Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
| Name | Technique | Datamodel |
| ---- | --------- | --------- |
Permission Groups Discovery, Domain Groups
Masquerading
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Password Spraying, Brute Force
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
LSASS Memory, OS Credential Dumping
Modify Registry
Domain Trust Discovery
Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows Management Instrumentation
User Execution
DLL Side-Loading
Query Registry
Command and Scripting Interpreter, PowerShell
Disable or Modify Tools, Impair Defenses
Modify Registry
OS Credential Dumping
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Modify Registry
Account Discovery, Domain Account
Hide Artifacts, NTFS File Attributes
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Discovery
Private Keys, Unsecured Credentials
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
PowerShell, Ingress Tool Transfer
Access Token Manipulation, Token Impersonation/Theft
Exploit Public-Facing Application, External Remote Services
Services Registry Permissions Weakness
Create or Modify System Process, Windows Service
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
Port Monitors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Regsvr32
Pre-OS Boot, Registry Run Keys / Startup Folder
Systemd Timers, Scheduled Task/Job
Data Encrypted for Impact
Windows Management Instrumentation
Mavinject, System Binary Proxy Execution
DLL Side-Loading, Hijack Execution Flow
Remote Access Software
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Query Registry
Phishing, Spearphishing Attachment
Setuid and Setgid, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Screen Capture
Account Discovery, Local Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Inhibit System Recovery
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Remote System Discovery
Account Manipulation
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Domain Account, Account Discovery
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Compiled HTML File
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Account Discovery, Domain Account
Data Staged
Permission Groups Discovery, Domain Groups
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Ingress Tool Transfer
Password Spraying, Brute Force
Protocol Tunneling, Proxy, Web Service
Scheduled Task/Job
Defacement
Mail Protocols, Application Layer Protocol
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Disk Structure Wipe, Disk Wipe
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Managers
Scheduled Task/Job, Scheduled Task
Msiexec
Password Spraying, Brute Force
System Shutdown/Reboot
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Password Spraying, Brute Force
Service Stop
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Hide Artifacts, NTFS File Attributes
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Query Registry
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
LSASS Memory, OS Credential Dumping
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Command and Scripting Interpreter
Scheduled Task/Job
Process Injection
Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter
Indicator Removal
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Phishing, Spearphishing Attachment
Gather Victim Network Information, IP Addresses
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Account Discovery
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Deobfuscate/Decode Files or Information
Token Impersonation/Theft, Access Token Manipulation
Modify Registry
Data Destruction
OS Credential Dumping
User Execution, Malicious File
Command and Scripting Interpreter
Domain Account, Account Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Boot or Logon Autostart Execution
Credentials from Web Browsers, Credentials from Password Stores
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Kerberos Tickets, Golden Ticket
XSL Script Processing
Disable or Modify Tools, Impair Defenses
Archive Collected Data
System Binary Proxy Execution, Rundll32
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Modify Registry
Phishing, Spearphishing Attachment
Use Alternate Authentication Material, Pass the Ticket
Exfiltration Over C2 Channel
Cron, Scheduled Task/Job
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Policy Discovery
Use Alternate Authentication Material
Query Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
PowerShell, Command and Scripting Interpreter
Process Injection
Account Discovery, Local Account
Process Injection, Dynamic-link Library Injection
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Exploit Public-Facing Application, External Remote Services
Query Registry
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
LSASS Memory
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Data Destruction
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
System Binary Proxy Execution, Mshta
Cron, Scheduled Task/Job
Forced Authentication
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Hidden Window
Inhibit System Recovery
OS Credential Dumping, PowerShell
Domain Account, Account Discovery
Password Spraying, Brute Force
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
Windows Management Instrumentation
SID-History Injection, Access Token Manipulation
Modify Registry
Modify Registry
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Transfer Data to Cloud Account
Automated Exfiltration
Phishing, Modify Registry
Password Spraying, Brute Force
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Data Encrypted for Impact
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Gather Victim Identity Information, Email Addresses
Valid Accounts, Domain Accounts
System Binary Proxy Execution
Ingress Tool Transfer
Modify Registry
Hardware Additions
User Execution, Malicious File
Service Stop
Valid Accounts
Masquerading, Rename System Utilities
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Archive via Utility, Archive Collected Data
Password Spraying, Brute Force
System Binary Proxy Execution, Compiled HTML File
Password Policy Discovery
System Services, Service Execution
LSASS Memory, OS Credential Dumping
Remote System Discovery
Credentials from Password Stores, Credentials from Web Browsers
Remote Services, Windows Remote Management
Server Software Component, IIS Components
At, Scheduled Task/Job
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Process Injection
Print Processors, Boot or Logon Autostart Execution
Archive via Utility, Archive Collected Data
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Phishing, Spearphishing Attachment
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Service Stop
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Domain or Tenant Policy Modification, Group Policy Modification
Windows Management Instrumentation Event Subscription
Modify Registry
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Permission Groups Discovery, Local Groups
System Binary Proxy Execution, Regsvcs/Regasm
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Impair Defenses, PowerShell, Command and Scripting Interpreter
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Protocol Tunneling, SSH
Process Injection, Portable Executable Injection
SSH Authorized Keys, Account Manipulation
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Compiled HTML File
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
System Network Configuration Discovery
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Scheduled Task/Job, At
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Data Destruction
Virtualization/Sandbox Evasion, Time Based Evasion
Application Layer Protocol
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Manipulation
System Binary Proxy Execution, Regsvcs/Regasm
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Access Software
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
System Binary Proxy Execution, Rundll32
Remote Desktop Protocol, Remote Services
Account Access Removal
System Owner/User Discovery
Obfuscated Files or Information
Fileless Storage, Obfuscated Files or Information
Print Processors, Boot or Logon Autostart Execution
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Rundll32
System Owner/User Discovery
Ingress Tool Transfer
Security Account Manager, OS Credential Dumping
Account Discovery, Local Account
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Permission Groups Discovery, Local Groups
Inhibit System Recovery
Ingress Tool Transfer
Local Account, Create Account
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Remote Services, SMB/Windows Admin Shares
Disable or Modify Tools, Impair Defenses
Spearphishing Attachment, Phishing
Mail Protocols, Application Layer Protocol
Modify Registry
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Token Impersonation/Theft, Access Token Manipulation
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Inhibit System Recovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Account Discovery, Domain Account
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Plist File Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
LSASS Memory, OS Credential Dumping
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
Rootkit, Exploitation for Privilege Escalation
System Binary Proxy Execution, Mshta
Account Manipulation
System Shutdown/Reboot
Application Layer Protocol
Obfuscated Files or Information, Unix Shell
System Binary Proxy Execution, Rundll32
SID-History Injection, Access Token Manipulation
Security Account Manager, OS Credential Dumping
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Mail Protocols, Application Layer Protocol
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Server Software Component, IIS Components
Command and Scripting Interpreter, PowerShell
Unsecured Credentials
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Launch Agent, Create or Modify System Process
Archive via Utility, Archive Collected Data
Data Destruction
Windows Service, Create or Modify System Process
Remote Desktop Protocol, Remote Services
System Network Connections Discovery
System Binary Proxy Execution, Regsvr32
Web Service
Gather Victim Host Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Modify Registry
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Create or Modify System Process, Windows Service
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Command and Scripting Interpreter, Component Object Model
Dynamic-link Library Injection, Process Injection
Masquerading
System Binary Proxy Execution, Mshta
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
System Services, Service Execution
System Owner/User Discovery
Compromise Software Supply Chain
Remote Access Software, OS Credential Dumping
Account Discovery, Domain Account
User Execution
Verclsid, System Binary Proxy Execution
Screen Capture
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Account Manipulation, Valid Accounts
User Execution
System Services, Service Execution
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Shared Modules
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Gather Victim Host Information
Modify Registry
Password Spraying, Brute Force
Account Access Removal
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Rogue Domain Controller
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
Process Injection
Domain Account, Account Discovery
Create or Modify System Process
Exfiltration Over C2 Channel
Password Spraying, Brute Force
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
Exploitation for Privilege Escalation
System Shutdown/Reboot
Remote Services, Distributed Component Object Model
Process Injection
Query Registry
RDP Hijacking
Bypass User Account Control
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Windows Remote Management, Remote Services
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
Process Injection
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Valid Accounts, Local Accounts
Permission Groups Discovery, Domain Groups
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
System Binary Proxy Execution, Rundll32
Exploitation of Remote Services
Service Stop
Domain or Tenant Policy Modification, Group Policy Modification
Process Discovery
Kernel Modules and Extensions
Security Account Manager, OS Credential Dumping
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
DCSync, OS Credential Dumping
System Shutdown/Reboot
Indicator Removal
Exploit Public-Facing Application
Ingress Tool Transfer
Archive via Utility, Archive Collected Data
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Server Software Component, Web Shell
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Data from Local System
Service Stop
System Owner/User Discovery
Odbcconf
Account Manipulation, Valid Accounts
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
System Binary Proxy Execution, Regsvcs/Regasm
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
System Network Connections Discovery
Scheduled Task, PowerShell, Command and Scripting Interpreter
System Network Configuration Discovery, Internet Connection Discovery
Network Share Discovery
Network Share Discovery
Command and Scripting Interpreter, PowerShell
Path Interception by Unquoted Path, Hijack Execution Flow
System Services, Service Execution
Use Alternate Authentication Material
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Valid Accounts, Domain Accounts
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Proxy, Non-Application Layer Protocol
Password Policy Discovery
Cron, Scheduled Task/Job
Impair Defenses, Disable or Modify System Firewall
Modify Registry
System Network Configuration Discovery
Phishing, Spearphishing Attachment
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Application Shimming, Event Triggered Execution
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
User Execution, Malicious File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Local Account, Create Account
Clear Windows Event Logs, Indicator Removal
Exfiltration Over Alternative Protocol
Masquerading
Password Spraying, Brute Force
Modify Registry
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
Password Policy Discovery
Compromise Software Supply Chain
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Rogue Domain Controller
Account Discovery, Domain Account
Password Spraying, Brute Force
Command and Scripting Interpreter, PowerShell
InstallUtil, System Binary Proxy Execution
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Ingress Tool Transfer
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
Account Manipulation
Application Layer Protocol
Masquerading
Disable or Modify Tools, Impair Defenses
Network Share Discovery
Windows Service
Command and Scripting Interpreter, Process Injection, PowerShell
Steal or Forge Kerberos Tickets
System Script Proxy Execution, System Binary Proxy Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Disable or Modify Tools, Impair Defenses
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Process Injection
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
Data Destruction
Ingress Tool Transfer, Domain Groups
Print Processors, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
Scheduled Task, Scheduled Task/Job
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell
Exploitation of Remote Services
Archive via Utility, Archive Collected Data
Systemd Timers, Scheduled Task/Job
PowerShell
Gather Victim Host Information, PowerShell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Password Spraying, Brute Force
Modify Registry
System Network Configuration Discovery
Ingress Tool Transfer
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
Domain Trust Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Clipboard Data
Scheduled Task
Phishing, Spearphishing Attachment
Unix Shell, Command and Scripting Interpreter
Password Spraying, Brute Force
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
PowerShell, Command and Scripting Interpreter
Change Default File Association, Event Triggered Execution
PowerShell, Command and Scripting Interpreter
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
System Owner/User Discovery
Compiled HTML File, System Binary Proxy Execution
Windows Management Instrumentation
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Account Discovery, Domain Account
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Steal or Forge Kerberos Tickets
Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares
Command and Scripting Interpreter, Windows Command Shell
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Service Stop
Security Account Manager, OS Credential Dumping
Process Injection
Process Injection
Rename System Utilities, Masquerading
Phishing, Spearphishing Attachment
Modify Registry
Launch Agent, Create or Modify System Process
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
Account Discovery, Domain Account
Steal or Forge Authentication Certificates
Domain or Tenant Policy Modification
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Exploit Public-Facing Application
Service Stop
Exploitation for Privilege Escalation
Inhibit System Recovery
Command and Scripting Interpreter, JavaScript
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Compiled HTML File
Security Account Manager
Scheduled Task, Scheduled Task/Job
Steal or Forge Kerberos Tickets, Kerberoasting
Malicious File, User Execution
Process Injection
DCSync, OS Credential Dumping
Modify Registry
Visual Basic, Command and Scripting Interpreter
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Modify Registry
Password Spraying, Brute Force
Data Destruction
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
InstallUtil, System Binary Proxy Execution
Domain Account, Account Discovery
Service Stop
Process Injection
Modify Registry
Scheduled Task
Access Token Manipulation, SID-History Injection
Server Software Component, Web Shell
Remote Services, Windows Remote Management
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Brute Force, Credential Stuffing
Windows Management Instrumentation
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Account Discovery
Modify Registry
Steal or Forge Kerberos Tickets, Kerberoasting
Disable or Modify Tools, Impair Defenses
Lateral Tool Transfer
System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
SSH Authorized Keys, Account Manipulation
Gather Victim Host Information
Local Account, Create Account
File and Directory Permissions Modification
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Account Discovery, Domain Account, User Execution, Malicious File
Exploitation for Privilege Escalation
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Remote Access Software
System Owner/User Discovery
DLL Search Order Hijacking, Hijack Execution Flow
Inhibit System Recovery
Scheduled Task/Job
System Information Discovery, Rootkit
Automated Exfiltration
Account Discovery, Local Account, PowerShell
Modify Registry
Phishing, Spearphishing Link
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
System Firmware, Pre-OS Boot
Security Account Manager, OS Credential Dumping
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Server Software Component, IIS Components
Create or Modify System Process, Windows Service
Steal or Forge Authentication Certificates
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Obfuscated Files or Information
Odbcconf
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Odbcconf
File and Directory Permissions Modification
Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Rundll32
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Remote Services, Windows Remote Management
Process Injection, Portable Executable Injection
Local Account, Create Account
Remote Services, Windows Remote Management
Disable or Modify Tools, Impair Defenses
System Information Discovery
Steal or Forge Kerberos Tickets
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
Domain Trust Discovery, PowerShell
IP Addresses, Gather Victim Network Information
File Deletion, Indicator Removal
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Replication Through Removable Media
Phishing, Spearphishing Attachment
Compromise Software Supply Chain
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Password Policy Discovery
Visual Basic, Command and Scripting Interpreter
Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Password Spraying, Brute Force
Scheduled Task, Scheduled Task/Job
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Windows Management Instrumentation
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Remote System Discovery
Indicator Removal
Remote System Discovery
Inhibit System Recovery
Obfuscated Files or Information, Indicator Removal from Tools
Kerberoasting
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Steal or Forge Kerberos Tickets, Kerberoasting
Remote System Discovery
System Binary Proxy Execution, CMSTP
Command and Scripting Interpreter, PowerShell
Domain Account, Account Discovery
Modify Registry
Modify Registry
Remote Desktop Protocol, Remote Services
Exploit Public-Facing Application, External Remote Services
SIP and Trust Provider Hijacking
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Remote System Discovery
Disable or Modify Tools, Impair Defenses
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Visual Basic, Command and Scripting Interpreter
Remote Access Software
Account Discovery, Local Account, PowerShell
System Binary Proxy Execution, CMSTP
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
Exploitation for Privilege Escalation
Modify Registry
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Event Triggered Execution
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Disable or Modify Tools
Remote Services, Distributed Component Object Model
Screen Capture
Remote Services, Distributed Component Object Model, MMC
Remote System Discovery
SSH Authorized Keys
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Data Destruction
Phishing, Spearphishing Attachment
Steal or Forge Kerberos Tickets, AS-REP Roasting
Indicator Removal, Clear Windows Event Logs
Clipboard Data
Permission Groups Discovery, Domain Groups
Remote System Discovery
Windows Command Shell
Create or Modify System Process
User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
Install Root Certificate, Subvert Trust Controls
Account Manipulation, Valid Accounts
Data Destruction
Steal or Forge Kerberos Tickets, AS-REP Roasting
Server Software Component, IIS Components
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
Ingress Tool Transfer
Remote Services, Windows Remote Management
Modify Registry
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Data Encrypted for Impact
PowerShell, Ingress Tool Transfer, Fileless Storage
Steal or Forge Kerberos Tickets
Modify Registry, OS Credential Dumping
Permission Groups Discovery, Domain Groups
Unsecured Credentials, Group Policy Preferences
Command and Scripting Interpreter, JavaScript
Domain Account, Account Discovery
File and Directory Permissions Modification
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Regsvr32
Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Hijack Execution Flow
Command and Scripting Interpreter, PowerShell
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts
Windows Management Instrumentation
System Owner/User Discovery
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Password Policy Discovery
Steal or Forge Authentication Certificates
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Ingress Tool Transfer
Mark-of-the-Web Bypass
Disable or Modify Tools, Impair Defenses
Disk Structure Wipe, Disk Wipe
Command and Scripting Interpreter
DLL Search Order Hijacking, Hijack Execution Flow
Exploitation for Client Execution
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Local Accounts, Credentials In Files
Rogue Domain Controller
Disable or Modify Tools, Impair Defenses
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer
Cached Domain Credentials, OS Credential Dumping
GUI Input Capture, Input Capture
Disable or Modify Tools, Impair Defenses
Network Share Discovery, Valid Accounts
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Kerberoasting
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Remote System Discovery
Hardware, Gather Victim Host Information
Steal or Forge Authentication Certificates
Rootkit, Exploitation for Privilege Escalation
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
DLL Side-Loading, Hijack Execution Flow
Credentials, Gather Victim Identity Information
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Remote System Discovery
System Owner/User Discovery
System Owner/User Discovery
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Boot or Logon Initialization Scripts, Logon Script (Windows)
Process Injection, Portable Executable Injection
Create or Modify System Process, Windows Service
Indirect Command Execution
Credentials in Registry, Unsecured Credentials
Windows Service
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
LSASS Memory, OS Credential Dumping
Modify Registry
Password Policy Discovery
Remote System Discovery
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Domain Account, Account Discovery
System Binary Proxy Execution, Mshta
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
SIP and Trust Provider Hijacking
Msiexec
Email Collection, Local Email Collection
Disable or Modify Tools, Impair Defenses
Obfuscated Files or Information
Windows Service, Create or Modify System Process
System Binary Proxy Execution, CMSTP
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Steal or Forge Authentication Certificates
Service Stop
Disable or Modify Tools, Impair Defenses
Trusted Developer Utilities Proxy Execution
IIS Components, Server Software Component
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
System Binary Proxy Execution
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Screen Capture
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Kerberoasting
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Local Account, Create Account
Local Account, Create Account
Inhibit System Recovery
Windows Service
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Domain or Tenant Policy Modification, Group Policy Modification
Unsecured Credentials, Group Policy Preferences
Network Share Discovery, Data from Network Shared Drive
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Ingress Tool Transfer
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities
Masquerading
File and Directory Permissions Modification
Account Access Removal
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
BITS Jobs
Automated Exfiltration
Automated Exfiltration
File Deletion, Indicator Removal
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Exfiltration Over Alternative Protocol
Automated Exfiltration
Ingress Tool Transfer
Service Stop
File and Directory Permissions Modification
Service Stop, Valid Accounts
File and Directory Permissions Modification
OS Credential Dumping, Security Account Manager
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Archive via Utility, Archive Collected Data
Data Destruction, File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Account
User Execution
Steal Application Access Token
Cloud Account
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Service Discovery
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Additional Cloud Roles
Email Collection, Email Forwarding Rule
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Manipulation, Additional Cloud Roles
Email Collection
Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Cloud Logs, Impair Defenses
Cloud Account, Create Account
Steal Application Access Token, Phishing, Spearphishing Link
Disable or Modify Cloud Logs, Impair Defenses
Data Encrypted for Impact
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Domain or Tenant Policy Modification, Trust Modification
Account Manipulation
Container Orchestration Job
User Execution
Malicious Image, User Execution
Automated Collection
User Execution
Cloud Accounts, Valid Accounts
Account Manipulation
Container API
Steal Application Access Token
Browser Session Hijacking
User Execution
User Execution
User Execution
Cloud Account, Create Account
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Multi-Factor Authentication Request Generation
Impair Defenses, Disable or Modify Cloud Logs
Brute Force, Password Guessing, Password Spraying
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Valid Accounts
Compromise Accounts, Unused/Unsupported Cloud Regions
Steal Application Access Token
Account Manipulation
Impair Defenses
User Execution
Brute Force, Password Guessing, Password Spraying
Password Policy Discovery
User Execution
Malicious Image, User Execution
User Execution
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Container API
Account Manipulation, Additional Cloud Roles
Password Guessing, Brute Force
Compromise Host Software Binary
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Impair Defenses, Disable or Modify Cloud Logs
Trusted Relationship
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Browser Session Hijacking
User Execution
Create Account, Cloud Account
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Email Collection, Remote Email Collection
Malicious Image, User Execution
Steal Application Access Token
Account Manipulation
Email Collection, Email Forwarding Rule
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Email Collection, Email Forwarding Rule
Browser Session Hijacking
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Impair Defenses
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Valid Accounts
Automated Collection
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Cloud Accounts, Valid Accounts
Trusted Relationship
Valid Accounts
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Steal Application Access Token
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Container API
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Cloud Account
User Execution
Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Phishing
Security Account Manager
Valid Accounts
Compromise Host Software Binary
Cloud Service Discovery
Cloud Infrastructure Discovery
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploitation for Credential Access
Data from Cloud Storage
User Execution
Cloud Account, Create Account
Data from Cloud Storage
Valid Accounts
Data from Cloud Storage
Exploitation for Credential Access
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Multi-Factor Authentication Request Generation
Modify Cloud Compute Configurations
Steal Application Access Token
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Remote Email Collection
Additional Cloud Roles
Data Encrypted for Impact
Cloud Accounts, Valid Accounts
Modify Authentication Process, Multi-Factor Authentication
Email Collection, Remote Email Collection
Cloud Service Discovery
Data from Cloud Storage
Modify Authentication Process
Cloud Accounts, Valid Accounts
Impair Defenses, Disable or Modify Cloud Logs
Valid Accounts
Impair Defenses, Disable or Modify Cloud Logs
Cloud Account, Create Account
User Execution
Compromise Software Supply Chain, Supply Chain Compromise
Cloud Accounts, Valid Accounts
Valid Accounts
User Execution
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Remote Email Collection
Spearphishing Attachment, Phishing
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Email Collection
Brute Force, Password Guessing
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Account Manipulation, Device Registration
Email Collection, Remote Email Collection
Account Manipulation, Additional Cloud Roles
Automated Collection
Malicious Image, User Execution
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Spearphishing Attachment, Phishing
Disable or Modify Cloud Logs, Impair Defenses
Valid Accounts
Browser Session Hijacking
Account Manipulation, Device Registration
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
User Execution
Steal Application Access Token
Account Manipulation, Additional Cloud Roles
Remote Email Collection
Data from Cloud Storage
Disable or Modify Cloud Firewall, Impair Defenses
Valid Accounts
Security Account Manager
Use Alternate Authentication Material
Disable or Modify Cloud Logs, Impair Defenses
Domain or Tenant Policy Modification, Trust Modification
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Spearphishing Attachment, Phishing
User Execution
Phishing
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Transfer Data to Cloud Account
Cloud Account
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Cloud Account
User Execution
Account Manipulation, Additional Cloud Roles
User Execution
Additional Email Delegate Permissions, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Valid Accounts
Valid Accounts
User Execution
Malicious Image, User Execution
Network Service Discovery
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Transfer Data to Cloud Account
Account Manipulation, Additional Cloud Credentials
User Execution
Modify Authentication Process
Cloud Account
Account Manipulation
Spearphishing Attachment, Phishing
Account Manipulation
Security Account Manager
Container API
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Create Account, Cloud Account
Additional Email Delegate Permissions, Additional Cloud Roles
Unused/Unsupported Cloud Regions
Network Service Discovery
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Password Policy Discovery
Transfer Data to Cloud Account
Brute Force, Password Spraying, Credential Stuffing
Cloud Accounts, Valid Accounts
Transfer Data to Cloud Account
Compromise Accounts, Cloud Accounts, Brute Force
Valid Accounts, Cloud Accounts
Cloud Service Discovery
Transfer Data to Cloud Account
Malicious Image, User Execution
Data from Cloud Storage
Account Manipulation
Malicious Image, User Execution
Malicious Image, User Execution
Cloud Groups, Account Manipulation, Permission Groups Discovery
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Drive-by Compromise
Abuse Elevation Control Mechanism, Indirect Command Execution
Drive-by Compromise
File and Directory Discovery
Endpoint Denial of Service
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Exploit Public-Facing Application
Exploitation of Remote Services
Drive-by Compromise
Abuse Elevation Control Mechanism
Drive-by Compromise
Endpoint Denial of Service
Account Discovery
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Web Session Cookie, Cloud Service Dashboard
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Endpoint Denial of Service
Exploitation for Credential Access
Network Denial of Service
Steal Web Session Cookie
Spearphishing Attachment, Phishing
Cloud Account
Password Spraying
Valid Accounts, Brute Force
Drive-by Compromise
Protocol Impersonation
Network Denial of Service
HTML Smuggling
Endpoint Denial of Service
Digital Certificates
File and Directory Discovery
Exploit Public-Facing Application
Command and Scripting Interpreter
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exfiltration Over Web Service
Log Enumeration
Endpoint Denial of Service
Application or System Exploitation
Drive-by Compromise
Account Manipulation, Device Registration
Exploitation of Remote Services
Drive-by Compromise
Process Injection
Digital Certificates
Drive-by Compromise
File and Directory Discovery
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Digital Certificates
Command and Scripting Interpreter
Drive-by Compromise
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Valid Accounts
Valid Accounts, Cloud Accounts
System Information Discovery
Drive-by Compromise
Multi-Factor Authentication Request Generation
Exploit Public-Facing Application
Multi-Factor Authentication Request Generation
Command and Scripting Interpreter
Brute Force
Email Collection, Remote Email Collection
Digital Certificates
Drive-by Compromise
File and Directory Discovery
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Account Discovery
Valid Accounts, Default Accounts, Modify Authentication Process
Access Token Manipulation
Email Collection, Local Email Collection
Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Endpoint Denial of Service
Valid Accounts, Default Accounts
Drive-by Compromise
Modify Authentication Process, Multi-Factor Authentication
Cloud Account
System Information Discovery
Valid Accounts, Default Accounts
Brute Force
Abuse Elevation Control Mechanism
Cloud Accounts
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Application or System Exploitation
Account Manipulation
Password Spraying, Brute Force
Password Spraying, Brute Force
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Password Spraying, Valid Accounts, Default Accounts
DLL Search Order Hijacking, Hijack Execution Flow
Cloud Service Discovery
Password Policy Discovery
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Exfiltration Over Unencrypted Non-C2 Protocol
Malicious Image, User Execution
Malicious Image, User Execution
LSASS Memory
PowerShell
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Masquerading
Phishing
Malicious File
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
PowerShell, Windows Command Shell
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Cloud Service Discovery
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory
Hidden Files and Directories
Create Account
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploitation for Privilege Escalation
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
System Information Discovery, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application
Phishing
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Remote Access Software
Exploit Public-Facing Application, External Remote Services
Encrypted Channel
Proxy, Multi-hop Proxy
Domain Generation Algorithms
Remote Access Software
Encrypted Channel
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Remote Desktop Protocol, Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploitation for Client Execution
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Remote Access Software
SMB/Windows Admin Shares, Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
File Transfer Protocols, Application Layer Protocol
Non-Application Layer Protocol
Exfiltration Over Web Service
Protocol Tunneling, Proxy, Web Service
Exploitation for Client Execution
Network Sniffing
Exfiltration Over Unencrypted Non-C2 Protocol
DNS, Application Layer Protocol
SMB/Windows Admin Shares, Remote Services
Exfiltration Over C2 Channel
Exploit Public-Facing Application, Command and Scripting Interpreter
TFTP Boot, Pre-OS Boot
DNS, Application Layer Protocol
OS Credential Dumping, DCSync, Rogue Domain Controller
Rogue Domain Controller
Drive-by Compromise
Remote Desktop Protocol, Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Network Denial of Service, Reflection Amplification
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Domain Generation Algorithms
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over Alternative Protocol
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Vulnerability Scanning, Network Service Discovery
Network Service Discovery
Network Service Discovery