Splunk Stored XSS via Specially Crafted Bulletin Message
Drive-by Compromise
Drive-by Compromise
Abuse Elevation Control Mechanism, Indirect Command Execution
Drive-by Compromise
File and Directory Discovery
Endpoint Denial of Service
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Exploit Public-Facing Application
Exploitation of Remote Services
Drive-by Compromise
Abuse Elevation Control Mechanism
Drive-by Compromise
Endpoint Denial of Service
Account Discovery
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Permission Groups Discovery, Domain Groups
Masquerading
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Password Spraying, Brute Force
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
LSASS Memory, OS Credential Dumping
Modify Registry
Domain Trust Discovery
Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows Management Instrumentation
Account Manipulation, Additional Cloud Roles
User Execution
DLL Side-Loading
Query Registry
Command and Scripting Interpreter, PowerShell
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Disable or Modify Tools, Impair Defenses
Modify Registry
Server Software Component, Exploit Public-Facing Application, External Remote Services
Cloud Account
OS Credential Dumping
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Modify Registry
Account Discovery, Domain Account
Hide Artifacts, NTFS File Attributes
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Discovery
Private Keys, Unsecured Credentials
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
PowerShell, Ingress Tool Transfer
Access Token Manipulation, Token Impersonation/Theft
Exploit Public-Facing Application, External Remote Services
Services Registry Permissions Weakness
Create or Modify System Process, Windows Service
Web Session Cookie, Cloud Service Dashboard
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
User Execution
Steal Application Access Token
Encrypted Channel
Port Monitors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Regsvr32
Cloud Account
Pre-OS Boot, Registry Run Keys / Startup Folder
Proxy, Multi-hop Proxy
Cloud Groups, Account Manipulation, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Systemd Timers, Scheduled Task/Job
Cloud Service Discovery
Exploit Public-Facing Application
Data Encrypted for Impact
Windows Management Instrumentation
Mavinject, System Binary Proxy Execution
DLL Side-Loading, Hijack Execution Flow
Remote Access Software
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Account Manipulation, Additional Cloud Roles
Exploitation for Credential Access
Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Domain Generation Algorithms
Network Denial of Service
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Remote Access Software
Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Query Registry
Steal Web Session Cookie
Phishing, Spearphishing Attachment
Encrypted Channel
Email Collection, Email Forwarding Rule
Setuid and Setgid, Abuse Elevation Control Mechanism
Brute Force, Password Guessing
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Screen Capture
Account Discovery, Local Account
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Account Manipulation, Additional Cloud Roles
Spearphishing Attachment, Phishing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Inhibit System Recovery
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Remote System Discovery
Email Collection
Account Manipulation
Remote Desktop Protocol, Remote Services
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Domain Account, Account Discovery
Disable or Modify Cloud Logs, Impair Defenses
Exploit Public-Facing Application
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Account Discovery, Domain Account
Data Staged
Cloud Account, Create Account
Cloud Account
Exploit Public-Facing Application, External Remote Services
Permission Groups Discovery, Domain Groups
Password Spraying
Valid Accounts, Brute Force
Steal Application Access Token, Phishing, Spearphishing Link
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Disable or Modify Cloud Logs, Impair Defenses
Data Encrypted for Impact
Ingress Tool Transfer
Exploit Public-Facing Application
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Protocol Tunneling, Proxy, Web Service
Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploitation for Client Execution
Drive-by Compromise
Defacement
Mail Protocols, Application Layer Protocol
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Domain or Tenant Policy Modification, Trust Modification
Disk Structure Wipe, Disk Wipe
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Managers
Scheduled Task/Job, Scheduled Task
Msiexec
Password Spraying, Brute Force
System Shutdown/Reboot
Protocol Impersonation
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Password Spraying, Brute Force
Account Manipulation
Service Stop
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Hide Artifacts, NTFS File Attributes
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Container Orchestration Job
Query Registry
User Execution
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
Malicious Image, User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
LSASS Memory, OS Credential Dumping
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
Print Processors, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Command and Scripting Interpreter
Scheduled Task/Job
Automated Collection
Process Injection
Disable or Modify Tools, Impair Defenses
User Execution
Network Denial of Service
PowerShell, Command and Scripting Interpreter
Indicator Removal
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Gather Victim Network Information, IP Addresses
Account Manipulation
Exploit Public-Facing Application, External Remote Services
HTML Smuggling
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Container API
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Account Discovery
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Deobfuscate/Decode Files or Information
Token Impersonation/Theft, Access Token Manipulation
Modify Registry
Endpoint Denial of Service
Data Destruction
OS Credential Dumping
User Execution, Malicious File
Remote Access Software
Command and Scripting Interpreter
Domain Account, Account Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Boot or Logon Autostart Execution
Credentials from Web Browsers, Credentials from Password Stores
Domain Trust Discovery
SMB/Windows Admin Shares, Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Kerberos Tickets, Golden Ticket
XSL Script Processing
Disable or Modify Tools, Impair Defenses
Archive Collected Data
System Binary Proxy Execution, Rundll32
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Steal Application Access Token
Modify Registry
Phishing, Spearphishing Attachment
Use Alternate Authentication Material, Pass the Ticket
Exfiltration Over C2 Channel
Browser Session Hijacking
Cron, Scheduled Task/Job
User Execution
User Execution
Digital Certificates
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
User Execution
Password Policy Discovery
Use Alternate Authentication Material
Cloud Account, Create Account
Query Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Exploitation for Privilege Escalation
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
Multi-Factor Authentication Request Generation
PowerShell, Command and Scripting Interpreter
Process Injection
Account Discovery, Local Account
Process Injection, Dynamic-link Library Injection
Command and Scripting Interpreter
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
File and Directory Discovery
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impair Defenses, Disable or Modify Cloud Logs
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Query Registry
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Brute Force, Password Guessing, Password Spraying
Command and Scripting Interpreter
Command and Scripting Interpreter
LSASS Memory
Disable or Modify Cloud Logs, Impair Defenses
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Data Destruction
Exploit Public-Facing Application
User Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
System Binary Proxy Execution, Mshta
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cron, Scheduled Task/Job
Forced Authentication
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Hidden Window
Inhibit System Recovery
OS Credential Dumping, PowerShell
Domain Account, Account Discovery
Password Spraying, Brute Force
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
Windows Management Instrumentation
SID-History Injection, Access Token Manipulation
Modify Registry
Modify Registry
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Valid Accounts
Domain or Tenant Policy Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Transfer Data to Cloud Account
Compromise Accounts, Unused/Unsupported Cloud Regions
Automated Exfiltration
Web Shell, External Remote Services
Steal Application Access Token
Exploit Public-Facing Application, External Remote Services
Account Manipulation
Impair Defenses
Phishing, Modify Registry
Password Spraying, Brute Force
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Data Encrypted for Impact
User Execution
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Brute Force, Password Guessing, Password Spraying
Password Policy Discovery
User Execution
Gather Victim Identity Information, Email Addresses
Valid Accounts, Domain Accounts
System Binary Proxy Execution
Malicious Image, User Execution
User Execution
Ingress Tool Transfer
Account Manipulation, Additional Email Delegate Permissions
Modify Registry
Hardware Additions
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
User Execution, Malicious File
Container API
Exfiltration Over Web Service
Service Stop
Valid Accounts
Masquerading, Rename System Utilities
Log Enumeration
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Account Manipulation, Additional Cloud Roles
Archive via Utility, Archive Collected Data
Password Spraying, Brute Force
System Binary Proxy Execution, Compiled HTML File
Password Policy Discovery
System Services, Service Execution
LSASS Memory, OS Credential Dumping
Remote System Discovery
Credentials from Password Stores, Credentials from Web Browsers
Password Guessing, Brute Force
Remote Services, Windows Remote Management
Server Software Component, IIS Components
At, Scheduled Task/Job
Application or System Exploitation
Exploit Public-Facing Application
Compromise Host Software Binary
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Process Injection
Print Processors, Boot or Logon Autostart Execution
File Transfer Protocols, Application Layer Protocol
Archive via Utility, Archive Collected Data
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Impair Defenses, Disable or Modify Cloud Logs
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Trusted Relationship
Service Stop
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Domain or Tenant Policy Modification, Group Policy Modification
Non-Application Layer Protocol
Windows Management Instrumentation Event Subscription
Modify Registry
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Permission Groups Discovery, Local Groups
Exploit Public-Facing Application
Drive-by Compromise
Exfiltration Over Web Service
Exploit Public-Facing Application
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
System Binary Proxy Execution, Regsvcs/Regasm
Account Manipulation, Device Registration
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Browser Session Hijacking
Disable or Modify Tools, Impair Defenses
Exploitation of Remote Services
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Impair Defenses, PowerShell, Command and Scripting Interpreter
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Protocol Tunneling, SSH
Process Injection, Portable Executable Injection
User Execution
Create Account, Cloud Account
SSH Authorized Keys, Account Manipulation
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Compiled HTML File
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
Protocol Tunneling, Proxy, Web Service
System Network Configuration Discovery
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Scheduled Task/Job, At
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Data Destruction
Virtualization/Sandbox Evasion, Time Based Evasion
Application Layer Protocol
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Email Collection, Remote Email Collection
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Malicious Image, User Execution
Steal Application Access Token
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Manipulation
Email Collection, Email Forwarding Rule
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation
System Binary Proxy Execution, Regsvcs/Regasm
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Access Software
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Drive-by Compromise
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Rundll32
Remote Desktop Protocol, Remote Services
Exploitation for Client Execution
Account Access Removal
Valid Accounts
System Owner/User Discovery
Email Collection, Email Forwarding Rule
Obfuscated Files or Information
Browser Session Hijacking
Fileless Storage, Obfuscated Files or Information
Print Processors, Boot or Logon Autostart Execution
Remote Desktop Protocol, Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Process Injection
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
System Owner/User Discovery
Ingress Tool Transfer
Security Account Manager, OS Credential Dumping
Exploit Public-Facing Application
Impair Defenses
Account Discovery, Local Account
Digital Certificates
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Permission Groups Discovery, Local Groups
Network Sniffing
Inhibit System Recovery
Ingress Tool Transfer
Local Account, Create Account
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Remote Services, SMB/Windows Admin Shares
Disable or Modify Tools, Impair Defenses
Spearphishing Attachment, Phishing
Drive-by Compromise
Valid Accounts
Mail Protocols, Application Layer Protocol
Modify Registry
Automated Collection
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Token Impersonation/Theft, Access Token Manipulation
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Account Discovery, Domain Account
Trusted Relationship
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Plist File Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
LSASS Memory, OS Credential Dumping
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
Valid Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Rootkit, Exploitation for Privilege Escalation
System Binary Proxy Execution, Mshta
File and Directory Discovery
Account Manipulation
Exploit Public-Facing Application, External Remote Services
DNS, Application Layer Protocol
Exploit Public-Facing Application
System Shutdown/Reboot
Application Layer Protocol
Obfuscated Files or Information, Unix Shell
System Binary Proxy Execution, Rundll32
Exploit Public-Facing Application
Account Manipulation
SID-History Injection, Access Token Manipulation
Security Account Manager, OS Credential Dumping
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Registry
Mail Protocols, Application Layer Protocol
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Server Software Component, IIS Components
Command and Scripting Interpreter, PowerShell
Unsecured Credentials
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
Steal Application Access Token
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Launch Agent, Create or Modify System Process
Archive via Utility, Archive Collected Data
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Data Destruction
Windows Service, Create or Modify System Process
Remote Desktop Protocol, Remote Services
Container API
System Network Connections Discovery
System Binary Proxy Execution, Regsvr32
Web Service
Gather Victim Host Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Windows Management Instrumentation
Modify Registry
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Create or Modify System Process, Windows Service
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
SMB/Windows Admin Shares, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Digital Certificates
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Command and Scripting Interpreter, Component Object Model
Dynamic-link Library Injection, Process Injection
Masquerading
Cloud Account
System Binary Proxy Execution, Mshta
User Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Command and Scripting Interpreter
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exfiltration Over C2 Channel
System Services, Service Execution
System Owner/User Discovery
Compromise Software Supply Chain
Remote Access Software, OS Credential Dumping
Account Discovery, Domain Account
User Execution
Verclsid, System Binary Proxy Execution
Exploit Public-Facing Application, Command and Scripting Interpreter
Screen Capture
Cloud Accounts
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Manipulation, Valid Accounts
User Execution
System Services, Service Execution
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Drive-by Compromise
Shared Modules
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Gather Victim Host Information
Modify Registry
Password Spraying, Brute Force
Valid Accounts
Account Access Removal
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Rogue Domain Controller
Valid Accounts, Cloud Accounts
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
Process Injection
Domain Account, Account Discovery
Create or Modify System Process
Exfiltration Over C2 Channel
Phishing
Password Spraying, Brute Force
Exploit Public-Facing Application
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
Exploitation for Privilege Escalation
System Shutdown/Reboot
Remote Services, Distributed Component Object Model
Process Injection
Query Registry
RDP Hijacking
Bypass User Account Control
TFTP Boot, Pre-OS Boot
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Windows Remote Management, Remote Services
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
System Information Discovery
Process Injection
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Security Account Manager
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Valid Accounts, Local Accounts
Permission Groups Discovery, Domain Groups
Valid Accounts
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Drive-by Compromise
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Multi-Factor Authentication Request Generation
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
System Binary Proxy Execution, Rundll32
Exploitation of Remote Services
Service Stop
Domain or Tenant Policy Modification, Group Policy Modification
Process Discovery
Kernel Modules and Extensions
Security Account Manager, OS Credential Dumping
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
DCSync, OS Credential Dumping
System Shutdown/Reboot
Indicator Removal
Exploit Public-Facing Application
Compromise Host Software Binary
Cloud Service Discovery
Ingress Tool Transfer
Archive via Utility, Archive Collected Data
Cloud Infrastructure Discovery
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Server Software Component, Web Shell
Exploit Public-Facing Application
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
DNS, Application Layer Protocol
Data from Local System
Service Stop
System Owner/User Discovery
Odbcconf
Exploitation for Privilege Escalation
Exploitation for Credential Access
Account Manipulation, Valid Accounts
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Data from Cloud Storage
System Binary Proxy Execution, Regsvcs/Regasm
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
System Network Connections Discovery
Exploit Public-Facing Application
Scheduled Task, PowerShell, Command and Scripting Interpreter
System Network Configuration Discovery, Internet Connection Discovery
Network Share Discovery
Network Share Discovery
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Command and Scripting Interpreter, PowerShell
User Execution
Path Interception by Unquoted Path, Hijack Execution Flow
System Services, Service Execution
Use Alternate Authentication Material
OS Credential Dumping, DCSync, Rogue Domain Controller
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Valid Accounts, Domain Accounts
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Proxy, Non-Application Layer Protocol
Password Policy Discovery
Cron, Scheduled Task/Job
Cloud Account, Create Account
Impair Defenses, Disable or Modify System Firewall
Modify Registry
System Network Configuration Discovery
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Application Shimming, Event Triggered Execution
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
User Execution, Malicious File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Local Account, Create Account
Data from Cloud Storage
Valid Accounts
Data from Cloud Storage
Clear Windows Event Logs, Indicator Removal
Exfiltration Over Alternative Protocol
Masquerading
Command and Scripting Interpreter
Password Spraying, Brute Force
System Information Discovery, External Remote Services
Exploitation for Credential Access
Modify Registry
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
Password Policy Discovery
Compromise Software Supply Chain
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Discovery, Domain Account
Exploit Public-Facing Application
Brute Force
Multi-Factor Authentication Request Generation
Modify Cloud Compute Configurations
Password Spraying, Brute Force
Command and Scripting Interpreter, PowerShell
InstallUtil, System Binary Proxy Execution
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Rogue Domain Controller
Ingress Tool Transfer
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal Application Access Token
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
Account Manipulation
Application Layer Protocol
Masquerading
Disable or Modify Tools, Impair Defenses
Network Share Discovery
Windows Service
Command and Scripting Interpreter, Process Injection, PowerShell
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Remote Email Collection
Steal or Forge Kerberos Tickets
Brute Force
System Script Proxy Execution, System Binary Proxy Execution
Additional Cloud Roles
Data Encrypted for Impact
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Data Destruction, File Deletion, Indicator Removal
Email Collection, Remote Email Collection
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Process Injection
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
Data Destruction
Digital Certificates
Cloud Accounts, Valid Accounts
Ingress Tool Transfer, Domain Groups
Modify Authentication Process, Multi-Factor Authentication
Print Processors, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
Email Collection, Remote Email Collection
Scheduled Task, Scheduled Task/Job
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell
Cloud Service Discovery
Exploitation of Remote Services
Archive via Utility, Archive Collected Data
Systemd Timers, Scheduled Task/Job
PowerShell
Gather Victim Host Information, PowerShell
Data from Cloud Storage
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Password Spraying, Brute Force
Modify Registry
System Network Configuration Discovery
Ingress Tool Transfer
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
Domain Trust Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
Drive-by Compromise
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Modify Authentication Process
Ingress Tool Transfer
Cloud Accounts, Valid Accounts
Scheduled Task, Scheduled Task/Job
Impair Defenses, Disable or Modify Cloud Logs
Clipboard Data
Scheduled Task
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Valid Accounts
Unix Shell, Command and Scripting Interpreter
Password Spraying, Brute Force
Exploit Public-Facing Application
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Impair Defenses, Disable or Modify Cloud Logs
PowerShell, Command and Scripting Interpreter
Change Default File Association, Event Triggered Execution
PowerShell, Command and Scripting Interpreter
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
File and Directory Discovery
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
System Owner/User Discovery
Compiled HTML File, System Binary Proxy Execution
Cloud Account, Create Account
Windows Management Instrumentation
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
User Execution
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Account Discovery, Domain Account
Compromise Software Supply Chain, Supply Chain Compromise
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares
Cloud Accounts, Valid Accounts
Valid Accounts
Command and Scripting Interpreter, Windows Command Shell
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Service Stop
Exploit Public-Facing Application, External Remote Services
Security Account Manager, OS Credential Dumping
Process Injection
Process Injection
Rename System Utilities, Masquerading
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Modify Registry
Launch Agent, Create or Modify System Process
User Execution
Exploitation of Remote Services
Exploit Public-Facing Application
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Discovery, Domain Account
Exploitation of Remote Services
Steal or Forge Authentication Certificates
Domain or Tenant Policy Modification
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Exploit Public-Facing Application
Service Stop
Remote Email Collection
Exploitation for Privilege Escalation
Inhibit System Recovery
Spearphishing Attachment, Phishing
Exploitation of Remote Services
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Compiled HTML File
Security Account Manager
Email Collection
Scheduled Task, Scheduled Task/Job
Steal or Forge Kerberos Tickets, Kerberoasting
Malicious File, User Execution
Process Injection
DCSync, OS Credential Dumping
Modify Registry
Visual Basic, Command and Scripting Interpreter
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Modify Registry
Password Spraying, Brute Force
Data Destruction
Brute Force, Password Guessing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
InstallUtil, System Binary Proxy Execution
Domain Account, Account Discovery
Service Stop
Process Injection
Modify Registry
Scheduled Task
Access Token Manipulation, SID-History Injection
Server Software Component, Web Shell
Remote Services, Windows Remote Management
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Brute Force, Credential Stuffing
Exploit Public-Facing Application
Windows Management Instrumentation
Account Manipulation, Device Registration
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Account Discovery
Modify Registry
Account Discovery
Email Collection, Remote Email Collection
Valid Accounts, Default Accounts, Modify Authentication Process
Steal or Forge Kerberos Tickets, Kerberoasting
Account Manipulation, Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Automated Collection
Lateral Tool Transfer
System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Malicious Image, User Execution
Disable or Modify Cloud Firewall, Impair Defenses
SSH Authorized Keys, Account Manipulation
Access Token Manipulation
Gather Victim Host Information
Local Account, Create Account
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Account Discovery, Domain Account, User Execution, Malicious File
Exploitation for Privilege Escalation
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Network Denial of Service, Reflection Amplification
Spearphishing Attachment, Phishing
Email Collection, Local Email Collection
Remote Access Software
Disable or Modify Cloud Logs, Impair Defenses
System Owner/User Discovery
DLL Search Order Hijacking, Hijack Execution Flow
Inhibit System Recovery
Remote Email Collection, Email Collection
Scheduled Task/Job
System Information Discovery, Rootkit
Automated Exfiltration
Account Discovery, Local Account, PowerShell
Valid Accounts
Modify Registry
Phishing, Spearphishing Link
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Browser Session Hijacking
System Firmware, Pre-OS Boot
Account Manipulation, Device Registration
Security Account Manager, OS Credential Dumping
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Server Software Component, IIS Components
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Create or Modify System Process, Windows Service
Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Obfuscated Files or Information
Cloud Service Discovery
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Odbcconf
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Command and Scripting Interpreter
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Odbcconf
User Execution
File and Directory Permissions Modification
Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Steal Application Access Token
Account Manipulation, Additional Cloud Roles
System Binary Proxy Execution, Rundll32
Remote Email Collection
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Data from Cloud Storage
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Remote Services, Windows Remote Management
Process Injection, Portable Executable Injection
Local Account, Create Account
Disable or Modify Cloud Firewall, Impair Defenses
Remote Services, Windows Remote Management
Valid Accounts
Disable or Modify Tools, Impair Defenses
System Information Discovery
Security Account Manager
Use Alternate Authentication Material
Steal or Forge Kerberos Tickets
Modify Registry
Disable or Modify Cloud Logs, Impair Defenses
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
Domain Trust Discovery, PowerShell
IP Addresses, Gather Victim Network Information
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
File Deletion, Indicator Removal
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Replication Through Removable Media
Phishing, Spearphishing Attachment
Compromise Software Supply Chain
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Password Policy Discovery
Visual Basic, Command and Scripting Interpreter
Server Software Component, IIS Components
Domain or Tenant Policy Modification, Trust Modification
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Password Spraying, Brute Force
Account Manipulation, Additional Email Delegate Permissions
Scheduled Task, Scheduled Task/Job
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Endpoint Denial of Service
Spearphishing Attachment, Phishing
Windows Management Instrumentation
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Remote System Discovery
User Execution
Indicator Removal
Valid Accounts, Default Accounts
Remote System Discovery
Inhibit System Recovery
Obfuscated Files or Information, Indicator Removal from Tools
Kerberoasting
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Phishing
Steal or Forge Kerberos Tickets, Kerberoasting
Remote System Discovery
System Binary Proxy Execution, CMSTP
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Command and Scripting Interpreter, PowerShell
Drive-by Compromise
Domain Account, Account Discovery
Modify Registry
Phishing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Modify Registry
Domain Generation Algorithms
Remote Desktop Protocol, Remote Services
Transfer Data to Cloud Account
Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
SIP and Trust Provider Hijacking
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Remote System Discovery
Cloud Account
Disable or Modify Tools, Impair Defenses
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Visual Basic, Command and Scripting Interpreter
Remote Access Software
Cloud Account
Account Discovery, Local Account, PowerShell
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
System Binary Proxy Execution, CMSTP
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
User Execution
Exploitation for Privilege Escalation
Modify Registry
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Event Triggered Execution
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Disable or Modify Tools
Remote Services, Distributed Component Object Model
Screen Capture
Remote Services, Distributed Component Object Model, MMC
Remote System Discovery
SSH Authorized Keys
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Account Manipulation, Additional Cloud Roles
Exploit Public-Facing Application
Command and Scripting Interpreter, Visual Basic
User Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Data Destruction
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Phishing, Spearphishing Attachment
Steal or Forge Kerberos Tickets, AS-REP Roasting
Additional Email Delegate Permissions, Additional Cloud Roles
Indicator Removal, Clear Windows Event Logs
Clipboard Data
Permission Groups Discovery, Domain Groups
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Remote System Discovery
Windows Command Shell
Create or Modify System Process
Valid Accounts
User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
Install Root Certificate, Subvert Trust Controls
Valid Accounts
Cloud Account
Account Manipulation, Valid Accounts
Data Destruction
Steal or Forge Kerberos Tickets, AS-REP Roasting
Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Scheduled Task, Scheduled Task/Job
User Execution
Windows Management Instrumentation
Ingress Tool Transfer
Malicious Image, User Execution
Network Service Discovery
Remote Services, Windows Remote Management
Modify Registry
Cloud Account, Create Account
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Data Encrypted for Impact
PowerShell, Ingress Tool Transfer, Fileless Storage
Steal or Forge Kerberos Tickets
Modify Registry, OS Credential Dumping
Permission Groups Discovery, Domain Groups
Cloud Accounts, Valid Accounts
Unsecured Credentials, Group Policy Preferences
Command and Scripting Interpreter, JavaScript
Domain Account, Account Discovery
File and Directory Permissions Modification
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
Transfer Data to Cloud Account
System Information Discovery
Phishing, Spearphishing Attachment
Account Manipulation, Additional Cloud Credentials
Command and Scripting Interpreter, PowerShell
Exfiltration Over Alternative Protocol
User Execution
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Regsvr32
Modify Authentication Process
Valid Accounts, Default Accounts
Cloud Account
Exploit Public-Facing Application, External Remote Services
Account Manipulation
DLL Side-Loading, Hijack Execution Flow
Command and Scripting Interpreter, PowerShell
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Exploit Public-Facing Application
Valid Accounts
Windows Management Instrumentation
System Owner/User Discovery
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Brute Force
Password Policy Discovery
Steal or Forge Authentication Certificates
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Ingress Tool Transfer
Mark-of-the-Web Bypass
Spearphishing Attachment, Phishing
Disable or Modify Tools, Impair Defenses
Disk Structure Wipe, Disk Wipe
Command and Scripting Interpreter
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
Exploitation for Client Execution
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Local Accounts, Credentials In Files
Rogue Domain Controller
Security Account Manager
Disable or Modify Tools, Impair Defenses
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer
Cached Domain Credentials, OS Credential Dumping
Container API
GUI Input Capture, Input Capture
Disable or Modify Tools, Impair Defenses
Network Share Discovery, Valid Accounts
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Create Account, Cloud Account
Disable or Modify Tools, Impair Defenses, Modify Registry
Kerberoasting
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Phishing, Spearphishing Attachment
Additional Email Delegate Permissions, Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Unused/Unsupported Cloud Regions
Network Service Discovery
Remote System Discovery
Hardware, Gather Victim Host Information
Steal or Forge Authentication Certificates
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Rootkit, Exploitation for Privilege Escalation
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
DLL Side-Loading, Hijack Execution Flow
Password Policy Discovery
Transfer Data to Cloud Account
Credentials, Gather Victim Identity Information
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Abuse Elevation Control Mechanism
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Remote System Discovery
System Owner/User Discovery
System Owner/User Discovery
Brute Force, Password Spraying, Credential Stuffing
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Boot or Logon Initialization Scripts, Logon Script (Windows)
Process Injection, Portable Executable Injection
Create or Modify System Process, Windows Service
Indirect Command Execution
Cloud Accounts, Valid Accounts
Credentials in Registry, Unsecured Credentials
Transfer Data to Cloud Account
Windows Service
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
LSASS Memory, OS Credential Dumping
Cloud Accounts
Remote Access Software
Modify Registry
Password Policy Discovery
Remote System Discovery
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Domain Account, Account Discovery
Compromise Accounts, Cloud Accounts, Brute Force
Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Mshta
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
SIP and Trust Provider Hijacking
Exploit Public-Facing Application, External Remote Services
Msiexec
Cloud Service Discovery
Email Collection, Local Email Collection
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Transfer Data to Cloud Account
Obfuscated Files or Information
Windows Service, Create or Modify System Process
Malicious Image, User Execution
System Binary Proxy Execution, CMSTP
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Steal or Forge Authentication Certificates
Service Stop
Disable or Modify Tools, Impair Defenses
Application or System Exploitation
Data from Cloud Storage
Trusted Developer Utilities Proxy Execution
IIS Components, Server Software Component
System Binary Proxy Execution
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation
Malicious Image, User Execution
Malicious Image, User Execution
Cloud Groups, Account Manipulation, Permission Groups Discovery
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
Password Spraying, Brute Force
Password Spraying, Brute Force
Vulnerability Scanning, Network Service Discovery
Network Service Discovery
Network Service Discovery
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Windows Service
Cloud Service Discovery
Password Policy Discovery
Network Share Discovery, Data from Network Shared Drive
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Exfiltration Over Unencrypted Non-C2 Protocol
Malicious Image, User Execution
Malicious Image, User Execution
LSASS Memory
PowerShell
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Masquerading
Phishing
Malicious File
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
PowerShell, Windows Command Shell
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Cloud Service Discovery
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory
Hidden Files and Directories
Create Account
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Abuse Elevation Control Mechanism, Indirect Command Execution
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Permission Groups Discovery, Domain Groups
Masquerading
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Password Spraying, Brute Force
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
LSASS Memory, OS Credential Dumping
Modify Registry
Domain Trust Discovery
Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows Management Instrumentation
Account Manipulation, Additional Cloud Roles
User Execution
DLL Side-Loading
Query Registry
Command and Scripting Interpreter, PowerShell
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Disable or Modify Tools, Impair Defenses
Modify Registry
Server Software Component, Exploit Public-Facing Application, External Remote Services
Cloud Account
OS Credential Dumping
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Modify Registry
Account Discovery, Domain Account
Hide Artifacts, NTFS File Attributes
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Discovery
Private Keys, Unsecured Credentials
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
PowerShell, Ingress Tool Transfer
Access Token Manipulation, Token Impersonation/Theft
Exploit Public-Facing Application, External Remote Services
Services Registry Permissions Weakness
Create or Modify System Process, Windows Service
Web Session Cookie, Cloud Service Dashboard
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
User Execution
Steal Application Access Token
Encrypted Channel
Port Monitors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Regsvr32
Cloud Account
Pre-OS Boot, Registry Run Keys / Startup Folder
Proxy, Multi-hop Proxy
Cloud Groups, Account Manipulation, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Systemd Timers, Scheduled Task/Job
Cloud Service Discovery
Exploit Public-Facing Application
Data Encrypted for Impact
Windows Management Instrumentation
Mavinject, System Binary Proxy Execution
DLL Side-Loading, Hijack Execution Flow
Remote Access Software
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Endpoint Denial of Service
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Domain Generation Algorithms
Network Denial of Service
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Remote Access Software
Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Query Registry
Steal Web Session Cookie
Phishing, Spearphishing Attachment
Encrypted Channel
Email Collection, Email Forwarding Rule
Setuid and Setgid, Abuse Elevation Control Mechanism
Brute Force, Password Guessing
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Screen Capture
Account Discovery, Local Account
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Account Manipulation, Additional Cloud Roles
Spearphishing Attachment, Phishing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Inhibit System Recovery
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Remote System Discovery
Email Collection
Account Manipulation
Remote Desktop Protocol, Remote Services
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Domain Account, Account Discovery
Disable or Modify Cloud Logs, Impair Defenses
Exploit Public-Facing Application
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Account Discovery, Domain Account
Data Staged
Cloud Account, Create Account
Cloud Account
Exploit Public-Facing Application, External Remote Services
Permission Groups Discovery, Domain Groups
Password Spraying
Valid Accounts, Brute Force
Steal Application Access Token, Phishing, Spearphishing Link
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Disable or Modify Cloud Logs, Impair Defenses
Data Encrypted for Impact
Ingress Tool Transfer
Exploit Public-Facing Application
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Protocol Tunneling, Proxy, Web Service
Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploitation for Client Execution
Drive-by Compromise
Defacement
Mail Protocols, Application Layer Protocol
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Domain or Tenant Policy Modification, Trust Modification
Disk Structure Wipe, Disk Wipe
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Managers
Scheduled Task/Job, Scheduled Task
Msiexec
Password Spraying, Brute Force
System Shutdown/Reboot
Protocol Impersonation
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Password Spraying, Brute Force
Account Manipulation
Service Stop
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Hide Artifacts, NTFS File Attributes
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Container Orchestration Job
Query Registry
User Execution
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
Malicious Image, User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
LSASS Memory, OS Credential Dumping
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
Print Processors, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Command and Scripting Interpreter
Scheduled Task/Job
Automated Collection
Process Injection
Disable or Modify Tools, Impair Defenses
User Execution
Network Denial of Service
PowerShell, Command and Scripting Interpreter
Indicator Removal
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Gather Victim Network Information, IP Addresses
Account Manipulation
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Container API
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Account Discovery
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Deobfuscate/Decode Files or Information
Token Impersonation/Theft, Access Token Manipulation
Modify Registry
Endpoint Denial of Service
Data Destruction
OS Credential Dumping
User Execution, Malicious File
Remote Access Software
Command and Scripting Interpreter
Domain Account, Account Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Boot or Logon Autostart Execution
Credentials from Web Browsers, Credentials from Password Stores
Domain Trust Discovery
SMB/Windows Admin Shares, Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Kerberos Tickets, Golden Ticket
XSL Script Processing
Disable or Modify Tools, Impair Defenses
Archive Collected Data
System Binary Proxy Execution, Rundll32
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Steal Application Access Token
Modify Registry
Phishing, Spearphishing Attachment
Use Alternate Authentication Material, Pass the Ticket
Exfiltration Over C2 Channel
Browser Session Hijacking
Cron, Scheduled Task/Job
User Execution
User Execution
Digital Certificates
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
User Execution
Password Policy Discovery
Use Alternate Authentication Material
Cloud Account, Create Account
Query Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Exploitation for Privilege Escalation
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
Multi-Factor Authentication Request Generation
PowerShell, Command and Scripting Interpreter
Process Injection
Account Discovery, Local Account
Process Injection, Dynamic-link Library Injection
Command and Scripting Interpreter
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
File and Directory Discovery
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impair Defenses, Disable or Modify Cloud Logs
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Query Registry
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Brute Force, Password Guessing, Password Spraying
Command and Scripting Interpreter
Command and Scripting Interpreter
LSASS Memory
Disable or Modify Cloud Logs, Impair Defenses
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Data Destruction
Exploit Public-Facing Application
User Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
System Binary Proxy Execution, Mshta
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cron, Scheduled Task/Job
Forced Authentication
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Hidden Window
Inhibit System Recovery
OS Credential Dumping, PowerShell
Domain Account, Account Discovery
Password Spraying, Brute Force
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
Windows Management Instrumentation
SID-History Injection, Access Token Manipulation
Modify Registry
Modify Registry
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Valid Accounts
Domain or Tenant Policy Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Transfer Data to Cloud Account
Compromise Accounts, Unused/Unsupported Cloud Regions
Automated Exfiltration
Web Shell, External Remote Services
Steal Application Access Token
Exploit Public-Facing Application, External Remote Services
Account Manipulation
Impair Defenses
Phishing, Modify Registry
Password Spraying, Brute Force
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Data Encrypted for Impact
User Execution
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Brute Force, Password Guessing, Password Spraying
Password Policy Discovery
User Execution
Gather Victim Identity Information, Email Addresses
Valid Accounts, Domain Accounts
System Binary Proxy Execution
Malicious Image, User Execution
User Execution
Ingress Tool Transfer
Account Manipulation, Additional Email Delegate Permissions
Modify Registry
Hardware Additions
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
User Execution, Malicious File
Container API
Exfiltration Over Web Service
Service Stop
Valid Accounts
Masquerading, Rename System Utilities
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Account Manipulation, Additional Cloud Roles
Archive via Utility, Archive Collected Data
Password Spraying, Brute Force
System Binary Proxy Execution, Compiled HTML File
Password Policy Discovery
System Services, Service Execution
LSASS Memory, OS Credential Dumping
Remote System Discovery
Credentials from Password Stores, Credentials from Web Browsers
Endpoint Denial of Service
Password Guessing, Brute Force
Remote Services, Windows Remote Management
Server Software Component, IIS Components
At, Scheduled Task/Job
Application or System Exploitation
Exploit Public-Facing Application
Compromise Host Software Binary
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Process Injection
Print Processors, Boot or Logon Autostart Execution
File Transfer Protocols, Application Layer Protocol
Archive via Utility, Archive Collected Data
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Impair Defenses, Disable or Modify Cloud Logs
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Trusted Relationship
Service Stop
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Domain or Tenant Policy Modification, Group Policy Modification
Non-Application Layer Protocol
Windows Management Instrumentation Event Subscription
Modify Registry
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Permission Groups Discovery, Local Groups
Exploit Public-Facing Application
Drive-by Compromise
Exfiltration Over Web Service
Exploit Public-Facing Application
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
System Binary Proxy Execution, Regsvcs/Regasm
Account Manipulation, Device Registration
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Browser Session Hijacking
Disable or Modify Tools, Impair Defenses
Exploitation of Remote Services
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Impair Defenses, PowerShell, Command and Scripting Interpreter
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Protocol Tunneling, SSH
Process Injection, Portable Executable Injection
User Execution
Create Account, Cloud Account
SSH Authorized Keys, Account Manipulation
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Compiled HTML File
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
Protocol Tunneling, Proxy, Web Service
System Network Configuration Discovery
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Scheduled Task/Job, At
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Data Destruction
Virtualization/Sandbox Evasion, Time Based Evasion
Application Layer Protocol
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Email Collection, Remote Email Collection
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Malicious Image, User Execution
Steal Application Access Token
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Manipulation
Email Collection, Email Forwarding Rule
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation
System Binary Proxy Execution, Regsvcs/Regasm
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Access Software
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Drive-by Compromise
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Rundll32
Remote Desktop Protocol, Remote Services
Exploitation for Client Execution
Account Access Removal
Valid Accounts
System Owner/User Discovery
Email Collection, Email Forwarding Rule
Obfuscated Files or Information
Browser Session Hijacking
Fileless Storage, Obfuscated Files or Information
Print Processors, Boot or Logon Autostart Execution
Remote Desktop Protocol, Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Process Injection
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
System Owner/User Discovery
Ingress Tool Transfer
Security Account Manager, OS Credential Dumping
Exploit Public-Facing Application
Impair Defenses
Account Discovery, Local Account
Digital Certificates
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Permission Groups Discovery, Local Groups
Network Sniffing
Inhibit System Recovery
Ingress Tool Transfer
Local Account, Create Account
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Remote Services, SMB/Windows Admin Shares
Disable or Modify Tools, Impair Defenses
Spearphishing Attachment, Phishing
Drive-by Compromise
Valid Accounts
Mail Protocols, Application Layer Protocol
Modify Registry
Automated Collection
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Token Impersonation/Theft, Access Token Manipulation
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Account Discovery, Domain Account
Trusted Relationship
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Plist File Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
LSASS Memory, OS Credential Dumping
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
Valid Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Rootkit, Exploitation for Privilege Escalation
System Binary Proxy Execution, Mshta
Account Manipulation
Exploit Public-Facing Application, External Remote Services
DNS, Application Layer Protocol
Exploit Public-Facing Application
System Shutdown/Reboot
Application Layer Protocol
Obfuscated Files or Information, Unix Shell
System Binary Proxy Execution, Rundll32
Exploit Public-Facing Application
Account Manipulation
SID-History Injection, Access Token Manipulation
Security Account Manager, OS Credential Dumping
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Registry
Mail Protocols, Application Layer Protocol
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Server Software Component, IIS Components
Command and Scripting Interpreter, PowerShell
Unsecured Credentials
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
Steal Application Access Token
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Launch Agent, Create or Modify System Process
Archive via Utility, Archive Collected Data
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Data Destruction
Windows Service, Create or Modify System Process
Remote Desktop Protocol, Remote Services
Container API
System Network Connections Discovery
System Binary Proxy Execution, Regsvr32
Web Service
Gather Victim Host Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Windows Management Instrumentation
Modify Registry
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Create or Modify System Process, Windows Service
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
SMB/Windows Admin Shares, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Digital Certificates
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Command and Scripting Interpreter, Component Object Model
Dynamic-link Library Injection, Process Injection
Masquerading
Cloud Account
System Binary Proxy Execution, Mshta
User Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Command and Scripting Interpreter
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exfiltration Over C2 Channel
System Services, Service Execution
System Owner/User Discovery
Compromise Software Supply Chain
Remote Access Software, OS Credential Dumping
Account Discovery, Domain Account
User Execution
Verclsid, System Binary Proxy Execution
Exploit Public-Facing Application, Command and Scripting Interpreter
Screen Capture
Cloud Accounts
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Manipulation, Valid Accounts
User Execution
System Services, Service Execution
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Drive-by Compromise
Shared Modules
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Gather Victim Host Information
Modify Registry
Password Spraying, Brute Force
Valid Accounts
Account Access Removal
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Rogue Domain Controller
Valid Accounts, Cloud Accounts
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
Process Injection
Domain Account, Account Discovery
Create or Modify System Process
Exfiltration Over C2 Channel
Phishing
Password Spraying, Brute Force
Exploit Public-Facing Application
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
Exploitation for Privilege Escalation
System Shutdown/Reboot
Remote Services, Distributed Component Object Model
Process Injection
Query Registry
RDP Hijacking
Bypass User Account Control
TFTP Boot, Pre-OS Boot
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Windows Remote Management, Remote Services
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
Process Injection
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Security Account Manager
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Valid Accounts, Local Accounts
Permission Groups Discovery, Domain Groups
Valid Accounts
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Multi-Factor Authentication Request Generation
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
System Binary Proxy Execution, Rundll32
Exploitation of Remote Services
Service Stop
Domain or Tenant Policy Modification, Group Policy Modification
Process Discovery
Kernel Modules and Extensions
Security Account Manager, OS Credential Dumping
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
DCSync, OS Credential Dumping
System Shutdown/Reboot
Indicator Removal
Exploit Public-Facing Application
Compromise Host Software Binary
Cloud Service Discovery
Ingress Tool Transfer
Archive via Utility, Archive Collected Data
Cloud Infrastructure Discovery
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Server Software Component, Web Shell
Exploit Public-Facing Application
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
DNS, Application Layer Protocol
Data from Local System
Service Stop
System Owner/User Discovery
Odbcconf
Exploitation for Privilege Escalation
Exploitation for Credential Access
Account Manipulation, Valid Accounts
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Data from Cloud Storage
System Binary Proxy Execution, Regsvcs/Regasm
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
System Network Connections Discovery
Exploit Public-Facing Application
Scheduled Task, PowerShell, Command and Scripting Interpreter
System Network Configuration Discovery, Internet Connection Discovery
Network Share Discovery
Network Share Discovery
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Command and Scripting Interpreter, PowerShell
User Execution
Path Interception by Unquoted Path, Hijack Execution Flow
System Services, Service Execution
Use Alternate Authentication Material
OS Credential Dumping, DCSync, Rogue Domain Controller
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Valid Accounts, Domain Accounts
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Proxy, Non-Application Layer Protocol
Password Policy Discovery
Cron, Scheduled Task/Job
Cloud Account, Create Account
Impair Defenses, Disable or Modify System Firewall
Modify Registry
System Network Configuration Discovery
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Application Shimming, Event Triggered Execution
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
User Execution, Malicious File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Local Account, Create Account
Data from Cloud Storage
Valid Accounts
Data from Cloud Storage
Clear Windows Event Logs, Indicator Removal
Exfiltration Over Alternative Protocol
Masquerading
Command and Scripting Interpreter
Password Spraying, Brute Force
System Information Discovery, External Remote Services
Exploitation for Credential Access
Modify Registry
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
Password Policy Discovery
Compromise Software Supply Chain
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Discovery, Domain Account
Exploit Public-Facing Application
Brute Force
Multi-Factor Authentication Request Generation
Modify Cloud Compute Configurations
Password Spraying, Brute Force
Command and Scripting Interpreter, PowerShell
InstallUtil, System Binary Proxy Execution
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Rogue Domain Controller
Ingress Tool Transfer
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal Application Access Token
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
Account Manipulation
Application Layer Protocol
Masquerading
Disable or Modify Tools, Impair Defenses
Network Share Discovery
Windows Service
Command and Scripting Interpreter, Process Injection, PowerShell
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Remote Email Collection
Steal or Forge Kerberos Tickets
Brute Force
System Script Proxy Execution, System Binary Proxy Execution
Additional Cloud Roles
Data Encrypted for Impact
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Data Destruction, File Deletion, Indicator Removal
Email Collection, Remote Email Collection
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Process Injection
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
Data Destruction
Digital Certificates
Cloud Accounts, Valid Accounts
Ingress Tool Transfer, Domain Groups
Modify Authentication Process, Multi-Factor Authentication
Print Processors, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
Email Collection, Remote Email Collection
Scheduled Task, Scheduled Task/Job
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell
Cloud Service Discovery
Exploitation of Remote Services
Archive via Utility, Archive Collected Data
Systemd Timers, Scheduled Task/Job
PowerShell
Gather Victim Host Information, PowerShell
Data from Cloud Storage
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Password Spraying, Brute Force
Modify Registry
System Network Configuration Discovery
Ingress Tool Transfer
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
Domain Trust Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
Drive-by Compromise
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Modify Authentication Process
Ingress Tool Transfer
Cloud Accounts, Valid Accounts
Scheduled Task, Scheduled Task/Job
Impair Defenses, Disable or Modify Cloud Logs
Clipboard Data
Scheduled Task
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Valid Accounts
Unix Shell, Command and Scripting Interpreter
Password Spraying, Brute Force
Exploit Public-Facing Application
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Impair Defenses, Disable or Modify Cloud Logs
PowerShell, Command and Scripting Interpreter
Change Default File Association, Event Triggered Execution
PowerShell, Command and Scripting Interpreter
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
File and Directory Discovery
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
System Owner/User Discovery
Compiled HTML File, System Binary Proxy Execution
Cloud Account, Create Account
Windows Management Instrumentation
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
User Execution
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Account Discovery, Domain Account
Compromise Software Supply Chain, Supply Chain Compromise
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares
Cloud Accounts, Valid Accounts
Valid Accounts
Command and Scripting Interpreter, Windows Command Shell
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Service Stop
Exploit Public-Facing Application, External Remote Services
Security Account Manager, OS Credential Dumping
Process Injection
Process Injection
Rename System Utilities, Masquerading
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Modify Registry
Launch Agent, Create or Modify System Process
User Execution
Exploitation of Remote Services
Exploit Public-Facing Application
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Discovery, Domain Account
Exploitation of Remote Services
Steal or Forge Authentication Certificates
Domain or Tenant Policy Modification
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Exploit Public-Facing Application
Service Stop
Remote Email Collection
Exploitation for Privilege Escalation
Inhibit System Recovery
Spearphishing Attachment, Phishing
Exploitation of Remote Services
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Compiled HTML File
Security Account Manager
Email Collection
Scheduled Task, Scheduled Task/Job
Steal or Forge Kerberos Tickets, Kerberoasting
Malicious File, User Execution
Process Injection
DCSync, OS Credential Dumping
Modify Registry
Visual Basic, Command and Scripting Interpreter
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Modify Registry
Password Spraying, Brute Force
Data Destruction
Brute Force, Password Guessing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
InstallUtil, System Binary Proxy Execution
Domain Account, Account Discovery
Service Stop
Process Injection
Modify Registry
Scheduled Task
Access Token Manipulation, SID-History Injection
Server Software Component, Web Shell
Remote Services, Windows Remote Management
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Brute Force, Credential Stuffing
Exploit Public-Facing Application
Windows Management Instrumentation
Account Manipulation, Device Registration
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Account Discovery
Modify Registry
Account Discovery
Email Collection, Remote Email Collection
Valid Accounts, Default Accounts, Modify Authentication Process
Steal or Forge Kerberos Tickets, Kerberoasting
Account Manipulation, Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Automated Collection
Lateral Tool Transfer
System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Malicious Image, User Execution
Disable or Modify Cloud Firewall, Impair Defenses
SSH Authorized Keys, Account Manipulation
Gather Victim Host Information
Local Account, Create Account
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Account Discovery, Domain Account, User Execution, Malicious File
Exploitation for Privilege Escalation
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Network Denial of Service, Reflection Amplification
Spearphishing Attachment, Phishing
Email Collection, Local Email Collection
Remote Access Software
Disable or Modify Cloud Logs, Impair Defenses
System Owner/User Discovery
DLL Search Order Hijacking, Hijack Execution Flow
Inhibit System Recovery
Remote Email Collection, Email Collection
Scheduled Task/Job
System Information Discovery, Rootkit
Automated Exfiltration
Account Discovery, Local Account, PowerShell
Valid Accounts
Modify Registry
Phishing, Spearphishing Link
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Browser Session Hijacking
System Firmware, Pre-OS Boot
Account Manipulation, Device Registration
Security Account Manager, OS Credential Dumping
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Server Software Component, IIS Components
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Create or Modify System Process, Windows Service
Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Obfuscated Files or Information
Cloud Service Discovery
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Odbcconf
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Command and Scripting Interpreter
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Odbcconf
User Execution
File and Directory Permissions Modification
Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Steal Application Access Token
Account Manipulation, Additional Cloud Roles
System Binary Proxy Execution, Rundll32
Remote Email Collection
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Data from Cloud Storage
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Remote Services, Windows Remote Management
Process Injection, Portable Executable Injection
Local Account, Create Account
Disable or Modify Cloud Firewall, Impair Defenses
Remote Services, Windows Remote Management
Valid Accounts
Disable or Modify Tools, Impair Defenses
System Information Discovery
Security Account Manager
Use Alternate Authentication Material
Steal or Forge Kerberos Tickets
Modify Registry
Disable or Modify Cloud Logs, Impair Defenses
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
Domain Trust Discovery, PowerShell
IP Addresses, Gather Victim Network Information
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
File Deletion, Indicator Removal
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Replication Through Removable Media
Phishing, Spearphishing Attachment
Compromise Software Supply Chain
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Password Policy Discovery
Visual Basic, Command and Scripting Interpreter
Server Software Component, IIS Components
Domain or Tenant Policy Modification, Trust Modification
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Password Spraying, Brute Force
Account Manipulation, Additional Email Delegate Permissions
Scheduled Task, Scheduled Task/Job
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Spearphishing Attachment, Phishing
Windows Management Instrumentation
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Remote System Discovery
User Execution
Indicator Removal
Valid Accounts, Default Accounts
Remote System Discovery
Inhibit System Recovery
Obfuscated Files or Information, Indicator Removal from Tools
Kerberoasting
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Phishing
Steal or Forge Kerberos Tickets, Kerberoasting
Remote System Discovery
System Binary Proxy Execution, CMSTP
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Command and Scripting Interpreter, PowerShell
Drive-by Compromise
Domain Account, Account Discovery
Modify Registry
Phishing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Modify Registry
Domain Generation Algorithms
Remote Desktop Protocol, Remote Services
Transfer Data to Cloud Account
Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
SIP and Trust Provider Hijacking
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Remote System Discovery
Cloud Account
Disable or Modify Tools, Impair Defenses
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Visual Basic, Command and Scripting Interpreter
Remote Access Software
Cloud Account
Account Discovery, Local Account, PowerShell
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
System Binary Proxy Execution, CMSTP
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
User Execution
Exploitation for Privilege Escalation
Modify Registry
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Event Triggered Execution
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Disable or Modify Tools
Remote Services, Distributed Component Object Model
Screen Capture
Remote Services, Distributed Component Object Model, MMC
Remote System Discovery
SSH Authorized Keys
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Account Manipulation, Additional Cloud Roles
Exploit Public-Facing Application
Command and Scripting Interpreter, Visual Basic
User Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Data Destruction
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Phishing, Spearphishing Attachment
Steal or Forge Kerberos Tickets, AS-REP Roasting
Additional Email Delegate Permissions, Additional Cloud Roles
Indicator Removal, Clear Windows Event Logs
Clipboard Data
Permission Groups Discovery, Domain Groups
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Remote System Discovery
Windows Command Shell
Create or Modify System Process
Valid Accounts
User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
Install Root Certificate, Subvert Trust Controls
Valid Accounts
Cloud Account
Account Manipulation, Valid Accounts
Data Destruction
Steal or Forge Kerberos Tickets, AS-REP Roasting
Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Scheduled Task, Scheduled Task/Job
User Execution
Windows Management Instrumentation
Ingress Tool Transfer
Malicious Image, User Execution
Network Service Discovery
Remote Services, Windows Remote Management
Modify Registry
Cloud Account, Create Account
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Data Encrypted for Impact
PowerShell, Ingress Tool Transfer, Fileless Storage
Steal or Forge Kerberos Tickets
Modify Registry, OS Credential Dumping
Permission Groups Discovery, Domain Groups
Cloud Accounts, Valid Accounts
Unsecured Credentials, Group Policy Preferences
Command and Scripting Interpreter, JavaScript
Domain Account, Account Discovery
File and Directory Permissions Modification
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
Transfer Data to Cloud Account
System Information Discovery
Phishing, Spearphishing Attachment
Account Manipulation, Additional Cloud Credentials
Command and Scripting Interpreter, PowerShell
Exfiltration Over Alternative Protocol
User Execution
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Regsvr32
Modify Authentication Process
Valid Accounts, Default Accounts
Cloud Account
Exploit Public-Facing Application, External Remote Services
Account Manipulation
DLL Side-Loading, Hijack Execution Flow
Command and Scripting Interpreter, PowerShell
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Exploit Public-Facing Application
Valid Accounts
Windows Management Instrumentation
System Owner/User Discovery
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Brute Force
Password Policy Discovery
Steal or Forge Authentication Certificates
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Ingress Tool Transfer
Mark-of-the-Web Bypass
Spearphishing Attachment, Phishing
Disable or Modify Tools, Impair Defenses
Disk Structure Wipe, Disk Wipe
Command and Scripting Interpreter
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
Exploitation for Client Execution
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Local Accounts, Credentials In Files
Rogue Domain Controller
Security Account Manager
Disable or Modify Tools, Impair Defenses
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer
Cached Domain Credentials, OS Credential Dumping
Container API
GUI Input Capture, Input Capture
Disable or Modify Tools, Impair Defenses
Network Share Discovery, Valid Accounts
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Create Account, Cloud Account
Disable or Modify Tools, Impair Defenses, Modify Registry
Kerberoasting
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Phishing, Spearphishing Attachment
Additional Email Delegate Permissions, Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Unused/Unsupported Cloud Regions
Network Service Discovery
Remote System Discovery
Hardware, Gather Victim Host Information
Steal or Forge Authentication Certificates
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Rootkit, Exploitation for Privilege Escalation
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
DLL Side-Loading, Hijack Execution Flow
Password Policy Discovery
Transfer Data to Cloud Account
Credentials, Gather Victim Identity Information
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Remote System Discovery
System Owner/User Discovery
System Owner/User Discovery
Brute Force, Password Spraying, Credential Stuffing
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Boot or Logon Initialization Scripts, Logon Script (Windows)
Process Injection, Portable Executable Injection
Create or Modify System Process, Windows Service
Indirect Command Execution
Cloud Accounts, Valid Accounts
Credentials in Registry, Unsecured Credentials
Transfer Data to Cloud Account
Windows Service
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
LSASS Memory, OS Credential Dumping
Cloud Accounts
Remote Access Software
Modify Registry
Password Policy Discovery
Remote System Discovery
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Domain Account, Account Discovery
Compromise Accounts, Cloud Accounts, Brute Force
Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Mshta
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
SIP and Trust Provider Hijacking
Exploit Public-Facing Application, External Remote Services
Msiexec
Cloud Service Discovery
Email Collection, Local Email Collection
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Transfer Data to Cloud Account
Obfuscated Files or Information
Windows Service, Create or Modify System Process
Malicious Image, User Execution
System Binary Proxy Execution, CMSTP
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Steal or Forge Authentication Certificates
Service Stop
Disable or Modify Tools, Impair Defenses
Data from Cloud Storage
Trusted Developer Utilities Proxy Execution
IIS Components, Server Software Component
System Binary Proxy Execution
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation
Malicious Image, User Execution
Malicious Image, User Execution
Cloud Groups, Account Manipulation, Permission Groups Discovery
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
Password Spraying, Brute Force
Password Spraying, Brute Force
Vulnerability Scanning, Network Service Discovery
Network Service Discovery
Network Service Discovery
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Windows Service
Cloud Service Discovery
Password Policy Discovery
Network Share Discovery, Data from Network Shared Drive
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Exfiltration Over Unencrypted Non-C2 Protocol
Malicious Image, User Execution
Malicious Image, User Execution
LSASS Memory
PowerShell
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Masquerading
Phishing
Malicious File
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
PowerShell, Windows Command Shell
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Cloud Service Discovery
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory
Hidden Files and Directories
Create Account
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Abuse Elevation Control Mechanism, Indirect Command Execution
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Permission Groups Discovery, Domain Groups
Masquerading
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Password Spraying, Brute Force
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
LSASS Memory, OS Credential Dumping
Modify Registry
Domain Trust Discovery
Abuse Elevation Control Mechanism
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows Management Instrumentation
Account Manipulation, Additional Cloud Roles
User Execution
DLL Side-Loading
Query Registry
Command and Scripting Interpreter, PowerShell
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Disable or Modify Tools, Impair Defenses
Modify Registry
Server Software Component, Exploit Public-Facing Application, External Remote Services
Cloud Account
OS Credential Dumping
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Modify Registry
Account Discovery, Domain Account
Hide Artifacts, NTFS File Attributes
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Discovery
Private Keys, Unsecured Credentials
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
PowerShell, Ingress Tool Transfer
Access Token Manipulation, Token Impersonation/Theft
Exploit Public-Facing Application, External Remote Services
Services Registry Permissions Weakness
Create or Modify System Process, Windows Service
Web Session Cookie, Cloud Service Dashboard
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
User Execution
Steal Application Access Token
Encrypted Channel
Port Monitors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Regsvr32
Cloud Account
Pre-OS Boot, Registry Run Keys / Startup Folder
Proxy, Multi-hop Proxy
Cloud Groups, Account Manipulation, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Systemd Timers, Scheduled Task/Job
Cloud Service Discovery
Exploit Public-Facing Application
Data Encrypted for Impact
Windows Management Instrumentation
Mavinject, System Binary Proxy Execution
DLL Side-Loading, Hijack Execution Flow
Remote Access Software
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Domain Generation Algorithms
Network Denial of Service
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Remote Access Software
Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Query Registry
Steal Web Session Cookie
Phishing, Spearphishing Attachment
Encrypted Channel
Email Collection, Email Forwarding Rule
Setuid and Setgid, Abuse Elevation Control Mechanism
Brute Force, Password Guessing
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Screen Capture
Account Discovery, Local Account
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Account Manipulation, Additional Cloud Roles
Spearphishing Attachment, Phishing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Inhibit System Recovery
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Remote System Discovery
Email Collection
Account Manipulation
Remote Desktop Protocol, Remote Services
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Domain Account, Account Discovery
Disable or Modify Cloud Logs, Impair Defenses
Exploit Public-Facing Application
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Account Discovery, Domain Account
Data Staged
Cloud Account, Create Account
Cloud Account
Exploit Public-Facing Application, External Remote Services
Permission Groups Discovery, Domain Groups
Password Spraying
Valid Accounts, Brute Force
Steal Application Access Token, Phishing, Spearphishing Link
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Disable or Modify Cloud Logs, Impair Defenses
Data Encrypted for Impact
Ingress Tool Transfer
Exploit Public-Facing Application
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Protocol Tunneling, Proxy, Web Service
Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploitation for Client Execution
Drive-by Compromise
Defacement
Mail Protocols, Application Layer Protocol
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Domain or Tenant Policy Modification, Trust Modification
Disk Structure Wipe, Disk Wipe
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Managers
Scheduled Task/Job, Scheduled Task
Msiexec
Password Spraying, Brute Force
System Shutdown/Reboot
Protocol Impersonation
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Password Spraying, Brute Force
Account Manipulation
Service Stop
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Hide Artifacts, NTFS File Attributes
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Container Orchestration Job
Query Registry
User Execution
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
Malicious Image, User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
LSASS Memory, OS Credential Dumping
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
Print Processors, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Command and Scripting Interpreter
Scheduled Task/Job
Automated Collection
Process Injection
Disable or Modify Tools, Impair Defenses
User Execution
Network Denial of Service
PowerShell, Command and Scripting Interpreter
Indicator Removal
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Gather Victim Network Information, IP Addresses
Account Manipulation
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Container API
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Account Discovery
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Deobfuscate/Decode Files or Information
Token Impersonation/Theft, Access Token Manipulation
Modify Registry
Endpoint Denial of Service
Data Destruction
OS Credential Dumping
User Execution, Malicious File
Remote Access Software
Command and Scripting Interpreter
Domain Account, Account Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Boot or Logon Autostart Execution
Credentials from Web Browsers, Credentials from Password Stores
Domain Trust Discovery
SMB/Windows Admin Shares, Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Kerberos Tickets, Golden Ticket
XSL Script Processing
Disable or Modify Tools, Impair Defenses
Archive Collected Data
System Binary Proxy Execution, Rundll32
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Steal Application Access Token
Modify Registry
Phishing, Spearphishing Attachment
Use Alternate Authentication Material, Pass the Ticket
Exfiltration Over C2 Channel
Browser Session Hijacking
Cron, Scheduled Task/Job
User Execution
User Execution
Digital Certificates
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
User Execution
Password Policy Discovery
Use Alternate Authentication Material
Cloud Account, Create Account
Query Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Exploitation for Privilege Escalation
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
Multi-Factor Authentication Request Generation
PowerShell, Command and Scripting Interpreter
Process Injection
Account Discovery, Local Account
Process Injection, Dynamic-link Library Injection
Command and Scripting Interpreter
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impair Defenses, Disable or Modify Cloud Logs
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Query Registry
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Brute Force, Password Guessing, Password Spraying
Command and Scripting Interpreter
Command and Scripting Interpreter
LSASS Memory
Disable or Modify Cloud Logs, Impair Defenses
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Data Destruction
Exploit Public-Facing Application
User Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
System Binary Proxy Execution, Mshta
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cron, Scheduled Task/Job
Forced Authentication
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Hidden Window
Inhibit System Recovery
OS Credential Dumping, PowerShell
Domain Account, Account Discovery
Password Spraying, Brute Force
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
Windows Management Instrumentation
SID-History Injection, Access Token Manipulation
Modify Registry
Modify Registry
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Valid Accounts
Domain or Tenant Policy Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Transfer Data to Cloud Account
Compromise Accounts, Unused/Unsupported Cloud Regions
Automated Exfiltration
Web Shell, External Remote Services
Steal Application Access Token
Exploit Public-Facing Application, External Remote Services
Account Manipulation
Impair Defenses
Phishing, Modify Registry
Password Spraying, Brute Force
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Data Encrypted for Impact
User Execution
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Brute Force, Password Guessing, Password Spraying
Password Policy Discovery
User Execution
Gather Victim Identity Information, Email Addresses
Valid Accounts, Domain Accounts
System Binary Proxy Execution
Malicious Image, User Execution
User Execution
Ingress Tool Transfer
Account Manipulation, Additional Email Delegate Permissions
Modify Registry
Hardware Additions
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
User Execution, Malicious File
Container API
Exfiltration Over Web Service
Service Stop
Valid Accounts
Masquerading, Rename System Utilities
Log Enumeration
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Account Manipulation, Additional Cloud Roles
Archive via Utility, Archive Collected Data
Password Spraying, Brute Force
System Binary Proxy Execution, Compiled HTML File
Password Policy Discovery
System Services, Service Execution
LSASS Memory, OS Credential Dumping
Remote System Discovery
Credentials from Password Stores, Credentials from Web Browsers
Password Guessing, Brute Force
Remote Services, Windows Remote Management
Server Software Component, IIS Components
At, Scheduled Task/Job
Application or System Exploitation
Exploit Public-Facing Application
Compromise Host Software Binary
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Process Injection
Print Processors, Boot or Logon Autostart Execution
File Transfer Protocols, Application Layer Protocol
Archive via Utility, Archive Collected Data
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Impair Defenses, Disable or Modify Cloud Logs
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Trusted Relationship
Service Stop
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Domain or Tenant Policy Modification, Group Policy Modification
Non-Application Layer Protocol
Windows Management Instrumentation Event Subscription
Modify Registry
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Permission Groups Discovery, Local Groups
Exploit Public-Facing Application
Drive-by Compromise
Exfiltration Over Web Service
Exploit Public-Facing Application
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
System Binary Proxy Execution, Regsvcs/Regasm
Account Manipulation, Device Registration
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Browser Session Hijacking
Disable or Modify Tools, Impair Defenses
Exploitation of Remote Services
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Impair Defenses, PowerShell, Command and Scripting Interpreter
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Protocol Tunneling, SSH
Process Injection, Portable Executable Injection
User Execution
Create Account, Cloud Account
SSH Authorized Keys, Account Manipulation
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Compiled HTML File
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
Protocol Tunneling, Proxy, Web Service
System Network Configuration Discovery
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Scheduled Task/Job, At
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Data Destruction
Virtualization/Sandbox Evasion, Time Based Evasion
Application Layer Protocol
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Email Collection, Remote Email Collection
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Malicious Image, User Execution
Steal Application Access Token
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Manipulation
Email Collection, Email Forwarding Rule
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation
System Binary Proxy Execution, Regsvcs/Regasm
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Access Software
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Drive-by Compromise
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Rundll32
Remote Desktop Protocol, Remote Services
Exploitation for Client Execution
Account Access Removal
Valid Accounts
System Owner/User Discovery
Email Collection, Email Forwarding Rule
Obfuscated Files or Information
Browser Session Hijacking
Fileless Storage, Obfuscated Files or Information
Print Processors, Boot or Logon Autostart Execution
Remote Desktop Protocol, Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Process Injection
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
System Owner/User Discovery
Ingress Tool Transfer
Security Account Manager, OS Credential Dumping
Exploit Public-Facing Application
Impair Defenses
Account Discovery, Local Account
Digital Certificates
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Permission Groups Discovery, Local Groups
Network Sniffing
Inhibit System Recovery
Ingress Tool Transfer
Local Account, Create Account
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Remote Services, SMB/Windows Admin Shares
Disable or Modify Tools, Impair Defenses
Spearphishing Attachment, Phishing
Drive-by Compromise
Valid Accounts
Mail Protocols, Application Layer Protocol
Modify Registry
Automated Collection
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Token Impersonation/Theft, Access Token Manipulation
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Inhibit System Recovery
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Account Discovery, Domain Account
Trusted Relationship
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Plist File Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
LSASS Memory, OS Credential Dumping
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
Valid Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Rootkit, Exploitation for Privilege Escalation
System Binary Proxy Execution, Mshta
Account Manipulation
Exploit Public-Facing Application, External Remote Services
DNS, Application Layer Protocol
Exploit Public-Facing Application
System Shutdown/Reboot
Application Layer Protocol
Obfuscated Files or Information, Unix Shell
System Binary Proxy Execution, Rundll32
Exploit Public-Facing Application
Account Manipulation
SID-History Injection, Access Token Manipulation
Security Account Manager, OS Credential Dumping
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Registry
Mail Protocols, Application Layer Protocol
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Server Software Component, IIS Components
Command and Scripting Interpreter, PowerShell
Unsecured Credentials
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
Steal Application Access Token
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Launch Agent, Create or Modify System Process
Archive via Utility, Archive Collected Data
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Data Destruction
Windows Service, Create or Modify System Process
Remote Desktop Protocol, Remote Services
Container API
System Network Connections Discovery
System Binary Proxy Execution, Regsvr32
Web Service
Gather Victim Host Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Windows Management Instrumentation
Modify Registry
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Create or Modify System Process, Windows Service
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
SMB/Windows Admin Shares, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Digital Certificates
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Command and Scripting Interpreter, Component Object Model
Dynamic-link Library Injection, Process Injection
Masquerading
Cloud Account
System Binary Proxy Execution, Mshta
User Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Command and Scripting Interpreter
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exfiltration Over C2 Channel
System Services, Service Execution
System Owner/User Discovery
Compromise Software Supply Chain
Remote Access Software, OS Credential Dumping
Account Discovery, Domain Account
User Execution
Verclsid, System Binary Proxy Execution
Exploit Public-Facing Application, Command and Scripting Interpreter
Screen Capture
Cloud Accounts
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Manipulation, Valid Accounts
User Execution
System Services, Service Execution
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Drive-by Compromise
Shared Modules
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Gather Victim Host Information
Modify Registry
Password Spraying, Brute Force
Valid Accounts
Account Access Removal
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Rogue Domain Controller
Valid Accounts, Cloud Accounts
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
Process Injection
Domain Account, Account Discovery
Create or Modify System Process
Exfiltration Over C2 Channel
Phishing
Password Spraying, Brute Force
Exploit Public-Facing Application
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
Exploitation for Privilege Escalation
System Shutdown/Reboot
Remote Services, Distributed Component Object Model
Process Injection
Query Registry
RDP Hijacking
Bypass User Account Control
TFTP Boot, Pre-OS Boot
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Windows Remote Management, Remote Services
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
Process Injection
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Security Account Manager
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Valid Accounts, Local Accounts
Permission Groups Discovery, Domain Groups
Valid Accounts
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Multi-Factor Authentication Request Generation
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
System Binary Proxy Execution, Rundll32
Exploitation of Remote Services
Service Stop
Domain or Tenant Policy Modification, Group Policy Modification
Process Discovery
Kernel Modules and Extensions
Security Account Manager, OS Credential Dumping
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
DCSync, OS Credential Dumping
System Shutdown/Reboot
Indicator Removal
Exploit Public-Facing Application
Compromise Host Software Binary
Cloud Service Discovery
Ingress Tool Transfer
Archive via Utility, Archive Collected Data
Cloud Infrastructure Discovery
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Server Software Component, Web Shell
Exploit Public-Facing Application
LSASS Memory, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
DNS, Application Layer Protocol
Data from Local System
Service Stop
System Owner/User Discovery
Odbcconf
Exploitation for Privilege Escalation
Exploitation for Credential Access
Account Manipulation, Valid Accounts
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Data from Cloud Storage
System Binary Proxy Execution, Regsvcs/Regasm
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
System Network Connections Discovery
Exploit Public-Facing Application
Scheduled Task, PowerShell, Command and Scripting Interpreter
System Network Configuration Discovery, Internet Connection Discovery
Network Share Discovery
Network Share Discovery
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Command and Scripting Interpreter, PowerShell
User Execution
Path Interception by Unquoted Path, Hijack Execution Flow
System Services, Service Execution
Use Alternate Authentication Material
OS Credential Dumping, DCSync, Rogue Domain Controller
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Valid Accounts, Domain Accounts
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Proxy, Non-Application Layer Protocol
Password Policy Discovery
Cron, Scheduled Task/Job
Cloud Account, Create Account
Impair Defenses, Disable or Modify System Firewall
Modify Registry
System Network Configuration Discovery
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Application Shimming, Event Triggered Execution
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
User Execution, Malicious File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Local Account, Create Account
Data from Cloud Storage
Valid Accounts
Data from Cloud Storage
Clear Windows Event Logs, Indicator Removal
Exfiltration Over Alternative Protocol
Masquerading
Command and Scripting Interpreter
Password Spraying, Brute Force
System Information Discovery, External Remote Services
Exploitation for Credential Access
Modify Registry
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
Password Policy Discovery
Compromise Software Supply Chain
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Discovery, Domain Account
Exploit Public-Facing Application
Brute Force
Multi-Factor Authentication Request Generation
Modify Cloud Compute Configurations
Password Spraying, Brute Force
Command and Scripting Interpreter, PowerShell
InstallUtil, System Binary Proxy Execution
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Rogue Domain Controller
Ingress Tool Transfer
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Steal Application Access Token
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
Account Manipulation
Application Layer Protocol
Masquerading
Disable or Modify Tools, Impair Defenses
Network Share Discovery
Windows Service
Command and Scripting Interpreter, Process Injection, PowerShell
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Remote Email Collection
Steal or Forge Kerberos Tickets
Brute Force
System Script Proxy Execution, System Binary Proxy Execution
Additional Cloud Roles
Data Encrypted for Impact
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Data Destruction, File Deletion, Indicator Removal
Email Collection, Remote Email Collection
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Process Injection
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Domain Account, Account Discovery
Data Destruction
Digital Certificates
Cloud Accounts, Valid Accounts
Ingress Tool Transfer, Domain Groups
Modify Authentication Process, Multi-Factor Authentication
Print Processors, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
Email Collection, Remote Email Collection
Scheduled Task, Scheduled Task/Job
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell
Cloud Service Discovery
Exploitation of Remote Services
Archive via Utility, Archive Collected Data
Systemd Timers, Scheduled Task/Job
PowerShell
Gather Victim Host Information, PowerShell
Data from Cloud Storage
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Password Spraying, Brute Force
Modify Registry
System Network Configuration Discovery
Ingress Tool Transfer
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
Domain Trust Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
Drive-by Compromise
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Modify Authentication Process
Ingress Tool Transfer
Cloud Accounts, Valid Accounts
Scheduled Task, Scheduled Task/Job
Impair Defenses, Disable or Modify Cloud Logs
Clipboard Data
Scheduled Task
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Valid Accounts
Unix Shell, Command and Scripting Interpreter
Password Spraying, Brute Force
Exploit Public-Facing Application
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Impair Defenses, Disable or Modify Cloud Logs
PowerShell, Command and Scripting Interpreter
Change Default File Association, Event Triggered Execution
PowerShell, Command and Scripting Interpreter
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
File and Directory Discovery
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
System Owner/User Discovery
Compiled HTML File, System Binary Proxy Execution
Cloud Account, Create Account
Windows Management Instrumentation
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
User Execution
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Account Discovery, Domain Account
Compromise Software Supply Chain, Supply Chain Compromise
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Exploit Public-Facing Application
Steal or Forge Kerberos Tickets
Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares
Cloud Accounts, Valid Accounts
Valid Accounts
Command and Scripting Interpreter, Windows Command Shell
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Service Stop
Exploit Public-Facing Application, External Remote Services
Security Account Manager, OS Credential Dumping
Process Injection
Process Injection
Rename System Utilities, Masquerading
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Modify Registry
Launch Agent, Create or Modify System Process
User Execution
Exploitation of Remote Services
Exploit Public-Facing Application
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Discovery, Domain Account
Exploitation of Remote Services
Steal or Forge Authentication Certificates
Domain or Tenant Policy Modification
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Exploit Public-Facing Application
Service Stop
Remote Email Collection
Exploitation for Privilege Escalation
Inhibit System Recovery
Spearphishing Attachment, Phishing
Exploitation of Remote Services
Command and Scripting Interpreter, JavaScript
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Compiled HTML File
Security Account Manager
Email Collection
Scheduled Task, Scheduled Task/Job
Steal or Forge Kerberos Tickets, Kerberoasting
Malicious File, User Execution
Process Injection
DCSync, OS Credential Dumping
Modify Registry
Visual Basic, Command and Scripting Interpreter
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Modify Registry
Password Spraying, Brute Force
Data Destruction
Brute Force, Password Guessing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
InstallUtil, System Binary Proxy Execution
Domain Account, Account Discovery
Service Stop
Process Injection
Modify Registry
Scheduled Task
Access Token Manipulation, SID-History Injection
Server Software Component, Web Shell
Remote Services, Windows Remote Management
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Brute Force, Credential Stuffing
Exploit Public-Facing Application
Windows Management Instrumentation
Account Manipulation, Device Registration
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Account Discovery
Modify Registry
Account Discovery
Email Collection, Remote Email Collection
Valid Accounts, Default Accounts, Modify Authentication Process
Steal or Forge Kerberos Tickets, Kerberoasting
Account Manipulation, Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Automated Collection
Lateral Tool Transfer
System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Malicious Image, User Execution
Disable or Modify Cloud Firewall, Impair Defenses
SSH Authorized Keys, Account Manipulation
Gather Victim Host Information
Local Account, Create Account
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Account Discovery, Domain Account, User Execution, Malicious File
Exploitation for Privilege Escalation
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Network Denial of Service, Reflection Amplification
Spearphishing Attachment, Phishing
Email Collection, Local Email Collection
Remote Access Software
Disable or Modify Cloud Logs, Impair Defenses
System Owner/User Discovery
DLL Search Order Hijacking, Hijack Execution Flow
Inhibit System Recovery
Remote Email Collection, Email Collection
Scheduled Task/Job
System Information Discovery, Rootkit
Automated Exfiltration
Account Discovery, Local Account, PowerShell
Valid Accounts
Modify Registry
Phishing, Spearphishing Link
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Browser Session Hijacking
System Firmware, Pre-OS Boot
Account Manipulation, Device Registration
Security Account Manager, OS Credential Dumping
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Server Software Component, IIS Components
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Create or Modify System Process, Windows Service
Abuse Elevation Control Mechanism
Steal or Forge Authentication Certificates
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Obfuscated Files or Information
Cloud Service Discovery
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Odbcconf
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Command and Scripting Interpreter
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Odbcconf
User Execution
File and Directory Permissions Modification
Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Steal Application Access Token
Account Manipulation, Additional Cloud Roles
System Binary Proxy Execution, Rundll32
Remote Email Collection
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Data from Cloud Storage
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Remote Services, Windows Remote Management
Process Injection, Portable Executable Injection
Local Account, Create Account
Disable or Modify Cloud Firewall, Impair Defenses
Remote Services, Windows Remote Management
Valid Accounts
Disable or Modify Tools, Impair Defenses
System Information Discovery
Security Account Manager
Use Alternate Authentication Material
Steal or Forge Kerberos Tickets
Modify Registry
Disable or Modify Cloud Logs, Impair Defenses
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
Domain Trust Discovery, PowerShell
IP Addresses, Gather Victim Network Information
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
File Deletion, Indicator Removal
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Replication Through Removable Media
Phishing, Spearphishing Attachment
Compromise Software Supply Chain
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Password Policy Discovery
Visual Basic, Command and Scripting Interpreter
Server Software Component, IIS Components
Domain or Tenant Policy Modification, Trust Modification
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Password Spraying, Brute Force
Account Manipulation, Additional Email Delegate Permissions
Scheduled Task, Scheduled Task/Job
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Spearphishing Attachment, Phishing
Windows Management Instrumentation
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Remote System Discovery
User Execution
Indicator Removal
Valid Accounts, Default Accounts
Remote System Discovery
Inhibit System Recovery
Obfuscated Files or Information, Indicator Removal from Tools
Kerberoasting
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Phishing
Steal or Forge Kerberos Tickets, Kerberoasting
Remote System Discovery
System Binary Proxy Execution, CMSTP
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Command and Scripting Interpreter, PowerShell
Drive-by Compromise
Domain Account, Account Discovery
Modify Registry
Phishing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Modify Registry
Domain Generation Algorithms
Remote Desktop Protocol, Remote Services
Transfer Data to Cloud Account
Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
SIP and Trust Provider Hijacking
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Remote System Discovery
Cloud Account
Disable or Modify Tools, Impair Defenses
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Disable or Modify Cloud Logs, Impair Defenses
User Execution
Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Visual Basic, Command and Scripting Interpreter
Remote Access Software
Cloud Account
Account Discovery, Local Account, PowerShell
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
System Binary Proxy Execution, CMSTP
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
User Execution
Exploitation for Privilege Escalation
Modify Registry
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Event Triggered Execution
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Disable or Modify Tools
Remote Services, Distributed Component Object Model
Screen Capture
Remote Services, Distributed Component Object Model, MMC
Remote System Discovery
SSH Authorized Keys
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Account Manipulation, Additional Cloud Roles
Exploit Public-Facing Application
Command and Scripting Interpreter, Visual Basic
User Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Data Destruction
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Phishing, Spearphishing Attachment
Steal or Forge Kerberos Tickets, AS-REP Roasting
Additional Email Delegate Permissions, Additional Cloud Roles
Indicator Removal, Clear Windows Event Logs
Clipboard Data
Permission Groups Discovery, Domain Groups
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Remote System Discovery
Windows Command Shell
Create or Modify System Process
Valid Accounts
User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
Install Root Certificate, Subvert Trust Controls
Valid Accounts
Cloud Account
Account Manipulation, Valid Accounts
Data Destruction
Steal or Forge Kerberos Tickets, AS-REP Roasting
Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Scheduled Task, Scheduled Task/Job
User Execution
Windows Management Instrumentation
Ingress Tool Transfer
Malicious Image, User Execution
Network Service Discovery
Remote Services, Windows Remote Management
Modify Registry
Cloud Account, Create Account
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Data Encrypted for Impact
PowerShell, Ingress Tool Transfer, Fileless Storage
Steal or Forge Kerberos Tickets
Modify Registry, OS Credential Dumping
Permission Groups Discovery, Domain Groups
Cloud Accounts, Valid Accounts
Unsecured Credentials, Group Policy Preferences
Command and Scripting Interpreter, JavaScript
Domain Account, Account Discovery
File and Directory Permissions Modification
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
Transfer Data to Cloud Account
System Information Discovery
Phishing, Spearphishing Attachment
Account Manipulation, Additional Cloud Credentials
Command and Scripting Interpreter, PowerShell
Exfiltration Over Alternative Protocol
User Execution
Steal or Forge Authentication Certificates
System Binary Proxy Execution, Regsvr32
Modify Authentication Process
Valid Accounts, Default Accounts
Cloud Account
Exploit Public-Facing Application, External Remote Services
Account Manipulation
DLL Side-Loading, Hijack Execution Flow
Command and Scripting Interpreter, PowerShell
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Exploit Public-Facing Application
Exploit Public-Facing Application
Valid Accounts
Windows Management Instrumentation
System Owner/User Discovery
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Brute Force
Password Policy Discovery
Steal or Forge Authentication Certificates
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Ingress Tool Transfer
Mark-of-the-Web Bypass
Spearphishing Attachment, Phishing
Disable or Modify Tools, Impair Defenses
Disk Structure Wipe, Disk Wipe
Command and Scripting Interpreter
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
Exploitation for Client Execution
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Local Accounts, Credentials In Files
Rogue Domain Controller
Security Account Manager
Disable or Modify Tools, Impair Defenses
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer
Cached Domain Credentials, OS Credential Dumping
Container API
GUI Input Capture, Input Capture
Disable or Modify Tools, Impair Defenses
Network Share Discovery, Valid Accounts
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Create Account, Cloud Account
Disable or Modify Tools, Impair Defenses, Modify Registry
Kerberoasting
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Phishing, Spearphishing Attachment
Additional Email Delegate Permissions, Additional Cloud Roles
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Unused/Unsupported Cloud Regions
Network Service Discovery
Remote System Discovery
Hardware, Gather Victim Host Information
Steal or Forge Authentication Certificates
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Rootkit, Exploitation for Privilege Escalation
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
DLL Side-Loading, Hijack Execution Flow
Password Policy Discovery
Transfer Data to Cloud Account
Credentials, Gather Victim Identity Information
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Abuse Elevation Control Mechanism
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Remote System Discovery
System Owner/User Discovery
System Owner/User Discovery
Brute Force, Password Spraying, Credential Stuffing
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Boot or Logon Initialization Scripts, Logon Script (Windows)
Process Injection, Portable Executable Injection
Create or Modify System Process, Windows Service
Indirect Command Execution
Cloud Accounts, Valid Accounts
Credentials in Registry, Unsecured Credentials
Transfer Data to Cloud Account
Windows Service
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
LSASS Memory, OS Credential Dumping
Cloud Accounts
Remote Access Software
Modify Registry
Password Policy Discovery
Remote System Discovery
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Domain Account, Account Discovery
Compromise Accounts, Cloud Accounts, Brute Force
Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Mshta
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
SIP and Trust Provider Hijacking
Exploit Public-Facing Application, External Remote Services
Msiexec
Cloud Service Discovery
Email Collection, Local Email Collection
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Transfer Data to Cloud Account
Obfuscated Files or Information
Windows Service, Create or Modify System Process
Malicious Image, User Execution
System Binary Proxy Execution, CMSTP
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Steal or Forge Authentication Certificates
Service Stop
Disable or Modify Tools, Impair Defenses
Data from Cloud Storage
Trusted Developer Utilities Proxy Execution
IIS Components, Server Software Component
System Binary Proxy Execution
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation
Malicious Image, User Execution
Malicious Image, User Execution
Cloud Groups, Account Manipulation, Permission Groups Discovery
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
Password Spraying, Brute Force
Password Spraying, Brute Force
Vulnerability Scanning, Network Service Discovery
Network Service Discovery
Network Service Discovery
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Windows Service
Cloud Service Discovery
Password Policy Discovery
Network Share Discovery, Data from Network Shared Drive
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Exfiltration Over Unencrypted Non-C2 Protocol
Malicious Image, User Execution
Malicious Image, User Execution
LSASS Memory
PowerShell
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Masquerading
Phishing
Malicious File
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
PowerShell, Windows Command Shell
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Cloud Service Discovery
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory
Hidden Files and Directories
Create Account
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
Masquerading
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Modify Registry
Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
DLL Side-Loading
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Indicator Removal
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Modify Registry
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Access Token Manipulation, Token Impersonation/Theft
Access Token Manipulation, Token Impersonation/Theft
Services Registry Permissions Weakness
Web Session Cookie, Cloud Service Dashboard
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
Regsvr32, Modify Registry
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Pre-OS Boot, Registry Run Keys / Startup Folder
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Mavinject, System Binary Proxy Execution
Mavinject, System Binary Proxy Execution
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Msiexec, System Binary Proxy Execution
Msiexec, System Binary Proxy Execution
Hidden Window
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Modify Registry
Valid Accounts, Brute Force
Time Based Evasion, Virtualization/Sandbox Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Trust Modification
Impair Defenses, Disable or Modify Tools
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Modify Registry
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
SIP and Trust Provider Hijacking
Process Injection
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Process Injection
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Indicator Removal
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
HTML Smuggling
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Deobfuscate/Decode Files or Information
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Modify Registry
DLL Side-Loading, Boot or Logon Autostart Execution
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
XSL Script Processing
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Modify Registry
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Use Alternate Authentication Material
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Process Injection
Process Injection, Dynamic-link Library Injection
Process Injection, Dynamic-link Library Injection
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Hidden Window
Indicator Removal, Network Share Connection Removal
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Valid Accounts
Domain or Tenant Policy Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Unused/Unsupported Cloud Regions
Impair Defenses
Phishing, Modify Registry
Process Injection
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
System Binary Proxy Execution
Modify Registry
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Valid Accounts
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Modify Registry
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Process Injection
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Abuse Elevation Control Mechanism
Impair Defenses, PowerShell, Command and Scripting Interpreter
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Valid Accounts
Obfuscated Files or Information
Fileless Storage, Obfuscated Files or Information
Fileless Storage, Obfuscated Files or Information
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Process Injection
Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Valid Accounts
Modify Registry
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Plist File Modification
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Modify Registry
Valid Accounts
Rootkit, Exploitation for Privilege Escalation
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Obfuscated Files or Information, Unix Shell
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Registry
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Dynamic-link Library Injection, Process Injection
Dynamic-link Library Injection, Process Injection
Masquerading
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Verclsid, System Binary Proxy Execution
Verclsid, System Binary Proxy Execution
Cloud Accounts
Account Manipulation, Valid Accounts
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Registry
Valid Accounts
Rogue Domain Controller
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
System Binary Proxy Execution, Control Panel
Process Injection
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compile After Delivery, Obfuscated Files or Information
Compile After Delivery, Obfuscated Files or Information
Process Injection
Bypass User Account Control
TFTP Boot, Pre-OS Boot
TFTP Boot, Pre-OS Boot
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Modify Registry
Process Injection
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
BITS Jobs, Ingress Tool Transfer
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
Create Process with Token, Access Token Manipulation
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Indicator Removal
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Odbcconf
Account Manipulation, Valid Accounts
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
Use Alternate Authentication Material
OS Credential Dumping, DCSync, Rogue Domain Controller
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Impair Defenses, Disable or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Valid Accounts
Clear Windows Event Logs, Indicator Removal
Clear Windows Event Logs, Indicator Removal
Masquerading
Modify Registry
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Cloud Compute Configurations
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Rogue Domain Controller
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, Process Injection, PowerShell
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
System Script Proxy Execution, System Binary Proxy Execution
System Script Proxy Execution, System Binary Proxy Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Process Injection
System Binary Proxy Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Modify Registry
Hidden Window, Run Virtual Instance
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Authentication Process
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Valid Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
DLL Side-Loading
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Process Injection
Process Injection
Rename System Utilities, Masquerading
Rename System Utilities, Masquerading
Modify Registry
Domain or Tenant Policy Modification
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Process Injection
Modify Registry
Modify Registry
Modify Registry
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Process Injection
Modify Registry
Access Token Manipulation, SID-History Injection
Access Token Manipulation, SID-History Injection
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Modify Registry
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Access Token Manipulation
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Modify Registry
Modify Registry
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
System Information Discovery, Rootkit
Valid Accounts
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Firmware, Pre-OS Boot
System Firmware, Pre-OS Boot
Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Obfuscated Files or Information
Valid Accounts
Odbcconf
Odbcconf
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Valid Accounts
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Use Alternate Authentication Material
Modify Registry
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
Regsvr32, System Binary Proxy Execution
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Trust Modification
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Msiexec, System Binary Proxy Execution
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Masquerade Task or Service, Masquerading
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Indicator Removal
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Obfuscated Files or Information, Indicator Removal from Tools
Obfuscated Files or Information, Indicator Removal from Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
Modify Registry
Modify Registry
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
SIP and Trust Provider Hijacking
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild, Trusted Developer Utilities Proxy Execution
Modify Registry
Modify Registry
Modify Registry
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Disable or Modify Tools
Remote Services, Distributed Component Object Model, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Valid Accounts
Account Manipulation, Valid Accounts
Modify Registry
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
PowerShell, Ingress Tool Transfer, Fileless Storage
Modify Registry, OS Credential Dumping
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
File and Directory Permissions Modification
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Modify Authentication Process
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Mark-of-the-Web Bypass
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Local Accounts, Credentials In Files
Rogue Domain Controller
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Network Share Discovery, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Unused/Unsupported Cloud Regions
Rootkit, Exploitation for Privilege Escalation
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Obfuscated Files or Information, Fileless Storage
File Deletion, Indicator Removal
File Deletion, Indicator Removal
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Abuse Elevation Control Mechanism
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Indirect Command Execution
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Modify Registry
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
SIP and Trust Provider Hijacking
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Obfuscated Files or Information
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Trusted Developer Utilities Proxy Execution
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
System Binary Proxy Execution
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Valid Accounts
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading
File and Directory Permissions Modification
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
BITS Jobs
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Indicator Removal
File and Directory Permissions Modification
Service Stop, Valid Accounts
File and Directory Permissions Modification
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Disable or Modify System Firewall
Rename System Utilities
Use Alternate Authentication Material, Pass the Hash
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Masquerading
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Hidden Files and Directories
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Masquerading
Modify Registry
Domain Trust Discovery
Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
User Execution
Disable or Modify Tools, Impair Defenses
Modify Registry
Indicator Removal
Local Groups
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Virtualization/Sandbox Evasion, Time Based Evasion
Spearphishing Attachment, Phishing
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Modify Registry
Modify Registry
Trusted Developer Utilities Proxy Execution, MSBuild
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
RC Scripts, Boot or Logon Initialization Scripts
System Binary Proxy Execution, Rundll32
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Private Keys, Unsecured Credentials
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Access Token Manipulation, Token Impersonation/Theft
Services Registry Permissions Weakness
Use Alternate Authentication Material, Pass the Ticket
Regsvr32, Modify Registry
Port Monitors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Regsvr32
Pre-OS Boot, Registry Run Keys / Startup Folder
Systemd Timers, Scheduled Task/Job
Data Encrypted for Impact
Mavinject, System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable or Modify Tools, Impair Defenses
Remote Services
Msiexec, System Binary Proxy Execution
Hidden Window
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Phishing, Spearphishing Attachment
Setuid and Setgid, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvr32
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Modify Registry
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Command and Scripting Interpreter
Right-to-Left Override, Masquerading
System Information Discovery
Unsecured Credentials, Group Policy Preferences
System Binary Proxy Execution, Compiled HTML File
Permission Groups Discovery, Domain Groups
Modify Registry
Unix Shell, Command and Scripting Interpreter
Data Staged
Permission Groups Discovery, Domain Groups
Time Based Evasion, Virtualization/Sandbox Evasion
Credentials in Registry, Unsecured Credentials
Ingress Tool Transfer
Protocol Tunneling, Proxy, Web Service
Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Tools
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Password Managers
Msiexec
System Shutdown/Reboot
Disable or Modify Tools, Impair Defenses
Service Stop
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Modify Registry
System Network Connections Discovery
Spearphishing Attachment
SIP and Trust Provider Hijacking
Process Injection
Spearphishing Attachment, Phishing
Security Support Provider, Boot or Logon Autostart Execution
Disable or Modify System Firewall, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Indirect Command Execution
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter
Process Injection
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Active Setup, Boot or Logon Autostart Execution
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Credentials from Password Stores
Print Processors, Boot or Logon Autostart Execution
File and Directory Permissions Modification
Disable or Modify Cloud Firewall, Impair Defenses
Systemd Timers, Scheduled Task/Job
Deobfuscate/Decode Files or Information
Modify Registry
Data Destruction
OS Credential Dumping
User Execution, Malicious File
Command and Scripting Interpreter
Domain Account, Account Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Credentials from Web Browsers, Credentials from Password Stores
Steal or Forge Authentication Certificates, Archive Collected Data
XSL Script Processing
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Rundll32
Remote System Discovery
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Modify Registry
Phishing, Spearphishing Attachment
Cron, Scheduled Task/Job
Server Software Component, IIS Components
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Internal Proxy, Proxy
Abuse Elevation Control Mechanism, Bypass User Account Control
PowerShell, Command and Scripting Interpreter
Process Injection
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Exploit Public-Facing Application, External Remote Services
Query Registry
Modify Registry
System Binary Proxy Execution, Regsvcs/Regasm
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
LSASS Memory
Domain Account, Account Discovery
Masquerading, Rename System Utilities
Data Destruction
Bypass User Account Control, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
Cron, Scheduled Task/Job
Bypass User Account Control, Abuse Elevation Control Mechanism
Hidden Window
Inhibit System Recovery
Indicator Removal, Network Share Connection Removal
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Automated Exfiltration
Phishing, Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Ingress Tool Transfer
Modify Registry
Hardware Additions
Service Stop
Masquerading, Rename System Utilities
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
Password Policy Discovery
LSASS Memory, OS Credential Dumping
Remote System Discovery
Server Software Component, IIS Components
At, Scheduled Task/Job
Remote System Discovery
Account Discovery, Local Account
Modify Registry
Process Injection
Print Processors, Boot or Logon Autostart Execution
Archive via Utility, Archive Collected Data
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
InstallUtil, System Binary Proxy Execution
Parent PID Spoofing, Access Token Manipulation
/etc/passwd and /etc/shadow, OS Credential Dumping
Event Triggered Execution, Accessibility Features
Phishing, Spearphishing Attachment
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Service Stop
Disable or Modify Tools, Impair Defenses
Domain or Tenant Policy Modification, Group Policy Modification
Windows Management Instrumentation Event Subscription
Modify Registry
Disable or Modify Tools, Impair Defenses
Remote System Discovery
System Binary Proxy Execution, Regsvcs/Regasm
Phishing, Spearphishing Attachment
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Protocol Tunneling, SSH
SSH Authorized Keys, Account Manipulation
System Binary Proxy Execution, Compiled HTML File
DLL Side-Loading, Hijack Execution Flow
System Binary Proxy Execution, Mshta
System Network Configuration Discovery
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, At
LSA Secrets
Right-to-Left Override, Masquerading
Permission Groups Discovery, Domain Groups
Virtualization/Sandbox Evasion, Time Based Evasion
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Command Shell, Command and Scripting Interpreter
Screen Capture
Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Remote Access Software
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
System Binary Proxy Execution, Rundll32
Remote Desktop Protocol, Remote Services
Account Access Removal
System Owner/User Discovery
Fileless Storage, Obfuscated Files or Information
System Binary Proxy Execution, Rundll32
System Owner/User Discovery
Ingress Tool Transfer
Security Account Manager, OS Credential Dumping
Account Discovery, Local Account
Data Destruction, File Deletion, Indicator Removal
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Local Account, Create Account
Disable or Modify Tools, Impair Defenses
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Spearphishing Attachment, Phishing
System Network Connections Discovery
Remote Services, SMB/Windows Admin Shares
Disable or Modify Tools, Impair Defenses
Modify Registry
Inhibit System Recovery
Permission Groups Discovery, Domain Groups
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Inhibit System Recovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Data Destruction
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
System Binary Proxy Execution, Rundll32
Account Discovery, Local Account
Modify Registry
Data Destruction
Permission Groups Discovery, Domain Groups
Remote Desktop Protocol, Remote Services
Domain Account, Account Discovery
System Binary Proxy Execution, Mshta
System Shutdown/Reboot
Obfuscated Files or Information, Unix Shell
Permission Groups Discovery, Local Groups
Command and Scripting Interpreter, Windows Command Shell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Modify Registry
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
DLL Side-Loading, Hijack Execution Flow
Windows Management Instrumentation
Archive via Utility, Archive Collected Data
Data Destruction
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, Regsvr32
Gather Victim Host Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Modify Registry
BITS Jobs
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Create or Modify System Process, Windows Service
Modify Registry
Disable or Modify System Firewall, Impair Defenses
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Permission Groups Discovery, Local Groups
System Time Discovery
Command and Scripting Interpreter, Component Object Model
Masquerading
System Binary Proxy Execution, Mshta
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
User Execution
Verclsid, System Binary Proxy Execution
Screen Capture
Permission Groups Discovery, Local Groups
Domain Trust Discovery
User Execution
Data Destruction, File Deletion, Indicator Removal
Modify Registry
System Binary Proxy Execution, Rundll32
Modify Registry
Account Access Removal
Disable or Modify Tools, Impair Defenses
System Binary Proxy Execution, Control Panel
Domain Account, Account Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
Windows Service, Create or Modify System Process
Compile After Delivery, Obfuscated Files or Information
Exploitation for Privilege Escalation
System Shutdown/Reboot
Remote Services, Distributed Component Object Model
Process Injection
Query Registry
Bypass User Account Control
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
NTDS, OS Credential Dumping
At, Scheduled Task/Job
Modify Registry
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell
Process Injection
Exploit Public-Facing Application
Permission Groups Discovery, Domain Groups
System Binary Proxy Execution, Rundll32
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Service Stop
Process Discovery
Kernel Modules and Extensions
Security Account Manager, OS Credential Dumping
Data Encrypted for Impact
NTDS, OS Credential Dumping
Windows Command Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Indicator Removal
Ingress Tool Transfer
Archive via Utility, Archive Collected Data
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Server Software Component, Web Shell
Disable or Modify Tools, Impair Defenses
System Owner/User Discovery
Odbcconf
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Data Destruction, File Deletion, Indicator Removal
System Binary Proxy Execution
System Network Connections Discovery
System Network Configuration Discovery, Internet Connection Discovery
Path Interception by Unquoted Path, Hijack Execution Flow
Use Alternate Authentication Material
Obfuscated Files or Information
Indirect Command Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Proxy, Non-Application Layer Protocol
Password Policy Discovery
Cron, Scheduled Task/Job
Impair Defenses, Disable or Modify System Firewall
Modify Registry
System Network Configuration Discovery
Phishing, Spearphishing Attachment
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Application Shimming, Event Triggered Execution
System Binary Proxy Execution, Regsvcs/Regasm
Modify Registry
User Execution, Malicious File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Authentication Process
Clear Windows Event Logs, Indicator Removal
Exfiltration Over Alternative Protocol
Masquerading
Modify Registry
System Owner/User Discovery
Password Policy Discovery
Command and Scripting Interpreter, PowerShell
Image File Execution Options Injection, Event Triggered Execution
Phishing, Spearphishing Attachment
Ingress Tool Transfer
Credentials from Password Stores
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Inhibit System Recovery
Component Object Model Hijacking, Event Triggered Execution
Masquerading
System Script Proxy Execution, System Binary Proxy Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Process Injection
System Binary Proxy Execution
Domain Trust Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Ingress Tool Transfer, Domain Groups
NTDS, OS Credential Dumping
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell
Systemd Timers, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Modify Registry
System Network Configuration Discovery
Ingress Tool Transfer
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Hidden Window, Run Virtual Instance
Disable or Modify Cloud Firewall, Impair Defenses
File Deletion, Indicator Removal
Domain Trust Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
System Network Connections Discovery
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Mshta
Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify Tools, Impair Defenses
Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Clipboard Data
Phishing, Spearphishing Attachment
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
System Binary Proxy Execution, Rundll32
Change Default File Association, Event Triggered Execution
BITS Jobs
System Owner/User Discovery
Compiled HTML File, System Binary Proxy Execution
Windows Management Instrumentation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Archive via Utility, Archive Collected Data
Disable or Modify Tools, Impair Defenses, Modify Registry
Command and Scripting Interpreter, Windows Command Shell
Security Account Manager, OS Credential Dumping
Process Injection
Process Injection
Rename System Utilities, Masquerading
Modify Registry
Launch Agent, Create or Modify System Process
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
DLL Side-Loading, Hijack Execution Flow
Service Stop
Inhibit System Recovery
Command and Scripting Interpreter, JavaScript
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Compiled HTML File
Malicious File, User Execution
Modify Registry
Modify Registry
Credentials from Password Stores
Unix Shell Configuration Modification, Event Triggered Execution
Data Destruction
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Hide Artifacts, NTFS File Attributes
InstallUtil, System Binary Proxy Execution
Domain Account, Account Discovery
Service Stop
Modify Registry
Scheduled Task
Server Software Component, Web Shell
Remote Services, Windows Remote Management
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Management Instrumentation
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Modify Registry
Disable or Modify Tools, Impair Defenses
Lateral Tool Transfer
Disable or Modify Tools, Impair Defenses
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Command and Scripting Interpreter
SSH Authorized Keys, Account Manipulation
File and Directory Permissions Modification
Exploitation for Privilege Escalation
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Email Collection, Local Email Collection
Remote Access Software
System Owner/User Discovery
Inhibit System Recovery
System Information Discovery, Rootkit
Automated Exfiltration
Phishing, Spearphishing Link
Disable or Modify Tools, Impair Defenses
Security Account Manager, OS Credential Dumping
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Steal or Forge Authentication Certificates
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Obfuscated Files or Information
Odbcconf
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Odbcconf
File and Directory Permissions Modification
Cron, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Service Stop
Scheduled Task, Command and Scripting Interpreter
Service Stop
InstallUtil, System Binary Proxy Execution
Disable or Modify Tools, Impair Defenses, Modify Registry
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Dynamic Linker Hijacking, Hijack Execution Flow
Internal Proxy, Proxy
Remote Services, Windows Remote Management
Disable or Modify Tools, Impair Defenses
System Information Discovery
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Regsvr32, System Binary Proxy Execution
File Deletion, Indicator Removal
Replication Through Removable Media
Compromise Software Supply Chain
System Binary Proxy Execution, Mshta
Data Encrypted for Impact
Password Policy Discovery
Visual Basic, Command and Scripting Interpreter
Msiexec, System Binary Proxy Execution
Masquerade Task or Service, Masquerading
Print Processors, Boot or Logon Autostart Execution
Scheduled Task, Scheduled Task/Job
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Process Injection
Disable or Modify Tools, Impair Defenses, Modify Registry
Inhibit System Recovery
Disable or Modify Tools
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Indicator Removal
Remote System Discovery
Inhibit System Recovery
Kerberoasting
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry
Remote System Discovery
Command and Scripting Interpreter, PowerShell
Modify Registry
Modify Registry
Remote Desktop Protocol, Remote Services
Exploit Public-Facing Application, External Remote Services
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Time Providers, Boot or Logon Autostart Execution
Command and Scripting Interpreter
Event Triggered Execution, Screensaver
Exploit Public-Facing Application
Remote Access Software
Indicator Removal, Clear Windows Event Logs
MSBuild, Trusted Developer Utilities Proxy Execution
Modify Registry
Modify Registry
Modify Registry
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets
XSL Script Processing
Scheduled Task, Impair Defenses
Process Injection
Screen Capture
Remote Services, Distributed Component Object Model, MMC
SSH Authorized Keys
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Bypass User Account Control, Abuse Elevation Control Mechanism
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Indicator Removal
Permission Groups Discovery, Domain Groups
Remote System Discovery
Windows Command Shell
Create or Modify System Process
User Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Phishing, Spearphishing Attachment
Install Root Certificate, Subvert Trust Controls
Data Destruction
Scheduled Task, Scheduled Task/Job
Ingress Tool Transfer
Remote Services, Windows Remote Management
Modify Registry
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Registry, OS Credential Dumping
Command and Scripting Interpreter, JavaScript
File and Directory Permissions Modification
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
DLL Search Order Hijacking
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
System Information Discovery
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Regsvr32
Exploit Public-Facing Application, External Remote Services
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Windows Management Instrumentation
System Owner/User Discovery
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Disable or Modify System Firewall, Impair Defenses
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
System Services, Service Execution
System Binary Proxy Execution, Rundll32
Disable or Modify Tools, Impair Defenses
Ingress Tool Transfer
Cached Domain Credentials, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Domain Account, Account Discovery
LSASS Memory, OS Credential Dumping
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Scheduled Task, Scheduled Task/Job
Unix Shell
Modify Registry
Phishing, Spearphishing Attachment
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Steal or Forge Authentication Certificates
Disable or Modify System Firewall, Impair Defenses
Obfuscated Files or Information, Fileless Storage
Remote System Discovery
File Deletion, Indicator Removal
Phishing, Spearphishing Attachment
Data Destruction, File Deletion, Indicator Removal
Windows Management Instrumentation
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
System Owner/User Discovery
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Boot or Logon Initialization Scripts, Logon Script (Windows)
Create or Modify System Process, Windows Service
Indirect Command Execution
Credentials in Registry, Unsecured Credentials
Disable or Modify Tools, Impair Defenses
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Modify Registry
System Binary Proxy Execution, Mshta
Application Shimming, Event Triggered Execution
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
Msiexec
Disable or Modify Tools, Impair Defenses
Obfuscated Files or Information
Steal or Forge Authentication Certificates
Service Stop
Disable or Modify Tools, Impair Defenses
Trusted Developer Utilities Proxy Execution
DLL Search Order Hijacking, Hijack Execution Flow
Network Share Discovery, Data from Network Shared Drive
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
PowerShell
Disable or Modify System Firewall
Rename System Utilities
Windows Command Shell
Malicious File
Change Default File Association
PowerShell, Windows Command Shell
Scheduled Task
Hidden Files and Directories
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Abuse Elevation Control Mechanism
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
DLL Side-Loading
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
RC Scripts, Boot or Logon Initialization Scripts
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Access Token Manipulation, Token Impersonation/Theft
Access Token Manipulation, Token Impersonation/Theft
Services Registry Permissions Weakness
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Port Monitors, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Pre-OS Boot, Registry Run Keys / Startup Folder
Cloud Groups, Account Manipulation, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Additional Cloud Roles
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Account Manipulation
Valid Accounts, Brute Force
Scheduled Task/Job
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Trust Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Account Manipulation
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Container Orchestration Job
Process Injection
Security Support Provider, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Scheduled Task/Job
Process Injection
Active Setup, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Account Manipulation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
DLL Side-Loading, Boot or Logon Autostart Execution
DLL Side-Loading, Boot or Logon Autostart Execution
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Process Injection
Process Injection, Dynamic-link Library Injection
Process Injection, Dynamic-link Library Injection
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Valid Accounts
Domain or Tenant Policy Modification
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Account Manipulation
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Process Injection
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
At, Scheduled Task/Job
At, Scheduled Task/Job
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Process Injection
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Parent PID Spoofing, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
Event Triggered Execution, Accessibility Features
Event Triggered Execution, Accessibility Features
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Windows Management Instrumentation Event Subscription
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Scheduled Task/Job, At
Scheduled Task/Job, At
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Account Manipulation
Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Process Injection
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Rootkit, Exploitation for Privilege Escalation
Account Manipulation
Account Manipulation
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Dynamic-link Library Injection, Process Injection
Dynamic-link Library Injection, Process Injection
Cloud Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Valid Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Process Injection
Create or Modify System Process
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Exploitation for Privilege Escalation
Process Injection
Bypass User Account Control
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
At, Scheduled Task/Job
At, Scheduled Task/Job
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Process Injection
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Abuse Elevation Control Mechanism
Create Process with Token, Access Token Manipulation
Create Process with Token, Access Token Manipulation
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Kernel Modules and Extensions
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploitation for Privilege Escalation
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Scheduled Task, PowerShell, Command and Scripting Interpreter
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Path Interception by Unquoted Path, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Image File Execution Options Injection, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Account Manipulation
Windows Service
Command and Scripting Interpreter, Process Injection, PowerShell
Additional Cloud Roles
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Process Injection
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Services Registry Permissions Weakness, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Valid Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Process Injection
Process Injection
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Domain or Tenant Policy Modification
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Exploitation for Privilege Escalation
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Process Injection
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Process Injection
Scheduled Task
Access Token Manipulation, SID-History Injection
Access Token Manipulation, SID-History Injection
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Access Token Manipulation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Scheduled Task/Job
Valid Accounts
Scheduled Task/Job
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Abuse Elevation Control Mechanism
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Scheduled Task, Command and Scripting Interpreter
Dynamic Linker Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Valid Accounts
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Trust Modification
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Process Injection
Process Injection
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Event Triggered Execution, Screensaver
Event Triggered Execution, Screensaver
Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Event Triggered Execution
Scheduled Task, Impair Defenses
Process Injection
SSH Authorized Keys
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Create or Modify System Process
Valid Accounts
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Process Injection
DLL Search Order Hijacking
Process Injection
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Account Manipulation
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
Local Accounts, Credentials In Files
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Network Share Discovery, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Rootkit, Exploitation for Privilege Escalation
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Abuse Elevation Control Mechanism
Boot or Logon Initialization Scripts, Logon Script (Windows)
Boot or Logon Initialization Scripts, Logon Script (Windows)
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Windows Service
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Windows Service
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Service Stop, Valid Accounts
Service Stop, Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Valid Accounts
Valid Accounts
Valid Accounts
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Scheduled Task
Valid Accounts
Cloud Accounts
Cloud Accounts
Domain Accounts
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Image File Execution Options Injection
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
DLL Side-Loading
Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Cloud Account
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
RC Scripts, Boot or Logon Initialization Scripts
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Exploit Public-Facing Application, External Remote Services
Services Registry Permissions Weakness
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Port Monitors, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Cloud Account
Pre-OS Boot, Registry Run Keys / Startup Folder
Pre-OS Boot, Registry Run Keys / Startup Folder
Cloud Groups, Account Manipulation, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
Cloud Account, Create Account
Cloud Account, Create Account
Exploit Public-Facing Application, External Remote Services
Valid Accounts, Brute Force
Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Account Manipulation
Container Orchestration Job
Security Support Provider, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Scheduled Task/Job
Active Setup, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Account Manipulation
Exploit Public-Facing Application, External Remote Services
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Side-Loading, Boot or Logon Autostart Execution
DLL Side-Loading, Boot or Logon Autostart Execution
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Server Software Component, IIS Components
Server Software Component, IIS Components
Cloud Account, Create Account
Cloud Account, Create Account
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Valid Accounts
Web Shell, External Remote Services
Web Shell, External Remote Services
Exploit Public-Facing Application, External Remote Services
Account Manipulation
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Valid Accounts
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Server Software Component, IIS Components
Server Software Component, IIS Components
At, Scheduled Task/Job
At, Scheduled Task/Job
Compromise Host Software Binary
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Event Triggered Execution, Accessibility Features
Event Triggered Execution, Accessibility Features
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Create Account, Cloud Account
Create Account, Cloud Account
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Scheduled Task/Job, At
Scheduled Task/Job, At
Account Manipulation
Account Manipulation
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Local Account, Create Account
Local Account, Create Account
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Account Manipulation
Exploit Public-Facing Application, External Remote Services
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Server Software Component, IIS Components
Server Software Component, IIS Components
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
BITS Jobs
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Exploit Public-Facing Application, External Remote Services
Cloud Account
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Cloud Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Exploit Public-Facing Application, External Remote Services
Valid Accounts
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Create or Modify System Process
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
TFTP Boot, Pre-OS Boot
TFTP Boot, Pre-OS Boot
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
At, Scheduled Task/Job
At, Scheduled Task/Job
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Scheduled Task
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
BITS Jobs, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Kernel Modules and Extensions
Compromise Host Software Binary
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Server Software Component, Web Shell
Server Software Component, Web Shell
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Scheduled Task, PowerShell, Command and Scripting Interpreter
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Path Interception by Unquoted Path, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cloud Account, Create Account
Cloud Account, Create Account
Exploit Public-Facing Application, External Remote Services
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Modify Authentication Process
Local Account, Create Account
Local Account, Create Account
Valid Accounts
System Information Discovery, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Image File Execution Options Injection, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Account Manipulation
Windows Service
Additional Cloud Roles
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Modify Authentication Process
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Valid Accounts
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
BITS Jobs
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading
Cloud Account, Create Account
Cloud Account, Create Account
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Exploit Public-Facing Application, External Remote Services
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Exploit Public-Facing Application, External Remote Services
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Scheduled Task
Server Software Component, Web Shell
Server Software Component, Web Shell
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Local Account, Create Account
Local Account, Create Account
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Scheduled Task/Job
Valid Accounts
Scheduled Task/Job
System Firmware, Pre-OS Boot
System Firmware, Pre-OS Boot
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Server Software Component, IIS Components
Server Software Component, IIS Components
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Scheduled Task, Command and Scripting Interpreter
Dynamic Linker Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Local Account, Create Account
Local Account, Create Account
Valid Accounts
Server Software Component, IIS Components
Server Software Component, IIS Components
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
Cloud Account
Kernel Modules and Extensions, Service Execution
Time Providers, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Event Triggered Execution, Screensaver
Event Triggered Execution, Screensaver
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Cloud Account
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Event Triggered Execution
Scheduled Task, Impair Defenses
SSH Authorized Keys
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Create or Modify System Process
Valid Accounts
Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Server Software Component, IIS Components
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Cloud Account, Create Account
Cloud Account, Create Account
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
DLL Search Order Hijacking
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Modify Authentication Process
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Cloud Account
Exploit Public-Facing Application, External Remote Services
Account Manipulation
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Local Account, Create Account
Local Account, Create Account
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
Local Accounts, Credentials In Files
Network Share Discovery, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application, External Remote Services
Create Account, Cloud Account
Create Account, Cloud Account
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Boot or Logon Initialization Scripts, Logon Script (Windows)
Boot or Logon Initialization Scripts, Logon Script (Windows)
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Windows Service
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Exploit Public-Facing Application, External Remote Services
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
IIS Components, Server Software Component
IIS Components, Server Software Component
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Local Account, Create Account
Local Account, Create Account
Local Account, Create Account
Local Account, Create Account
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Windows Service
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
BITS Jobs, Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
BITS Jobs
Service Stop, Valid Accounts
Service Stop, Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Valid Accounts
Valid Accounts
Valid Accounts
Change Default File Association
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Scheduled Task
Create Account
Valid Accounts
Cloud Accounts
Cloud Accounts
Domain Accounts
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Exploit Public-Facing Application
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Valid Accounts, Brute Force
Steal Application Access Token, Phishing, Spearphishing Link
Steal Application Access Token, Phishing, Spearphishing Link
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Drive-by Compromise
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts
Web Shell, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Phishing, Modify Registry
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Hardware Additions
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Valid Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Exploit Public-Facing Application
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Trusted Relationship
Exploit Public-Facing Application
Drive-by Compromise
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Drive-by Compromise
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Trusted Relationship
Valid Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Compromise Software Supply Chain
Exploit Public-Facing Application, Command and Scripting Interpreter
Cloud Accounts
Account Manipulation, Valid Accounts
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Drive-by Compromise
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Valid Accounts
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Phishing
Exploit Public-Facing Application
Exploit Public-Facing Application
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
Drive-by Compromise
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application
Account Manipulation, Valid Accounts
Exploit Public-Facing Application
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Valid Accounts
System Information Discovery, External Remote Services
Compromise Software Supply Chain
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Drive-by Compromise
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Drive-by Compromise
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Valid Accounts
Exploit Public-Facing Application
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Compromise Software Supply Chain, Supply Chain Compromise
Compromise Software Supply Chain, Supply Chain Compromise
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Exploit Public-Facing Application
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Exploit Public-Facing Application
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Exploit Public-Facing Application
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Valid Accounts
Phishing, Spearphishing Link
Phishing, Spearphishing Link
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Valid Accounts
Valid Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Replication Through Removable Media
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Compromise Software Supply Chain
Exploit Public-Facing Application
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Phishing
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Drive-by Compromise
Phishing
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Exploit Public-Facing Application
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Valid Accounts
Account Manipulation, Valid Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Local Accounts, Credentials In Files
Network Share Discovery, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
Service Stop, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Phishing
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Cloud Accounts
Domain Accounts
Password Spraying, Brute Force
Password Spraying, Brute Force
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Private Keys, Unsecured Credentials
Private Keys, Unsecured Credentials
Steal Application Access Token
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Exploitation for Credential Access
Steal Web Session Cookie
Brute Force, Password Guessing
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Password Spraying
Valid Accounts, Brute Force
Steal Application Access Token, Phishing, Spearphishing Link
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Password Spraying, Brute Force
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Password Managers
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Container API
Credentials from Password Stores
OS Credential Dumping
Credentials from Web Browsers, Credentials from Password Stores
Credentials from Web Browsers, Credentials from Password Stores
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Kerberos Tickets, Golden Ticket
Steal or Forge Kerberos Tickets, Golden Ticket
Steal Application Access Token
Multi-Factor Authentication Request Generation
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
LSASS Memory
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Forced Authentication
Steal or Forge Authentication Certificates
OS Credential Dumping, PowerShell
Password Spraying, Brute Force
Password Spraying, Brute Force
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Steal Application Access Token
Password Spraying, Brute Force
Password Spraying, Brute Force
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Container API
Password Spraying, Brute Force
Password Spraying, Brute Force
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
Password Guessing, Brute Force
Password Guessing, Brute Force
/etc/passwd and /etc/shadow, OS Credential Dumping
/etc/passwd and /etc/shadow, OS Credential Dumping
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal or Forge Authentication Certificates
LSA Secrets
Steal Application Access Token
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Network Sniffing
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Unsecured Credentials
Steal Application Access Token
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Container API
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Remote Access Software, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Security Account Manager
Steal or Forge Kerberos Tickets
Multi-Factor Authentication Request Generation
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Exploitation for Credential Access
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
OS Credential Dumping, DCSync, Rogue Domain Controller
OS Credential Dumping, DCSync, Rogue Domain Controller
Multi-Factor Authentication Request Generation
Modify Authentication Process
Password Spraying, Brute Force
Password Spraying, Brute Force
Exploitation for Credential Access
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Multi-Factor Authentication Request Generation
Password Spraying, Brute Force
Password Spraying, Brute Force
Credentials from Password Stores
Steal Application Access Token
Steal or Forge Kerberos Tickets
Brute Force
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Password Spraying, Brute Force
Password Spraying, Brute Force
Modify Authentication Process
Password Spraying, Brute Force
Password Spraying, Brute Force
Steal or Forge Kerberos Tickets
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Steal or Forge Authentication Certificates
Security Account Manager
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Credentials from Password Stores
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force, Password Guessing
Brute Force, Password Guessing
Brute Force, Credential Stuffing
Brute Force, Credential Stuffing
Valid Accounts, Default Accounts, Modify Authentication Process
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal or Forge Authentication Certificates
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Steal Application Access Token
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Security Account Manager
Steal or Forge Kerberos Tickets
Password Spraying, Brute Force
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Steal or Forge Kerberos Tickets
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Password Spraying, Brute Force
Password Spraying, Brute Force
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets
Modify Registry, OS Credential Dumping
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Steal or Forge Authentication Certificates
Modify Authentication Process
Brute Force
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Local Accounts, Credentials In Files
Security Account Manager
Cached Domain Credentials, OS Credential Dumping
Cached Domain Credentials, OS Credential Dumping
Container API
GUI Input Capture, Input Capture
GUI Input Capture, Input Capture
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Kerberoasting
Steal or Forge Authentication Certificates
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Brute Force
Steal or Forge Authentication Certificates
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Steal or Forge Authentication Certificates
Password Spraying, Valid Accounts, Default Accounts
Kerberoasting
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Brute Force
Brute Force
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
OS Credential Dumping, Security Account Manager
OS Credential Dumping, Security Account Manager
LSASS Memory
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
Windows Management Instrumentation
User Execution
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
PowerShell, Ingress Tool Transfer
User Execution
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Windows Management Instrumentation
Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Unix Shell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Scheduled Task/Job
Exploitation for Client Execution
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Container Orchestration Job
User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Command and Scripting Interpreter
Scheduled Task/Job
User Execution
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
User Execution, Malicious File
User Execution, Malicious File
Command and Scripting Interpreter
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
User Execution
User Execution
User Execution
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
User Execution
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
OS Credential Dumping, PowerShell
Windows Management Instrumentation
User Execution
User Execution
Malicious Image, User Execution
Malicious Image, User Execution
User Execution
User Execution, Malicious File
User Execution, Malicious File
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
System Services, Service Execution
System Services, Service Execution
At, Scheduled Task/Job
At, Scheduled Task/Job
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Impair Defenses, PowerShell, Command and Scripting Interpreter
Impair Defenses, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
User Execution
Scheduled Task/Job, At
Scheduled Task/Job, At
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell, Command and Scripting Interpreter
Malicious Image, User Execution
Malicious Image, User Execution
Windows Management Instrumentation
Exploitation for Client Execution
Obfuscated Files or Information, Unix Shell
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Windows Management Instrumentation
Windows Management Instrumentation
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Component Object Model
Command and Scripting Interpreter, Component Object Model
User Execution
Command and Scripting Interpreter
System Services, Service Execution
System Services, Service Execution
User Execution
Exploit Public-Facing Application, Command and Scripting Interpreter
User Execution
System Services, Service Execution
System Services, Service Execution
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Shared Modules
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Command and Scripting Interpreter
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
At, Scheduled Task/Job
At, Scheduled Task/Job
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Scheduled Task
System Services, Service Execution
System Services, Service Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell, Command and Scripting Interpreter
Software Deployment Tools
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Scheduled Task, PowerShell, Command and Scripting Interpreter
Scheduled Task, PowerShell, Command and Scripting Interpreter
Scheduled Task, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
User Execution
System Services, Service Execution
System Services, Service Execution
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
User Execution, Malicious File
User Execution, Malicious File
Command and Scripting Interpreter
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
PowerShell
Gather Victim Host Information, PowerShell
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Unix Shell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Windows Management Instrumentation
Windows Management Instrumentation
User Execution
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
User Execution
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Malicious File, User Execution
Malicious File, User Execution
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Scheduled Task
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Windows Management Instrumentation
Command and Scripting Interpreter
Malicious Image, User Execution
Malicious Image, User Execution
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Domain Account, User Execution, Malicious File
Scheduled Task/Job
Account Discovery, Local Account, PowerShell
Scheduled Task/Job
Command and Scripting Interpreter
User Execution
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task, Command and Scripting Interpreter
Scheduled Task, Command and Scripting Interpreter
Domain Trust Discovery, PowerShell
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Windows Management Instrumentation
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Windows Management Instrumentation
User Execution
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Kernel Modules and Extensions, Service Execution
Command and Scripting Interpreter
User Execution
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Account Discovery, Local Account, PowerShell
User Execution
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Scheduled Task, Impair Defenses
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Command and Scripting Interpreter, Visual Basic
User Execution
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Command Shell
User Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
User Execution
Windows Management Instrumentation
Malicious Image, User Execution
Malicious Image, User Execution
PowerShell, Ingress Tool Transfer, Fileless Storage
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
User Execution
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Windows Management Instrumentation
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter
Exploitation for Client Execution
System Services, Service Execution
System Services, Service Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Unix Shell
Windows Management Instrumentation
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Malicious File, Masquerade File Type
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Command and Scripting Interpreter
Malicious Image, User Execution
Malicious Image, User Execution
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
PowerShell
Windows Command Shell
Malicious File
PowerShell, Windows Command Shell
PowerShell, Windows Command Shell
Scheduled Task
File and Directory Discovery
Account Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Trust Discovery
Query Registry
Local Groups
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery
Web Session Cookie, Cloud Service Dashboard
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Service Discovery
Query Registry
Account Discovery, Local Account
Account Discovery, Local Account
Remote System Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Account Discovery, Domain Account
Account Discovery, Domain Account
Cloud Account
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Time Based Evasion, Virtualization/Sandbox Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Remote System Discovery
System Network Connections Discovery
Query Registry
System Owner/User Discovery
Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Trust Discovery
Remote System Discovery
Password Policy Discovery
Query Registry
Account Discovery, Local Account
Account Discovery, Local Account
File and Directory Discovery
Query Registry
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Password Policy Discovery
Log Enumeration
Password Policy Discovery
Remote System Discovery
Remote System Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Remote System Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Network Configuration Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Cloud Infrastructure Discovery, Brute Force
System Owner/User Discovery
System Owner/User Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Network Sniffing
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Local Account
Account Discovery, Local Account
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Account, Account Discovery
File and Directory Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Domain Account, Account Discovery
Domain Account, Account Discovery
System Network Connections Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Time Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Owner/User Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Query Registry
System Information Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Process Discovery
Cloud Service Discovery
Cloud Infrastructure Discovery
System Owner/User Discovery
System Network Connections Discovery
System Network Configuration Discovery, Internet Connection Discovery
System Network Configuration Discovery, Internet Connection Discovery
Network Share Discovery
Network Share Discovery
Password Policy Discovery
System Network Configuration Discovery
System Information Discovery, External Remote Services
System Owner/User Discovery
Password Policy Discovery
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Account Discovery, Domain Account
Account Discovery, Domain Account
Network Share Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Trust Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Ingress Tool Transfer, Domain Groups
Cloud Service Discovery
System Network Configuration Discovery
Domain Trust Discovery
System Network Connections Discovery
Domain Accounts, Permission Groups Discovery
File and Directory Discovery
System Owner/User Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
System Network Connections Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery
Account Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Domain Account, User Execution, Malicious File
System Owner/User Discovery
System Information Discovery, Rootkit
Account Discovery, Local Account, PowerShell
Account Discovery, Local Account, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote System Discovery
Cloud Service Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Trust Discovery, PowerShell
Password Policy Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Remote System Discovery
Cloud Service Discovery
Account Discovery, Local Account, PowerShell
Account Discovery, Local Account, PowerShell
Remote System Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Remote System Discovery
Cloud Account
Network Service Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Account, Account Discovery
System Information Discovery
System Owner/User Discovery
Password Policy Discovery
Network Share Discovery, Valid Accounts
Domain Account, Account Discovery
Domain Account, Account Discovery
Remote System Discovery
Network Service Discovery
Remote System Discovery
Remote System Discovery
Password Policy Discovery
Remote System Discovery
System Owner/User Discovery
System Owner/User Discovery
Password Policy Discovery
Remote System Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Cloud Service Discovery
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Groups, Account Manipulation, Permission Groups Discovery
Vulnerability Scanning, Network Service Discovery
Network Service Discovery
Network Service Discovery
Cloud Service Discovery
Password Policy Discovery
Network Share Discovery, Data from Network Shared Drive
Cloud Service Discovery
Cloud Service Discovery
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify System Firewall
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Scheduled Task, Impair Defenses
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Exploitation of Remote Services
Exploitation of Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
RDP Hijacking, Remote Service Session Hijacking, Windows Service
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Web Session Cookie, Cloud Service Dashboard
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Exploitation of Remote Services
Protocol Tunneling, SSH
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, SMB/Windows Admin Shares
Remote Services, SMB/Windows Admin Shares
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model
RDP Hijacking
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Remote Management, Remote Services
Windows Remote Management, Remote Services
Exploitation of Remote Services
Software Deployment Tools
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Use Alternate Authentication Material
Exploitation of Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, SMB/Windows Admin Shares
Remote Services, SMB/Windows Admin Shares
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Lateral Tool Transfer
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Use Alternate Authentication Material
Replication Through Removable Media
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model, MMC
Remote Services, Distributed Component Object Model, MMC
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Use Alternate Authentication Material, Pass the Hash
Use Alternate Authentication Material, Pass the Hash
Endpoint Denial of Service
Endpoint Denial of Service
Data Destruction
Data Encrypted for Impact
Endpoint Denial of Service
Network Denial of Service
Inhibit System Recovery
Data Encrypted for Impact
Defacement
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
System Shutdown/Reboot
Service Stop
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Network Denial of Service
Endpoint Denial of Service
Data Destruction
Data Destruction
Inhibit System Recovery
Data Encrypted for Impact
Service Stop
Endpoint Denial of Service
Application or System Exploitation
Service Stop
Inhibit System Recovery
Data Destruction
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Inhibit System Recovery
Account Access Removal
Data Destruction, File Deletion, Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Data Destruction
Data Destruction
System Shutdown/Reboot
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Account Access Removal
System Shutdown/Reboot
Service Stop
Data Encrypted for Impact
System Shutdown/Reboot
Service Stop
Data Destruction, File Deletion, Indicator Removal
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Inhibit System Recovery
Data Encrypted for Impact
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Service Stop
Service Stop
Inhibit System Recovery
Data Destruction
Service Stop
Network Denial of Service, Reflection Amplification
Network Denial of Service, Reflection Amplification
Inhibit System Recovery
Service Stop
Service Stop
Data Encrypted for Impact
Endpoint Denial of Service
Inhibit System Recovery
Inhibit System Recovery
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Data Destruction
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Data Destruction
Data Encrypted for Impact
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Data Destruction, File Deletion, Indicator Removal
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Service Stop
Application or System Exploitation
Inhibit System Recovery
Account Access Removal
Inhibit System Recovery
Inhibit System Recovery
Service Stop
Service Stop, Valid Accounts
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Data Destruction, File Deletion, Indicator Removal
PowerShell, Ingress Tool Transfer
Encrypted Channel
Proxy, Multi-hop Proxy
Proxy, Multi-hop Proxy
Remote Access Software
Domain Generation Algorithms
Remote Access Software
Encrypted Channel
Ingress Tool Transfer
Ingress Tool Transfer
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Protocol Impersonation
Remote Access Software
Internal Proxy, Proxy
Internal Proxy, Proxy
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Ingress Tool Transfer
File Transfer Protocols, Application Layer Protocol
File Transfer Protocols, Application Layer Protocol
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Non-Application Layer Protocol
Protocol Tunneling, SSH
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Application Layer Protocol
Remote Access Software
Ingress Tool Transfer
Ingress Tool Transfer
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
DNS, Application Layer Protocol
DNS, Application Layer Protocol
Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Web Service
Remote Access Software, OS Credential Dumping
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
DNS, Application Layer Protocol
DNS, Application Layer Protocol
Proxy, Non-Application Layer Protocol
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer, Domain Groups
Ingress Tool Transfer
Ingress Tool Transfer
Remote Access Software
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Internal Proxy, Proxy
Internal Proxy, Proxy
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Domain Generation Algorithms
Remote Access Software
Ingress Tool Transfer
PowerShell, Ingress Tool Transfer, Fileless Storage
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Remote Access Software
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Web Protocols
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Screen Capture
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Kerberoasting
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Local Account, Create Account
Local Account, Create Account
Inhibit System Recovery
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Domain or Tenant Policy Modification, Group Policy Modification
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Ingress Tool Transfer
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities
Masquerading
File and Directory Permissions Modification
Account Access Removal
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
BITS Jobs
Automated Exfiltration
Automated Exfiltration
File Deletion, Indicator Removal
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Exfiltration Over Alternative Protocol
Automated Exfiltration
Ingress Tool Transfer
Service Stop
File and Directory Permissions Modification
Service Stop, Valid Accounts
File and Directory Permissions Modification
OS Credential Dumping, Security Account Manager
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Archive via Utility, Archive Collected Data
Data Destruction, File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Screen Capture
Email Collection
Data Staged
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Automated Collection
Steal or Forge Authentication Certificates, Archive Collected Data
Archive Collected Data
Browser Session Hijacking
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Browser Session Hijacking
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Screen Capture
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Browser Session Hijacking
Automated Collection
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Screen Capture
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Data from Local System
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Data from Cloud Storage
Clipboard Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Remote Email Collection
Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Automated Collection
Email Collection, Local Email Collection
Email Collection, Local Email Collection
Remote Email Collection, Email Collection
Remote Email Collection, Email Collection
Browser Session Hijacking
Remote Email Collection
Data from Cloud Storage
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Screen Capture
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Clipboard Data
GUI Input Capture, Input Capture
GUI Input Capture, Input Capture
Email Collection, Local Email Collection
Email Collection, Local Email Collection
Data from Cloud Storage
Screen Capture
Network Share Discovery, Data from Network Shared Drive
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvr32
Mavinject, System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Compiled HTML File
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution
System Binary Proxy Execution, Compiled HTML File
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Mshta
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Mshta
Verclsid, System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
InstallUtil, System Binary Proxy Execution
System Script Proxy Execution, System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Rundll32
Compiled HTML File, System Binary Proxy Execution
System Binary Proxy Execution, Compiled HTML File
InstallUtil, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
InstallUtil, System Binary Proxy Execution
Regsvr32, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
Msiexec, System Binary Proxy Execution
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Rundll32
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Unix Shell, Command and Scripting Interpreter
Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Impair Defenses, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Windows Command Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Component Object Model
Command and Scripting Interpreter
Exploit Public-Facing Application, Command and Scripting Interpreter
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Command and Scripting Interpreter, JavaScript
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell
Windows Command Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Scheduled Task, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Command and Scripting Interpreter, JavaScript
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, JavaScript
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Command and Scripting Interpreter
Scheduled Task, Command and Scripting Interpreter
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Digital Certificates
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Digital Certificates
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Digital Certificates
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Digital Certificates
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts, Valid Accounts
Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force
Valid Accounts, Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Valid Accounts, Brute Force
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts
Valid Accounts, Domain Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Account Manipulation, Valid Accounts
Valid Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Local Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Account Manipulation, Valid Accounts
Valid Accounts, Domain Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts, Domain Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts, Domain Accounts
Cloud Accounts, Valid Accounts
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts, Default Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Valid Accounts
Account Manipulation, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts, Default Accounts
Valid Accounts
Network Share Discovery, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts, Valid Accounts
Valid Accounts, Cloud Accounts
Password Spraying, Valid Accounts, Default Accounts
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts
Service Stop, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Protocol Impersonation
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Log Enumeration
Exploit Public-Facing Application
Exploit Public-Facing Application
Exfiltration Over Web Service
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploitation for Privilege Escalation
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
System Information Discovery, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Remote Email Collection
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Remote Email Collection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Server Software Component, IIS Components
Exploit Public-Facing Application
Disable or Modify Cloud Logs, Impair Defenses
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Remote Access Software
Exploit Public-Facing Application, External Remote Services
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Spearphishing via Service
Web Protocols
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Regsvr32, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Phishing, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry, OS Credential Dumping
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism, Bypass User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism, Bypass User Account Control
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Steal Application Access Token, Phishing, Spearphishing Link
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Modify Registry
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Link
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing
Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Phishing, Spearphishing Attachment
Phishing
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Brute Force, Password Guessing
Valid Accounts, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force, Password Guessing, Password Spraying
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force, Password Guessing, Password Spraying
Password Spraying, Brute Force
Password Guessing, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Cloud Infrastructure Discovery, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
Password Spraying, Brute Force
Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Password Spraying, Brute Force
Brute Force, Password Guessing
Brute Force, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Brute Force
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
Brute Force
Command and Scripting Interpreter, PowerShell
PowerShell, Ingress Tool Transfer
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
OS Credential Dumping, PowerShell
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Impair Defenses, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Scheduled Task, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
PowerShell
Gather Victim Host Information, PowerShell
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Domain Trust Discovery, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
PowerShell, Ingress Tool Transfer, Fileless Storage
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Command and Scripting Interpreter, PowerShell
PowerShell
PowerShell, Windows Command Shell
Account Manipulation, Additional Cloud Roles
Cloud Groups, Account Manipulation, Permission Groups Discovery
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation
Account Manipulation
Account Manipulation
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
SSH Authorized Keys, Account Manipulation
Account Manipulation
Account Manipulation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation
Account Manipulation
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation
Account Manipulation, Device Registration
Account Manipulation, Additional Cloud Roles
SSH Authorized Keys, Account Manipulation
Account Manipulation, Device Registration
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Valid Accounts
Account Manipulation, Additional Cloud Credentials
Account Manipulation
Account Manipulation
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Account Manipulation
Account Manipulation, Impair Defenses
Account Manipulation, Impair Defenses
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
User Execution
User Execution
User Execution
Malicious Image, User Execution
User Execution
User Execution, Malicious File
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
Malicious Image, User Execution
User Execution
User Execution, Malicious File
User Execution
Malicious Image, User Execution
User Execution
User Execution
User Execution
User Execution
User Execution, Malicious File
User Execution
User Execution
Malicious File, User Execution
Malicious Image, User Execution
Account Discovery, Domain Account, User Execution, Malicious File
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
Malicious Image, User Execution
User Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Account Discovery
Account Discovery, Domain Account
Account Discovery
Account Discovery, Local Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account
Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Domain Account, Account Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Account Discovery, Local Account
Account Discovery, Domain Account
Account Discovery, Local Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Domain Account
Domain Account, Account Discovery
Account Discovery, Domain Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Account Discovery
Account Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Local Account, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Account Discovery, Local Account, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over C2 Channel
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Transfer Data to Cloud Account
Automated Exfiltration
Exfiltration Over Web Service
Exfiltration Over Web Service
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Automated Exfiltration
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Transfer Data to Cloud Account
Exfiltration Over Unencrypted Non-C2 Protocol
Transfer Data to Cloud Account
Exfiltration Over Alternative Protocol
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Transfer Data to Cloud Account
Exfiltration Over Unencrypted Non-C2 Protocol
Automated Exfiltration
Automated Exfiltration
Exfiltration Over Alternative Protocol
Automated Exfiltration
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
LSASS Memory, OS Credential Dumping
Security Account Manager, OS Credential Dumping
OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
LSASS Memory, OS Credential Dumping
OS Credential Dumping
OS Credential Dumping, PowerShell
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
/etc/passwd and /etc/shadow, OS Credential Dumping
Security Account Manager, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Remote Access Software, OS Credential Dumping
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
DCSync, OS Credential Dumping
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
OS Credential Dumping, DCSync, Rogue Domain Controller
NTDS, OS Credential Dumping
Security Account Manager, OS Credential Dumping
DCSync, OS Credential Dumping
Security Account Manager, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Modify Registry, OS Credential Dumping
Cached Domain Credentials, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
OS Credential Dumping, Security Account Manager
LSASS Memory, OS Credential Dumping
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Account Manipulation, Device Registration
Steal or Forge Kerberos Tickets, AS-REP Roasting
Cloud Accounts, Valid Accounts
Valid Accounts
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Valid Accounts, Local Accounts
DCSync, OS Credential Dumping
Valid Accounts, Domain Accounts
Local Account, Create Account
Modify Registry
Modify Cloud Compute Configurations
Rogue Domain Controller
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Impair Defenses, Disable or Modify Cloud Logs
Cloud Accounts, Valid Accounts
Valid Accounts
Domain or Tenant Policy Modification
DCSync, OS Credential Dumping
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts
Local Account, Create Account
Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Tools
Account Manipulation
Cloud Accounts, Valid Accounts
Valid Accounts, Default Accounts
Brute Force
Unused/Unsupported Cloud Regions
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force, Password Guessing, Password Spraying
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force, Password Guessing, Password Spraying
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Brute Force
Password Spraying, Brute Force
Valid Accounts, Default Accounts, Password Spraying
Proxy, Multi-hop Proxy
Remote Access Software
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Remote Desktop Protocol, Remote Services
SMB/Windows Admin Shares, Remote Services
Process Injection
Exploit Public-Facing Application, External Remote Services
Process Injection
File Transfer Protocols, Application Layer Protocol
InstallUtil, System Binary Proxy Execution
Non-Application Layer Protocol
InstallUtil, System Binary Proxy Execution
Exploitation for Client Execution
SMB/Windows Admin Shares, Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
System Binary Proxy Execution, Rundll32
TFTP Boot, Pre-OS Boot
Process Injection
Use Alternate Authentication Material
OS Credential Dumping, DCSync, Rogue Domain Controller
Email Collection, Remote Email Collection
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote Desktop Protocol, Remote Services
Exploit Public-Facing Application, External Remote Services
Account Discovery, Domain Account, User Execution, Malicious File
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Network Service Discovery
Network Service Discovery
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application, External Remote Services
System Information Discovery, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Brute Force
PowerShell, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Domain Groups
Ingress Tool Transfer
Ingress Tool Transfer
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
PowerShell, Ingress Tool Transfer, Fileless Storage
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Masquerading
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Right-to-Left Override, Masquerading
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Right-to-Left Override, Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading
Masquerading
Masquerading
Rename System Utilities, Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerade Task or Service, Masquerading
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading
Remote Desktop Protocol, Remote Services
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services
Remote Desktop Protocol, Remote Services
SMB/Windows Admin Shares, Remote Services
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Windows Remote Management
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, SMB/Windows Admin Shares
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
SMB/Windows Admin Shares, Remote Services
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Remote Management, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, SMB/Windows Admin Shares
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Desktop Protocol, Remote Services
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model, MMC
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Windows Remote Management
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Permission Groups Discovery, Domain Groups
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Cloud Groups, Account Manipulation, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Domain Accounts, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Cloud Groups, Account Manipulation, Permission Groups Discovery
Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Process Injection
Process Injection
Process Injection
Process Injection, Dynamic-link Library Injection
Process Injection
Process Injection
Process Injection, Portable Executable Injection
Process Injection
Dynamic-link Library Injection, Process Injection
Process Injection
Process Injection
Process Injection
Command and Scripting Interpreter, Process Injection, PowerShell
Process Injection
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection, Portable Executable Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection, Portable Executable Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Account Discovery, Domain Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Domain Account
Domain Account, Account Discovery
Account Discovery, Domain Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Password Spraying
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Modify Registry
Valid Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Security Account Manager
DCSync, OS Credential Dumping
Brute Force
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
DCSync, OS Credential Dumping
Account Manipulation, Device Registration
Disable or Modify Cloud Firewall, Impair Defenses
Account Manipulation, Device Registration
Steal or Forge Kerberos Tickets
Cloud Account
Modify Authentication Process
Local Accounts, Credentials In Files
Cloud Accounts
Password Spraying, Brute Force
Password Spraying, Brute Force
Systemd Timers, Scheduled Task/Job
Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
At, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task/Job, At
At, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job
Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Indicator Removal
Indicator Removal
Indicator Removal, Network Share Connection Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Clear Windows Event Logs, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal
Indicator Removal, Clear Windows Event Logs
File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Create or Modify System Process, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service, Create or Modify System Process
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows Service
Windows Service, Create or Modify System Process
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Create or Modify System Process, Windows Service
Windows Service
Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service
Service Stop, Create or Modify System Process, Windows Service
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Rename System Utilities, Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Rename System Utilities
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Scheduled Task
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task, PowerShell, Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Scheduled Task, Scheduled Task/Job
Scheduled Task
Scheduled Task, Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task, Impair Defenses
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Scheduled Task
Account Discovery, Local Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Account Discovery, Local Account
Local Account, Create Account
Account Discovery, Local Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Account, Create Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Account, Create Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Account Discovery, Local Account, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Account, Create Account
Account Discovery, Local Account, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Account, Create Account
Local Account, Create Account
Local Account, Create Account
Windows Management Instrumentation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Management Instrumentation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Ingress Tool Transfer, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Domain Generation Algorithms
Remote Access Software
Protocol Tunneling, Proxy, Web Service
Exploitation for Client Execution
Exfiltration Over Unencrypted Non-C2 Protocol
DNS, Application Layer Protocol
Compromise Software Supply Chain
DNS, Application Layer Protocol
Drive-by Compromise
Network Denial of Service, Reflection Amplification
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Domain Generation Algorithms
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Spearphishing via Service
Exfiltration Over Unencrypted Non-C2 Protocol
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Steal Application Access Token
Valid Accounts, Brute Force
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Steal or Forge Authentication Certificates
Domain or Tenant Policy Modification
Steal Application Access Token
Impair Defenses
Abuse Elevation Control Mechanism
Malicious Image, User Execution
Impair Defenses
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Exploitation of Remote Services
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Modify Registry
Transfer Data to Cloud Account
Create or Modify System Process, Windows Service
Launch Agent, Create or Modify System Process
Windows Service, Create or Modify System Process
Create or Modify System Process, Windows Service
Create or Modify System Process
Windows Service, Create or Modify System Process
Create or Modify System Process, Windows Service
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Windows Service, Create or Modify System Process
Launch Agent, Create or Modify System Process
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Create or Modify System Process
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Service Stop, Create or Modify System Process, Windows Service
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, Golden Ticket
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Port Monitors, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
DLL Side-Loading, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Gather Victim Network Information, IP Addresses
Gather Victim Network Information, IP Addresses
Gather Victim Identity Information, Email Addresses
Gather Victim Identity Information, Email Addresses
Gather Victim Host Information
Gather Victim Host Information
Gather Victim Host Information, PowerShell
Gather Victim Host Information
IP Addresses, Gather Victim Network Information
IP Addresses, Gather Victim Network Information
Hardware, Gather Victim Host Information
Hardware, Gather Victim Host Information
Credentials, Gather Victim Identity Information
Credentials, Gather Victim Identity Information
Vulnerability Scanning, Network Service Discovery
Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
Server Software Component, IIS Components
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
IIS Components, Server Software Component
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Rootkit, Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Rootkit, Exploitation for Privilege Escalation
Cloud Account, Create Account
Cloud Account, Create Account
Create Account, Cloud Account
Local Account, Create Account
Cloud Account, Create Account
Local Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Local Account, Create Account
Local Account, Create Account
Cloud Account, Create Account
Local Account, Create Account
Create Account, Cloud Account
Local Account, Create Account
Local Account, Create Account
Create Account
Email Collection, Email Forwarding Rule
Email Collection
Email Collection, Remote Email Collection
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection
Email Collection, Remote Email Collection
Email Collection, Local Email Collection
Remote Email Collection, Email Collection
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Email Collection, Local Email Collection
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Unix Shell Configuration Modification, Event Triggered Execution
Event Triggered Execution, Accessibility Features
Change Default File Association, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Application Shimming, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Application Shimming, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Event Triggered Execution, Screensaver
Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Application Shimming, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Cloud Account
Cloud Account
Cloud Account, Create Account
Cloud Account
Cloud Account, Create Account
Create Account, Cloud Account
Cloud Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account
Cloud Account
Cloud Account
Cloud Account, Create Account
Cloud Account
Create Account, Cloud Account
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop, Valid Accounts
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Private Keys, Unsecured Credentials
Unsecured Credentials, Group Policy Preferences
Credentials in Registry, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Unsecured Credentials
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Credentials in Registry, Unsecured Credentials
Unsecured Credentials, Group Policy Preferences
Credentials in Registry, Unsecured Credentials
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Access Token Manipulation, Token Impersonation/Theft
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Create Process with Token, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Access Token Manipulation, SID-History Injection
Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Local Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Abuse Elevation Control Mechanism, Bypass User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism, Bypass User Account Control
Bypass User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File and Directory Permissions Modification
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
Domain Trust Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Trust Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Trust Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Trust Discovery
Domain Trust Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Trust Discovery, PowerShell
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager
Security Account Manager, OS Credential Dumping
Security Account Manager
Security Account Manager
OS Credential Dumping, Security Account Manager
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Msiexec, System Binary Proxy Execution
Msiexec
Msiexec, System Binary Proxy Execution
Msiexec
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Obfuscated Files or Information
Fileless Storage, Obfuscated Files or Information
Obfuscated Files or Information, Unix Shell
Compile After Delivery, Obfuscated Files or Information
Obfuscated Files or Information
Obfuscated Files or Information
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools
Obfuscated Files or Information, Fileless Storage
Obfuscated Files or Information
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Boot or Logon Autostart Execution
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Email Collection, Remote Email Collection
Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Remote Email Collection
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Remote Email Collection
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Domain or Tenant Policy Modification
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Group Policy Modification
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model, MMC
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry
Query Registry
Query Registry
Query Registry
Query Registry
Query Registry
Compromise Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Spearphishing Attachment, Phishing
Data from Cloud Storage
Valid Accounts
Valid Accounts
Valid Accounts
Phishing
Cloud Service Discovery
Windows Command Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Windows Command Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell
Windows Command Shell
Windows Command Shell
PowerShell, Windows Command Shell
Steal or Forge Authentication Certificates, Archive Collected Data
Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Trusted Developer Utilities Proxy Execution, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
MSBuild, Trusted Developer Utilities Proxy Execution
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Trusted Developer Utilities Proxy Execution
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
IIS Components, Server Software Component
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software, OS Credential Dumping
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Mail Protocols, Application Layer Protocol
File Transfer Protocols, Application Layer Protocol
Application Layer Protocol
Mail Protocols, Application Layer Protocol
DNS, Application Layer Protocol
Application Layer Protocol
Mail Protocols, Application Layer Protocol
DNS, Application Layer Protocol
Application Layer Protocol
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Use Alternate Authentication Material
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material
Use Alternate Authentication Material, Pass the Hash
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Compiled HTML File, System Binary Proxy Execution
System Binary Proxy Execution, Compiled HTML File
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Kerberoasting
Kerberoasting
Remote Services, Windows Remote Management
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Remote Management, Remote Services
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Network Denial of Service
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Network Denial of Service
Network Denial of Service, Reflection Amplification
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Steal Application Access Token
Steal Application Access Token, Phishing, Spearphishing Link
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System Network Connections Discovery
System Network Connections Discovery
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Domain Accounts, Permission Groups Discovery
Valid Accounts, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Valid Accounts, Domain Accounts
Domain Accounts
User Execution, Malicious File
User Execution, Malicious File
User Execution, Malicious File
Malicious File, User Execution
Account Discovery, Domain Account, User Execution, Malicious File
Malicious File, Masquerade File Type
Malicious File
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Impair Defenses, Disable or Modify System Firewall
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
Kernel Modules and Extensions, Service Execution
System Services, Service Execution
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
System Information Discovery
System Information Discovery
System Information Discovery, External Remote Services
System Information Discovery, Rootkit
System Information Discovery
System Information Discovery
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Proxy, Multi-hop Proxy
Protocol Tunneling, Proxy, Web Service
Internal Proxy, Proxy
Protocol Tunneling, Proxy, Web Service
Proxy, Non-Application Layer Protocol
Protocol Tunneling, Proxy, Web Service
Internal Proxy, Proxy
Brute Force, Password Guessing
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Password Guessing, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Brute Force, Password Guessing
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall
Clear Windows Event Logs, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Automated Exfiltration
Automated Exfiltration
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Automated Exfiltration
Automated Exfiltration
Automated Exfiltration
BITS Jobs
BITS Jobs, Ingress Tool Transfer
BITS Jobs
BITS Jobs, Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
BITS Jobs
Trusted Developer Utilities Proxy Execution, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts
Domain or Tenant Policy Modification, Group Policy Modification
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Account Manipulation, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Hardware Additions
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
Regsvr32, Modify Registry
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Regsvr32, System Binary Proxy Execution
System Binary Proxy Execution, Regsvr32
Endpoint Denial of Service
Endpoint Denial of Service
Endpoint Denial of Service
Endpoint Denial of Service
Endpoint Denial of Service
Endpoint Denial of Service
Abuse Elevation Control Mechanism, Indirect Command Execution
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Endpoint Denial of Service
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Credentials from Password Stores
Credentials from Web Browsers, Credentials from Password Stores
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores
Credentials from Password Stores
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
System Network Configuration Discovery
System Network Configuration Discovery, Internet Connection Discovery
System Network Configuration Discovery
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System Network Configuration Discovery
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
DNS, Application Layer Protocol
DNS, Application Layer Protocol
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Network Service Discovery
Network Service Discovery
Vulnerability Scanning, Network Service Discovery
Network Service Discovery
Network Service Discovery
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Screen Capture
Screen Capture
Screen Capture
Screen Capture
Screen Capture
Gather Victim Host Information
Gather Victim Host Information
Gather Victim Host Information, PowerShell
Gather Victim Host Information
Hardware, Gather Victim Host Information
Rogue Domain Controller
OS Credential Dumping, DCSync, Rogue Domain Controller
Rogue Domain Controller
Rogue Domain Controller
Rogue Domain Controller
Kernel Modules and Extensions
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Steal Application Access Token, Phishing, Spearphishing Link
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Phishing, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
System Shutdown/Reboot
System Shutdown/Reboot
System Shutdown/Reboot
System Shutdown/Reboot
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Process Injection, Dynamic-link Library Injection
Dynamic-link Library Injection, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Account Access Removal
Account Access Removal
Account Access Removal
Account Access Removal
Odbcconf
Odbcconf
Odbcconf
Odbcconf, System Binary Proxy Execution
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, MMC
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Abuse Elevation Control Mechanism, Indirect Command Execution
Indirect Command Execution
Indirect Command Execution
Indirect Command Execution
Unix Shell, Command and Scripting Interpreter
Obfuscated Files or Information, Unix Shell
Unix Shell, Command and Scripting Interpreter
Unix Shell
Exfiltration Over Web Service
Exfiltration Over Web Service
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Container API
Container API
Container API
Container API
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Access Token Manipulation, SID-History Injection
SID-History Injection, Access Token Manipulation
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain, Supply Chain Compromise
Compromise Software Supply Chain
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, SSH
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Web Service
Protocol Tunneling, Proxy, Web Service
Disable or Modify Tools, Impair Defenses
Modify Registry
Disable or Modify Tools, Impair Defenses
Browser Session Hijacking
Browser Session Hijacking
Browser Session Hijacking
Browser Session Hijacking
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hide Artifacts, NTFS File Attributes
Private Keys, Unsecured Credentials
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
File and Directory Discovery
File and Directory Discovery
File and Directory Discovery
File and Directory Discovery
Digital Certificates
Digital Certificates
Digital Certificates
Digital Certificates
Pre-OS Boot, Registry Run Keys / Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Change Default File Association
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Fileless Storage, Obfuscated Files or Information
PowerShell, Ingress Tool Transfer, Fileless Storage
Obfuscated Files or Information, Fileless Storage
Rootkit, Exploitation for Privilege Escalation
System Information Discovery, Rootkit
Rootkit, Exploitation for Privilege Escalation
Exploitation for Client Execution
Exploitation for Client Execution
Exploitation for Client Execution
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Clipboard Data
Clipboard Data
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Supply Chain, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Management Instrumentation Event Subscription
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Pre-OS Boot, Registry Run Keys / Startup Folder
TFTP Boot, Pre-OS Boot
System Firmware, Pre-OS Boot
Automated Collection
Automated Collection
Automated Collection
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
DCSync, OS Credential Dumping
OS Credential Dumping, DCSync, Rogue Domain Controller
DCSync, OS Credential Dumping
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Exploitation for Credential Access
Exploitation for Credential Access
Exploitation for Credential Access
Credentials from Web Browsers, Credentials from Password Stores
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
At, Scheduled Task/Job
Scheduled Task/Job, At
At, Scheduled Task/Job
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Access Token Manipulation, Token Impersonation/Theft
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Virtualization/Sandbox Evasion, Time Based Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Deobfuscate/Decode Files or Information
Deobfuscate/Decode Files or Information
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Groups, Account Manipulation, Permission Groups Discovery
Application or System Exploitation
Application or System Exploitation
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Email Collection, Local Email Collection
Email Collection, Local Email Collection
RC Scripts, Boot or Logon Initialization Scripts
Boot or Logon Initialization Scripts, Logon Script (Windows)
Gather Victim Identity Information, Email Addresses
Credentials, Gather Victim Identity Information
Valid Accounts, Local Accounts
Local Accounts, Credentials In Files
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
XSL Script Processing
XSL Script Processing
Domain Generation Algorithms
Domain Generation Algorithms
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Protocol Tunneling, SSH
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools
Domain or Tenant Policy Modification, Trust Modification
Domain or Tenant Policy Modification, Trust Modification
Gather Victim Network Information, IP Addresses
IP Addresses, Gather Victim Network Information
Gather Victim Network Information, IP Addresses
IP Addresses, Gather Victim Network Information
Internal Proxy, Proxy
Internal Proxy, Proxy
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Services Registry Permissions Weakness
Services Registry Permissions Weakness, Hijack Execution Flow
Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Image File Execution Options Injection
Image File Execution Options Injection, Event Triggered Execution
Non-Application Layer Protocol
Proxy, Non-Application Layer Protocol
Cloud Infrastructure Discovery, Brute Force
Cloud Infrastructure Discovery
Compromise Host Software Binary
Compromise Host Software Binary
RDP Hijacking, Remote Service Session Hijacking, Windows Service
RDP Hijacking
Defacement
Trusted Relationship
Trusted Relationship
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Encrypted Channel
Encrypted Channel
Web Protocols
Spearphishing via Service
Phishing
Use Alternate Authentication Material, Pass the Hash
Vulnerability Scanning, Network Service Discovery
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Malicious File, Masquerade File Type
Boot or Logon Initialization Scripts, Logon Script (Windows)
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Credentials, Gather Victim Identity Information
Hardware, Gather Victim Host Information
GUI Input Capture, Input Capture
GUI Input Capture, Input Capture
Cached Domain Credentials, OS Credential Dumping
Local Accounts, Credentials In Files
Mark-of-the-Web Bypass
Event Triggered Execution, Screensaver
Time Providers, Boot or Logon Autostart Execution
Masquerade Task or Service, Masquerading
Replication Through Removable Media
Dynamic Linker Hijacking, Hijack Execution Flow
System Firmware, Pre-OS Boot
Network Denial of Service, Reflection Amplification
Lateral Tool Transfer
Hidden Window, Run Virtual Instance
System Script Proxy Execution, System Binary Proxy Execution
Modify Cloud Compute Configurations
Path Interception by Unquoted Path, Hijack Execution Flow
System Network Configuration Discovery, Internet Connection Discovery
Data from Local System
Software Deployment Tools
Process Discovery
Create Process with Token, Access Token Manipulation
TFTP Boot, Pre-OS Boot
Compile After Delivery, Obfuscated Files or Information
System Binary Proxy Execution, Control Panel
Verclsid, System Binary Proxy Execution
Command and Scripting Interpreter, Component Object Model
System Time Discovery
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Plist File Modification
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Network Sniffing
LSA Secrets
Event Triggered Execution, Accessibility Features
/etc/passwd and /etc/shadow, OS Credential Dumping
File Transfer Protocols, Application Layer Protocol
Log Enumeration
Gather Victim Identity Information, Email Addresses
Forced Authentication
Steal or Forge Kerberos Tickets, Golden Ticket
HTML Smuggling
Active Setup, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
Container Orchestration Job
Protocol Impersonation
Password Managers
Data Staged
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Mavinject, System Binary Proxy Execution
Proxy, Multi-hop Proxy
Port Monitors, Boot or Logon Autostart Execution
Web Session Cookie, Cloud Service Dashboard
RC Scripts, Boot or Logon Initialization Scripts
RDP Hijacking, Remote Service Session Hijacking, Windows Service