Windows Vulnerable 3CX Software
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Exfiltration Over Unencrypted Non-C2 Protocol
DLL Side-Loading, Hijack Execution Flow
Exfiltration Over Unencrypted Non-C2 Protocol
Exploit Public-Facing Application
Process Injection
System Services, Service Execution
System Binary Proxy Execution, Regsvr32
Rootkit, Exploitation for Privilege Escalation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Process Injection, Portable Executable Injection
Process Injection
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Indicator Removal
Unix Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Hardware Additions
Data Destruction
Steal or Forge Authentication Certificates
File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Phishing, Spearphishing Attachment
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Exploitation for Privilege Escalation
Data Destruction
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Disable or Modify Tools
PowerShell, Command and Scripting Interpreter
Rogue Domain Controller
Scheduled Task/Job, Scheduled Task
Create or Modify System Process
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
LSASS Memory
Command and Scripting Interpreter
Server Software Component, IIS Components
Spearphishing Attachment, Phishing
Server Software Component, IIS Components
Replication Through Removable Media
Modify Registry
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Malicious File, User Execution
Domain Account, Account Discovery
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
User Execution, Malicious File
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Server Software Component, IIS Components
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Query Registry
Query Registry
Windows Service
Windows Management Instrumentation
System Network Configuration Discovery
Change Default File Association, Event Triggered Execution
Credentials from Password Stores
Indirect Command Execution
System Network Connections Discovery
Clipboard Data
Credentials in Registry, Unsecured Credentials
Password Managers
Service Stop
Private Keys, Unsecured Credentials
Cached Domain Credentials, OS Credential Dumping
Security Support Provider, Boot or Logon Autostart Execution
System Information Discovery
System Owner/User Discovery
Steal or Forge Kerberos Tickets
BITS Jobs, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Account Manipulation
Domain Policy Modification
Account Manipulation
DCSync, OS Credential Dumping
SID-History Injection, Access Token Manipulation
OS Credential Dumping
Access Token Manipulation, SID-History Injection
Security Account Manager, OS Credential Dumping
Windows Management Instrumentation
Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Inhibit System Recovery
Modify Registry
Disable or Modify Tools, Impair Defenses
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets, AS-REP Roasting
Credentials in Registry, Unsecured Credentials
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Image File Execution Options Injection, Event Triggered Execution
Modify Registry
Command and Scripting Interpreter, PowerShell
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Time Providers, Boot or Logon Autostart Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
System Services, Service Execution
Modify Registry
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses
Credentials in Registry, Unsecured Credentials
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry, OS Credential Dumping
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
Domain Account, Account Discovery
File Deletion, Indicator Removal
Data Destruction
Process Injection, Portable Executable Injection
Application Layer Protocol
Modify Registry
Dynamic-link Library Injection, Process Injection
Application Layer Protocol
Regsvr32, System Binary Proxy Execution
Command and Scripting Interpreter, JavaScript
Process Injection
Process Injection
Windows Management Instrumentation
DLL Side-Loading, Hijack Execution Flow
System Owner/User Discovery
System Owner/User Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Rogue Domain Controller
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Gather Victim Host Information, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Account, Create Account
Exploit Public-Facing Application
Exploit Public-Facing Application
Server Software Component, Web Shell, Exploit Public-Facing Application
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Script Proxy Execution, System Binary Proxy Execution
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
System Binary Proxy Execution
Protocol Tunneling, SSH
Odbcconf, System Binary Proxy Execution
Data Encrypted for Impact
Command and Scripting Interpreter
Ingress Tool Transfer
Domain Account, Account Discovery
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter
SID-History Injection, Access Token Manipulation
Modify Authentication Process
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter
Image File Execution Options Injection
Account Manipulation
DCSync, OS Credential Dumping
Account Manipulation
Compiled HTML File, System Binary Proxy Execution
Rogue Domain Controller
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Compiled HTML File, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Abuse Elevation Control Mechanism
Ingress Tool Transfer
Process Injection
InstallUtil, System Binary Proxy Execution
Valid Accounts, Domain Accounts
Valid Accounts, Local Accounts
LSASS Memory, OS Credential Dumping
Token Impersonation/Theft, Access Token Manipulation
Service Stop
Token Impersonation/Theft, Access Token Manipulation
Credentials, Gather Victim Identity Information
DLL Search Order Hijacking, Hijack Execution Flow
Remote Access Software, OS Credential Dumping
Create Process with Token, Access Token Manipulation
Process Injection, Portable Executable Injection
GUI Input Capture, Input Capture
Remote Access Software
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
LSASS Memory, OS Credential Dumping
DLL Search Order Hijacking
Ingress Tool Transfer
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer
Hardware, Gather Victim Host Information
System Time Discovery
Clipboard Data
Windows Command Shell, Command and Scripting Interpreter
SSH Authorized Keys
System Shutdown/Reboot
System Shutdown/Reboot
System Information Discovery, Rootkit
Obfuscated Files or Information, Unix Shell
System Shutdown/Reboot
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Masquerading, Rename System Utilities
Windows Management Instrumentation Event Subscription
Disable or Modify Tools, Impair Defenses
Screen Capture
Mavinject, System Binary Proxy Execution
Screen Capture
Odbcconf
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Odbcconf
System Binary Proxy Execution
Remote System Discovery
Exploit Public-Facing Application
Odbcconf
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Application Layer Protocol
Modify Registry
Disable or Modify Tools, Impair Defenses
Service Stop
Modify Registry
Modify Registry
Remote Access Software
Modify Registry
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Modify Registry
Modify Registry
Modify Registry
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
IP Addresses, Gather Victim Network Information
Service Stop
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Disable or Modify System Firewall, Impair Defenses
Exfiltration Over Alternative Protocol
Gather Victim Network Information, IP Addresses
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Plist File Modification
At, Scheduled Task/Job
At, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Exploitation for Privilege Escalation
Process Injection
Local Accounts, Credentials In Files
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Domain Account, Account Discovery
Remote System Discovery
Windows Service
Command and Scripting Interpreter, PowerShell
Gather Victim Host Information
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Email Collection, Local Email Collection
Password Policy Discovery
Domain Trust Discovery
Command and Scripting Interpreter, PowerShell
Password Policy Discovery
Permission Groups Discovery, Domain Groups
Remote System Discovery
Account Discovery, Local Account, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Inhibit System Recovery
Remote System Discovery
Permission Groups Discovery, Domain Groups
Masquerade Task or Service, Masquerading
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Scheduled Task/Job
Domain Account, Account Discovery
Domain Account, Account Discovery
Service Stop
Data Destruction, File Deletion, Indicator Removal
Service Stop
Service Stop
Data Destruction
Cron, Scheduled Task/Job
Data Destruction
Domain Trust Discovery
NTDS, OS Credential Dumping
Scheduled Task, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
System Binary Proxy Execution, Mshta
System Services, Service Execution
System Binary Proxy Execution, Compiled HTML File
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Disable or Modify System Firewall, Impair Defenses
Indirect Command Execution
Indirect Command Execution
Disable or Modify Tools, Impair Defenses
System Network Connections Discovery
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Remote System Discovery
Install Root Certificate, Subvert Trust Controls
Rootkit, Exploitation for Privilege Escalation
Remote System Discovery
Remote System Discovery
Disable or Modify Tools, Impair Defenses
Masquerading
Remote Services, Distributed Component Object Model
Permission Groups Discovery, Domain Groups
PowerShell, Command and Scripting Interpreter
Remote Services, Windows Remote Management
System Owner/User Discovery
Remote Services, Windows Remote Management
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Discovery, Local Account, PowerShell
Gather Victim Host Information
Password Policy Discovery
File and Directory Permissions Modification
Account Access Removal
File and Directory Permissions Modification
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Process Injection
Process Injection
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvcs/Regasm
Process Injection
Steal or Forge Kerberos Tickets, Golden Ticket
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Rundll32
Process Injection
Gather Victim Identity Information, Email Addresses
Use Alternate Authentication Material
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Unix Shell, Command and Scripting Interpreter
Use Alternate Authentication Material
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Command and Scripting Interpreter
Kerberoasting
Command and Scripting Interpreter, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools
Disk Structure Wipe, Disk Wipe
Command and Scripting Interpreter, Process Injection, PowerShell
Data Destruction
Data Destruction
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
OS Credential Dumping, PowerShell
Domain Trust Discovery, PowerShell
Mshta, System Binary Proxy Execution
Process Injection
Disable or Modify Tools, Impair Defenses
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
Scheduled Task, Scheduled Task/Job
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Management Instrumentation
Indicator Removal
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvcs/Regasm
Bypass User Account Control, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvcs/Regasm
Bypass User Account Control, Abuse Elevation Control Mechanism
System Binary Proxy Execution
Disk Structure Wipe, Disk Wipe
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Phishing, Spearphishing Attachment
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
BITS Jobs
Data Destruction
System Network Configuration Discovery
Automated Exfiltration
Automated Exfiltration
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
System Binary Proxy Execution, Rundll32
Process Injection
Use Alternate Authentication Material, Pass the Ticket
Scheduled Task, Scheduled Task/Job
Ingress Tool Transfer
Ingress Tool Transfer
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket
Exploitation for Privilege Escalation
Virtualization/Sandbox Evasion, Time Based Evasion
Data Destruction
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Obfuscated Files or Information
Windows Command Shell, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Windows Command Shell
PowerShell, Command and Scripting Interpreter
LSASS Memory, OS Credential Dumping
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
/etc/passwd and /etc/shadow, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Local Account, Create Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
File Deletion, Indicator Removal
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Valid Accounts, Domain Accounts
Systemd Timers, Scheduled Task/Job
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
DLL Side-Loading, Hijack Execution Flow
Indicator Removal
Disable or Modify Tools
Server Software Component, Web Shell, Exploit Public-Facing Application
Inhibit System Recovery
Inhibit System Recovery
Exfiltration Over Alternative Protocol
Unix Shell
Automated Exfiltration
Ingress Tool Transfer
Scheduled Task
Valid Accounts
Valid Accounts
Service Stop
File and Directory Permissions Modification
Service Stop, Valid Accounts
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
File and Directory Permissions Modification
Scheduled Task/Job, Scheduled Task
Automated Exfiltration
Create or Modify System Process, Windows Service
OS Credential Dumping, Security Account Manager
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Remote Services, Distributed Component Object Model, MMC
Create or Modify System Process, Windows Service
Windows Management Instrumentation
Credentials from Web Browsers, Credentials from Password Stores
Archive via Utility, Archive Collected Data
Create or Modify System Process, Windows Service
Remote Services, Windows Remote Management
Scheduled Task/Job, Scheduled Task
Gather Victim Host Information
Remote Services, SMB/Windows Admin Shares
Process Injection, Dynamic-link Library Injection
Disable or Modify Tools, Impair Defenses
Remote Services, Windows Remote Management
Transfer Data to Cloud Account
Data Destruction, File Deletion, Indicator Removal
Data Encrypted for Impact
Remote Services, Distributed Component Object Model
Windows Management Instrumentation
Compile After Delivery, Obfuscated Files or Information
System Network Configuration Discovery, Internet Connection Discovery
Windows Management Instrumentation
InstallUtil, System Binary Proxy Execution
Disable or Modify System Firewall, Impair Defenses
Access Token Manipulation, Token Impersonation/Theft
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, Scheduled Task
XSL Script Processing
Scheduled Task/Job, At
Remote Services, Windows Remote Management
Create or Modify System Process, Windows Service
Ingress Tool Transfer
Create or Modify System Process, Windows Service
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Remote System Discovery
Ingress Tool Transfer
Scheduled Task
Disable or Modify Tools, Impair Defenses
Kerberoasting
Clear Windows Event Logs, Indicator Removal
Masquerading
Data Destruction, File Deletion, Indicator Removal
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection
Rename System Utilities, Masquerading
Command and Scripting Interpreter, Component Object Model
Modify Registry
Regsvr32, Modify Registry
System Binary Proxy Execution, Regsvr32
MSBuild, Trusted Developer Utilities Proxy Execution
Visual Basic, Command and Scripting Interpreter
Verclsid, System Binary Proxy Execution
Print Processors, Boot or Logon Autostart Execution
Event Triggered Execution, Screensaver
Boot or Logon Initialization Scripts, Logon Script (Windows)
Change Default File Association, Event Triggered Execution
Screen Capture
BITS Jobs
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
Automated Exfiltration
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Account Discovery, Local Account
Archive via Utility, Archive Collected Data
NTDS, OS Credential Dumping
Remote Services, SMB/Windows Admin Shares
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
Credentials from Password Stores, Credentials from Web Browsers
System Owner/User Discovery
Credentials from Password Stores, Credentials from Web Browsers
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
XSL Script Processing
Command and Scripting Interpreter, JavaScript
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
Security Account Manager, OS Credential Dumping
System Binary Proxy Execution, Rundll32
Local Account, Create Account
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
Remote System Discovery
Remote System Discovery
Domain Account, Account Discovery
System Information Discovery
Remote System Discovery
Remote System Discovery
Inhibit System Recovery
Inhibit System Recovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Remote System Discovery
Remote System Discovery
OS Credential Dumping
Remote System Discovery
Forced Authentication
Remote System Discovery
Remote System Discovery
Password Policy Discovery
Password Policy Discovery
Phishing, Spearphishing Link
Password Policy Discovery
Password Policy Discovery
Permission Groups Discovery, Domain Groups
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Trust Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Security Account Manager, OS Credential Dumping
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, CMSTP
Indicator Removal
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
Process Injection
Data from Local System
User Execution, Malicious File
Archive via Utility, Archive Collected Data
Process Injection
System Binary Proxy Execution, Regsvr32
Command and Scripting Interpreter
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
System Binary Proxy Execution, Mshta
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
System Services, Service Execution
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Command and Scripting Interpreter, Visual Basic
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
File and Directory Permissions Modification
File Deletion, Indicator Removal
Inhibit System Recovery
Indicator Removal, Clear Windows Event Logs
Impair Defenses, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Inhibit System Recovery
Defacement
System Binary Proxy Execution, CMSTP
User Execution
User Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
NTDS, OS Credential Dumping
Exploit Public-Facing Application
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Remote Desktop Protocol, Remote Services
Abuse Elevation Control Mechanism
System Binary Proxy Execution, CMSTP
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Scheduled Task/Job
File and Directory Permissions Modification
Account Discovery
Ingress Tool Transfer
Account Access Removal
Disable or Modify Tools, Impair Defenses
Account Access Removal
File and Directory Permissions Modification
Service Stop
Service Stop
Disable or Modify Tools, Impair Defenses
Account Access Removal
Windows Service, Create or Modify System Process
File and Directory Permissions Modification
Windows Service, Create or Modify System Process
Process Injection
Archive via Utility, Archive Collected Data
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Obfuscated Files or Information
Scheduled Task/Job
Scheduled Task/Job
Password Spraying, Brute Force
Exfiltration Over Alternative Protocol
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Password Spraying, Brute Force
System Services, Service Execution
Domain Trust Discovery
Disable or Modify Tools, Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
User Execution
Create or Modify System Process
Data Destruction
Data Encrypted for Impact
Inhibit System Recovery
Command and Scripting Interpreter, PowerShell
Server Software Component, Web Shell
Disable or Modify Tools, Impair Defenses
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Scheduled Task, Scheduled Task/Job
Command and Scripting Interpreter, Windows Command Shell
Data Staged
Launch Agent, Create or Modify System Process
Ingress Tool Transfer
Launch Agent, Create or Modify System Process
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Exploitation for Privilege Escalation
NTDS, OS Credential Dumping
Exploitation for Privilege Escalation
System Binary Proxy Execution, Regsvr32
Exploitation for Privilege Escalation
Inhibit System Recovery
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter, PowerShell
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
System Binary Proxy Execution, Mshta
Inhibit System Recovery
Exploitation for Client Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
User Execution, Malicious File
Masquerading, Rename System Utilities
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Application Shimming, Event Triggered Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities
Command and Scripting Interpreter, Windows Command Shell
System Network Configuration Discovery
Inhibit System Recovery
Data Destruction
Service Stop
Data Encrypted for Impact
Use Alternate Authentication Material, Pass the Hash
Exploitation of Remote Services
Indicator Removal, Network Share Connection Removal
Masquerading
Modify Registry
Remote Desktop Protocol, Remote Services
Windows Service, Create or Modify System Process
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, PowerShell
System Services, Service Execution
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Software Deployment Tools
Event Triggered Execution, Accessibility Features
Local Account, Create Account
Local Account, Create Account
Indicator Removal, Clear Windows Event Logs
Path Interception by Unquoted Path, Hijack Execution Flow
Exploitation for Privilege Escalation
Windows Management Instrumentation
Exploitation for Privilege Escalation
Windows Management Instrumentation
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Data Encrypted for Impact
Indicator Removal
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Browser Session Hijacking
Modify Authentication Process, Multi-Factor Authentication
Brute Force, Password Spraying, Credential Stuffing
Modify Authentication Process, Multi-Factor Authentication
Password Policy Discovery
Password Policy Discovery
Brute Force, Password Guessing, Password Spraying
Browser Session Hijacking
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing
Compromise Accounts, Unused/Unsupported Cloud Regions
Data Encrypted for Impact
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Account Manipulation
Account Manipulation
Account Manipulation, Additional Cloud Roles
Account Manipulation
Malicious Image, User Execution
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Valid Accounts, Cloud Accounts
Create Account, Cloud Account
Cloud Account
Create Account, Cloud Account
Cloud Account
Account Manipulation, Additional Cloud Credentials
Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force
Disable Cloud Logs, Impair Defenses
Disable Cloud Logs, Impair Defenses
Impair Defenses, Disable Cloud Logs
Impair Defenses, Disable Cloud Logs
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Disable Cloud Logs, Impair Defenses
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Disable Cloud Logs, Impair Defenses
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Malicious Image, User Execution
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Compromise Software Supply Chain, Supply Chain Compromise
Cloud Account, Create Account
Cloud Account, Create Account
User Execution
Brute Force
Disable or Modify Cloud Firewall, Impair Defenses
Modify Authentication Process
Cloud Account, Create Account
Cloud Infrastructure Discovery
Phishing
Phishing
Malicious Image, User Execution
Malicious Image, User Execution
Compromise Client Software Binary
Trusted Relationship
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Client Software Binary
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Cloud Service Discovery
Exploitation for Credential Access
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Trusted Relationship
Exploitation for Credential Access
Malicious Image, User Execution
Spearphishing Attachment, Phishing
Malicious Image, User Execution
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Malicious Image, User Execution
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Spearphishing Attachment, Phishing
Transfer Data to Cloud Account
Data from Cloud Storage
Data from Cloud Storage
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Cloud Service Discovery
Cloud Infrastructure Discovery, Brute Force
Account Manipulation
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Accounts, Valid Accounts
Cloud Account, Create Account
Valid Accounts
Cloud Account, Create Account
Modify Authentication Process
Valid Accounts
Disable or Modify Cloud Firewall, Impair Defenses
Data Encrypted for Impact
Disable or Modify Cloud Firewall, Impair Defenses
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Password Guessing, Brute Force
Email Collection
Remote Email Collection, Email Collection
Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Data from Cloud Storage
Data from Cloud Storage
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Use Alternate Authentication Material
Valid Accounts
Valid Accounts
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Data from Cloud Storage
Data from Cloud Storage
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Exfiltration Over Unencrypted Non-C2 Protocol
LSASS Memory
PowerShell
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Valid Accounts
Valid Accounts
Valid Accounts
Masquerading
Phishing
Malicious File
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
PowerShell, Windows Command Shell
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Cloud Service Discovery
LSASS Memory
LSASS Memory
Hidden Files and Directories
Create Account
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Multi-Factor Authentication Request Generation
Steal Web Session Cookie
Web Session Cookie, Cloud Service Dashboard
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Abuse Elevation Control Mechanism
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Endpoint Denial of Service
Drive-by Compromise
Drive-by Compromise
Exfiltration Over Web Service
Drive-by Compromise
Exploitation of Remote Services
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Valid Accounts, Brute Force
Brute Force
Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Account Discovery
Endpoint Denial of Service
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Digital Certificates
Process Injection
Digital Certificates
Digital Certificates
Protocol Impersonation
Digital Certificates
Command and Scripting Interpreter
File and Directory Discovery
Valid Accounts
Drive-by Compromise
Network Denial of Service
Spearphishing Attachment, Phishing
Email Collection, Local Email Collection
Email Collection, Remote Email Collection
Valid Accounts, Default Accounts
System Information Discovery
Compromise Software Supply Chain
Domain Generation Algorithms
Domain Generation Algorithms
DNS, Application Layer Protocol
OS Credential Dumping, DCSync, Rogue Domain Controller
Protocol Tunneling, Proxy, Web Service
Encrypted Channel
Rogue Domain Controller
Network Sniffing
Exploit Public-Facing Application
Exploit Public-Facing Application, Command and Scripting Interpreter
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Drive-by Compromise
TFTP Boot, Pre-OS Boot
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over C2 Channel
Exploit Public-Facing Application
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Exploitation for Client Execution
Exploitation for Client Execution
Application Layer Protocol, Web Protocols
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
Exfiltration Over Alternative Protocol
Remote Desktop Protocol, Remote Services
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
File Transfer Protocols, Application Layer Protocol
Remote Desktop Protocol, Remote Services
DNS, Application Layer Protocol
Non-Application Layer Protocol
Network Denial of Service, Reflection Amplification
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application
Server Software Component, Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell
Exploit Public-Facing Application
System Information Discovery