atomic-red-team/atomics/Indexes/Matrices/windows-matrix.md

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
External Remote Services	Scheduled Task/Job: Scheduled Task	Scheduled Task/Job: Scheduled Task	Extra Window Memory Injection CONTRIBUTE A TEST	Extra Window Memory Injection CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	System Owner/User Discovery	VNC CONTRIBUTE A TEST	Archive Collected Data: Archive via Utility	Exfiltration Over Web Service	Data Encoding: Standard Encoding	Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Windows Management Instrumentation	Bootkit CONTRIBUTE A TEST	Scheduled Task/Job: Scheduled Task	Indicator Removal from Tools CONTRIBUTE A TEST	Input Capture: Keylogging	Internet Connection Discovery CONTRIBUTE A TEST	Taint Shared Content CONTRIBUTE A TEST	Screen Capture	Scheduled Transfer CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Shared Modules CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Signed Binary Proxy Execution: Rundll32	Brute Force: Password Guessing	Permission Groups Discovery CONTRIBUTE A TEST	Application Deployment Software CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	Application Layer Protocol: DNS	Stored Data Manipulation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	JavaScript CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Hidden Window CONTRIBUTE A TEST	OS Credential Dumping	Group Policy Discovery	Replication Through Removable Media	Input Capture: Keylogging	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Domain Fronting CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment	Regsvcs/Regasm CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Signed Script Proxy Execution: Pubprn	LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST	Account Discovery: Domain Account	Remote Services: SMB/Windows Admin Shares	Sharepoint CONTRIBUTE A TEST	Automated Exfiltration	Symmetric Cryptography CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST	Inter-Process Communication: Dynamic Data Exchange	Event Triggered Execution: PowerShell Profile	Event Triggered Execution: PowerShell Profile	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Steal Web Session Cookie	Security Software Discovery CONTRIBUTE A TEST	Use Alternate Authentication Material CONTRIBUTE A TEST	Audio Capture	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Fast Flux DNS CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media	User Execution: Malicious File	Create or Modify System Process CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Direct Volume Access	OS Credential Dumping: Security Account Manager	Account Discovery: Local Account	Remote Desktop Protocol CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Application Layer Protocol CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise	Component Object Model CONTRIBUTE A TEST	External Remote Services	Abuse Elevation Control Mechanism: Bypass User Access Control	Email Hiding Rules CONTRIBUTE A TEST	Brute Force: Password Cracking	Virtualization/Sandbox Evasion: System Checks	Remote Services CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Custom Cryptographic Protocol CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Component Firmware CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Rootkit CONTRIBUTE A TEST	OS Credential Dumping: LSA Secrets	Permission Groups Discovery: Domain Groups	Remote Service Session Hijacking CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration Over C2 Channel	Remote Access Software	Service Stop
Valid Accounts: Default Accounts	Native API	System Firmware CONTRIBUTE A TEST	SID-History Injection CONTRIBUTE A TEST	Component Firmware CONTRIBUTE A TEST	Forge Web Credentials: SAML token CONTRIBUTE A TEST	System Service Discovery	Remote Services: Windows Remote Management	Data Staged: Local Data Staging	Exfiltration Over Alternative Protocol	Multilayer Encryption CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	Rundll32 CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Boot or Logon Autostart Execution	Double File Extension CONTRIBUTE A TEST	Credentials in Registry CONTRIBUTE A TEST	Network Sniffing	Remote Services: Distributed Component Object Model	Email Collection: Local Email Collection	Exfiltration over USB CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Regsvr32 CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Port Monitors CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Bypass User Access Control	Password Managers CONTRIBUTE A TEST	Network Share Discovery	Component Object Model and Distributed COM CONTRIBUTE A TEST	Automated Collection	Data Compressed CONTRIBUTE A TEST	Standard Cryptographic Protocol CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	LSASS Driver CONTRIBUTE A TEST	Boot or Logon Autostart Execution	Active Setup CONTRIBUTE A TEST	Timestomp CONTRIBUTE A TEST	Network Sniffing	Peripheral Device Discovery	Use Alternate Authentication Material: Pass the Ticket	Clipboard Data	Exfiltration to Cloud Storage CONTRIBUTE A TEST	Protocol Tunneling	Reflection Amplification CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Command and Scripting Interpreter CONTRIBUTE A TEST	Port Monitors CONTRIBUTE A TEST	Domain Trust Modification CONTRIBUTE A TEST	System Firmware CONTRIBUTE A TEST	Unsecured Credentials: Credentials in Registry	System Information Discovery	Shared Webroot CONTRIBUTE A TEST	Remote Data Staging CONTRIBUTE A TEST	Data Transfer Size Limits CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Component Object Model and Distributed COM CONTRIBUTE A TEST	Active Setup CONTRIBUTE A TEST	Create or Modify System Process: Windows Service	Hijack Execution Flow: Services Registry Permissions Weakness	Modify Authentication Process: Password Filter DLL	Application Window Discovery	Software Deployment Tools	Data from Local System CONTRIBUTE A TEST	Data Encrypted CONTRIBUTE A TEST	Mail Protocols CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST	CMSTP CONTRIBUTE A TEST	Screensaver CONTRIBUTE A TEST	Print Processors CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: AS-REP Roasting	Email Account CONTRIBUTE A TEST	Exploitation of Remote Services CONTRIBUTE A TEST	Archive Collected Data: Archive via Library CONTRIBUTE A TEST	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Defacement: Internal Defacement
Spearphishing via Service CONTRIBUTE A TEST	Scripting CONTRIBUTE A TEST	Create or Modify System Process: Windows Service	Hijack Execution Flow: DLL Search Order Hijacking	Code Signing CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST	Internal Spearphishing CONTRIBUTE A TEST	Archive Collected Data	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	External Proxy CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	User Execution CONTRIBUTE A TEST	Office Application Startup	AppInit DLLs CONTRIBUTE A TEST	Mavinject CONTRIBUTE A TEST	Credentials from Password Stores	Browser Bookmark Discovery	Pass the Ticket CONTRIBUTE A TEST	Browser Session Hijacking CONTRIBUTE A TEST		Proxy CONTRIBUTE A TEST	Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST	Control Panel Items CONTRIBUTE A TEST	Print Processors CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Process Hollowing CONTRIBUTE A TEST	Unsecured Credentials CONTRIBUTE A TEST	System Network Configuration Discovery	Lateral Tool Transfer CONTRIBUTE A TEST	DHCP Spoofing CONTRIBUTE A TEST		Dynamic Resolution CONTRIBUTE A TEST	Data Encrypted for Impact
Spearphishing via Service CONTRIBUTE A TEST	Software Deployment Tools	Hijack Execution Flow: DLL Search Order Hijacking	Service Registry Permissions Weakness CONTRIBUTE A TEST	Masquerading: Match Legitimate Name or Location	Credentials from Web Browsers CONTRIBUTE A TEST	Account Discovery CONTRIBUTE A TEST	Pass the Hash CONTRIBUTE A TEST	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay		Multi-hop Proxy CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Valid Accounts: Local Accounts	Command and Scripting Interpreter: PowerShell	AppInit DLLs CONTRIBUTE A TEST	Thread Execution Hijacking CONTRIBUTE A TEST	Regsvcs/Regasm CONTRIBUTE A TEST	Private Keys CONTRIBUTE A TEST	Domain Trust Discovery	Windows Remote Management CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST		Web Service CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
	Mshta CONTRIBUTE A TEST	Office Application Startup: Add-ins	Event Triggered Execution: Application Shimming	Hide Artifacts	Credentials from Password Stores: Credentials from Web Browsers	File and Directory Discovery	Remote Service Session Hijacking: RDP Hijacking	Video Capture		DNS Calculation CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
	Graphical User Interface CONTRIBUTE A TEST	Server Software Component: Transport Agent	Boot or Logon Autostart Execution: Port Monitors	Domain Trust Modification CONTRIBUTE A TEST	DHCP Spoofing CONTRIBUTE A TEST	System Network Connections Discovery	Use Alternate Authentication Material: Pass the Hash	Email Forwarding Rule CONTRIBUTE A TEST		Multi-Stage Channels CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Inter-Process Communication CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Process Injection	Safe Mode Boot CONTRIBUTE A TEST	Unsecured Credentials: Private Keys	Virtualization/Sandbox Evasion CONTRIBUTE A TEST	Remote Services: Remote Desktop Protocol	Data Staged CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST	Resource Hijacking CONTRIBUTE A TEST
	Exploitation for Client Execution CONTRIBUTE A TEST	Modify Authentication Process: Password Filter DLL	DLL Search Order Hijacking CONTRIBUTE A TEST	Virtualization/Sandbox Evasion: System Checks	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	Process Discovery	Windows Admin Shares CONTRIBUTE A TEST	Input Capture: GUI Input Capture		Multiband Communication CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Windows Remote Management CONTRIBUTE A TEST	Terminal Services DLL CONTRIBUTE A TEST	New Service CONTRIBUTE A TEST	Signed Binary Proxy Execution: InstallUtil	OS Credential Dumping: LSASS Memory	User Activity Based Checks CONTRIBUTE A TEST		Data from Network Shared Drive		File Transfer Protocols CONTRIBUTE A TEST	Data Destruction
	Command and Scripting Interpreter: Python CONTRIBUTE A TEST	Browser Extensions	Escape to Host CONTRIBUTE A TEST	Disabling Security Tools CONTRIBUTE A TEST	Hooking CONTRIBUTE A TEST	Permission Groups Discovery: Local Groups		Remote Email Collection CONTRIBUTE A TEST		One-Way Communication CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
	System Services CONTRIBUTE A TEST	Service Registry Permissions Weakness CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Shortcut Modification	Hijack Execution Flow: DLL Search Order Hijacking	Brute Force: Password Spraying	Password Policy Discovery		Input Capture CONTRIBUTE A TEST		Proxy: Multi-hop Proxy	Firmware Corruption CONTRIBUTE A TEST
	Command and Scripting Interpreter: Windows Command Shell	Outlook Rules CONTRIBUTE A TEST	AppCert DLLs CONTRIBUTE A TEST	Code Signing CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST	System Location Discovery: System Language Discovery		ARP Cache Poisoning CONTRIBUTE A TEST		Data Obfuscation CONTRIBUTE A TEST	Inhibit System Recovery
	Compiled HTML File CONTRIBUTE A TEST	Event Triggered Execution: Application Shimming	Boot or Logon Autostart Execution: Security Support Provider	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	OS Credential Dumping: Cached Domain Credentials	Query Registry		Data from Information Repositories CONTRIBUTE A TEST		Non-Standard Port	Disk Content Wipe CONTRIBUTE A TEST
	Command and Scripting Interpreter: Visual Basic	Boot or Logon Autostart Execution: Port Monitors	Extra Window Memory Injection CONTRIBUTE A TEST	Signed Binary Proxy Execution: Msiexec	Steal or Forge Kerberos Tickets: Golden Ticket	System Location Discovery CONTRIBUTE A TEST		Input Capture: Credential API Hooking		Encrypted Channel	System Shutdown/Reboot
	Dynamic Data Exchange CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Hijack Execution Flow: Path Interception by Search Order Hijacking	Modify Authentication Process: Password Filter DLL	Unsecured Credentials: Credentials In Files	Software Discovery: Security Software Discovery				Bidirectional Communication CONTRIBUTE A TEST
	Malicious Link CONTRIBUTE A TEST	DLL Search Order Hijacking CONTRIBUTE A TEST	Domain Policy Modification: Group Policy Modification	Indicator Removal on Host: Clear Command History	Web Cookies CONTRIBUTE A TEST	Remote System Discovery				Asymmetric Cryptography CONTRIBUTE A TEST
	System Services: Service Execution	New Service CONTRIBUTE A TEST	Valid Accounts: Default Accounts	Indirect Command Execution	Unsecured Credentials: Group Policy Preferences	Network Service Scanning				Non-Application Layer Protocol
	Scheduled Task/Job: At	Boot or Logon Autostart Execution: Shortcut Modification	Time Providers	Deobfuscate/Decode Files or Information	Input Prompt CONTRIBUTE A TEST	Software Discovery				Protocol Impersonation CONTRIBUTE A TEST
	Service Execution CONTRIBUTE A TEST	Hypervisor CONTRIBUTE A TEST	Image File Execution Options Injection CONTRIBUTE A TEST	Impair Defenses CONTRIBUTE A TEST	Forge Web Credentials CONTRIBUTE A TEST	Debugger Evasion CONTRIBUTE A TEST				Uncommonly Used Port CONTRIBUTE A TEST
	PowerShell CONTRIBUTE A TEST	AppCert DLLs CONTRIBUTE A TEST	Hooking CONTRIBUTE A TEST	Thread Execution Hijacking CONTRIBUTE A TEST	Multi-Factor Authentication Request Generation CONTRIBUTE A TEST	System Time Discovery				Domain Fronting CONTRIBUTE A TEST
	InstallUtil CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Security Support Provider	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Masquerading	Exploitation for Credential Access CONTRIBUTE A TEST					Data Encoding CONTRIBUTE A TEST
		Winlogon Helper DLL CONTRIBUTE A TEST	Create Process with Token	Process Injection	Input Capture: GUI Input Capture					Non-Standard Encoding CONTRIBUTE A TEST
		Authentication Package CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Winlogon Helper DLL	Traffic Signaling CONTRIBUTE A TEST	Brute Force CONTRIBUTE A TEST					Application Layer Protocol: Web Protocols
		Hijack Execution Flow: Path Interception by Search Order Hijacking	Event Triggered Execution: Image File Execution Options Injection	Signed Binary Proxy Execution	Brute Force: Credential Stuffing					Ingress Tool Transfer
		Server Software Component: Web Shell	Process Doppelgänging CONTRIBUTE A TEST	DLL Search Order Hijacking CONTRIBUTE A TEST	Kerberoasting CONTRIBUTE A TEST					Steganography CONTRIBUTE A TEST
		Valid Accounts: Default Accounts	Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Indicator Removal on Host: Timestomp	Forced Authentication					Fallback Channels CONTRIBUTE A TEST
		Time Providers	Event Triggered Execution: Accessibility Features	Reflective Code Loading	Password Filter DLL CONTRIBUTE A TEST					Proxy: Internal Proxy
		Image File Execution Options Injection CONTRIBUTE A TEST	PowerShell Profile CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST	Credentials in Files CONTRIBUTE A TEST					Custom Command and Control Protocol CONTRIBUTE A TEST
		Modify Existing Service CONTRIBUTE A TEST	Process Injection: Asynchronous Procedure Call	Signed Binary Proxy Execution: CMSTP	Input Capture CONTRIBUTE A TEST					Dead Drop Resolver CONTRIBUTE A TEST
		Create Account: Local Account	Application Shimming CONTRIBUTE A TEST	Impair Defenses: Disable Windows Event Logging	ARP Cache Poisoning CONTRIBUTE A TEST					Junk Data CONTRIBUTE A TEST
		Hooking CONTRIBUTE A TEST	Event Triggered Execution: AppCert DLLs	Signed Binary Proxy Execution: Control Panel	Steal or Forge Kerberos Tickets: Silver Ticket					Commonly Used Port CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Winlogon Helper DLL	Portable Executable Injection CONTRIBUTE A TEST	Binary Padding CONTRIBUTE A TEST	Credentials from Password Stores: Windows Credential Manager
		System Firmware CONTRIBUTE A TEST	Access Token Manipulation: Token Impersonation/Theft	Use Alternate Authentication Material CONTRIBUTE A TEST	Domain Controller Authentication CONTRIBUTE A TEST
		Change Default File Association CONTRIBUTE A TEST	Make and Impersonate Token CONTRIBUTE A TEST	Extra Window Memory Injection CONTRIBUTE A TEST	Reversible Encryption CONTRIBUTE A TEST
		Redundant Access CONTRIBUTE A TEST	Event Triggered Execution: Windows Management Instrumentation Event Subscription	Impair Defenses: Disable or Modify System Firewall	Multi-Factor Authentication Interception CONTRIBUTE A TEST
		Security Support Provider CONTRIBUTE A TEST	Access Token Manipulation: Parent PID Spoofing	SIP and Trust Provider Hijacking CONTRIBUTE A TEST	OS Credential Dumping: NTDS
		Event Triggered Execution: Image File Execution Options Injection	Event Triggered Execution: Change Default File Association	Rogue Domain Controller	Steal or Forge Kerberos Tickets: Kerberoasting
		LSASS Driver CONTRIBUTE A TEST	Accessibility Features CONTRIBUTE A TEST	Code Signing Policy Modification CONTRIBUTE A TEST	OS Credential Dumping: DCSync
		Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Parent PID Spoofing CONTRIBUTE A TEST	File Deletion CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST
		Event Triggered Execution: Accessibility Features	Services File Permissions Weakness CONTRIBUTE A TEST	Modify Registry	Input Capture: Credential API Hooking
		PowerShell Profile CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Hijack Execution Flow: Path Interception by Search Order Hijacking
		SIP and Trust Provider Hijacking CONTRIBUTE A TEST	KernelCallbackTable CONTRIBUTE A TEST	Obfuscated Files or Information: Binary Padding CONTRIBUTE A TEST
		Create Account: Domain Account	Hijack Execution Flow CONTRIBUTE A TEST	Domain Policy Modification: Group Policy Modification
		Component Firmware CONTRIBUTE A TEST	Valid Accounts CONTRIBUTE A TEST	Valid Accounts: Default Accounts
		Office Template Macros CONTRIBUTE A TEST	Process Injection: Process Hollowing	Image File Execution Options Injection CONTRIBUTE A TEST
		Application Shimming CONTRIBUTE A TEST	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Rundll32 CONTRIBUTE A TEST
		Event Triggered Execution: AppCert DLLs	Event Triggered Execution CONTRIBUTE A TEST	Indicator Removal on Host: Clear Windows Event Logs
		Device Registration CONTRIBUTE A TEST	Access Token Manipulation: SID-History Injection	File and Directory Permissions Modification CONTRIBUTE A TEST
		Pre-OS Boot CONTRIBUTE A TEST	Authentication Package	Abuse Elevation Control Mechanism CONTRIBUTE A TEST
		Port Knocking CONTRIBUTE A TEST	Event Triggered Execution: Component Object Model Hijacking	Create Process with Token
		Event Triggered Execution: Windows Management Instrumentation Event Subscription	Hijack Execution Flow: Path Interception by Unquoted Path	Regsvr32 CONTRIBUTE A TEST
		Registry Run Keys / Startup Folder CONTRIBUTE A TEST	Web Shell CONTRIBUTE A TEST	Indicator Blocking CONTRIBUTE A TEST
		Compromise Client Software Binary CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	Redundant Access CONTRIBUTE A TEST
		Shortcut Modification CONTRIBUTE A TEST	Path Interception CONTRIBUTE A TEST	Signed Binary Proxy Execution: Odbcconf
		Event Triggered Execution: Change Default File Association	Network Logon Script CONTRIBUTE A TEST	Software Packing CONTRIBUTE A TEST
		Component Object Model Hijacking CONTRIBUTE A TEST	Bypass User Account Control CONTRIBUTE A TEST	Process Doppelgänging CONTRIBUTE A TEST
		Accessibility Features CONTRIBUTE A TEST	Event Triggered Execution: AppInit DLLs	Executable Installer File Permissions Weakness CONTRIBUTE A TEST
		Services File Permissions Weakness CONTRIBUTE A TEST	Event Triggered Execution: Screensaver	SIP and Trust Provider Hijacking CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Access Token Manipulation CONTRIBUTE A TEST	Impair Defenses: Indicator Blocking
		Account Manipulation	Thread Local Storage CONTRIBUTE A TEST	Right-to-Left Override CONTRIBUTE A TEST
		KernelCallbackTable CONTRIBUTE A TEST	Hijack Execution Flow: DLL Side-Loading	Component Firmware CONTRIBUTE A TEST
		Outlook Forms CONTRIBUTE A TEST	Boot or Logon Initialization Scripts: Logon Script (Windows)	Indicator Removal on Host
		Hijack Execution Flow CONTRIBUTE A TEST	ListPlanting CONTRIBUTE A TEST	Use Alternate Authentication Material: Pass the Ticket
		Valid Accounts CONTRIBUTE A TEST	Domain Policy Modification CONTRIBUTE A TEST	Masquerading: Masquerade Task or Service
		IIS Components CONTRIBUTE A TEST	Boot or Logon Autostart Execution: LSASS Driver	Process Injection: Asynchronous Procedure Call
		Event Triggered Execution CONTRIBUTE A TEST	Scheduled Task/Job: At	CMSTP CONTRIBUTE A TEST
		Authentication Package	Process Injection: Dynamic-link Library Injection	Subvert Trust Controls: Mark-of-the-Web Bypass
		Netsh Helper DLL CONTRIBUTE A TEST	Event Triggered Execution: Netsh Helper DLL	Pre-OS Boot CONTRIBUTE A TEST
		Event Triggered Execution: Component Object Model Hijacking	Valid Accounts: Local Accounts	Scripting CONTRIBUTE A TEST
		Office Application Startup: Outlook Home Page	Hijack Execution Flow: COR_PROFILER	Portable Executable Injection CONTRIBUTE A TEST
		Hijack Execution Flow: Path Interception by Unquoted Path		Verclsid CONTRIBUTE A TEST
		Web Shell CONTRIBUTE A TEST		Downgrade Attack CONTRIBUTE A TEST
		Domain Accounts CONTRIBUTE A TEST		Virtualization/Sandbox Evasion CONTRIBUTE A TEST
		Path Interception CONTRIBUTE A TEST		Signed Binary Proxy Execution: Mshta
		Network Logon Script CONTRIBUTE A TEST		Execution Guardrails CONTRIBUTE A TEST
		BITS Jobs		Access Token Manipulation: Token Impersonation/Theft
		Event Triggered Execution: AppInit DLLs		Port Knocking CONTRIBUTE A TEST
		Event Triggered Execution: Screensaver		Hide Artifacts: Hidden Users
		Server Software Component CONTRIBUTE A TEST		Make and Impersonate Token CONTRIBUTE A TEST
		Domain Controller Authentication CONTRIBUTE A TEST		Control Panel Items CONTRIBUTE A TEST
		Reversible Encryption CONTRIBUTE A TEST		Impair Defenses: HISTCONTROL CONTRIBUTE A TEST
		Hidden Files and Directories CONTRIBUTE A TEST		User Activity Based Checks CONTRIBUTE A TEST
		Time Providers CONTRIBUTE A TEST		Access Token Manipulation: Parent PID Spoofing
		Create Account CONTRIBUTE A TEST		Component Object Model Hijacking CONTRIBUTE A TEST
		Hijack Execution Flow: DLL Side-Loading		Parent PID Spoofing CONTRIBUTE A TEST
		Additional Email Delegate Permissions CONTRIBUTE A TEST		Services File Permissions Weakness CONTRIBUTE A TEST
		Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST		Mshta CONTRIBUTE A TEST
		Boot or Logon Initialization Scripts: Logon Script (Windows)		KernelCallbackTable CONTRIBUTE A TEST
		Office Application Startup: Office Test		Signed Binary Proxy Execution: Compiled HTML File
		Boot or Logon Autostart Execution: LSASS Driver		Indicator Removal on Host: Network Share Connection Removal
		Scheduled Task/Job: At		Impair Defenses: Disable or Modify Tools
		Modify Authentication Process CONTRIBUTE A TEST		Hijack Execution Flow CONTRIBUTE A TEST
		Event Triggered Execution: Netsh Helper DLL		Indicator Removal from Tools CONTRIBUTE A TEST
		SQL Stored Procedures CONTRIBUTE A TEST		Valid Accounts CONTRIBUTE A TEST
		Valid Accounts: Local Accounts		DLL Side-Loading CONTRIBUTE A TEST
		Hijack Execution Flow: COR_PROFILER		Process Injection: Process Hollowing
				Obfuscated Files or Information
				Invalid Code Signature CONTRIBUTE A TEST
				Run Virtual Instance
				Access Token Manipulation: SID-History Injection
				Subvert Trust Controls CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Regsvr32
				Masquerading: Rename System Utilities
				Hijack Execution Flow: Path Interception by Unquoted Path
				Process Doppelgänging CONTRIBUTE A TEST
				Steganography CONTRIBUTE A TEST
				Domain Accounts CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Regsvcs/Regasm
				Subvert Trust Controls: Install Root Certificate
				Obfuscated Files or Information: Compile After Delivery
				VBA Stomping CONTRIBUTE A TEST
				BITS Jobs
				Trusted Developer Utilities Proxy Execution: MSBuild
				Bypass User Account Control CONTRIBUTE A TEST
				Hide Artifacts: Hidden Window
				Compile After Delivery CONTRIBUTE A TEST
				Compiled HTML File CONTRIBUTE A TEST
				Domain Controller Authentication CONTRIBUTE A TEST
				HTML Smuggling CONTRIBUTE A TEST
				Reversible Encryption CONTRIBUTE A TEST
				Install Root Certificate CONTRIBUTE A TEST
				Indicator Removal on Host: File Deletion
				Hidden Files and Directories CONTRIBUTE A TEST
				Template Injection
				Access Token Manipulation CONTRIBUTE A TEST
				Obfuscated Files or Information: Software Packing CONTRIBUTE A TEST
				Hidden File System CONTRIBUTE A TEST
				Thread Local Storage CONTRIBUTE A TEST
				Debugger Evasion CONTRIBUTE A TEST
				Use Alternate Authentication Material: Pass the Hash
				Hijack Execution Flow: DLL Side-Loading
				Network Share Connection Removal CONTRIBUTE A TEST
				ListPlanting CONTRIBUTE A TEST
				Domain Policy Modification CONTRIBUTE A TEST
				XSL Script Processing
				Hide Artifacts: Hidden Files and Directories
				Environmental Keying CONTRIBUTE A TEST
				Hide Artifacts: NTFS File Attributes
				NTFS File Attributes CONTRIBUTE A TEST
				Process Injection: Dynamic-link Library Injection
				Modify Authentication Process CONTRIBUTE A TEST
				Signed Script Proxy Execution
				InstallUtil CONTRIBUTE A TEST
				Valid Accounts: Local Accounts
				Exploitation for Defense Evasion CONTRIBUTE A TEST
				Trusted Developer Utilities Proxy Execution
				MMC CONTRIBUTE A TEST
				Process Argument Spoofing CONTRIBUTE A TEST
				Hijack Execution Flow: COR_PROFILER