Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
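As an added example, not part of this page and not the logic of the rule named above, the following Python script shows one way a detection of this kind can be implemented directly over raw auditd records: it groups SYSCALL and PATH records by their audit event serial, keeps only successful open(2)/openat(2) calls whose flags include O_APPEND with write access, and reports the ones whose target is an already-existing file under a cron path (nametype=NORMAL rather than CREATE). The audit log lines embedded in the script are constructed for the example; the watch rules listed in AUDIT_RULES use standard auditctl syntax and are the kind of rules a host would need loaded to produce such records. Syscall numbers and flag values assume x86_64 (arch=c000003e).

```python
import re
from collections import defaultdict

# auditctl watch rules that make the kernel emit records for writes/attribute changes
# on cron locations (standard syntax; the key name "cron_change" is our own choice)
AUDIT_RULES = [
    "-w /etc/crontab -p wa -k cron_change",
    "-w /etc/cron.d -p wa -k cron_change",
    "-w /etc/cron.hourly -p wa -k cron_change",
    "-w /etc/cron.daily -p wa -k cron_change",
    "-w /var/spool/cron -p wa -k cron_change",
]

CRON_PATH_PREFIXES = ("/etc/crontab", "/etc/cron.", "/var/spool/cron")

# open(2) flag bits on x86_64; for open(2) they sit in a1, for openat(2) in a2 (hex)
O_WRONLY, O_RDWR, O_APPEND = 0x1, 0x2, 0x400
SYSCALL_OPEN, SYSCALL_OPENAT = 2, 257        # x86_64 syscall numbers (arch=c000003e)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Parse one raw auditd record into a dict of key=value fields (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["ts"], rec["serial"] = m.group(1), m.group(2)
    return rec


def group_events(lines):
    """Group records by audit serial so SYSCALL and PATH records of one event stay together."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if "serial" in rec:
            events[rec["serial"]].append(rec)
    return events


def is_cron_path(name):
    return name.startswith(CRON_PATH_PREFIXES)


def detect_cron_append(lines):
    """Return one finding per successful append-mode open of an existing cron file."""
    findings = []
    for serial, recs in group_events(lines).items():
        syscalls = [r for r in recs if r.get("type") == "SYSCALL"]
        paths = [r for r in recs if r.get("type") == "PATH"]
        for sc in syscalls:
            nr = int(sc.get("syscall", "-1"))
            if nr not in (SYSCALL_OPEN, SYSCALL_OPENAT) or sc.get("success") != "yes":
                continue
            flags = int(sc.get("a1" if nr == SYSCALL_OPEN else "a2", "0"), 16)
            if not (flags & O_APPEND) or not (flags & (O_WRONLY | O_RDWR)):
                continue
            # nametype=NORMAL: the file existed before the call (CREATE would be a new file,
            # PARENT is the directory entry the kernel also reports for openat)
            for p in paths:
                name = p.get("name", "")
                if is_cron_path(name) and p.get("nametype") == "NORMAL":
                    findings.append({
                        "serial": serial, "ts": sc.get("ts"), "path": name,
                        "comm": sc.get("comm"), "exe": sc.get("exe"),
                        "auid": sc.get("auid"), "uid": sc.get("uid"),
                        "flags": hex(flags), "key": sc.get("key"),
                    })
    return findings


# Constructed audit records: event 900 appends to an existing cron file (should fire),
# 901 only reads it, 902 appends to a log file, 903 creates a brand-new cron file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:900): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a2b2c0 a2=441 a3=1b6 items=2 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="cron_change"
type=CWD msg=audit(1700000000.101:900): cwd="/root"
type=PATH msg=audit(1700000000.101:900): item=0 name="/etc/cron.d/" inode=1310722 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:900): item=1 name="/etc/cron.d/backup" inode=1310745 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:901): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a2b3f0 a2=0 a3=0 items=1 ppid=4100 pid=4102 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cron_change"
type=PATH msg=audit(1700000000.250:901): item=0 name="/etc/cron.d/backup" inode=1310745 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:902): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a2b4a0 a2=441 a3=1b6 items=2 ppid=4100 pid=4103 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="log_write"
type=PATH msg=audit(1700000000.300:902): item=0 name="/var/log/" inode=1048580 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.300:902): item=1 name="/var/log/app.log" inode=1048611 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.400:903): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a2b5b0 a2=241 a3=1b6 items=2 ppid=4100 pid=4104 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="cron_change"
type=PATH msg=audit(1700000000.400:903): item=0 name="/etc/cron.d/" inode=1310722 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.400:903): item=1 name="/etc/cron.d/newjob" inode=1310790 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

if __name__ == "__main__":
    for f in detect_cron_append(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f['ts']}] serial={f['serial']} auid={f['auid']} uid={f['uid']} "
              f"{f['comm']} ({f['exe']}) appended to {f['path']} flags={f['flags']} key={f['key']}")
```

Run it to see only event 900 reported: the shell's `>>` redirection opens the existing file with O_WRONLY|O_CREAT|O_APPEND (a2=441), which is exactly the pattern the rule name describes. Keying on O_APPEND is deliberately narrow: `crontab -e`, `sed -i` and most editors replace the file through a temporary file and rename(2), so a production detection should pair this logic with a companion rule on rename/unlink under the same watch key and on new-file creation (nametype=CREATE), which this example intentionally leaves out.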
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Create Account, Local Account
File and Directory Discovery
Cron, Scheduled Task/Job
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Discovery
Private Keys, Unsecured Credentials
System Owner/User Discovery
Data Destruction
System Information Discovery, Rootkit
Data Destruction
Dynamic Linker Hijacking, Hijack Execution Flow
Data Transfer Size Limits
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Service Execution, System Services
SSH Authorized Keys, Account Manipulation
Local Account, Create Account
At, Scheduled Task/Job
Clipboard Data
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Systemd Timers, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Private Keys, Unsecured Credentials
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Password Managers, Credentials from Password Stores
Service Stop
Unix Shell Configuration Modification, Event Triggered Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
System Network Configuration Discovery
Deobfuscate/Decode Files or Information
Hardware Additions
File and Directory Discovery
Password Managers, Credentials from Password Stores
Data Destruction
Data Transfer Size Limits
Service Stop
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Service Stop
Setuid and Setgid, Abuse Elevation Control Mechanism
Service Stop
File and Directory Discovery
Disable or Modify System Firewall, Impair Defenses
/etc/passwd and /etc/shadow, OS Credential Dumping
Bypass User Account Control
PowerShell
Domain or Tenant Policy Modification, Group Policy Modification
Exploitation for Privilege Escalation
Kerberoasting
System Binary Proxy Execution, Mshta
Ingress Tool Transfer
Automated Exfiltration
System Services, Service Execution
Process Injection
Archive via Utility, Archive Collected Data
Create or Modify System Process, Windows Service
Archive via Utility, Archive Collected Data
SSH Authorized Keys
Exploitation for Privilege Escalation
Ingress Tool Transfer
Create or Modify System Process, Windows Service
Inhibit System Recovery
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
System Binary Proxy Execution, Regsvr32
DLL Search Order Hijacking
Compromise Software Supply Chain
Exfiltration Over Unencrypted Non-C2 Protocol
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows Management Instrumentation Event Subscription
Lateral Tool Transfer
Protocol Tunneling, Proxy, Web Service
System Binary Proxy Execution
Token Impersonation/Theft, Access Token Manipulation
Data Encrypted for Impact
Process Injection
File Deletion, Indicator Removal
Mavinject, System Binary Proxy Execution
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Domain Trust Discovery
Path Interception by Unquoted Path, Hijack Execution Flow
Disable or Modify Tools
Ingress Tool Transfer
Account Access Removal
Disable or Modify Tools, Impair Defenses
Deobfuscate/Decode Files or Information
Token Impersonation/Theft, Access Token Manipulation
Local Account, Domain Account
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
LSASS Memory, OS Credential Dumping
Command and Scripting Interpreter, Component Object Model
OS Credential Dumping
Modify Registry
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Archive via Utility, Archive Collected Data
System Script Proxy Execution, System Binary Proxy Execution
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Compiled HTML File
Phishing, Spearphishing Attachment
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Install Root Certificate, Subvert Trust Controls
System Binary Proxy Execution, Compiled HTML File
User Execution
Compromise Software Supply Chain
Modify Registry
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
Ingress Tool Transfer, Domain Groups
Ingress Tool Transfer
Domain Account, Account Discovery
Automated Exfiltration
Exfiltration Over Unencrypted Non-C2 Protocol
Process Injection
Exploit Public-Facing Application, External Remote Services
Remote Services, SMB/Windows Admin Shares
Exfiltration Over Alternative Protocol
Account Access Removal
System Binary Proxy Execution, Rundll32
Odbcconf
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
System Binary Proxy Execution, Control Panel
Create or Modify System Process, Windows Service
Password Policy Discovery
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Disable or Modify Tools, Impair Defenses
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
LSASS Memory, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Process Injection
Exploit Public-Facing Application, External Remote Services
Security Account Manager, OS Credential Dumping
BITS Jobs
LSASS Memory, OS Credential Dumping
System Binary Proxy Execution, Regsvcs/Regasm
Steal or Forge Authentication Certificates
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Command and Scripting Interpreter, Windows Command Shell
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Security Account Manager, OS Credential Dumping
Ingress Tool Transfer
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
InstallUtil, System Binary Proxy Execution
Process Injection
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Regsvcs/Regasm
Command and Scripting Interpreter, PowerShell
Ingress Tool Transfer
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Proxy, Non-Application Layer Protocol
Protocol Tunneling, Proxy, Web Service
System Binary Proxy Execution, Regsvcs/Regasm
Steal or Forge Authentication Certificates
Password Policy Discovery
Local Account, Create Account
Process Injection, Portable Executable Injection
LSASS Memory
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Service Stop
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Network Configuration Discovery
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
Msiexec
Domain Account, Account Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Service Stop
Ingress Tool Transfer
System Binary Proxy Execution, Rundll32
Remote Access Software
Password Policy Discovery
Protocol Tunneling, SSH
Command and Scripting Interpreter
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Inhibit System Recovery
Server Software Component, IIS Components
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
XSL Script Processing
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Rundll32
Clipboard Data
Application Shimming, Event Triggered Execution
System Information Discovery, Rootkit
Command and Scripting Interpreter, JavaScript
System Binary Proxy Execution, Regsvcs/Regasm
Msiexec
Modify Registry
LSASS Memory, OS Credential Dumping
Phishing, Spearphishing Attachment
Obfuscated Files or Information, Unix Shell
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Rundll32
Use Alternate Authentication Material, Pass the Ticket
Process Injection
User Execution
Security Account Manager, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
InstallUtil, System Binary Proxy Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
System Binary Proxy Execution, Rundll32
Process Injection, Portable Executable Injection
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Security Account Manager, OS Credential Dumping
Ingress Tool Transfer
Steal or Forge Authentication Certificates
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Password Policy Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Obfuscated Files or Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, CMSTP
Compiled HTML File, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Domain Account, Account Discovery
Launch Agent, Create or Modify System Process
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
LSASS Memory, OS Credential Dumping
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Data Encrypted for Impact
Odbcconf
Exploitation of Remote Services
Scheduled Task, Scheduled Task/Job
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
File and Directory Permissions Modification
Domain Account, Account Discovery
System Binary Proxy Execution, Compiled HTML File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvr32
Odbcconf
Exploitation for Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
XSL Script Processing
Domain or Tenant Policy Modification
Disable or Modify Tools, Impair Defenses
Windows Service
IP Addresses, Gather Victim Network Information
Domain Account, Local Account
Modify Registry
Local Account, Domain Account
Domain Account, Local Account
Obfuscated Files or Information
Exploit Public-Facing Application
Indicator Removal, Clear Windows Event Logs
Exploit Public-Facing Application
Create or Modify System Process, Windows Service
Remote Services, Distributed Component Object Model
Remote Services, Windows Remote Management
Scheduled Task/Job, Scheduled Task
Disable or Modify Tools, Impair Defenses
Scheduled Task/Job, At
Create or Modify System Process, Windows Service
Indicator Removal, Clear Windows Event Logs
Modify Registry
Remote Services, Windows Remote Management
Brute Force
Brute Force
Brute Force
Brute Force
Brute Force
Brute Force
Brute Force
Brute Force
Impair Defenses, Disable or Modify System Firewall
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Remote Access Software
Remote Access Software
Remote Access Software
Event Triggered Execution
Modify Registry
Modify Registry
Modify Registry
Clear Windows Event Logs, Indicator Removal
Modify Registry
Modify Registry
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Permission Groups Discovery, Domain Groups
Masquerading
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Password Spraying, Brute Force
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Modify Registry
Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows Management Instrumentation
DLL Side-Loading
Query Registry
Command and Scripting Interpreter, PowerShell
Disable or Modify Tools, Impair Defenses
Modify Registry
OS Credential Dumping
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
Modify Registry
Account Discovery, Domain Account
Hide Artifacts, NTFS File Attributes
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Discovery
Private Keys, Unsecured Credentials
PowerShell, Ingress Tool Transfer
Access Token Manipulation, Token Impersonation/Theft
Exploit Public-Facing Application, External Remote Services
Services Registry Permissions Weakness
Port Monitors, Boot or Logon Autostart Execution
Pre-OS Boot, Registry Run Keys / Startup Folder
Systemd Timers, Scheduled Task/Job
Windows Management Instrumentation
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Query Registry
Setuid and Setgid, Abuse Elevation Control Mechanism
Install Root Certificate, Subvert Trust Controls
Screen Capture
Account Discovery, Local Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Disable or Modify Tools, Impair Defenses
Process Injection
Remote System Discovery
Account Manipulation
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Domain Account, Account Discovery
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Account Discovery, Domain Account
Data Staged
Permission Groups Discovery, Domain Groups
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Password Spraying, Brute Force
Scheduled Task/Job
Defacement
Mail Protocols, Application Layer Protocol
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Disk Structure Wipe, Disk Wipe
Password Managers
Scheduled Task/Job, Scheduled Task
Password Spraying, Brute Force
System Shutdown/Reboot
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Password Spraying, Brute Force
Service Stop
Hide Artifacts, NTFS File Attributes
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Query Registry
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
LSASS Memory, OS Credential Dumping
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
Print Processors, Boot or Logon Autostart Execution
Scheduled Task/Job
Process Injection
Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter
Indicator Removal
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Gather Victim Network Information, IP Addresses
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Account Discovery
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Modify Registry
Data Destruction
User Execution, Malicious File
Command and Scripting Interpreter
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Boot or Logon Autostart Execution
Credentials from Web Browsers, Credentials from Password Stores
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Kerberos Tickets, Golden Ticket
Disable or Modify Tools, Impair Defenses
Archive Collected Data
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Modify Registry
Phishing, Spearphishing Attachment
Exfiltration Over C2 Channel
Cron, Scheduled Task/Job
Password Policy Discovery
Use Alternate Authentication Material
Query Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
PowerShell, Command and Scripting Interpreter
Account Discovery, Local Account
Process Injection, Dynamic-link Library Injection
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Exploit Public-Facing Application, External Remote Services
Query Registry
Modify Registry
PowerShell, Command and Scripting Interpreter
Data Destruction
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Cron, Scheduled Task/Job
Forced Authentication
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Hidden Window
Inhibit System Recovery
OS Credential Dumping, PowerShell
Domain Account, Account Discovery
Password Spraying, Brute Force
Windows Management Instrumentation
SID-History Injection, Access Token Manipulation
Modify Registry
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification
Transfer Data to Cloud Account
Phishing, Modify Registry
Password Spraying, Brute Force
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Data Encrypted for Impact
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Gather Victim Identity Information, Email Addresses
Valid Accounts, Domain Accounts
System Binary Proxy Execution
Modify Registry
Hardware Additions
User Execution, Malicious File
Valid Accounts
Masquerading, Rename System Utilities
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
System Services, Service Execution
Remote System Discovery
Credentials from Password Stores, Credentials from Web Browsers
Remote Services, Windows Remote Management
At, Scheduled Task/Job
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Print Processors, Boot or Logon Autostart Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Cron, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Service Stop
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Modify Registry
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Permission Groups Discovery, Local Groups
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Impair Defenses, PowerShell, Command and Scripting Interpreter
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Process Injection, Portable Executable Injection
SSH Authorized Keys, Account Manipulation
Steal or Forge Authentication Certificates
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
System Network Configuration Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Data Destruction
Virtualization/Sandbox Evasion, Time Based Evasion
Application Layer Protocol
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Manipulation
Exploitation for Privilege Escalation
Windows Management Instrumentation
Remote Desktop Protocol, Remote Services
System Owner/User Discovery
Obfuscated Files or Information
Fileless Storage, Obfuscated Files or Information
Print Processors, Boot or Logon Autostart Execution
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Rundll32
System Owner/User Discovery
Security Account Manager, OS Credential Dumping
Account Discovery, Local Account
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Permission Groups Discovery, Local Groups
Inhibit System Recovery
Ingress Tool Transfer
Local Account, Create Account
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Disable or Modify Tools, Impair Defenses
Spearphishing Attachment, Phishing
Mail Protocols, Application Layer Protocol
Modify Registry
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Inhibit System Recovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Account Discovery, Domain Account
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Plist File Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
LSASS Memory, OS Credential Dumping
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Rootkit, Exploitation for Privilege Escalation
System Binary Proxy Execution, Mshta
Account Manipulation
System Shutdown/Reboot
Application Layer Protocol
System Binary Proxy Execution, Rundll32
SID-History Injection, Access Token Manipulation
Security Account Manager, OS Credential Dumping
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Modify Registry
Mail Protocols, Application Layer Protocol
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Server Software Component, IIS Components
Command and Scripting Interpreter, PowerShell
Unsecured Credentials
Disable or Modify Tools, Impair Defenses
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Archive via Utility, Archive Collected Data
Data Destruction
Windows Service, Create or Modify System Process
Remote Desktop Protocol, Remote Services
System Network Connections Discovery
Web Service
Gather Victim Host Information
Windows Management Instrumentation
Modify Registry
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Dynamic-link Library Injection, Process Injection
Masquerading
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
System Services, Service Execution
System Owner/User Discovery
Compromise Software Supply Chain
Remote Access Software, OS Credential Dumping
Account Discovery, Domain Account
Verclsid, System Binary Proxy Execution
Screen Capture
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Account Manipulation, Valid Accounts
User Execution
System Services, Service Execution
Shared Modules
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Gather Victim Host Information
Modify Registry
Password Spraying, Brute Force
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Rogue Domain Controller
Disable or Modify Tools, Impair Defenses
Process Injection
Create or Modify System Process
Exfiltration Over C2 Channel
Password Spraying, Brute Force
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
System Shutdown/Reboot
Process Injection
Query Registry
RDP Hijacking
Bypass User Account Control
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Windows Remote Management, Remote Services
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
Process Injection
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Valid Accounts, Local Accounts
Permission Groups Discovery, Domain Groups
System Services, Service Execution
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
System Binary Proxy Execution, Rundll32
Exploitation of Remote Services
Service Stop
Domain or Tenant Policy Modification, Group Policy Modification
Process Discovery
Kernel Modules and Extensions
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
DCSync, OS Credential Dumping
System Shutdown/Reboot
Indicator Removal
Exploit Public-Facing Application
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Server Software Component, Web Shell
Disable or Modify Tools, Impair Defenses
Data from Local System
Service Stop
System Owner/User Discovery
Account Manipulation, Valid Accounts
System Binary Proxy Execution, Rundll32
NTDS, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Data Destruction, File Deletion, Indicator Removal
System Network Connections Discovery
Scheduled Task, PowerShell, Command and Scripting Interpreter
System Network Configuration Discovery, Internet Connection Discovery
Network Share Discovery
Network Share Discovery
Command and Scripting Interpreter, PowerShell
System Services, Service Execution
Use Alternate Authentication Material
Disable or Modify Tools, Impair Defenses
Valid Accounts, Domain Accounts
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cron, Scheduled Task/Job
Phishing, Spearphishing Attachment
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification
Modify Registry
User Execution, Malicious File
Modify Authentication Process
Local Account, Create Account
Masquerading
Password Spraying, Brute Force
Modify Registry
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Rogue Domain Controller
Account Discovery, Domain Account
Password Spraying, Brute Force
Command and Scripting Interpreter, PowerShell
InstallUtil, System Binary Proxy Execution
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Application Layer Protocol
Masquerading
Disable or Modify Tools, Impair Defenses
Network Share Discovery
Windows Service
Command and Scripting Interpreter, Process Injection, PowerShell
Steal or Forge Kerberos Tickets
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Disable or Modify Tools, Impair Defenses
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
Data Destruction
Print Processors, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
Scheduled Task, Scheduled Task/Job
Command and Scripting Interpreter, PowerShell
Archive via Utility, Archive Collected Data
Systemd Timers, Scheduled Task/Job
PowerShell
Gather Victim Host Information, PowerShell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Password Spraying, Brute Force
Modify Registry
System Network Configuration Discovery
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
Domain Trust Discovery
Data Destruction, File Deletion, Indicator Removal
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Scheduled Task, Scheduled Task/Job
Scheduled Task
Phishing, Spearphishing Attachment
Unix Shell, Command and Scripting Interpreter
Password Spraying, Brute Force
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
PowerShell, Command and Scripting Interpreter
Change Default File Association, Event Triggered Execution
PowerShell, Command and Scripting Interpreter
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
System Owner/User Discovery
Windows Management Instrumentation
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Windows Management Instrumentation
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Account Discovery, Domain Account
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Steal or Forge Kerberos Tickets
Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Service Stop
Rename System Utilities, Masquerading
Phishing, Spearphishing Attachment
Modify Registry
Launch Agent, Create or Modify System Process
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
Account Discovery, Domain Account
Steal or Forge Authentication Certificates
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Service Stop
Inhibit System Recovery
Security Account Manager
Scheduled Task, Scheduled Task/Job
Steal or Forge Kerberos Tickets, Kerberoasting
Malicious File, User Execution
DCSync, OS Credential Dumping
Modify Registry
Visual Basic, Command and Scripting Interpreter
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Password Spraying, Brute Force
Data Destruction
Hide Artifacts, NTFS File Attributes
Service Stop
Process Injection
Modify Registry
Scheduled Task
Access Token Manipulation, SID-History Injection
Server Software Component, Web Shell
Command and Scripting Interpreter, PowerShell
Brute Force, Credential Stuffing
Windows Management Instrumentation
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Discovery
Modify Registry
Steal or Forge Kerberos Tickets, Kerberoasting
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
SSH Authorized Keys, Account Manipulation
Gather Victim Host Information
Local Account, Create Account
File and Directory Permissions Modification
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Account Discovery, Domain Account, User Execution, Malicious File
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
System Owner/User Discovery
DLL Search Order Hijacking, Hijack Execution Flow
Scheduled Task/Job
Account Discovery, Local Account, PowerShell
Modify Registry
Phishing, Spearphishing Link
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
System Firmware, Pre-OS Boot
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Server Software Component, IIS Components
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Rundll32
Remote Access Software
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
Disable or Modify Tools, Impair Defenses, Modify Registry
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Local Account, Create Account
Remote Services, Windows Remote Management
Disable or Modify Tools, Impair Defenses
System Information Discovery
Steal or Forge Kerberos Tickets
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
Domain Trust Discovery, PowerShell
File Deletion, Indicator Removal
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Replication Through Removable Media
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Visual Basic, Command and Scripting Interpreter
Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Password Spraying, Brute Force
Scheduled Task/Job, Scheduled Task
Windows Management Instrumentation
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Remote System Discovery
Indicator Removal
Remote System Discovery
Inhibit System Recovery
Obfuscated Files or Information, Indicator Removal from Tools
Modify Registry
Steal or Forge Kerberos Tickets, Kerberoasting
Remote System Discovery
System Binary Proxy Execution, CMSTP
Command and Scripting Interpreter, PowerShell
Domain Account, Account Discovery
Modify Registry
Modify Registry
Remote Desktop Protocol, Remote Services
SIP and Trust Provider Hijacking
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Remote System Discovery
Disable or Modify Tools, Impair Defenses
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Visual Basic, Command and Scripting Interpreter
Account Discovery, Local Account, PowerShell
MSBuild, Trusted Developer Utilities Proxy Execution
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
Scheduled Task, Impair Defenses
Process Injection
Disable or Modify Tools
Remote Services, Distributed Component Object Model
Screen Capture
Remote Services, Distributed Component Object Model, MMC
Remote System Discovery
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Data Destruction
Phishing, Spearphishing Attachment
Steal or Forge Kerberos Tickets, AS-REP Roasting
Clipboard Data
Permission Groups Discovery, Domain Groups
Remote System Discovery
Windows Command Shell
Create or Modify System Process
User Execution
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
Account Manipulation, Valid Accounts
Data Destruction
Steal or Forge Kerberos Tickets, AS-REP Roasting
Server Software Component, IIS Components
Remote Services, Windows Remote Management
Modify Registry
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
PowerShell, Ingress Tool Transfer, Fileless Storage
Steal or Forge Kerberos Tickets
Modify Registry, OS Credential Dumping
Permission Groups Discovery, Domain Groups
Unsecured Credentials, Group Policy Preferences
Command and Scripting Interpreter, JavaScript
Domain Account, Account Discovery
File and Directory Permissions Modification
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Process Injection
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates
Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Hijack Execution Flow
Command and Scripting Interpreter, PowerShell
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts
Windows Management Instrumentation
System Owner/User Discovery
Password Policy Discovery
Steal or Forge Authentication Certificates
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Mark-of-the-Web Bypass
Disable or Modify Tools, Impair Defenses
Disk Structure Wipe, Disk Wipe
DLL Search Order Hijacking, Hijack Execution Flow
Exploitation for Client Execution
Local Accounts, Credentials In Files
Rogue Domain Controller
Disable or Modify Tools, Impair Defenses
SID-History Injection, Access Token Manipulation
Cached Domain Credentials, OS Credential Dumping
GUI Input Capture, Input Capture
Disable or Modify Tools, Impair Defenses
Network Share Discovery, Valid Accounts
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Kerberoasting
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Remote System Discovery
Hardware, Gather Victim Host Information
Rootkit, Exploitation for Privilege Escalation
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
DLL Side-Loading, Hijack Execution Flow
Credentials, Gather Victim Identity Information
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Remote System Discovery
System Owner/User Discovery
System Owner/User Discovery
Boot or Logon Initialization Scripts, Logon Script (Windows)
Indirect Command Execution
Credentials in Registry, Unsecured Credentials
Windows Service
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Modify Registry
Password Policy Discovery
Remote System Discovery
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Domain Account, Account Discovery
System Binary Proxy Execution, Mshta
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
SIP and Trust Provider Hijacking
Email Collection, Local Email Collection
Disable or Modify Tools, Impair Defenses
Obfuscated Files or Information
Windows Service, Create or Modify System Process
System Binary Proxy Execution, CMSTP
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Disable or Modify Tools, Impair Defenses
Trusted Developer Utilities Proxy Execution
IIS Components, Server Software Component
Masquerading, Rename System Utilities, Rundll32
Masquerading, Match Legitimate Name or Location, Rundll32
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
System Binary Proxy Execution
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Brute Force, Password Spraying
Brute Force, Password Spraying
Brute Force, Password Spraying
Brute Force, Password Spraying
Brute Force, Password Spraying
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Screen Capture
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Kerberoasting
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Password Spraying, Brute Force
Password Spraying, Brute Force
Local Account, Create Account
Local Account, Create Account
Inhibit System Recovery
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Domain or Tenant Policy Modification, Group Policy Modification
Unsecured Credentials, Group Policy Preferences
Network Share Discovery, Data from Network Shared Drive
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Ingress Tool Transfer
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities
Masquerading
File and Directory Permissions Modification
Account Access Removal
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
BITS Jobs
Automated Exfiltration
Automated Exfiltration
File Deletion, Indicator Removal
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Exfiltration Over Alternative Protocol
Automated Exfiltration
Ingress Tool Transfer
Service Stop
File and Directory Permissions Modification
Service Stop, Valid Accounts
File and Directory Permissions Modification
OS Credential Dumping, Security Account Manager
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Archive via Utility, Archive Collected Data
Data Destruction, File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Brute Force, Password Guessing, Password Spraying
Browser Session Hijacking
Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Account
User Execution
Steal Application Access Token
Cloud Account
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Service Discovery
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Email Collection, Email Forwarding Rule
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Manipulation, Additional Cloud Roles
Email Collection
Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Cloud Logs, Impair Defenses
Cloud Account, Create Account
Steal Application Access Token, Phishing, Spearphishing Link
Disable or Modify Cloud Logs, Impair Defenses
Data Encrypted for Impact
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Domain or Tenant Policy Modification, Trust Modification
Account Manipulation
Container Orchestration Job
User Execution
Malicious Image, User Execution
Automated Collection
User Execution
Cloud Accounts, Valid Accounts
Account Manipulation
Container API
Steal Application Access Token
Browser Session Hijacking
User Execution
User Execution
User Execution
Cloud Account, Create Account
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Multi-Factor Authentication Request Generation
Impair Defenses, Disable or Modify Cloud Logs
Brute Force, Password Guessing, Password Spraying
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Valid Accounts
Compromise Accounts, Unused/Unsupported Cloud Regions
Steal Application Access Token
Account Manipulation
Impair Defenses
User Execution
Password Policy Discovery
User Execution
Malicious Image, User Execution
User Execution
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Container API
Account Manipulation, Additional Cloud Roles
Password Guessing, Brute Force
Compromise Host Software Binary
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Impair Defenses, Disable or Modify Cloud Logs
Trusted Relationship
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Browser Session Hijacking
User Execution
Create Account, Cloud Account
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Email Collection, Remote Email Collection
Malicious Image, User Execution
Steal Application Access Token
Account Manipulation
Email Collection, Email Forwarding Rule
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Email Collection, Email Forwarding Rule
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Impair Defenses
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Valid Accounts
Automated Collection
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Trusted Relationship
Valid Accounts
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Steal Application Access Token
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Container API
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Cloud Account
User Execution
Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Phishing
Security Account Manager
Valid Accounts
Compromise Host Software Binary
Cloud Service Discovery
Cloud Infrastructure Discovery
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploitation for Credential Access
Data from Cloud Storage
User Execution
Cloud Account, Create Account
Data from Cloud Storage
Data from Cloud Storage
Exploitation for Credential Access
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Multi-Factor Authentication Request Generation
Modify Cloud Compute Configurations
Steal Application Access Token
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Remote Email Collection
Additional Cloud Roles
Data Encrypted for Impact
Cloud Accounts, Valid Accounts
Modify Authentication Process, Multi-Factor Authentication
Email Collection, Remote Email Collection
Cloud Service Discovery
Data from Cloud Storage
Modify Authentication Process
Impair Defenses, Disable or Modify Cloud Logs
Valid Accounts
Impair Defenses, Disable or Modify Cloud Logs
Cloud Account, Create Account
User Execution
Compromise Software Supply Chain, Supply Chain Compromise
Cloud Accounts, Valid Accounts
Valid Accounts
User Execution
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Remote Email Collection
Spearphishing Attachment, Phishing
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Email Collection
Brute Force, Password Guessing
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Account Manipulation, Device Registration
Email Collection, Remote Email Collection
Account Manipulation, Additional Cloud Roles
Automated Collection
Malicious Image, User Execution
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Spearphishing Attachment, Phishing
Disable or Modify Cloud Logs, Impair Defenses
Valid Accounts
Browser Session Hijacking
Account Manipulation, Device Registration
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
User Execution
Steal Application Access Token
Account Manipulation, Additional Cloud Roles
Remote Email Collection
Data from Cloud Storage
Disable or Modify Cloud Firewall, Impair Defenses
Valid Accounts
Security Account Manager
Use Alternate Authentication Material
Disable or Modify Cloud Logs, Impair Defenses
Domain or Tenant Policy Modification, Trust Modification
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Spearphishing Attachment, Phishing
User Execution
Phishing
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Transfer Data to Cloud Account
Cloud Account
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Cloud Account
User Execution
Account Manipulation, Additional Cloud Roles
User Execution
Additional Email Delegate Permissions, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Valid Accounts
Valid Accounts
User Execution
Malicious Image, User Execution
Network Service Discovery
Cloud Account, Create Account
Transfer Data to Cloud Account
Account Manipulation, Additional Cloud Credentials
User Execution
Modify Authentication Process
Cloud Account
Account Manipulation
Spearphishing Attachment, Phishing
Account Manipulation
Security Account Manager
Container API
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Create Account, Cloud Account
Additional Email Delegate Permissions, Additional Cloud Roles
Unused/Unsupported Cloud Regions
Network Service Discovery
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Password Policy Discovery
Transfer Data to Cloud Account
Brute Force, Password Spraying, Credential Stuffing
Cloud Accounts, Valid Accounts
Transfer Data to Cloud Account
Compromise Accounts, Cloud Accounts, Brute Force
Valid Accounts, Cloud Accounts
Cloud Service Discovery
Transfer Data to Cloud Account
Malicious Image, User Execution
Data from Cloud Storage
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles, Account Manipulation
Cloud Account
Account Manipulation, Additional Cloud Roles
Trust Modification
Cloud Account
Exfiltration Over Web Service, Email Collection, Remote Email Collection
Cloud Account
Phishing, Spearphishing Attachment, Spearphishing Link
Email Collection, Email Forwarding Rule
Phishing, Spearphishing Attachment, Spearphishing Link
Exfiltration Over Alternative Protocol, Exfiltration Over Web Service
Phishing, Spearphishing Attachment, Spearphishing Link
Malicious File, User Execution
Phishing, Spearphishing Attachment, Spearphishing Link
Impair Defenses, Disable or Modify Cloud Logs, Disable or Modify Tools
Malicious File, User Execution
Phishing, Spearphishing Attachment
Account Manipulation
Malicious Image, User Execution
Malicious Image, User Execution
Cloud Groups, Account Manipulation, Permission Groups Discovery
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Exploit Public-Facing Application
Abuse Elevation Control Mechanism, Indirect Command Execution
Drive-by Compromise
Drive-by Compromise
File and Directory Discovery
Endpoint Denial of Service
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Exploit Public-Facing Application
Exploitation of Remote Services
Drive-by Compromise
Abuse Elevation Control Mechanism
Drive-by Compromise
Endpoint Denial of Service
Account Discovery
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Web Session Cookie, Cloud Service Dashboard
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Endpoint Denial of Service
Exploitation for Credential Access
Network Denial of Service
Steal Web Session Cookie
Spearphishing Attachment, Phishing
Cloud Account
Password Spraying
Valid Accounts, Brute Force
Drive-by Compromise
Protocol Impersonation
Network Denial of Service
HTML Smuggling
Endpoint Denial of Service
Digital Certificates
File and Directory Discovery
Exploit Public-Facing Application
Command and Scripting Interpreter
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exfiltration Over Web Service
Log Enumeration
Endpoint Denial of Service
Application or System Exploitation
Drive-by Compromise
Account Manipulation, Device Registration
Exploitation of Remote Services
Drive-by Compromise
Process Injection
Digital Certificates
Drive-by Compromise
File and Directory Discovery
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Digital Certificates
Command and Scripting Interpreter
Drive-by Compromise
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Valid Accounts
Valid Accounts, Cloud Accounts
System Information Discovery
Drive-by Compromise
Multi-Factor Authentication Request Generation
Exploit Public-Facing Application
Multi-Factor Authentication Request Generation
Command and Scripting Interpreter
Brute Force
Email Collection, Remote Email Collection
Digital Certificates
Drive-by Compromise
File and Directory Discovery
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Account Discovery
Valid Accounts, Default Accounts, Modify Authentication Process
Access Token Manipulation
Email Collection, Local Email Collection
Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Endpoint Denial of Service
Valid Accounts, Default Accounts
Drive-by Compromise
Modify Authentication Process, Multi-Factor Authentication
Cloud Account
System Information Discovery
Valid Accounts, Default Accounts
Brute Force
Abuse Elevation Control Mechanism
Cloud Accounts
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Application or System Exploitation
Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modifica...
Domain or Tenant Policy Modification, Account Manipulation
Account Manipulation
Disable or Modify Tools, Group Policy Modification
Disable or Modify Tools, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modifica...
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification
Password Spraying, Brute Force
Password Spraying, Brute Force
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Account Manipulation
Valid Accounts
Cloud Accounts
LSASS Memory
Cloud Service Discovery
Brute Force
Create Account
Unused/Unsupported Cloud Regions
Cloud Accounts
Rename System Utilities
Valid Accounts, Default Accounts, Credential Stuffing
Cloud Accounts
Phishing
Domain Accounts
Unused/Unsupported Cloud Regions
Valid Accounts
Valid Accounts
Valid Accounts, Default Accounts, Password Spraying
Spearphishing via Service
Cloud Accounts
Change Default File Association
Email Forwarding Rule, Email Collection
Use Alternate Authentication Material, Pass the Hash
Cloud Accounts
Cloud Service Discovery
Unused/Unsupported Cloud Regions
Masquerading
Cloud Service Discovery
Windows Command Shell
Disable or Modify System Firewall
Cloud Accounts
Cloud Accounts
Cloud Accounts
Disable or Modify Cloud Firewall
Valid Accounts
PowerShell, Windows Command Shell
LSASS Memory
Cloud Accounts
Unused/Unsupported Cloud Regions
Exfiltration Over Unencrypted Non-C2 Protocol
Hidden Files and Directories
LSASS Memory
PowerShell
Cloud Accounts
Malicious File
Cloud Accounts
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Password Spraying, Valid Accounts, Default Accounts
DLL Search Order Hijacking, Hijack Execution Flow
Password Policy Discovery
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Malicious Image, User Execution