Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify System Firewall , Impair Defenses
Exploit Public-Facing Application
Exfiltration Over Alternative Protocol
InstallUtil , System Binary Proxy Execution
Command and Scripting Interpreter
Command and Scripting Interpreter
Gather Victim Network Information , IP Addresses
Disable or Modify Tools , Impair Defenses
Visual Basic , Command and Scripting Interpreter
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
System Binary Proxy Execution
Command and Scripting Interpreter
Plist File Modification
At , Scheduled Task/Job
At , Scheduled Task/Job
Scheduled Task , Scheduled Task/Job
Exploitation for Privilege Escalation
Process Injection
Local Accounts , Credentials In Files
Windows Service , Create or Modify System Process , Exploitation for Privilege Escalation
Windows Service
Masquerade Task or Service , Masquerading
Disable or Modify System Firewall , Impair Defenses
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Scheduled Task/Job
Domain Account , Account Discovery
Domain Account , Account Discovery
Service Stop
Service Stop
Data Destruction
Data Destruction , File Deletion , Indicator Removal on Host
Service Stop
Data Destruction
Cron , Scheduled Task/Job
Domain Trust Discovery
Scheduled Task , Impair Defenses
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Data Destruction , File Deletion , Indicator Removal on Host
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
System Services , Service Execution
System Binary Proxy Execution , Mshta
System Binary Proxy Execution , Compiled HTML File
Command and Scripting Interpreter , PowerShell , Ingress Tool Transfer
Command and Scripting Interpreter , PowerShell , Ingress Tool Transfer
Indirect Command Execution
Indirect Command Execution
Disable or Modify System Firewall , Impair Defenses
Masquerade Task or Service , Masquerading
Disable or Modify System Firewall , Impair Defenses
Exploit Public-Facing Application
Disable or Modify Tools , Impair Defenses
Registry Run Keys / Startup Folder , Boot or Logon Autostart Execution
Install Root Certificate , Subvert Trust Controls
Remote System Discovery
Rootkit , Exploitation for Privilege Escalation
Spearphishing Attachment , Phishing , Malicious Link , User Execution
Plist Modification
Disable or Modify Tools , Impair Defenses
Remote System Discovery
Remote System Discovery
Modify Registry
System Owner/User Discovery
Remote Services , Windows Remote Management
Remote Services , Distributed Component Object Model
Gather Victim Host Information
PowerShell , Command and Scripting Interpreter
Component Object Model Hijacking , Event Triggered Execution
Steal or Forge Kerberos Tickets , AS-REP Roasting
Remote Services , Windows Remote Management
Account Discovery , Local Account
System Owner/User Discovery
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Local Groups
Domain Account , Account Discovery
Password Policy Discovery
File and Directory Permissions Modification
InstallUtil , System Binary Proxy Execution
InstallUtil , System Binary Proxy Execution
Process Injection
System Binary Proxy Execution , Rundll32
Process Injection
Process Injection
Process Injection
System Binary Proxy Execution , Rundll32
Steal or Forge Kerberos Tickets , Golden Ticket
Process Injection
Process Injection
System Binary Proxy Execution , Regsvcs/Regasm
System Binary Proxy Execution , Regsvcs/Regasm
Gather Victim Identity Information , Email Addresses
Use Alternate Authentication Material
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Unix Shell , Command and Scripting Interpreter
Use Alternate Authentication Material
Modify Registry
Command and Scripting Interpreter
Command and Scripting Interpreter
Disk Structure Wipe , Disk Wipe
Data Destruction
Data Destruction
Services Registry Permissions Weakness
Signed Binary Proxy Execution, Mshta
Process Injection
Mshta, Signed Binary Proxy Execution
Mshta, Signed Binary Proxy Execution
Mshta, Signed Binary Proxy Execution
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Steal or Forge Kerberos Tickets , AS-REP Roasting
Windows Management Instrumentation
Scheduled Task , Scheduled Task/Job
Steal or Forge Kerberos Tickets , AS-REP Roasting
Steal or Forge Kerberos Tickets , AS-REP Roasting
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter , PowerShell
System Binary Proxy Execution , Rundll32
Indicator Removal on Host
Bypass User Account Control , Abuse Elevation Control Mechanism
Remote Services , Windows Remote Management
Steal or Forge Kerberos Tickets , AS-REP Roasting
System Binary Proxy Execution , Regsvcs/Regasm
System Binary Proxy Execution , Regsvcs/Regasm
Disk Structure Wipe , Disk Wipe
Signed Binary Proxy Execution
Modify Registry
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Deobfuscate/Decode Files or Information
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection , System Binary Proxy Execution , Process Injection
System Binary Proxy Execution
BITS Jobs
Data Destruction
Automated Exfiltration
Automated Exfiltration
System Network Configuration Discovery
Steal or Forge Kerberos Tickets , Kerberoasting
Steal or Forge Kerberos Tickets , Kerberoasting
System Binary Proxy Execution , Rundll32
Scheduled Task , Scheduled Task/Job
Process Injection
Use Alternate Authentication Material , Pass the Ticket
Ingress Tool Transfer
Ingress Tool Transfer
Use Alternate Authentication Material , Pass the Ticket , Steal or Forge Kerberos Tickets , Kerberoasting , AS-REP Roasting
Use Alternate Authentication Material , Pass the Ticket
Exploitation for Privilege Escalation
Disable or Modify Tools , Impair Defenses
Bypass User Account Control , Abuse Elevation Control Mechanism
Indicator Blocking , Trusted Developer Utilities Proxy Execution , Impair Defenses
Modify Registry , OS Credential Dumping
Remote Services
Disable or Modify Tools , Impair Defenses
Inhibit System Recovery
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
LSASS Memory , OS Credential Dumping
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Bypass User Account Control , Abuse Elevation Control Mechanism
Hidden Files and Directories , Disable or Modify Tools , Hide Artifacts , Impair Defenses
Modify Registry
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Time Providers , Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder , Boot or Logon Autostart Execution
Modify Registry
Image File Execution Options Injection , Event Triggered Execution
Registry Run Keys / Startup Folder , Boot or Logon Autostart Execution
Ingress Tool Transfer , Exploit Public-Facing Application , Command and Scripting Interpreter
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Abuse Elevation Control Mechanism
Remote Desktop Protocol , Remote Services
Credentials in Registry , Unsecured Credentials
Active Setup , Boot or Logon Autostart Execution
Virtualization/Sandbox Evasion , Time Based Evasion
Data Destruction
Masquerading , Rename System Utilities , System Binary Proxy Execution , InstallUtil
Masquerading , Rename System Utilities , System Binary Proxy Execution , InstallUtil
Visual Basic , Command and Scripting Interpreter
Visual Basic , Command and Scripting Interpreter
Disable or Modify Tools , Impair Defenses
Obfuscated Files or Information
Remote Services , SMB/Windows Admin Shares , Distributed Component Object Model , Windows Management Instrumentation , Windows Service
Windows Command Shell , Command and Scripting Interpreter
Windows Command Shell
LSASS Memory , OS Credential Dumping
LSASS Memory , OS Credential Dumping
PowerShell , Command and Scripting Interpreter
SSH Authorized Keys , Account Manipulation
SSH Authorized Keys , Account Manipulation
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
/etc/passwd and /etc/shadow , OS Credential Dumping
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Setuid and Setgid , Abuse Elevation Control Mechanism
Dynamic Linker Hijacking , Hijack Execution Flow
Kernel Modules and Extensions , Boot or Logon Autostart Execution
Kernel Modules and Extensions , Boot or Logon Autostart Execution
Kernel Modules and Extensions , Boot or Logon Autostart Execution
Valid Accounts , Domain Accounts
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Setuid and Setgid , Abuse Elevation Control Mechanism
Setuid and Setgid , Abuse Elevation Control Mechanism
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux and Mac File and Directory Permissions Modification , File and Directory Permissions Modification
Local Account , Create Account
Valid Accounts , Domain Accounts
Valid Accounts , Domain Accounts
Systemd Timers , Scheduled Task/Job
Systemd Timers , Scheduled Task/Job
Systemd Timers , Scheduled Task/Job
Unix Shell Configuration Modification , Event Triggered Execution
Unix Shell Configuration Modification , Event Triggered Execution
RC Scripts , Boot or Logon Initialization Scripts
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File Deletion, Indicator Removal on Host
Cron , Scheduled Task/Job
Cron , Scheduled Task/Job
At (Linux) , Scheduled Task/Job
Cron , Scheduled Task/Job
At (Linux) , Scheduled Task/Job
Cron , Scheduled Task/Job
Cron , Scheduled Task/Job
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Ingress Tool Transfer
Ingress Tool Transfer
DLL Side-Loading , Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools
Inhibit System Recovery
Server Software Component , Web Shell , Exploit Public-Facing Application
Server Software Component , Web Shell , Exploit Public-Facing Application
Data Destruction
Indicator Removal on Host
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over Alternative Protocol
Inhibit System Recovery
Domain Accounts
Unix Shell
Ingress Tool Transfer
Scheduled Task
Automated Exfiltration
Valid Accounts
Valid Accounts
Service Stop
Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools
Use Alternate Authentication Material, Pass the Hash
File and Directory Permissions Modification
File and Directory Permissions Modification
Command and Scripting Interpreter, Indirect Command Execution
Service Stop, Valid Accounts
Account Access Removal
Create or Modify System Process , Windows Service
Scheduled Task/Job , Scheduled Task
Remote Services , Distributed Component Object Model , Windows Remote Management , Windows Management Instrumentation , Scheduled Task , Windows Service , Po...
Automated Exfiltration
NTDS, OS Credential Dumping
File and Directory Permissions Modification
OS Credential Dumping, Security Account Manager
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Disable or Modify Tools , Impair Defenses
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Remote Services , Distributed Component Object Model
Remote Services , Windows Remote Management
Windows Management Instrumentation
Create or Modify System Process , Windows Service
System Services , Service Execution
Scheduled Task/Job , Scheduled Task
Create or Modify System Process , Windows Service
Credentials from Web Browsers , Credentials from Password Stores
Archive via Utility, Archive Collected Data
Gather Victim Host Information
Process Injection , Dynamic-link Library Injection
Remote Services , SMB/Windows Admin Shares
Disable or Modify Tools , Impair Defenses
Remote Services , Windows Remote Management
Remote Services , Windows Remote Management
Transfer Data to Cloud Account
Data Encrypted for Impact
Data Destruction, File Deletion, Indicator Removal on Host
Windows Management Instrumentation
Windows Management Instrumentation
Remote Services , Distributed Component Object Model
Remote Services , Distributed Component Object Model
InstallUtil , System Binary Proxy Execution
InstallUtil , Signed Binary Proxy Execution
InstallUtil , System Binary Proxy Execution
InstallUtil , Signed Binary Proxy Execution
InstallUtil , System Binary Proxy Execution
Access Token Manipulation , Token Impersonation/Theft
Windows Management Instrumentation
System Network Configuration Discovery , Internet Connection Discovery
Disable or Modify System Firewall , Impair Defenses
Compile After Delivery , Obfuscated Files or Information
XSL Script Processing
Scheduled Task , Scheduled Task/Job
Scheduled Task/Job , Scheduled Task
Scheduled Task/Job , At
Remote Services , Windows Remote Management
Create or Modify System Process , Windows Service
Create or Modify System Process , Windows Service
Ingress Tool Transfer
Use Alternate Authentication Material, Pass the Hash
Match Legitimate Name or Location , Masquerading , OS Credential Dumping , Active Scanning
Remote System Discovery
Disable or Modify Tools , Impair Defenses
Scheduled Task
Ingress Tool Transfer
Disable or Modify Tools , Impair Defenses
Kerberoasting
Kerberoasting
Process Injection
Signed Binary Proxy Execution , Rundll32
Process Injection
Clear Windows Event Logs , Indicator Removal on Host
Process Injection , Create or Modify System Process , Parent PID Spoofing , Access Token Manipulation
Data Destruction , File Deletion , Indicator Removal on Host
Process Injection
Rename System Utilities , Masquerading
Modify Registry
Command and Scripting Interpreter , Component Object Model
Regsvr32 , Modify Registry
Server Software Component , Web Shell , Exploit Public-Facing Application
System Binary Proxy Execution , Regsvr32
MSBuild , Trusted Developer Utilities Proxy Execution
Visual Basic , Command and Scripting Interpreter
Verclsid , System Binary Proxy Execution
Print Processors , Boot or Logon Autostart Execution
Event Triggered Execution , Screensaver
Boot or Logon Initialization Scripts , Logon Script (Windows)
Change Default File Association , Event Triggered Execution
Screen Capture
Screen Capture
Screen Capture
Process Injection
Signed Binary Proxy Execution , Rundll32
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Process Injection
Process Injection
Phishing , Spearphishing Attachment
Signed Binary Proxy Execution , Regsvcs/Regasm
Signed Binary Proxy Execution , Regsvcs/Regasm
Disable or Modify System Firewall , Impair Defenses
Phishing , Spearphishing Attachment
Account Discovery , Local Account
Account Discovery , Local Account
LSASS Memory , OS Credential Dumping
Archive via Utility , Archive Collected Data
Automated Exfiltration
System Services , Service Execution
Archive via Utility , Archive Collected Data
Remote Services , SMB/Windows Admin Shares
System Binary Proxy Execution , Mshta
Signed Binary Proxy Execution , Mshta
System Binary Proxy Execution , Mshta
System Binary Proxy Execution , Compiled HTML File
System Binary Proxy Execution , Compiled HTML File
Signed Binary Proxy Execution , Compiled HTML File
NTDS , OS Credential Dumping
NTDS , OS Credential Dumping
NTDS , OS Credential Dumping
BITS Jobs , Ingress Tool Transfer
BITS Jobs
User Execution , Malicious File
Security Account Manager , OS Credential Dumping
Install Root Certificate , Subvert Trust Controls
Domain Account , Account Discovery
Credentials from Password Stores , Credentials from Web Browsers
Credentials from Password Stores , Credentials from Web Browsers
System Owner/User Discovery
Permission Groups Discovery , Local Groups
Permission Groups Discovery , Local Groups
Permission Groups Discovery , Local Groups
Permission Groups Discovery , Local Groups
Permission Groups Discovery , Local Groups
Permission Groups Discovery , Local Groups
Command and Scripting Interpreter , JavaScript
XSL Script Processing
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
Phishing , Spearphishing Attachment
Command and Scripting Interpreter , JavaScript
Command and Scripting Interpreter , JavaScript
Command and Scripting Interpreter , JavaScript
System Owner/User Discovery
System Owner/User Discovery
Phishing , Spearphishing Attachment
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
Phishing , Spearphishing Attachment
Security Account Manager , OS Credential Dumping
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
Phishing , Spearphishing Attachment
Local Account , Create Account
System Binary Proxy Execution , Control Panel
System Information Discovery
Domain Account , Account Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Inhibit System Recovery
Inhibit System Recovery
Remote System Discovery
Remote System Discovery
Domain Trust Discovery
Domain Trust Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Permission Groups Discovery , Domain Groups
Remote System Discovery
Remote System Discovery
OS Credential Dumping
Forced Authentication
Remote System Discovery
Remote System Discovery
Command and Scripting Interpreter , PowerShell
Exploit Public-Facing Application
Phishing , Spearphishing Link
Password Policy Discovery
Permission Groups Discovery , Domain Groups
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
System Network Connections Discovery
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Permission Groups Discovery , Domain Groups
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Trust Discovery
Domain Trust Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Domain Account , Account Discovery
Account Discovery , Local Account
Account Discovery , Local Account
Account Discovery , Local Account
Account Discovery , Local Account
Command and Scripting Interpreter , PowerShell
Security Account Manager , OS Credential Dumping
Archive via Utility , Archive Collected Data
System Binary Proxy Execution , CMSTP
Indicator Removal on Host
Component Object Model Hijacking , Event Triggered Execution
Msiexec , System Binary Proxy Execution
System Binary Proxy Execution , Rundll32
Process Injection
Data from Local System
Phishing , Spearphishing Attachment
Archive via Utility , Archive Collected Data
User Execution , Malicious File
Process Injection
System Binary Proxy Execution , Regsvr32
Command and Scripting Interpreter
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
Process Injection
Security Account Manager , OS Credential Dumping
Security Account Manager , OS Credential Dumping
System Binary Proxy Execution , Mshta
System Binary Proxy Execution , Mshta
Bypass User Account Control , Abuse Elevation Control Mechanism
Disable or Modify Tools , Impair Defenses
DLL Side-Loading , Hijack Execution Flow
Print Processors , Boot or Logon Autostart Execution
Print Processors , Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors , Boot or Logon Autostart Execution
Print Processors , Boot or Logon Autostart Execution
Print Processors , Boot or Logon Autostart Execution
Print Processors , Boot or Logon Autostart Execution
Disable or Modify Tools , Impair Defenses
System Services , Service Execution
Disable or Modify Cloud Firewall , Impair Defenses
Disable or Modify Cloud Firewall , Impair Defenses
File Deletion , Indicator Removal on Host
Obfuscated Files or Information , Indicator Removal from Tools
Command and Scripting Interpreter , Visual Basic
Indicator Removal on Host , Clear Windows Event Logs
Windows Management Instrumentation Event Subscription , Event Triggered Execution
Indicator Removal on Host, Clear Windows Event Logs
Indicator Removal on Host, Clear Windows Event Logs
Gather Victim Host Information
Gather Victim Host Information
Gather Victim Host Information
Inhibit System Recovery
Deobfuscate/Decode Files or Information
Command and Scripting Interpreter , PowerShell
Command and Scripting Interpreter , PowerShell
Command and Scripting Interpreter , PowerShell
Command and Scripting Interpreter , PowerShell
Obfuscated Files or Information , Indicator Removal from Tools
File and Directory Permissions Modification
Indicator Removal on Host , Clear Windows Event Logs
File Deletion , Indicator Removal on Host
Impair Defenses , PowerShell , Command and Scripting Interpreter
OS Credential Dumping
Command and Scripting Interpreter , PowerShell
Command and Scripting Interpreter , Obfuscated Files or Information , PowerShell
Command and Scripting Interpreter , Process Injection , PowerShell
Command and Scripting Interpreter
Inhibit System Recovery
System Binary Proxy Execution , CMSTP
User Execution
Defacement
User Execution
Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery
Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery
Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery
Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery
Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery
NTDS , OS Credential Dumping
Exploit Public-Facing Application
Command and Scripting Interpreter , Windows Command Shell , Windows Service , Create or Modify System Process
Email Collection , Local Email Collection
Remote Desktop Protocol , Remote Services
Abuse Elevation Control Mechanism
Bypass User Account Control , Abuse Elevation Control Mechanism
Bypass User Account Control , Abuse Elevation Control Mechanism
System Binary Proxy Execution , CMSTP
Inhibit System Recovery
Scheduled Task/Job
File and Directory Permissions Modification
Masquerading
Account Access Removal
Account Discovery
Ingress Tool Transfer
Create or Modify System Process
Disable or Modify Tools , Impair Defenses
File and Directory Permissions Modification
File and Directory Permissions Modification
Disable or Modify Tools , Impair Defenses
Service Stop
Service Stop
Account Access Removal
Account Access Removal
Windows Service , Create or Modify System Process
Windows Service , Create or Modify System Process
File and Directory Permissions Modification
Process Injection
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
Archive via Utility , Archive Collected Data
Exfiltration Over Alternative Protocol
Command and Scripting Interpreter
Obfuscated Files or Information
Gather Victim Network Information , IP Addresses
Scheduled Task/Job
Scheduled Task/Job
Process Injection
Process Injection
Password Spraying , Brute Force
Exfiltration Over Alternative Protocol
Password Spraying , Brute Force
Password Spraying , Brute Force
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
Password Spraying , Brute Force
Password Spraying , Brute Force
Password Spraying , Brute Force
Phishing , Spearphishing Attachment
Password Spraying , Brute Force
Password Spraying , Brute Force
Password Spraying , Brute Force
Password Spraying , Brute Force
Phishing , Spearphishing Attachment
Phishing , Spearphishing Attachment
Scheduled Task , Scheduled Task/Job
Security Account Manager , OS Credential Dumping
Security Account Manager , OS Credential Dumping
Scheduled Task , Scheduled Task/Job
Password Spraying , Brute Force
System Services , Service Execution
Domain Trust Discovery
Disable or Modify Tools , Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
Create or Modify System Process
User Execution
Data Destruction
Data Encrypted for Impact
Inhibit System Recovery
Data Encrypted for Impact
Server Software Component , Web Shell
Command and Scripting Interpreter , PowerShell
Disable or Modify Tools , Impair Defenses
Exploit Public-Facing Application
Scheduled Task , Scheduled Task/Job
Command and Scripting Interpreter , Windows Command Shell
Modify Registry , Bypass User Account Control , Abuse Elevation Control Mechanism
Command and Scripting Interpreter , PowerShell
Command and Scripting Interpreter , PowerShell
Data Staged
Launch Agent , Create or Modify System Process
Launch Agent , Create or Modify System Process
Ingress Tool Transfer
Process Injection
System Binary Proxy Execution , Regsvcs/Regasm
System Binary Proxy Execution , Regsvcs/Regasm
System Binary Proxy Execution , Compiled HTML File
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
System Binary Proxy Execution , Rundll32
Exploitation for Privilege Escalation
System Binary Proxy Execution , Regsvr32
NTDS , OS Credential Dumping
System Binary Proxy Execution , Regsvr32
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Modify Registry
Domain Trust Discovery
Inhibit System Recovery
System Binary Proxy Execution , Mshta
System Binary Proxy Execution , Mshta
Command and Scripting Interpreter , PowerShell
System Binary Proxy Execution , Mshta
Trusted Developer Utilities Proxy Execution , MSBuild
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Trusted Developer Utilities Proxy Execution
Inhibit System Recovery
Exploitation for Client Execution
Windows Management Instrumentation Event Subscription , Event Triggered Execution
Masquerading , Rename System Utilities
User Execution , Malicious File
Application Shimming , Event Triggered Execution
Scheduled Task , Scheduled Task/Job
Services Registry Permissions Weakness , Hijack Execution Flow
Application Shimming , Event Triggered Execution
Masquerading , Rename System Utilities
Bypass User Account Control , Abuse Elevation Control Mechanism
Command and Scripting Interpreter , Windows Command Shell
System Network Configuration Discovery
Valid Accounts , Domain Accounts
Inhibit System Recovery
Data Destruction
Data Destruction
Service Stop
Data Encrypted for Impact
Kerberoasting, Steal or Forge Kerberos Tickets
Use Alternate Authentication Material , Pass the Hash
Exploitation of Remote Services
Indicator Removal on Host , Network Share Connection Removal
Command and Scripting Interpreter, Scheduled Task/Job
Masquerading
Disable or Modify Tools , Impair Defenses
Masquerading
Modify Registry
Windows Service , Create or Modify System Process
Remote Desktop Protocol , Remote Services
Event Triggered Execution , Accessibility Features
Command and Scripting Interpreter , PowerShell
File and Directory Permissions Modification , Windows File and Directory Permissions Modification
System Services , Service Execution
Software Deployment Tools
Command and Scripting Interpreter , Windows Command Shell
Phishing , Spearphishing Attachment
Valid Accounts , Local Accounts
Disable or Modify Tools , Impair Defenses
Local Account , Create Account
Indicator Removal on Host , Clear Windows Event Logs
Local Account , Create Account
Path Interception by Unquoted Path , Hijack Execution Flow
Exploitation for Privilege Escalation
Windows Management Instrumentation
Windows Management Instrumentation
Exploitation for Privilege Escalation
LSASS Memory , OS Credential Dumping
LSASS Memory , OS Credential Dumping
Bypass User Account Control , Abuse Elevation Control Mechanism
Bypass User Account Control , Abuse Elevation Control Mechanism
Bypass User Account Control , Abuse Elevation Control Mechanism
Application Shimming , Event Triggered Execution
Port Monitors , Boot or Logon Autostart Execution
Credentials in Registry , Unsecured Credentials
NTDS , OS Credential Dumping
LSASS Memory , OS Credential Dumping
LSASS Memory , OS Credential Dumping
LSASS Memory , OS Credential Dumping
LSASS Memory , OS Credential Dumping
Data Encrypted for Impact
Indicator Removal on Host
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Malicious Image , User Execution
Cloud Accounts , Valid Accounts
Compromise Software Supply Chain , Supply Chain Compromise
Cloud Account , Create Account
Cloud Account , Create Account
User Execution
Brute Force
Modify Authentication Process
Disable or Modify Cloud Firewall , Impair Defenses
Cloud Account , Create Account
Cloud Infrastructure Discovery
Phishing
Phishing
Malicious Image , User Execution
Malicious Image , User Execution
Compromise Client Software Binary
Compromise Software Dependencies and Development Tools , Supply Chain Compromise
Compromise Software Dependencies and Development Tools , Supply Chain Compromise
Trusted Relationship
Compromise Client Software Binary
Cloud Service Discovery
Exploitation for Credential Access
Spearphishing Attachment , Phishing
Spearphishing Attachment , Phishing
Exploitation for Credential Access
Trusted Relationship
Spearphishing Attachment , Phishing
Malicious Image , User Execution
Malicious Image , User Execution
Exfiltration Over Unencrypted Non-C2 Protocol , Exfiltration Over Alternative Protocol
Malicious Image , User Execution
Malicious Image , User Execution
Malicious Image , User Execution
Spearphishing Attachment , Phishing
Exfiltration to Cloud Storage , Exfiltration Over Web Service
Transfer Data to Cloud Account
Data from Cloud Storage Object
Data from Cloud Storage Object
Cloud Account , Create Account
Cloud Account , Create Account
Cloud Account , Create Account
Cloud Accounts , Valid Accounts
Cloud Service Discovery
Account Manipulation
Account Manipulation
Cloud Infrastructure Discovery , Brute Force
Cloud Groups , Account Manipulation , Permission Groups Discovery
Cloud Accounts , Valid Accounts
Cloud Accounts , Valid Accounts
Cloud Account , Create Account
Modify Authentication Process
Cloud Account , Create Account
Valid Accounts
Valid Accounts
Disable or Modify Cloud Firewall , Impair Defenses
Disable or Modify Cloud Firewall , Impair Defenses
Data Encrypted for Impact
Data Encrypted for Impact
Email Forwarding Rule , Email Collection
Email Forwarding Rule , Email Collection
Email Collection
Password Guessing , Brute Force
Remote Email Collection , Email Collection
Valid Accounts
Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Cloud Accounts , Valid Accounts
Cloud Accounts , Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Cloud Accounts , Valid Accounts
Cloud Accounts , Valid Accounts
Valid Accounts
Data from Cloud Storage Object
Data from Cloud Storage Object
Cloud Accounts , Valid Accounts
Use Alternate Authentication Material
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Implant Internal Image
Data from Cloud Storage Object
Data from Cloud Storage Object
System Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Exfiltration Over Unencrypted Non-C2 Protocol
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
LSASS Memory
PowerShell
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Valid Accounts
Valid Accounts
Valid Accounts
Malicious File
Masquerading
Phishing
Change Default File Association
Scheduled Task
PowerShell , Windows Command Shell
Cloud Accounts
Cloud Accounts
Web Protocols
Cloud Accounts
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Spearphishing via Service
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Service Discovery
Cloud Service Discovery
Implant Internal Image
LSASS Memory
Hidden Files and Directories
LSASS Memory
Valid Accounts
Create Account
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Network Sniffing
Exploit Public-Facing Application
Command and Scripting Interpreter
Data from Information Repositories , Data from Network Shared Drive
Exploit Public-Facing Application , Command and Scripting Interpreter
Exfiltration Over Unencrypted Non-C2 Protocol , Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol , Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol , Exfiltration Over Alternative Protocol
Drive-by Compromise
Hardware Additions , Automated Exfiltration , Network Denial of Service , Traffic Duplication
TFTP Boot , Pre-OS Boot
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle , ARP Cache Poisoning
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle , ARP Cache Poisoning
Exfiltration Over C2 Channel
Exploit Public-Facing Application
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle , ARP Cache Poisoning
Exploitation for Client Execution
Exploitation for Client Execution
Application Layer Protocol , Web Protocols
SMB/Windows Admin Shares , Remote Services
SMB/Windows Admin Shares , Remote Services
Remote Desktop Protocol , Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol , Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Remote Email Collection , Email Collection
DNS , Application Layer Protocol
File Transfer Protocols , Application Layer Protocol
Remote Desktop Protocol , Remote Services
DNS , Application Layer Protocol
Non-Application Layer Protocol
Network Denial of Service , Reflection Amplification
Command and Scripting Interpreter
Command and Scripting Interpreter
Digital Certificates
Process Injection
Digital Certificates
Digital Certificates
Protocol Impersonation
Digital Certificates
Command and Scripting Interpreter
Valid Accounts
File and Directory Discovery
Drive-by Compromise
Network Denial of Service
Spearphishing Attachment , Phishing
Valid Accounts , Default Accounts
Valid Accounts , Default Accounts
Valid Accounts , Default Accounts
Valid Accounts , Default Accounts
Email Collection , Remote Email Collection
Email Collection , Local Email Collection
System Information Discovery
Server Software Component , Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell , Server Software Component , Exploit Public-Facing Application
Web Shell , Server Software Component , Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell
Exploit Public-Facing Application
Exploit Public-Facing Application
System Information Discovery