Windows Debugger Tool Execution
Masquerading
Masquerading
Modify Registry
Domain Trust Discovery
Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
User Execution
Disable or Modify Tools, Impair Defenses
Modify Registry
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Modify Registry
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Private Keys, Unsecured Credentials
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Access Token Manipulation, Token Impersonation/Theft
Services Registry Permissions Weakness
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
Port Monitors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Regsvr32
Pre-OS Boot, Registry Run Keys / Startup Folder
Systemd Timers, Scheduled Task/Job
Data Encrypted for Impact
Mavinject, System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Phishing, Spearphishing Attachment
Setuid and Setgid, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Unsecured Credentials, Group Policy Preferences
System Binary Proxy Execution, Compiled HTML File
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Data Staged
Permission Groups Discovery, Domain Groups
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Ingress Tool Transfer
Protocol Tunneling, Proxy, Web Service
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Managers
Msiexec
System Shutdown/Reboot
Disable or Modify Tools, Impair Defenses
Service Stop
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter
Process Injection
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Deobfuscate/Decode Files or Information
Modify Registry
Data Destruction
OS Credential Dumping
User Execution, Malicious File
Command and Scripting Interpreter
Domain Account, Account Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Credentials from Web Browsers, Credentials from Password Stores
Steal or Forge Authentication Certificates, Archive Collected Data
XSL Script Processing
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Rundll32
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Modify Registry
Phishing, Spearphishing Attachment
Cron, Scheduled Task/Job
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
PowerShell, Command and Scripting Interpreter
Process Injection
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Exploit Public-Facing Application, External Remote Services
Query Registry
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
LSASS Memory
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Data Destruction
Bypass User Account Control, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
Cron, Scheduled Task/Job
Bypass User Account Control, Abuse Elevation Control Mechanism
Hidden Window
Inhibit System Recovery
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Automated Exfiltration
Phishing, Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Ingress Tool Transfer
Modify Registry
Hardware Additions
Service Stop
Masquerading, Rename System Utilities
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
Password Policy Discovery
LSASS Memory, OS Credential Dumping
Remote System Discovery
Server Software Component, IIS Components
At, Scheduled Task/Job
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Process Injection
Print Processors, Boot or Logon Autostart Execution
Archive via Utility, Archive Collected Data
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Phishing, Spearphishing Attachment
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Service Stop
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Windows Management Instrumentation Event Subscription
Modify Registry
Disable or Modify Tools, Impair Defenses
Remote System Discovery
System Binary Proxy Execution, Regsvcs/Regasm
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Protocol Tunneling, SSH
SSH Authorized Keys, Account Manipulation
System Binary Proxy Execution, Compiled HTML File
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
System Network Configuration Discovery
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, At
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Virtualization/Sandbox Evasion, Time Based Evasion
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Access Software
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
System Binary Proxy Execution, Rundll32
Remote Desktop Protocol, Remote Services
Account Access Removal
System Owner/User Discovery
Fileless Storage, Obfuscated Files or Information
System Binary Proxy Execution, Rundll32
System Owner/User Discovery
Ingress Tool Transfer
Security Account Manager, OS Credential Dumping
Account Discovery, Local Account
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Local Account, Create Account
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Remote Services, SMB/Windows Admin Shares
Disable or Modify Tools, Impair Defenses
Modify Registry
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Inhibit System Recovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
System Binary Proxy Execution, Mshta
System Shutdown/Reboot
Obfuscated Files or Information, Unix Shell
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Archive via Utility, Archive Collected Data
Data Destruction
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Regsvr32
Gather Victim Host Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Modify Registry
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Create or Modify System Process, Windows Service
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Command and Scripting Interpreter, Component Object Model
Masquerading
System Binary Proxy Execution, Mshta
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
User Execution
Verclsid, System Binary Proxy Execution
Screen Capture
Permission Groups Discovery, Local Groups
Domain Trust Discovery
User Execution
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Modify Registry
Account Access Removal
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
Domain Account, Account Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
Exploitation for Privilege Escalation
System Shutdown/Reboot
Remote Services, Distributed Component Object Model
Process Injection
Query Registry
Bypass User Account Control
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
Process Injection
Exploit Public-Facing Application
Permission Groups Discovery, Domain Groups
System Binary Proxy Execution, Rundll32
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Service Stop
Process Discovery
Kernel Modules and Extensions
Security Account Manager, OS Credential Dumping
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Indicator Removal
Ingress Tool Transfer
Archive via Utility, Archive Collected Data
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Server Software Component, Web Shell
Disable or Modify Tools, Impair Defenses
System Owner/User Discovery
Odbcconf
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
System Network Connections Discovery
System Network Configuration Discovery, Internet Connection Discovery
Path Interception by Unquoted Path, Hijack Execution Flow
Use Alternate Authentication Material
Obfuscated Files or Information
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Proxy, Non-Application Layer Protocol
Password Policy Discovery
Cron, Scheduled Task/Job
Impair Defenses, Disable or Modify System Firewall
Modify Registry
System Network Configuration Discovery
Phishing, Spearphishing Attachment
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Application Shimming, Event Triggered Execution
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
User Execution, Malicious File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Clear Windows Event Logs, Indicator Removal
Exfiltration Over Alternative Protocol
Masquerading
Modify Registry
System Owner/User Discovery
Password Policy Discovery
Command and Scripting Interpreter, PowerShell
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Ingress Tool Transfer
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
Masquerading
System Script Proxy Execution, System Binary Proxy Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Process Injection
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Domain Groups
NTDS, OS Credential Dumping
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell
Systemd Timers, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Modify Registry
System Network Configuration Discovery
Ingress Tool Transfer
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
Domain Trust Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Clipboard Data
Phishing, Spearphishing Attachment
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Change Default File Association, Event Triggered Execution
BITS Jobs
System Owner/User Discovery
Compiled HTML File, System Binary Proxy Execution
Windows Management Instrumentation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Command and Scripting Interpreter, Windows Command Shell
Security Account Manager, OS Credential Dumping
Process Injection
Process Injection
Rename System Utilities, Masquerading
Modify Registry
Launch Agent, Create or Modify System Process
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
DLL Side-Loading, Hijack Execution Flow
Service Stop
Inhibit System Recovery
Command and Scripting Interpreter, JavaScript
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Compiled HTML File
Malicious File, User Execution
Modify Registry
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
InstallUtil, System Binary Proxy Execution
Domain Account, Account Discovery
Service Stop
Modify Registry
Scheduled Task
Server Software Component, Web Shell
Remote Services, Windows Remote Management
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Modify Registry
Disable or Modify Tools, Impair Defenses
Lateral Tool Transfer
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
SSH Authorized Keys, Account Manipulation
File and Directory Permissions Modification
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Email Collection, Local Email Collection
Remote Access Software
System Owner/User Discovery
Inhibit System Recovery
System Information Discovery, Rootkit
Automated Exfiltration
Phishing, Spearphishing Link
Disable or Modify Tools, Impair Defenses
Security Account Manager, OS Credential Dumping
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Steal or Forge Authentication Certificates
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Obfuscated Files or Information
Odbcconf
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Odbcconf
File and Directory Permissions Modification
Cron, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Remote Services, Windows Remote Management
Disable or Modify Tools, Impair Defenses
System Information Discovery
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
File Deletion, Indicator Removal
Replication Through Removable Media
Compromise Software Supply Chain
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Password Policy Discovery
Visual Basic, Command and Scripting Interpreter
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Scheduled Task, Scheduled Task/Job
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Indicator Removal
Remote System Discovery
Inhibit System Recovery
Kerberoasting
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Remote System Discovery
Command and Scripting Interpreter, PowerShell
Modify Registry
Modify Registry
Remote Desktop Protocol, Remote Services
Exploit Public-Facing Application, External Remote Services
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Remote Access Software
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
Modify Registry
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Screen Capture
Remote Services, Distributed Component Object Model, MMC
SSH Authorized Keys
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Permission Groups Discovery, Domain Groups
Remote System Discovery
Windows Command Shell
Create or Modify System Process
User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Install Root Certificate, Subvert Trust Controls
Data Destruction
Scheduled Task, Scheduled Task/Job
Ingress Tool Transfer
Remote Services, Windows Remote Management
Modify Registry
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry, OS Credential Dumping
Command and Scripting Interpreter, JavaScript
File and Directory Permissions Modification
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
System Information Discovery
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Regsvr32
Exploit Public-Facing Application, External Remote Services
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Windows Management Instrumentation
System Owner/User Discovery
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Disable or Modify System Firewall, Impair Defenses
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Ingress Tool Transfer
Cached Domain Credentials, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
System Owner/User Discovery
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Boot or Logon Initialization Scripts, Logon Script (Windows)
Create or Modify System Process, Windows Service
Indirect Command Execution
Credentials in Registry, Unsecured Credentials
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Modify Registry
System Binary Proxy Execution, Mshta
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
Msiexec
Disable or Modify Tools, Impair Defenses
Obfuscated Files or Information
Steal or Forge Authentication Certificates
Service Stop
Disable or Modify Tools, Impair Defenses
Trusted Developer Utilities Proxy Execution
DLL Search Order Hijacking, Hijack Execution Flow
Network Share Discovery, Data from Network Shared Drive
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
PowerShell
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Malicious File
Change Default File Association
PowerShell, Windows Command Shell
Scheduled Task
Hidden Files and Directories