| External Remote Services |
Scheduled Task |
Scheduled Task |
Extra Window Memory Injection CONTRIBUTE A TEST |
Extra Window Memory Injection CONTRIBUTE A TEST |
Adversary-in-the-Middle CONTRIBUTE A TEST |
System Owner/User Discovery |
VNC CONTRIBUTE A TEST |
Archive via Utility |
Exfiltration Over Web Service |
Standard Encoding |
Disk Structure Wipe CONTRIBUTE A TEST |
| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST |
Windows Management Instrumentation |
Malicious Shell Modification CONTRIBUTE A TEST |
Scheduled Task |
Indicator Removal from Tools CONTRIBUTE A TEST |
Pluggable Authentication Modules |
Container and Resource Discovery CONTRIBUTE A TEST |
Taint Shared Content CONTRIBUTE A TEST |
Screen Capture |
Scheduled Transfer CONTRIBUTE A TEST |
Domain Generation Algorithms CONTRIBUTE A TEST |
Direct Network Flood CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST |
Shared Modules CONTRIBUTE A TEST |
Bootkit CONTRIBUTE A TEST |
Boot or Logon Initialization Scripts CONTRIBUTE A TEST |
Rundll32 |
Keylogging |
Internet Connection Discovery CONTRIBUTE A TEST |
Application Access Token CONTRIBUTE A TEST |
Adversary-in-the-Middle CONTRIBUTE A TEST |
Exfiltration Over Other Network Medium CONTRIBUTE A TEST |
DNS |
Stored Data Manipulation CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST |
JavaScript CONTRIBUTE A TEST |
Boot or Logon Initialization Scripts CONTRIBUTE A TEST |
Plist Modification CONTRIBUTE A TEST |
Hidden Window CONTRIBUTE A TEST |
Password Guessing |
Permission Groups Discovery CONTRIBUTE A TEST |
SSH CONTRIBUTE A TEST |
Keylogging |
Exfiltration Over Bluetooth CONTRIBUTE A TEST |
Domain Fronting CONTRIBUTE A TEST |
External Defacement CONTRIBUTE A TEST |
| Spearphishing Attachment |
Container Orchestration Job |
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST |
Path Interception by PATH Environment Variable CONTRIBUTE A TEST |
Plist Modification CONTRIBUTE A TEST |
OS Credential Dumping |
Cloud Groups CONTRIBUTE A TEST |
Application Deployment Software CONTRIBUTE A TEST |
Data from Configuration Repository CONTRIBUTE A TEST |
Automated Exfiltration |
Symmetric Cryptography CONTRIBUTE A TEST |
OS Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Hardware Supply Chain CONTRIBUTE A TEST |
Regsvcs/Regasm CONTRIBUTE A TEST |
Plist Modification CONTRIBUTE A TEST |
File System Permissions Weakness CONTRIBUTE A TEST |
Pluggable Authentication Modules |
LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST |
Group Policy Discovery |
Replication Through Removable Media |
Sharepoint CONTRIBUTE A TEST |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST |
Fast Flux DNS CONTRIBUTE A TEST |
Application Exhaustion Flood CONTRIBUTE A TEST |
| Replication Through Removable Media |
Dynamic Data Exchange |
Pluggable Authentication Modules |
PowerShell Profile |
Revert Cloud Instance CONTRIBUTE A TEST |
Steal Web Session Cookie |
Domain Account |
SSH Hijacking CONTRIBUTE A TEST |
Audio Capture |
Traffic Duplication CONTRIBUTE A TEST |
Application Layer Protocol CONTRIBUTE A TEST |
Disk Wipe CONTRIBUTE A TEST |
| Supply Chain Compromise |
Malicious File |
Path Interception by PATH Environment Variable CONTRIBUTE A TEST |
Elevated Execution with Prompt CONTRIBUTE A TEST |
HISTCONTROL CONTRIBUTE A TEST |
Security Account Manager |
Security Software Discovery CONTRIBUTE A TEST |
SMB/Windows Admin Shares |
Archive via Custom Method CONTRIBUTE A TEST |
Exfiltration to Code Repository CONTRIBUTE A TEST |
Custom Cryptographic Protocol CONTRIBUTE A TEST |
Stored Data Manipulation CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST |
Cron |
File System Permissions Weakness CONTRIBUTE A TEST |
Create or Modify System Process CONTRIBUTE A TEST |
Linux and Mac File and Directory Permissions Modification |
Cloud Instance Metadata API |
Local Account |
Use Alternate Authentication Material CONTRIBUTE A TEST |
Email Collection CONTRIBUTE A TEST |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Remote Access Software |
Service Stop |
| Default Accounts |
Component Object Model CONTRIBUTE A TEST |
PowerShell Profile |
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST |
PubPrn |
Securityd Memory CONTRIBUTE A TEST |
System Checks |
Remote Desktop Protocol CONTRIBUTE A TEST |
Data from Removable Media CONTRIBUTE A TEST |
Exfiltration Over C2 Channel |
Multilayer Encryption CONTRIBUTE A TEST |
Application or System Exploitation CONTRIBUTE A TEST |
| Spearphishing Attachment CONTRIBUTE A TEST |
Scheduled Task/Job CONTRIBUTE A TEST |
Systemd Service CONTRIBUTE A TEST |
Container Orchestration Job |
Path Interception by PATH Environment Variable CONTRIBUTE A TEST |
Cloud Instance Metadata API CONTRIBUTE A TEST |
Domain Groups |
Remote Services CONTRIBUTE A TEST |
Local Data Staging |
Exfiltration Over Alternative Protocol |
Traffic Signaling CONTRIBUTE A TEST |
Disk Structure Wipe CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST |
AppleScript |
Create or Modify System Process CONTRIBUTE A TEST |
Bypass User Account Control |
Direct Volume Access |
Password Cracking |
System Service Discovery |
Remote Service Session Hijacking CONTRIBUTE A TEST |
Local Email Collection |
Exfiltration over USB CONTRIBUTE A TEST |
Standard Cryptographic Protocol CONTRIBUTE A TEST |
Runtime Data Manipulation CONTRIBUTE A TEST |
| Phishing CONTRIBUTE A TEST |
Native API |
External Remote Services |
Sudo and Sudo Caching |
Email Hiding Rules CONTRIBUTE A TEST |
Keychain |
Network Sniffing |
Windows Remote Management |
Automated Collection |
Data Compressed CONTRIBUTE A TEST |
Protocol Tunneling |
Reflection Amplification CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST |
Source CONTRIBUTE A TEST |
Component Firmware CONTRIBUTE A TEST |
Services Registry Permissions Weakness |
Rootkit |
LSA Secrets |
Network Share Discovery |
Distributed Component Object Model |
Clipboard Data |
Exfiltration to Cloud Storage CONTRIBUTE A TEST |
Domain Generation Algorithms CONTRIBUTE A TEST |
Service Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Software Supply Chain CONTRIBUTE A TEST |
Launchctl CONTRIBUTE A TEST |
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST |
SID-History Injection CONTRIBUTE A TEST |
Component Firmware CONTRIBUTE A TEST |
SAML Tokens |
Peripheral Device Discovery |
Component Object Model and Distributed COM CONTRIBUTE A TEST |
Data from Cloud Storage Object |
Data Transfer Size Limits |
Mail Protocols CONTRIBUTE A TEST |
Defacement CONTRIBUTE A TEST |
| Domain Accounts CONTRIBUTE A TEST |
Deploy Container CONTRIBUTE A TEST |
Container Orchestration Job |
Boot or Logon Autostart Execution |
Double File Extension CONTRIBUTE A TEST |
Securityd Memory CONTRIBUTE A TEST |
System Information Discovery |
Pass the Ticket |
Remote Data Staging CONTRIBUTE A TEST |
Transfer Data to Cloud Account CONTRIBUTE A TEST |
Communication Through Removable Media CONTRIBUTE A TEST |
Internal Defacement |
| Spearphishing via Service CONTRIBUTE A TEST |
AppleScript CONTRIBUTE A TEST |
System Firmware CONTRIBUTE A TEST |
Port Monitors CONTRIBUTE A TEST |
Bypass User Account Control |
Credentials in Registry CONTRIBUTE A TEST |
Application Window Discovery |
Shared Webroot CONTRIBUTE A TEST |
Data from Local System CONTRIBUTE A TEST |
Data Encrypted CONTRIBUTE A TEST |
External Proxy CONTRIBUTE A TEST |
Data Manipulation CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST |
Rundll32 CONTRIBUTE A TEST |
Services Registry Permissions Weakness |
Sudo Caching CONTRIBUTE A TEST |
Timestomp CONTRIBUTE A TEST |
Proc Filesystem |
Email Account CONTRIBUTE A TEST |
Software Deployment Tools |
Archive via Library |
Exfiltration Over Physical Medium CONTRIBUTE A TEST |
Proxy CONTRIBUTE A TEST |
Account Access Removal |
| Drive-by Compromise CONTRIBUTE A TEST |
At (Linux) CONTRIBUTE A TEST |
Rc.common CONTRIBUTE A TEST |
Active Setup CONTRIBUTE A TEST |
Sudo and Sudo Caching |
Password Managers CONTRIBUTE A TEST |
Time Based Evasion CONTRIBUTE A TEST |
Exploitation of Remote Services CONTRIBUTE A TEST |
Network Device Configuration Dump CONTRIBUTE A TEST |
Exfiltration Over Unencrypted Non-C2 Protocol |
Dynamic Resolution CONTRIBUTE A TEST |
Data Encrypted for Impact |
| Cloud Accounts |
Regsvr32 CONTRIBUTE A TEST |
Bootkit CONTRIBUTE A TEST |
Domain Trust Modification |
Modify Cloud Compute Infrastructure CONTRIBUTE A TEST |
Network Sniffing |
Cloud Infrastructure Discovery CONTRIBUTE A TEST |
Internal Spearphishing CONTRIBUTE A TEST |
Archive Collected Data |
|
Multi-hop Proxy CONTRIBUTE A TEST |
Disk Content Wipe CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST |
LSASS Driver CONTRIBUTE A TEST |
Boot or Logon Autostart Execution |
Windows Service |
System Firmware CONTRIBUTE A TEST |
Credentials in Registry |
Browser Bookmark Discovery |
Pass the Ticket CONTRIBUTE A TEST |
Browser Session Hijacking CONTRIBUTE A TEST |
|
Web Service CONTRIBUTE A TEST |
Endpoint Denial of Service CONTRIBUTE A TEST |
| Local Accounts |
Command and Scripting Interpreter CONTRIBUTE A TEST |
Port Monitors CONTRIBUTE A TEST |
Cron |
Services Registry Permissions Weakness |
Password Filter DLL |
System Network Configuration Discovery |
Lateral Tool Transfer CONTRIBUTE A TEST |
DHCP Spoofing CONTRIBUTE A TEST |
|
DNS Calculation CONTRIBUTE A TEST |
Runtime Data Manipulation CONTRIBUTE A TEST |
|
Component Object Model and Distributed COM CONTRIBUTE A TEST |
Active Setup CONTRIBUTE A TEST |
Startup Items CONTRIBUTE A TEST |
Bootkit CONTRIBUTE A TEST |
AS-REP Roasting |
Account Discovery CONTRIBUTE A TEST |
SSH Hijacking CONTRIBUTE A TEST |
LLMNR/NBT-NS Poisoning and SMB Relay |
|
Multi-Stage Channels CONTRIBUTE A TEST |
Transmitted Data Manipulation CONTRIBUTE A TEST |
|
Container Administration Command |
Screensaver CONTRIBUTE A TEST |
Print Processors CONTRIBUTE A TEST |
Code Signing CONTRIBUTE A TEST |
Steal or Forge Kerberos Tickets CONTRIBUTE A TEST |
Domain Trust Discovery |
Pass the Hash CONTRIBUTE A TEST |
Web Portal Capture CONTRIBUTE A TEST |
|
Port Knocking CONTRIBUTE A TEST |
Resource Hijacking |
|
CMSTP CONTRIBUTE A TEST |
TFTP Boot CONTRIBUTE A TEST |
DLL Search Order Hijacking |
Mavinject CONTRIBUTE A TEST |
Credentials from Password Stores |
File and Directory Discovery |
Windows Remote Management CONTRIBUTE A TEST |
Video Capture |
|
Multiband Communication CONTRIBUTE A TEST |
Transmitted Data Manipulation CONTRIBUTE A TEST |
|
Scripting CONTRIBUTE A TEST |
Windows Service |
AppInit DLLs CONTRIBUTE A TEST |
Process Hollowing CONTRIBUTE A TEST |
Unsecured Credentials CONTRIBUTE A TEST |
System Network Connections Discovery |
Web Session Cookie CONTRIBUTE A TEST |
Confluence CONTRIBUTE A TEST |
|
File Transfer Protocols CONTRIBUTE A TEST |
Data Destruction |
|
Launchctl |
Cron |
Scheduled Task/Job CONTRIBUTE A TEST |
Match Legitimate Name or Location |
Bash History CONTRIBUTE A TEST |
Virtualization/Sandbox Evasion CONTRIBUTE A TEST |
Web Session Cookie CONTRIBUTE A TEST |
Email Forwarding Rule CONTRIBUTE A TEST |
|
One-Way Communication CONTRIBUTE A TEST |
Network Denial of Service CONTRIBUTE A TEST |
|
Network Device CLI CONTRIBUTE A TEST |
Startup Items CONTRIBUTE A TEST |
Service Registry Permissions Weakness CONTRIBUTE A TEST |
Weaken Encryption CONTRIBUTE A TEST |
Credentials from Web Browsers CONTRIBUTE A TEST |
Cloud Storage Object Discovery CONTRIBUTE A TEST |
RDP Hijacking |
Data Staged CONTRIBUTE A TEST |
|
Multi-hop Proxy |
Firmware Corruption CONTRIBUTE A TEST |
|
XPC Services CONTRIBUTE A TEST |
Office Application Startup |
Thread Execution Hijacking CONTRIBUTE A TEST |
Regsvcs/Regasm CONTRIBUTE A TEST |
Private Keys CONTRIBUTE A TEST |
Cloud Account CONTRIBUTE A TEST |
Pass the Hash |
GUI Input Capture |
|
Data Obfuscation CONTRIBUTE A TEST |
Inhibit System Recovery |
|
User Execution CONTRIBUTE A TEST |
Additional Cloud Roles CONTRIBUTE A TEST |
Application Shimming |
Hide Artifacts |
Credentials from Web Browsers |
Process Discovery |
Remote Desktop Protocol |
Data from Network Shared Drive |
|
Non-Standard Port |
Disk Content Wipe CONTRIBUTE A TEST |
|
Control Panel Items CONTRIBUTE A TEST |
Print Processors CONTRIBUTE A TEST |
Port Monitors |
Domain Trust Modification |
DHCP Spoofing CONTRIBUTE A TEST |
User Activity Based Checks CONTRIBUTE A TEST |
Application Access Token CONTRIBUTE A TEST |
Remote Email Collection CONTRIBUTE A TEST |
|
Encrypted Channel |
System Shutdown/Reboot |
|
Launchd CONTRIBUTE A TEST |
DLL Search Order Hijacking |
Login Hook |
Application Access Token CONTRIBUTE A TEST |
Private Keys |
Local Groups |
Windows Admin Shares CONTRIBUTE A TEST |
Input Capture CONTRIBUTE A TEST |
|
Bidirectional Communication CONTRIBUTE A TEST |
|
|
Software Deployment Tools |
AppInit DLLs CONTRIBUTE A TEST |
Process Injection |
Safe Mode Boot CONTRIBUTE A TEST |
LLMNR/NBT-NS Poisoning and SMB Relay |
Password Policy Discovery |
|
ARP Cache Poisoning CONTRIBUTE A TEST |
|
Asymmetric Cryptography CONTRIBUTE A TEST |
|
|
PowerShell |
Add-ins |
DLL Search Order Hijacking CONTRIBUTE A TEST |
TFTP Boot CONTRIBUTE A TEST |
LSASS Memory |
System Language Discovery |
|
Code Repositories CONTRIBUTE A TEST |
|
Non-Application Layer Protocol |
|
|
Mshta CONTRIBUTE A TEST |
Transport Agent |
New Service CONTRIBUTE A TEST |
System Checks |
Hooking CONTRIBUTE A TEST |
Query Registry |
|
Data from Information Repositories CONTRIBUTE A TEST |
|
Protocol Impersonation CONTRIBUTE A TEST |
|
|
Systemd Timers |
Scheduled Task/Job CONTRIBUTE A TEST |
Escape to Host |
Clear Linux or Mac System Logs |
Password Spraying |
System Location Discovery CONTRIBUTE A TEST |
|
SNMP (MIB Dump) CONTRIBUTE A TEST |
|
Uncommonly Used Port CONTRIBUTE A TEST |
|
|
Graphical User Interface CONTRIBUTE A TEST |
Login Item CONTRIBUTE A TEST |
Shortcut Modification |
InstallUtil |
Web Portal Capture CONTRIBUTE A TEST |
Security Software Discovery |
|
Credential API Hooking |
|
Domain Fronting CONTRIBUTE A TEST |
|
|
Unix Shell |
Password Filter DLL |
AppCert DLLs CONTRIBUTE A TEST |
Disabling Security Tools CONTRIBUTE A TEST |
Cached Domain Credentials |
Cloud Service Discovery |
|
|
|
Data Encoding CONTRIBUTE A TEST |
|
|
Inter-Process Communication CONTRIBUTE A TEST |
Terminal Services DLL CONTRIBUTE A TEST |
Security Support Provider |
DLL Search Order Hijacking |
Golden Ticket |
Remote System Discovery |
|
|
|
Non-Standard Encoding CONTRIBUTE A TEST |
|
|
Malicious Image CONTRIBUTE A TEST |
Browser Extensions |
Extra Window Memory Injection CONTRIBUTE A TEST |
Gatekeeper Bypass |
Bash History |
Network Service Discovery |
|
|
|
Web Protocols |
|
|
Trap CONTRIBUTE A TEST |
Service Registry Permissions Weakness CONTRIBUTE A TEST |
Launch Daemon |
Code Signing CONTRIBUTE A TEST |
Credentials In Files |
Software Discovery |
|
|
|
Ingress Tool Transfer |
|
|
Exploitation for Client Execution CONTRIBUTE A TEST |
Outlook Rules CONTRIBUTE A TEST |
Path Interception by Search Order Hijacking |
Windows File and Directory Permissions Modification |
Web Cookies CONTRIBUTE A TEST |
Cloud Service Dashboard CONTRIBUTE A TEST |
|
|
|
Steganography CONTRIBUTE A TEST |
|
|
Local Job Scheduling CONTRIBUTE A TEST |
Application Shimming |
Group Policy Modification CONTRIBUTE A TEST |
Msiexec |
Steal Application Access Token CONTRIBUTE A TEST |
Debugger Evasion CONTRIBUTE A TEST |
|
|
|
Fallback Channels CONTRIBUTE A TEST |
|
|
Windows Remote Management CONTRIBUTE A TEST |
Port Monitors |
Default Accounts |
Password Filter DLL |
Group Policy Preferences |
System Time Discovery |
|
|
|
Internal Proxy |
|
|
Python |
Login Hook |
Time Providers |
Reduce Key Space CONTRIBUTE A TEST |
Input Prompt CONTRIBUTE A TEST |
|
|
|
|
Custom Command and Control Protocol CONTRIBUTE A TEST |
|
|
System Services CONTRIBUTE A TEST |
Traffic Signaling CONTRIBUTE A TEST |
Image File Execution Options Injection CONTRIBUTE A TEST |
Clear Command History |
Forge Web Credentials CONTRIBUTE A TEST |
|
|
|
|
Dead Drop Resolver CONTRIBUTE A TEST |
|
|
Windows Command Shell |
DLL Search Order Hijacking CONTRIBUTE A TEST |
Trap |
Indirect Command Execution |
Multi-Factor Authentication Request Generation CONTRIBUTE A TEST |
|
|
|
|
Junk Data CONTRIBUTE A TEST |
|
|
Compiled HTML File CONTRIBUTE A TEST |
New Service CONTRIBUTE A TEST |
Dynamic Linker Hijacking |
Revert Cloud Instance CONTRIBUTE A TEST |
Exploitation for Credential Access CONTRIBUTE A TEST |
|
|
|
|
Commonly Used Port CONTRIBUTE A TEST |
|
|
Visual Basic |
Shortcut Modification |
At (Linux) CONTRIBUTE A TEST |
Deobfuscate/Decode Files or Information |
Keychain CONTRIBUTE A TEST |
|
|
|
|
|
|
|
Space after Filename CONTRIBUTE A TEST |
Hypervisor CONTRIBUTE A TEST |
Hooking CONTRIBUTE A TEST |
Impair Defenses CONTRIBUTE A TEST |
GUI Input Capture |
|
|
|
|
|
|
|
Dynamic Data Exchange CONTRIBUTE A TEST |
AppCert DLLs CONTRIBUTE A TEST |
Plist Modification CONTRIBUTE A TEST |
Thread Execution Hijacking CONTRIBUTE A TEST |
Brute Force CONTRIBUTE A TEST |
|
|
|
|
|
|
|
Malicious Link CONTRIBUTE A TEST |
Implant Internal Image CONTRIBUTE A TEST |
Abuse Elevation Control Mechanism CONTRIBUTE A TEST |
Masquerading |
Credential Stuffing |
|
|
|
|
|
|
|
Service Execution |
Security Support Provider |
Create Process with Token |
Process Injection |
Kerberoasting CONTRIBUTE A TEST |
|
|
|
|
|
|
|
At |
Winlogon Helper DLL CONTRIBUTE A TEST |
Setuid and Setgid |
Traffic Signaling CONTRIBUTE A TEST |
Forced Authentication |
|
|
|
|
|
|
|
Service Execution CONTRIBUTE A TEST |
Authentication Package CONTRIBUTE A TEST |
Winlogon Helper DLL |
System Binary Proxy Execution |
Password Filter DLL CONTRIBUTE A TEST |
|
|
|
|
|
|
|
PowerShell CONTRIBUTE A TEST |
Launchctl CONTRIBUTE A TEST |
Image File Execution Options Injection |
DLL Search Order Hijacking CONTRIBUTE A TEST |
Credentials in Files CONTRIBUTE A TEST |
|
|
|
|
|
|
|
InstallUtil CONTRIBUTE A TEST |
Launch Daemon |
Process Doppelgänging CONTRIBUTE A TEST |
Timestomp |
Input Capture CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Path Interception by Search Order Hijacking |
Executable Installer File Permissions Weakness CONTRIBUTE A TEST |
Reflective Code Loading |
ARP Cache Poisoning CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Web Shell |
Accessibility Features |
Time Based Evasion CONTRIBUTE A TEST |
/etc/passwd and /etc/shadow |
|
|
|
|
|
|
|
|
Default Accounts |
PowerShell Profile CONTRIBUTE A TEST |
CMSTP |
Silver Ticket |
|
|
|
|
|
|
|
|
Time Providers |
Asynchronous Procedure Call |
Disable Windows Event Logging |
Windows Credential Manager |
|
|
|
|
|
|
|
|
Image File Execution Options Injection CONTRIBUTE A TEST |
Application Shimming CONTRIBUTE A TEST |
Control Panel |
Domain Controller Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Modify Existing Service CONTRIBUTE A TEST |
AppCert DLLs |
Network Address Translation Traversal CONTRIBUTE A TEST |
Reversible Encryption CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Trap |
Portable Executable Injection CONTRIBUTE A TEST |
Binary Padding CONTRIBUTE A TEST |
Multi-Factor Authentication Interception CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Dynamic Linker Hijacking |
Login Items CONTRIBUTE A TEST |
Use Alternate Authentication Material CONTRIBUTE A TEST |
NTDS |
|
|
|
|
|
|
|
|
Local Account |
Token Impersonation/Theft |
Extra Window Memory Injection CONTRIBUTE A TEST |
Kerberoasting |
|
|
|
|
|
|
|
|
At (Linux) CONTRIBUTE A TEST |
Make and Impersonate Token CONTRIBUTE A TEST |
Disable or Modify System Firewall |
DCSync |
|
|
|
|
|
|
|
|
Hooking CONTRIBUTE A TEST |
Launchd CONTRIBUTE A TEST |
Launchctl CONTRIBUTE A TEST |
Modify Authentication Process CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Plist Modification CONTRIBUTE A TEST |
Windows Management Instrumentation Event Subscription |
SIP and Trust Provider Hijacking CONTRIBUTE A TEST |
Credential API Hooking |
|
|
|
|
|
|
|
|
Winlogon Helper DLL |
Parent PID Spoofing |
Rogue Domain Controller |
Container API |
|
|
|
|
|
|
|
|
System Firmware CONTRIBUTE A TEST |
Change Default File Association |
Code Signing Policy Modification CONTRIBUTE A TEST |
Network Device Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
Change Default File Association CONTRIBUTE A TEST |
VDSO Hijacking CONTRIBUTE A TEST |
Deploy Container CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Re-opened Applications CONTRIBUTE A TEST |
Accessibility Features CONTRIBUTE A TEST |
File Deletion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Redundant Access CONTRIBUTE A TEST |
Emond |
Modify Registry |
|
|
|
|
|
|
|
|
|
SSH Authorized Keys |
Parent PID Spoofing CONTRIBUTE A TEST |
Path Interception by Search Order Hijacking |
|
|
|
|
|
|
|
|
|
Kernel Modules and Extensions CONTRIBUTE A TEST |
Sudo CONTRIBUTE A TEST |
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Security Support Provider CONTRIBUTE A TEST |
Services File Permissions Weakness CONTRIBUTE A TEST |
Binary Padding |
|
|
|
|
|
|
|
|
|
Image File Execution Options Injection |
Registry Run Keys / Startup Folder |
Group Policy Modification CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
LSASS Driver CONTRIBUTE A TEST |
Kernel Modules and Extensions |
Default Accounts |
|
|
|
|
|
|
|
|
|
Executable Installer File Permissions Weakness CONTRIBUTE A TEST |
KernelCallbackTable CONTRIBUTE A TEST |
Image File Execution Options Injection CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Accessibility Features |
Systemd Timers |
Rundll32 CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
PowerShell Profile CONTRIBUTE A TEST |
Dylib Hijacking CONTRIBUTE A TEST |
Dynamic Linker Hijacking |
|
|
|
|
|
|
|
|
|
SIP and Trust Provider Hijacking CONTRIBUTE A TEST |
Hijack Execution Flow CONTRIBUTE A TEST |
Clear Windows Event Logs |
|
|
|
|
|
|
|
|
|
Domain Account |
Valid Accounts CONTRIBUTE A TEST |
File and Directory Permissions Modification CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Component Firmware CONTRIBUTE A TEST |
Process Hollowing |
Abuse Elevation Control Mechanism CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Office Template Macros CONTRIBUTE A TEST |
Exploitation for Privilege Escalation CONTRIBUTE A TEST |
Create Process with Token |
|
|
|
|
|
|
|
|
|
Application Shimming CONTRIBUTE A TEST |
Event Triggered Execution CONTRIBUTE A TEST |
Setuid and Setgid |
|
|
|
|
|
|
|
|
|
AppCert DLLs |
Unix Shell Configuration Modification |
Regsvr32 CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Device Registration CONTRIBUTE A TEST |
SID-History Injection |
Indicator Blocking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Pre-OS Boot CONTRIBUTE A TEST |
Elevated Execution with Prompt CONTRIBUTE A TEST |
Redundant Access CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Login Items CONTRIBUTE A TEST |
Authentication Package |
Odbcconf |
|
|
|
|
|
|
|
|
|
Port Knocking CONTRIBUTE A TEST |
Component Object Model Hijacking |
Gatekeeper Bypass CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Additional Cloud Credentials |
Path Interception by Unquoted Path |
Software Packing CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Launchd CONTRIBUTE A TEST |
Setuid and Setgid CONTRIBUTE A TEST |
Process Doppelgänging CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Windows Management Instrumentation Event Subscription |
Startup Items |
Delete Cloud Instance CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Registry Run Keys / Startup Folder CONTRIBUTE A TEST |
Web Shell CONTRIBUTE A TEST |
Executable Installer File Permissions Weakness CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Compromise Client Software Binary CONTRIBUTE A TEST |
Domain Accounts CONTRIBUTE A TEST |
SIP and Trust Provider Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Shortcut Modification CONTRIBUTE A TEST |
Path Interception CONTRIBUTE A TEST |
Indicator Blocking |
|
|
|
|
|
|
|
|
|
Change Default File Association |
Network Logon Script CONTRIBUTE A TEST |
Disable or Modify Cloud Firewall CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Component Object Model Hijacking CONTRIBUTE A TEST |
Bypass User Account Control CONTRIBUTE A TEST |
Right-to-Left Override CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Accessibility Features CONTRIBUTE A TEST |
AppInit DLLs |
Component Firmware CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Emond |
Screensaver |
Indicator Removal on Host |
|
|
|
|
|
|
|
|
|
Services File Permissions Weakness CONTRIBUTE A TEST |
Launch Agent |
Pass the Ticket |
|
|
|
|
|
|
|
|
|
Registry Run Keys / Startup Folder |
Proc Memory CONTRIBUTE A TEST |
Masquerade Task or Service |
|
|
|
|
|
|
|
|
|
Cloud Account |
Emond CONTRIBUTE A TEST |
Asynchronous Procedure Call |
|
|
|
|
|
|
|
|
|
Account Manipulation |
RC Scripts |
Plist File Modification |
|
|
|
|
|
|
|
|
|
Kernel Modules and Extensions |
Access Token Manipulation CONTRIBUTE A TEST |
CMSTP CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
KernelCallbackTable CONTRIBUTE A TEST |
Systemd Service |
Mark-of-the-Web Bypass |
|
|
|
|
|
|
|
|
|
Systemd Timers |
XDG Autostart Entries CONTRIBUTE A TEST |
Disable Crypto Hardware CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
ROMMONkit CONTRIBUTE A TEST |
Thread Local Storage CONTRIBUTE A TEST |
Pre-OS Boot CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Outlook Forms CONTRIBUTE A TEST |
Re-opened Applications |
Scripting CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Dylib Hijacking CONTRIBUTE A TEST |
DLL Side-Loading |
Build Image on Host CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Hijack Execution Flow CONTRIBUTE A TEST |
Launch Daemon CONTRIBUTE A TEST |
Portable Executable Injection CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Valid Accounts CONTRIBUTE A TEST |
Ptrace System Calls CONTRIBUTE A TEST |
Verclsid CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
IIS Components CONTRIBUTE A TEST |
Logon Script (Windows) |
Downgrade Attack CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Trap CONTRIBUTE A TEST |
ListPlanting CONTRIBUTE A TEST |
Virtualization/Sandbox Evasion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Event Triggered Execution CONTRIBUTE A TEST |
Domain Policy Modification CONTRIBUTE A TEST |
Mshta |
|
|
|
|
|
|
|
|
|
Unix Shell Configuration Modification |
LSASS Driver CONTRIBUTE A TEST |
Execution Guardrails CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Authentication Package |
Cloud Accounts |
Token Impersonation/Theft |
|
|
|
|
|
|
|
|
|
Netsh Helper DLL CONTRIBUTE A TEST |
At |
Port Knocking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Component Object Model Hijacking |
Dynamic-link Library Injection |
Hidden Users |
|
|
|
|
|
|
|
|
|
Outlook Home Page |
Netsh Helper DLL |
Make and Impersonate Token CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Path Interception by Unquoted Path |
Dylib Hijacking CONTRIBUTE A TEST |
Control Panel Items CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Local Job Scheduling CONTRIBUTE A TEST |
Local Accounts |
Impair Command History Logging |
|
|
|
|
|
|
|
|
|
Setuid and Setgid CONTRIBUTE A TEST |
COR_PROFILER |
User Activity Based Checks CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Startup Items |
|
Parent PID Spoofing |
|
|
|
|
|
|
|
|
|
Web Shell CONTRIBUTE A TEST |
|
VDSO Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Domain Accounts CONTRIBUTE A TEST |
|
Component Object Model Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Path Interception CONTRIBUTE A TEST |
|
Parent PID Spoofing CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Network Logon Script CONTRIBUTE A TEST |
|
Services File Permissions Weakness CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
BITS Jobs |
|
LC_MAIN Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
AppInit DLLs |
|
Mshta CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Screensaver |
|
KernelCallbackTable CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Launch Agent |
|
ROMMONkit CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Emond CONTRIBUTE A TEST |
|
Compiled HTML File |
|
|
|
|
|
|
|
|
|
Server Software Component CONTRIBUTE A TEST |
|
Network Share Connection Removal |
|
|
|
|
|
|
|
|
|
Domain Controller Authentication CONTRIBUTE A TEST |
|
Disable or Modify Tools |
|
|
|
|
|
|
|
|
|
Reversible Encryption CONTRIBUTE A TEST |
|
Modify System Image CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Hidden Files and Directories CONTRIBUTE A TEST |
|
Hijack Execution Flow CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
RC Scripts |
|
Indicator Removal from Tools CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Time Providers CONTRIBUTE A TEST |
|
Valid Accounts CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Launch Agent CONTRIBUTE A TEST |
|
DLL Side-Loading CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Systemd Service |
|
Process Hollowing |
|
|
|
|
|
|
|
|
|
Create Account CONTRIBUTE A TEST |
|
Resource Forking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
XDG Autostart Entries CONTRIBUTE A TEST |
|
Obfuscated Files or Information |
|
|
|
|
|
|
|
|
|
Re-opened Applications |
|
Invalid Code Signature CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
DLL Side-Loading |
|
Run Virtual Instance |
|
|
|
|
|
|
|
|
|
Additional Email Delegate Permissions CONTRIBUTE A TEST |
|
SID-History Injection |
|
|
|
|
|
|
|
|
|
Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST |
|
Network Boundary Bridging CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Launch Daemon CONTRIBUTE A TEST |
|
Subvert Trust Controls CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Logon Script (Windows) |
|
Elevated Execution with Prompt CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Office Test |
|
Regsvr32 |
|
|
|
|
|
|
|
|
|
LSASS Driver CONTRIBUTE A TEST |
|
Rename System Utilities |
|
|
|
|
|
|
|
|
|
Cloud Accounts |
|
Path Interception by Unquoted Path |
|
|
|
|
|
|
|
|
|
At |
|
Process Doppelgänging CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Modify Authentication Process CONTRIBUTE A TEST |
|
Steganography CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Netsh Helper DLL |
|
Web Session Cookie CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
SQL Stored Procedures CONTRIBUTE A TEST |
|
Domain Accounts CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Network Device Authentication CONTRIBUTE A TEST |
|
Regsvcs/Regasm |
|
|
|
|
|
|
|
|
|
Dylib Hijacking CONTRIBUTE A TEST |
|
Web Session Cookie CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
Local Accounts |
|
Install Root Certificate |
|
|
|
|
|
|
|
|
|
COR_PROFILER |
|
Compile After Delivery |
|
|
|
|
|
|
|
|
|
|
|
VBA Stomping CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
BITS Jobs |
|
|
|
|
|
|
|
|
|
|
|
MSBuild |
|
|
|
|
|
|
|
|
|
|
|
Bypass User Account Control CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Disable Cloud Logs |
|
|
|
|
|
|
|
|
|
|
|
Hidden Window |
|
|
|
|
|
|
|
|
|
|
|
Hidden Users CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Create Cloud Instance CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Compile After Delivery CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Proc Memory CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Compiled HTML File CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Patch System Image CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Clear Command History CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Domain Controller Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
HTML Smuggling CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Reversible Encryption CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Install Root Certificate CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
File Deletion |
|
|
|
|
|
|
|
|
|
|
|
Hidden Files and Directories CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Template Injection |
|
|
|
|
|
|
|
|
|
|
|
Access Token Manipulation CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Software Packing |
|
|
|
|
|
|
|
|
|
|
|
Hidden File System CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Space after Filename CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Thread Local Storage CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Debugger Evasion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Space after Filename |
|
|
|
|
|
|
|
|
|
|
|
Pass the Hash |
|
|
|
|
|
|
|
|
|
|
|
DLL Side-Loading |
|
|
|
|
|
|
|
|
|
|
|
Network Share Connection Removal CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Ptrace System Calls CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
ListPlanting CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Domain Policy Modification CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
XSL Script Processing |
|
|
|
|
|
|
|
|
|
|
|
Hidden Files and Directories |
|
|
|
|
|
|
|
|
|
|
|
Create Snapshot CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Application Access Token CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Cloud Accounts |
|
|
|
|
|
|
|
|
|
|
|
Environmental Keying CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
NTFS File Attributes |
|
|
|
|
|
|
|
|
|
|
|
NTFS File Attributes CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Dynamic-link Library Injection |
|
|
|
|
|
|
|
|
|
|
|
Modify Authentication Process CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
System Script Proxy Execution |
|
|
|
|
|
|
|
|
|
|
|
InstallUtil CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Network Device Authentication CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Dylib Hijacking CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Downgrade System Image CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Local Accounts |
|
|
|
|
|
|
|
|
|
|
|
Exploitation for Defense Evasion CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Trusted Developer Utilities Proxy Execution |
|
|
|
|
|
|
|
|
|
|
|
MMC CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
Process Argument Spoofing CONTRIBUTE A TEST |
|
|
|
|
|
|
|
|
|
|
|
COR_PROFILER |
|
|
|
|
|
|
|
Atomic Red Team doc generator