
Boot or Logon Autostart Execution: Print Processors |
Scheduled Task/Job CONTRIBUTE A TEST |
Hijack Execution Flow: Services Registry Permissions Weakness |
Credentials from Password Stores |
Cloud Infrastructure Discovery |
Remote Services: Remote Desktop Protocol |
Archive Collected Data |
|
Port Knocking CONTRIBUTE A TEST |
Account Access Removal |
|
System Services: Launchctl |
Hijack Execution Flow: DLL |
Additional Local or Domain Groups CONTRIBUTE A TEST |
Bootkit CONTRIBUTE A TEST |
Unsecured Credentials |
Browser Bookmark Discovery |
Application Access Token CONTRIBUTE A TEST |
Browser Session Hijacking CONTRIBUTE A TEST |
|
File Transfer Protocols CONTRIBUTE A TEST |
Data Encrypted for Impact |
|
Network Device CLI CONTRIBUTE A TEST |
Office Application Startup: Add-ins |
Thread Execution Hijacking |
Mavinject CONTRIBUTE A TEST |
Evil Twin CONTRIBUTE A TEST |
Virtual Machine Discovery CONTRIBUTE A TEST |
|
DHCP Spoofing CONTRIBUTE A TEST |
|
One-Way Communication CONTRIBUTE A TEST |
Email Bombing CONTRIBUTE A TEST |
|
XPC Services CONTRIBUTE A TEST |
Server Software Component: Transport Agent |
Event Triggered Execution: Application Shimming |
Masquerading: Match Legitimate Name or Location |
Hybrid Identity CONTRIBUTE A TEST |
System Network Configuration Discovery |
|
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
|
Proxy: Multi-hop Proxy |
Endpoint Denial of Service CONTRIBUTE A TEST |
|
User Execution CONTRIBUTE A TEST |
AppDomainManager CONTRIBUTE A TEST |
Boot or Logon Autostart Execution: Port Monitors |
Weaken Encryption CONTRIBUTE A TEST |
Credentials from Password Stores: Credentials from Web Browsers |
Account Discovery CONTRIBUTE A TEST |
|
Web Portal Capture CONTRIBUTE A TEST |
|
Remote Access Hardware CONTRIBUTE A TEST |
Resource Hijacking |
|
Software Deployment Tools |
Additional Container Cluster Roles CONTRIBUTE A TEST |
Boot or Logon Initialization Scripts: Logon Script (Mac) |
Masquerade File Type CONTRIBUTE A TEST |
DHCP Spoofing CONTRIBUTE A TEST |
Domain Trust Discovery |
|
Video Capture |
|
Data Obfuscation CONTRIBUTE A TEST |
Transmitted Data Manipulation CONTRIBUTE A TEST |
|
Command and Scripting Interpreter: PowerShell |
Scheduled Task/Job CONTRIBUTE A TEST |
Process Injection |
Hide Artifacts |
Unsecured Credentials: Private Keys |
File and Directory Discovery |
|
Confluence CONTRIBUTE A TEST |
|
Non-Standard Port |
Data Destruction |
|
Scheduled Task/Job: Systemd Timers |
Modify Authentication Process: Password Filter DLL |
Escape to Host |
Domain Trust Modification |
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
System Network Connections Discovery |
|
Email Collection: Email Forwarding Rule |
|
Encrypted Channel |
Network Denial of Service CONTRIBUTE A TEST |
|
Command and Scripting Interpreter: Bash |
Server Software Component: Terminal Services DLL |
Boot or Logon Autostart Execution: Shortcut Modification |
Impair Defenses: Safe Boot Mode |
OS Credential Dumping: LSASS Memory |
Virtualization/Sandbox Evasion CONTRIBUTE A TEST |
|
Data Staged CONTRIBUTE A TEST |
|
Bidirectional Communication CONTRIBUTE A TEST |
Firmware Corruption CONTRIBUTE A TEST |
|
Inter-Process Communication |
Browser Extensions |
Boot or Logon Autostart Execution: Security Support Provider |
TFTP Boot CONTRIBUTE A TEST |
Brute Force: Password Spraying |
Cloud Storage Object Discovery |
|
Input Capture: GUI Input Capture |
|
Asymmetric Cryptography CONTRIBUTE A TEST |
Inhibit System Recovery |
|
Lua CONTRIBUTE A TEST |
Office Application Startup: Outlook Rules |
Create or Modify System Process: Launch Daemon |
Virtualization/Sandbox Evasion: System Checks |
Web Portal Capture CONTRIBUTE A TEST |
Log Enumeration |
|
Data from Network Shared Drive |
|
Non-Application Layer Protocol |
Disk Content Wipe CONTRIBUTE A TEST |
|
User Execution: Malicious Image |
Additional Local or Domain Groups CONTRIBUTE A TEST |
Hijack Execution Flow: Path Interception by Search Order Hijacking |
Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs |
OS Credential Dumping: Cached Domain Credentials |
Cloud Account CONTRIBUTE A TEST |
|
Email Collection: Remote Email Collection |
|
Protocol or Service Impersonation CONTRIBUTE A TEST |
System Shutdown/Reboot |
|
Exploitation for Client Execution CONTRIBUTE A TEST |
Event Triggered Execution: Application Shimming |
Domain Policy Modification: Group Policy Modification |
Signed Binary Proxy Execution: InstallUtil |
Steal or Forge Kerberos Tickets: Golden Ticket |
Process Discovery |
|
Input Capture CONTRIBUTE A TEST |
|
Domain Fronting CONTRIBUTE A TEST |
|
|
Container CLI/API CONTRIBUTE A TEST |
Boot or Logon Autostart Execution: Port Monitors |
Valid Accounts: Default Accounts |
Stripped Payloads CONTRIBUTE A TEST |
Steal or Forge Authentication Certificates |
User Activity Based Checks CONTRIBUTE A TEST |
|
Customer Relationship Management Software CONTRIBUTE A TEST |
|
Data Encoding CONTRIBUTE A TEST |
|
|
Command and Scripting Interpreter: Python |
Boot or Logon Initialization Scripts: Logon Script (Mac) |
Time Providers |
Hijack Execution Flow: DLL |
Unsecured Credentials: Bash History |
Permission Groups Discovery: Local Groups |
|
ARP Cache Poisoning CONTRIBUTE A TEST |
|
Remote Desktop Software CONTRIBUTE A TEST |
|
|
System Services CONTRIBUTE A TEST |
Traffic Signaling CONTRIBUTE A TEST |
Event Triggered Execution: Trap |
Subvert Trust Controls: Gatekeeper Bypass |
Unsecured Credentials: Credentials In Files |
Password Policy Discovery |
|
Code Repositories CONTRIBUTE A TEST |
|
Non-Standard Encoding CONTRIBUTE A TEST |
|
|
Command and Scripting Interpreter: Windows Command Shell |
Boot or Logon Autostart Execution: Shortcut Modification |
Hijack Execution Flow: LD_PRELOAD |
Code Signing CONTRIBUTE A TEST |
Web Cookies CONTRIBUTE A TEST |
System Location Discovery: System Language Discovery |
|
Data from Information Repositories CONTRIBUTE A TEST |
|
Application Layer Protocol: Web Protocols |
|
|
Hypervisor CLI CONTRIBUTE A TEST |
Implant Internal Image CONTRIBUTE A TEST |
Abuse Elevation Control Mechanism CONTRIBUTE A TEST |
Break Process Trees CONTRIBUTE A TEST |
Steal Application Access Token |
Query Registry |
|
SNMP (MIB Dump) CONTRIBUTE A TEST |
|
Ingress Tool Transfer |
|
|
Cloud Administration Command |
Boot or Logon Autostart Execution: Security Support Provider |
Create Process with Token |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
Unsecured Credentials: Group Policy Preferences |
System Location Discovery |
|
Input Capture: Credential API Hooking |
|
Hide Infrastructure CONTRIBUTE A TEST |
|
|
Command and Scripting Interpreter: Visual Basic |
Hybrid Identity CONTRIBUTE A TEST |
Abuse Elevation Control Mechanism: Setuid and Setgid |
AppDomainManager CONTRIBUTE A TEST |
Network Provider DLL CONTRIBUTE A TEST |
Software Discovery: Security Software Discovery |
|
Messaging Applications CONTRIBUTE A TEST |
|
Data Obfuscation via Steganography |
|
|
Malicious Copy and Paste CONTRIBUTE A TEST |
Modify Registry |
Boot or Logon Autostart Execution: Winlogon Helper DLL |
Signed Binary Proxy Execution: Msiexec |
Forge Web Credentials CONTRIBUTE A TEST |
Cloud Service Discovery |
|
|
|
Fallback Channels CONTRIBUTE A TEST |
|
|
Serverless Execution |
Create or Modify System Process: Launch Daemon |
SSH Authorized Keys |
Modify Authentication Process: Password Filter DLL |
Multi-Factor Authentication Request Generation CONTRIBUTE A TEST |
Remote System Discovery |
|
|
|
Proxy: Internal Proxy |
|
|
Malicious Link CONTRIBUTE A TEST |
Hijack Execution Flow: Path Interception by Search Order Hijacking |
Event Triggered Execution: Image File Execution Options Injection |
Clear Network Connection History and Configurations CONTRIBUTE A TEST |
Chat Messages CONTRIBUTE A TEST |
Network Service Discovery |
|
|
|
Dead Drop Resolver CONTRIBUTE A TEST |
|
|
System Services: Service Execution |
Server Software Component: Web Shell |
Temporary Elevated Cloud Access CONTRIBUTE A TEST |
Reduce Key Space CONTRIBUTE A TEST |
Exploitation for Credential Access CONTRIBUTE A TEST |
Software Discovery |
|
|
|
Junk Data CONTRIBUTE A TEST |
|
|
Scheduled Task/Job: At |
Valid Accounts: Default Accounts |
Process Doppelgänging CONTRIBUTE A TEST |
Indicator Removal on Host: Clear Command History |
Input Capture: GUI Input Capture |
Cloud Service Dashboard CONTRIBUTE A TEST |
|
|
|
|
|
|
|
Time Providers |
Executable Installer File Permissions Weakness CONTRIBUTE A TEST |
Indirect Command Execution |
Brute Force CONTRIBUTE A TEST |
Debugger Evasion |
|
|
|
|
|
|
|
Event Triggered Execution: Trap |
Event Triggered Execution: Accessibility Features |
Deobfuscate/Decode Files or Information |
Brute Force: Credential Stuffing |
Local Storage Discovery CONTRIBUTE A TEST |
|
|
|
|
|
|
|
Hijack Execution Flow: LD_PRELOAD |
Process Injection: Asynchronous Procedure Call |
Impair Defenses |
Multi-Factor Authentication CONTRIBUTE A TEST |
System Time Discovery |
|
|
|
|
|
|
|
Create Account: Local Account |
Event Triggered Execution: AppCert DLLs |
Thread Execution Hijacking |
Forced Authentication |
|
|
|
|
|
|
|
|
IDE Extensions CONTRIBUTE A TEST |
Device Registration CONTRIBUTE A TEST |
Masquerading |
Input Capture CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Boot or Logon Autostart Execution: Winlogon Helper DLL |
Process Injection: Portable Executable Injection |
Email Collection: Mailbox Manipulation |
ARP Cache Poisoning CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
SSH Authorized Keys |
Boot or Logon Autostart Execution: Login Items |
Process Injection |
Conditional Access Policies CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Event Triggered Execution: Image File Execution Options Injection |
Access Token Manipulation: Token Impersonation/Theft |
Traffic Signaling CONTRIBUTE A TEST |
Credentials from Password Stores: Cloud Secrets Management Stores |
|
|
|
|
|
|
|
|
Executable Installer File Permissions Weakness CONTRIBUTE A TEST |
Account Manipulation: Additional Cloud Credentials |
Signed Binary Proxy Execution |
OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow |
|
|
|
|
|
|
|
|
Event Triggered Execution: Accessibility Features |
Make and Impersonate Token CONTRIBUTE A TEST |
Indicator Removal on Host: Timestomp |
Steal or Forge Kerberos Tickets: Silver Ticket |
|
|
|
|
|
|
|
|
Create Account: Domain Account |
Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Reflective Code Loading |
Credentials from Password Stores: Windows Credential Manager |
|
|
|
|
|
|
|
|
Component Firmware CONTRIBUTE A TEST |
Access Token Manipulation: Parent PID Spoofing |
Mutual Exclusion CONTRIBUTE A TEST |
Modify Authentication Process: Domain Controller Authentication |
|
|
|
|
|
|
|
|
Office Application Startup: Office Template Macros. |
Event Triggered Execution: Change Default File Association |
Ignore Process Interrupts CONTRIBUTE A TEST |
Reversible Encryption CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Event Triggered Execution: AppCert DLLs |
VDSO Hijacking CONTRIBUTE A TEST |
Time Based Evasion |
Multi-Factor Authentication Interception CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Device Registration CONTRIBUTE A TEST |
Event Triggered Execution: Emond |
Signed Binary Proxy Execution: CMSTP |
OS Credential Dumping: NTDS |
|
|
|
|
|
|
|
|
Pre-OS Boot CONTRIBUTE A TEST |
Services File Permissions Weakness CONTRIBUTE A TEST |
Impair Defenses: Disable Windows Event Logging |
Steal or Forge Kerberos Tickets: Kerberoasting |
|
|
|
|
|
|
|
|
Boot or Logon Autostart Execution: Login Items |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Signed Binary Proxy Execution: Control Panel |
OS Credential Dumping: DCSync |
|
|
|
|
|
|
|
|
Port Knocking CONTRIBUTE A TEST |
Account Manipulation |
Network Address Translation Traversal CONTRIBUTE A TEST |
Modify Authentication Process CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Account Manipulation: Additional Cloud Credentials |
Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Overwrite Process Arguments CONTRIBUTE A TEST |
Input Capture: Credential API Hooking |
|
|
|
|
|
|
|
|
Network Provider DLL CONTRIBUTE A TEST |
KernelCallbackTable CONTRIBUTE A TEST |
Use Alternate Authentication Material CONTRIBUTE A TEST |
Kubernetes List Secrets |
|
|
|
|
|
|
|
|
Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Scheduled Task/Job: Systemd Timers |
Impair Defenses: Disable or Modify System Firewall |
Network Device Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Compromise Host Software Binary CONTRIBUTE A TEST |
Hijack Execution Flow CONTRIBUTE A TEST |
Subvert Trust Controls: SIP and Trust Provider Hijacking |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: Change Default File Association |
Container Service CONTRIBUTE A TEST |
Hybrid Identity CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: Emond |
Valid Accounts CONTRIBUTE A TEST |
Electron Applications CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Services File Permissions Weakness CONTRIBUTE A TEST |
Process Injection: Process Hollowing |
Impair Defenses: Disable or Modify Linux Audit System |
|
|
|
|
|
|
|
|
|
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Exploitation for Privilege Escalation CONTRIBUTE A TEST |
Rogue Domain Controller |
|
|
|
|
|
|
|
|
|
Create Account: Cloud Account |
Event Triggered Execution |
Subvert Trust Controls: Code Signing Policy Modification |
|
|
|
|
|
|
|
|
|
Account Manipulation |
Event Triggered Execution: .bash_profile .bashrc and .shrc |
Deploy a container |
|
|
|
|
|
|
|
|
|
Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Access Token Manipulation: SID-History Injection |
Modify Registry |
|
|
|
|
|
|
|
|
|
KernelCallbackTable CONTRIBUTE A TEST |
Elevated Execution with Prompt CONTRIBUTE A TEST |
Hijack Execution Flow: Path Interception by Search Order Hijacking |
|
|
|
|
|
|
|
|
|
Scheduled Task/Job: Systemd Timers |
Authentication Package |
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
ROMMONkit CONTRIBUTE A TEST |
Event Triggered Execution: Component Object Model Hijacking |
Bind Mounts CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Outlook Forms CONTRIBUTE A TEST |
Hijack Execution Flow: Path Interception by Unquoted Path |
Obfuscated Files or Information: Binary Padding |
|
|
|
|
|
|
|
|
|
Hijack Execution Flow CONTRIBUTE A TEST |
Boot or Logon Initialization Scripts: Startup Items |
Domain Policy Modification: Group Policy Modification |
|
|
|
|
|
|
|
|
|
Container Service CONTRIBUTE A TEST |
Domain Accounts CONTRIBUTE A TEST |
Valid Accounts: Default Accounts |
|
|
|
|
|
|
|
|
|
Valid Accounts CONTRIBUTE A TEST |
Event Triggered Execution: Python Startup Hooks |
Hijack Execution Flow: LD_PRELOAD |
|
|
|
|
|
|
|
|
|
Multi-Factor Authentication CONTRIBUTE A TEST |
Network Logon Script CONTRIBUTE A TEST |
Indicator Removal on Host: Clear Windows Event Logs |
|
|
|
|
|
|
|
|
|
IIS Components |
Event Triggered Execution: AppInit DLLs |
File and Directory Permissions Modification |
|
|
|
|
|
|
|
|
|
Event Triggered Execution |
Event Triggered Execution: Screensaver |
Junk Code Insertion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: .bash_profile .bashrc and .shrc |
Create or Modify System Process: Launch Agent |
Abuse Elevation Control Mechanism CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Authentication Package |
Proc Memory CONTRIBUTE A TEST |
Create Process with Token |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: Component Object Model Hijacking |
Installer Packages CONTRIBUTE A TEST |
Abuse Elevation Control Mechanism: Setuid and Setgid |
|
|
|
|
|
|
|
|
|
Office Application Startup: Outlook Home Page |
Boot or Logon Initialization Scripts: Rc.common |
Signed Binary Proxy Execution: Odbcconf |
|
|
|
|
|
|
|
|
|
Hijack Execution Flow: Path Interception by Unquoted Path |
Access Token Manipulation CONTRIBUTE A TEST |
Temporary Elevated Cloud Access CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Boot or Logon Initialization Scripts: Startup Items |
Create or Modify System Process: SysV/Systemd Service |
Process Doppelgänging CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Cloud Application Integration CONTRIBUTE A TEST |
XDG Autostart Entries CONTRIBUTE A TEST |
Delete Cloud Instance CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Domain Accounts CONTRIBUTE A TEST |
Thread Local Storage CONTRIBUTE A TEST |
Executable Installer File Permissions Weakness CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: Python Startup Hooks |
Boot or Logon Autostart Execution: Re-opened Applications |
Impair Defenses: Indicator Blocking |
|
|
|
|
|
|
|
|
|
Network Logon Script CONTRIBUTE A TEST |
Account Manipulation: Additional Email Delegate Permissions |
Extended Attributes CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
BITS Jobs |
TCC Manipulation CONTRIBUTE A TEST |
Disable or Modify Cloud Firewall CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: AppInit DLLs |
Ptrace System Calls CONTRIBUTE A TEST |
Right-to-Left Override CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: Screensaver |
Boot or Logon Initialization Scripts: Logon Script (Windows) |
SVG Smuggling CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Conditional Access Policies CONTRIBUTE A TEST |
Process Injection: ListPlanting |
Component Firmware CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Create or Modify System Process: Launch Agent |
Domain or Tenant Policy Modification CONTRIBUTE A TEST |
Indicator Removal on Host |
|
|
|
|
|
|
|
|
|
Server Software Component CONTRIBUTE A TEST |
Boot or Logon Autostart Execution: LSASS Driver |
Use Alternate Authentication Material: Pass the Ticket |
|
|
|
|
|
|
|
|
|
Modify Authentication Process: Domain Controller Authentication |
Valid Accounts: Cloud Accounts |
Masquerading: Masquerade Task or Service |
|
|
|
|
|
|
|
|
|
Reversible Encryption CONTRIBUTE A TEST |
Scheduled Task/Job: At |
Process Injection: Asynchronous Procedure Call |
|
|
|
|
|
|
|
|
|
Installer Packages CONTRIBUTE A TEST |
Process Injection: Dynamic-link Library Injection |
Plist File Modification |
|
|
|
|
|
|
|
|
|
Boot or Logon Initialization Scripts: Rc.common |
Udev Rules CONTRIBUTE A TEST |
JamPlus CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Create or Modify System Process: SysV/Systemd Service |
Event Triggered Execution: Netsh Helper DLL |
Subvert Trust Controls: Mark-of-the-Web Bypass |
|
|
|
|
|
|
|
|
|
Exclusive Control CONTRIBUTE A TEST |
Dylib Hijacking CONTRIBUTE A TEST |
Disable Crypto Hardware CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Create Account CONTRIBUTE A TEST |
Valid Accounts: Local Accounts |
Pre-OS Boot CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
XDG Autostart Entries CONTRIBUTE A TEST |
Hijack Execution Flow: COR_PROFILER |
Build Image on Host |
|
|
|
|
|
|
|
|
|
Boot or Logon Autostart Execution: Re-opened Applications |
|
Process Injection: Portable Executable Injection |
|
|
|
|
|
|
|
|
|
Account Manipulation: Additional Email Delegate Permissions |
|
Verclsid CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Power Settings CONTRIBUTE A TEST |
|
Impair Defenses: Downgrade Attack |
|
|
|
|
|
|
|
|
|
Boot or Logon Initialization Scripts: Logon Script (Windows) |
|
Virtualization/Sandbox Evasion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Office Application Startup: Office Test |
|
Signed Binary Proxy Execution: Mshta |
|
|
|
|
|
|
|
|
|
Boot or Logon Autostart Execution: LSASS Driver |
|
Execution Guardrails CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Valid Accounts: Cloud Accounts |
|
Access Token Manipulation: Token Impersonation/Theft |
|
|
|
|
|
|
|
|
|
Scheduled Task/Job: At |
|
Port Knocking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Modify Authentication Process CONTRIBUTE A TEST |
|
LNK Icon Smuggling CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Udev Rules CONTRIBUTE A TEST |
|
Hide Artifacts: Hidden Users |
|
|
|
|
|
|
|
|
|
Event Triggered Execution: Netsh Helper DLL |
|
Make and Impersonate Token CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
vSphere Installation Bundles CONTRIBUTE A TEST |
|
Impair Defenses: Impair Command History Logging |
|
|
|
|
|
|
|
|
|
SQL Stored Procedures CONTRIBUTE A TEST |
|
Network Provider DLL CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Network Device Authentication CONTRIBUTE A TEST |
|
User Activity Based Checks CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Dylib Hijacking CONTRIBUTE A TEST |
|
Access Token Manipulation: Parent PID Spoofing |
|
|
|
|
|
|
|
|
|
Valid Accounts: Local Accounts |
|
VDSO Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Hijack Execution Flow: COR_PROFILER |
|
Selective Exclusion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Services File Permissions Weakness CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Disable or Modify Network Device Firewall CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Delay Execution CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
KernelCallbackTable CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
ROMMONkit CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Signed Binary Proxy Execution: Compiled HTML File |
|
|
|
|
|
|
|
|
|
|
|
Indicator Removal on Host: Network Share Connection Removal |
|
|
|
|
|
|
|
|
|
|
|
Impair Defenses: Disable or Modify Tools |
|
|
|
|
|
|
|
|
|
|
|
Modify System Image CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Hijack Execution Flow CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Browser Fingerprint CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Indicator Removal from Tools CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Valid Accounts CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Process Injection: Process Hollowing |
|
|
|
|
|
|
|
|
|
|
|
Resource Forking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Obfuscated Files or Information |
|
|
|
|
|
|
|
|
|
|
|
Multi-Factor Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Invalid Code Signature CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Run Virtual Instance |
|
|
|
|
|
|
|
|
|
|
|
Polymorphic Code CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Access Token Manipulation: SID-History Injection |
|
|
|
|
|
|
|
|
|
|
|
Network Boundary Bridging CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Subvert Trust Controls CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Elevated Execution with Prompt CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Signed Binary Proxy Execution: Regsvr32 |
|
|
|
|
|
|
|
|
|
|
|
Masquerading: Rename System Utilities |
|
|
|
|
|
|
|
|
|
|
|
Spoof Security Alerting CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Hijack Execution Flow: Path Interception by Unquoted Path |
|
|
|
|
|
|
|
|
|
|
|
Steganography CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Web Session Cookie CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Domain Accounts CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Signed Binary Proxy Execution: Regsvcs/Regasm |
|
|
|
|
|
|
|
|
|
|
|
Subvert Trust Controls: Install Root Certificate |
|
|
|
|
|
|
|
|
|
|
|
Obfuscated Files or Information: Compile After Delivery |
|
|
|
|
|
|
|
|
|
|
|
VBA Stomping CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
BITS Jobs |
|
|
|
|
|
|
|
|
|
|
|
Trusted Developer Utilities Proxy Execution: MSBuild |
|
|
|
|
|
|
|
|
|
|
|
Impersonation CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Modify Cloud Compute Configurations CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Impair Defenses: Disable Cloud Logs |
|
|
|
|
|
|
|
|
|
|
|
Hide Artifacts: Hidden Window |
|
|
|
|
|
|
|
|
|
|
|
ClickOnce CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Relocate Malware CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Conditional Access Policies CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Create Cloud Instance CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Proc Memory CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Patch System Image CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Clear Persistence CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Masquerade Account Name CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Modify Authentication Process: Domain Controller Authentication |
|
|
|
|
|
|
|
|
|
|
|
HTML Smuggling |
|
|
|
|
|
|
|
|
|
|
|
Reversible Encryption CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Command Obfuscation CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Indicator Removal on Host: File Deletion |
|
|
|
|
|
|
|
|
|
|
|
Template Injection |
|
|
|
|
|
|
|
|
|
|
|
Access Token Manipulation CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Obfuscated Files or Information: Software Packing |
|
|
|
|
|
|
|
|
|
|
|
Hidden File System CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Email Spoofing CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Thread Local Storage CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Debugger Evasion |
|
|
|
|
|
|
|
|
|
|
|
Masquerading: Space after Filename |
|
|
|
|
|
|
|
|
|
|
|
Use Alternate Authentication Material: Pass the Hash |
|
|
|
|
|
|
|
|
|
|
|
SyncAppvPublishingServer CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
TCC Manipulation CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Ptrace System Calls CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Obfuscated Files or Information: Dynamic API Resolution |
|
|
|
|
|
|
|
|
|
|
|
Process Injection: ListPlanting |
|
|
|
|
|
|
|
|
|
|
|
Domain or Tenant Policy Modification CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
XSL Script Processing |
|
|
|
|
|
|
|
|
|
|
|
Hide Artifacts: Hidden Files and Directories |
|
|
|
|
|
|
|
|
|
|
|
Modify Cloud Compute Infrastructure: Create Snapshot |
|
|
|
|
|
|
|
|
|
|
|
Application Access Token CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Valid Accounts: Cloud Accounts |
|
|
|
|
|
|
|
|
|
|
|
Environmental Keying CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Hide Artifacts: NTFS File Attributes |
|
|
|
|
|
|
|
|
|
|
|
Process Injection: Dynamic-link Library Injection |
|
|
|
|
|
|
|
|
|
|
|
Modify Authentication Process CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Signed Script Proxy Execution |
|
|
|
|
|
|
|
|
|
|
|
Network Device Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Compression CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Dylib Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Downgrade System Image CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Valid Accounts: Local Accounts |
|
|
|
|
|
|
|
|
|
|
|
Exploitation for Defense Evasion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Trusted Developer Utilities Proxy Execution |
|
|
|
|
|
|
|
|
|
|
|
MMC CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Process Argument Spoofing CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Hijack Execution Flow: COR_PROFILER |
|
|
|
|
|
|
|
Atomic Red Team doc generator