MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.
ATT&CK Matrix for Enterprise
----------------------------
[Reconnaissance](/tactics/TA0043): 10 techniques
[Resource Development](/tactics/TA0042): 8 techniques
[Initial Access](/tactics/TA0001): 10 techniques
[Execution](/tactics/TA0002): 14 techniques
[Persistence](/tactics/TA0003): 20 techniques
[Privilege Escalation](/tactics/TA0004): 14 techniques
[Defense Evasion](/tactics/TA0005): 44 techniques
[Credential Access](/tactics/TA0006): 17 techniques
[Discovery](/tactics/TA0007): 32 techniques
[Lateral Movement](/tactics/TA0008): 9 techniques
[Collection](/tactics/TA0009): 17 techniques
[Command and Control](/tactics/TA0011): 18 techniques
[Exfiltration](/tactics/TA0010): 9 techniques
[Impact](/tactics/TA0040): 14 techniques
[Active Scanning (3)](/techniques/T1595)
[Scanning IP Blocks](/techniques/T1595/001)
[Vulnerability Scanning](/techniques/T1595/002)
[Wordlist Scanning](/techniques/T1595/003)
[Gather Victim Host Information (4)](/techniques/T1592)
[Hardware](/techniques/T1592/001)
[Software](/techniques/T1592/002)
[Firmware](/techniques/T1592/003)
[Client Configurations](/techniques/T1592/004)
[Gather Victim Identity Information (3)](/techniques/T1589)
[Credentials](/techniques/T1589/001)
[Email Addresses](/techniques/T1589/002)
[Employee Names](/techniques/T1589/003)
[Gather Victim Network Information (6)](/techniques/T1590)
[Domain Properties](/techniques/T1590/001)
[DNS](/techniques/T1590/002)
[Network Trust Dependencies](/techniques/T1590/003)
[Network Topology](/techniques/T1590/004)
[IP Addresses](/techniques/T1590/005)
[Network Security Appliances](/techniques/T1590/006)
[Gather Victim Org Information (4)](/techniques/T1591)
[Determine Physical Locations](/techniques/T1591/001)
[Business Relationships](/techniques/T1591/002)
[Identify Business Tempo](/techniques/T1591/003)
[Identify Roles](/techniques/T1591/004)
[Phishing for Information (4)](/techniques/T1598)
[Spearphishing Service](/techniques/T1598/001)
[Spearphishing Attachment](/techniques/T1598/002)
[Spearphishing Link](/techniques/T1598/003)
[Spearphishing Voice](/techniques/T1598/004)
[Search Closed Sources (2)](/techniques/T1597)
[Threat Intel Vendors](/techniques/T1597/001)
[Purchase Technical Data](/techniques/T1597/002)
[Search Open Technical Databases (5)](/techniques/T1596)
[DNS/Passive DNS](/techniques/T1596/001)
[WHOIS](/techniques/T1596/002)
[Digital Certificates](/techniques/T1596/003)
[CDNs](/techniques/T1596/004)
[Scan Databases](/techniques/T1596/005)
[Search Open Websites/Domains (3)](/techniques/T1593)
[Social Media](/techniques/T1593/001)
[Search Engines](/techniques/T1593/002)
[Code Repositories](/techniques/T1593/003)
[Search Victim-Owned Websites](/techniques/T1594)
[Acquire Access](/techniques/T1650)
[Acquire Infrastructure (8)](/techniques/T1583)
[Domains](/techniques/T1583/001)
[DNS Server](/techniques/T1583/002)
[Virtual Private Server](/techniques/T1583/003)
[Server](/techniques/T1583/004)
[Botnet](/techniques/T1583/005)
[Web Services](/techniques/T1583/006)
[Serverless](/techniques/T1583/007)
[Malvertising](/techniques/T1583/008)
[Compromise Accounts (3)](/techniques/T1586)
[Social Media Accounts](/techniques/T1586/001)
[Email Accounts](/techniques/T1586/002)
[Cloud Accounts](/techniques/T1586/003)
[Compromise Infrastructure (8)](/techniques/T1584)
[Domains](/techniques/T1584/001)
[DNS Server](/techniques/T1584/002)
[Virtual Private Server](/techniques/T1584/003)
[Server](/techniques/T1584/004)
[Botnet](/techniques/T1584/005)
[Web Services](/techniques/T1584/006)
[Serverless](/techniques/T1584/007)
[Network Devices](/techniques/T1584/008)
[Develop Capabilities (4)](/techniques/T1587)
[Malware](/techniques/T1587/001)
[Code Signing Certificates](/techniques/T1587/002)
[Digital Certificates](/techniques/T1587/003)
[Exploits](/techniques/T1587/004)
[Establish Accounts (3)](/techniques/T1585)
[Social Media Accounts](/techniques/T1585/001)
[Email Accounts](/techniques/T1585/002)
[Cloud Accounts](/techniques/T1585/003)
[Obtain Capabilities (7)](/techniques/T1588)
[Malware](/techniques/T1588/001)
[Tool](/techniques/T1588/002)
[Code Signing Certificates](/techniques/T1588/003)
[Digital Certificates](/techniques/T1588/004)
[Exploits](/techniques/T1588/005)
[Vulnerabilities](/techniques/T1588/006)
[Artificial Intelligence](/techniques/T1588/007)
[Stage Capabilities (6)](/techniques/T1608)
[Upload Malware](/techniques/T1608/001)
[Upload Tool](/techniques/T1608/002)
[Install Digital Certificate](/techniques/T1608/003)
[Drive-by Target](/techniques/T1608/004)
[Link Target](/techniques/T1608/005)
[SEO Poisoning](/techniques/T1608/006)
[Content Injection](/techniques/T1659)
[Drive-by Compromise](/techniques/T1189)
[Exploit Public-Facing Application](/techniques/T1190)
[External Remote Services](/techniques/T1133)
[Hardware Additions](/techniques/T1200)
[Phishing (4)](/techniques/T1566)
[Spearphishing Attachment](/techniques/T1566/001)
[Spearphishing Link](/techniques/T1566/002)
[Spearphishing via Service](/techniques/T1566/003)
[Spearphishing Voice](/techniques/T1566/004)
[Replication Through Removable Media](/techniques/T1091)
[Supply Chain Compromise (3)](/techniques/T1195)
[Compromise Software Dependencies and Development Tools](/techniques/T1195/001)
[Compromise Software Supply Chain](/techniques/T1195/002)
[Compromise Hardware Supply Chain](/techniques/T1195/003)
[Trusted Relationship](/techniques/T1199)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Cloud Administration Command](/techniques/T1651)
[Command and Scripting Interpreter (11)](/techniques/T1059)
[PowerShell](/techniques/T1059/001)
[AppleScript](/techniques/T1059/002)
[Windows Command Shell](/techniques/T1059/003)
[Unix Shell](/techniques/T1059/004)
[Visual Basic](/techniques/T1059/005)
[Python](/techniques/T1059/006)
[JavaScript](/techniques/T1059/007)
[Network Device CLI](/techniques/T1059/008)
[Cloud API](/techniques/T1059/009)
[AutoHotKey & AutoIT](/techniques/T1059/010)
[Lua](/techniques/T1059/011)
[Container Administration Command](/techniques/T1609)
[Deploy Container](/techniques/T1610)
[Exploitation for Client Execution](/techniques/T1203)
[Inter-Process Communication (3)](/techniques/T1559)
[Component Object Model](/techniques/T1559/001)
[Dynamic Data Exchange](/techniques/T1559/002)
[XPC Services](/techniques/T1559/003)
[Native API](/techniques/T1106)
[Scheduled Task/Job (5)](/techniques/T1053)
[At](/techniques/T1053/002)
[Cron](/techniques/T1053/003)
[Scheduled Task](/techniques/T1053/005)
[Systemd Timers](/techniques/T1053/006)
[Container Orchestration Job](/techniques/T1053/007)
[Serverless Execution](/techniques/T1648)
[Shared Modules](/techniques/T1129)
[Software Deployment Tools](/techniques/T1072)
[System Services (2)](/techniques/T1569)
[Launchctl](/techniques/T1569/001)
[Service Execution](/techniques/T1569/002)
[User Execution (3)](/techniques/T1204)
[Malicious Link](/techniques/T1204/001)
[Malicious File](/techniques/T1204/002)
[Malicious Image](/techniques/T1204/003)
[Windows Management Instrumentation](/techniques/T1047)
[Account Manipulation (7)](/techniques/T1098)
[Additional Cloud Credentials](/techniques/T1098/001)
[Additional Email Delegate Permissions](/techniques/T1098/002)
[Additional Cloud Roles](/techniques/T1098/003)
[SSH Authorized Keys](/techniques/T1098/004)
[Device Registration](/techniques/T1098/005)
[Additional Container Cluster Roles](/techniques/T1098/006)
[Additional Local or Domain Groups](/techniques/T1098/007)
[BITS Jobs](/techniques/T1197)
[Boot or Logon Autostart Execution (14)](/techniques/T1547)
[Registry Run Keys / Startup Folder](/techniques/T1547/001)
[Authentication Package](/techniques/T1547/002)
[Time Providers](/techniques/T1547/003)
[Winlogon Helper DLL](/techniques/T1547/004)
[Security Support Provider](/techniques/T1547/005)
[Kernel Modules and Extensions](/techniques/T1547/006)
[Re-opened Applications](/techniques/T1547/007)
[LSASS Driver](/techniques/T1547/008)
[Shortcut Modification](/techniques/T1547/009)
[Port Monitors](/techniques/T1547/010)
[Print Processors](/techniques/T1547/012)
[XDG Autostart Entries](/techniques/T1547/013)
[Active Setup](/techniques/T1547/014)
[Login Items](/techniques/T1547/015)
[Boot or Logon Initialization Scripts (5)](/techniques/T1037)
[Logon Script (Windows)](/techniques/T1037/001)
[Login Hook](/techniques/T1037/002)
[Network Logon Script](/techniques/T1037/003)
[RC Scripts](/techniques/T1037/004)
[Startup Items](/techniques/T1037/005)
[Browser Extensions](/techniques/T1176)
[Compromise Host Software Binary](/techniques/T1554)
[Create Account (3)](/techniques/T1136)
[Local Account](/techniques/T1136/001)
[Domain Account](/techniques/T1136/002)
[Cloud Account](/techniques/T1136/003)
[Create or Modify System Process (5)](/techniques/T1543)
[Launch Agent](/techniques/T1543/001)
[Systemd Service](/techniques/T1543/002)
[Windows Service](/techniques/T1543/003)
[Launch Daemon](/techniques/T1543/004)
[Container Service](/techniques/T1543/005)
[Event Triggered Execution (17)](/techniques/T1546)
[Change Default File Association](/techniques/T1546/001)
[Screensaver](/techniques/T1546/002)
[Windows Management Instrumentation Event Subscription](/techniques/T1546/003)
[Unix Shell Configuration Modification](/techniques/T1546/004)
[Trap](/techniques/T1546/005)
[LC\_LOAD\_DYLIB Addition](/techniques/T1546/006)
[Netsh Helper DLL](/techniques/T1546/007)
[Accessibility Features](/techniques/T1546/008)
[AppCert DLLs](/techniques/T1546/009)
[AppInit DLLs](/techniques/T1546/010)
[Application Shimming](/techniques/T1546/011)
[Image File Execution Options Injection](/techniques/T1546/012)
[PowerShell Profile](/techniques/T1546/013)
[Emond](/techniques/T1546/014)
[Component Object Model Hijacking](/techniques/T1546/015)
[Installer Packages](/techniques/T1546/016)
[Udev Rules](/techniques/T1546/017)
[External Remote Services](/techniques/T1133)
[Hijack Execution Flow (13)](/techniques/T1574)
[DLL Search Order Hijacking](/techniques/T1574/001)
[DLL Side-Loading](/techniques/T1574/002)
[Dylib Hijacking](/techniques/T1574/004)
[Executable Installer File Permissions Weakness](/techniques/T1574/005)
[Dynamic Linker Hijacking](/techniques/T1574/006)
[Path Interception by PATH Environment Variable](/techniques/T1574/007)
[Path Interception by Search Order Hijacking](/techniques/T1574/008)
[Path Interception by Unquoted Path](/techniques/T1574/009)
[Services File Permissions Weakness](/techniques/T1574/010)
[Services Registry Permissions Weakness](/techniques/T1574/011)
[COR\_PROFILER](/techniques/T1574/012)
[KernelCallbackTable](/techniques/T1574/013)
[AppDomainManager](/techniques/T1574/014)
[Implant Internal Image](/techniques/T1525)
[Modify Authentication Process (9)](/techniques/T1556)
[Domain Controller Authentication](/techniques/T1556/001)
[Password Filter DLL](/techniques/T1556/002)
[Pluggable Authentication Modules](/techniques/T1556/003)
[Network Device Authentication](/techniques/T1556/004)
[Reversible Encryption](/techniques/T1556/005)
[Multi-Factor Authentication](/techniques/T1556/006)
[Hybrid Identity](/techniques/T1556/007)
[Network Provider DLL](/techniques/T1556/008)
[Conditional Access Policies](/techniques/T1556/009)
[Office Application Startup (6)](/techniques/T1137)
[Office Template Macros](/techniques/T1137/001)
[Office Test](/techniques/T1137/002)
[Outlook Forms](/techniques/T1137/003)
[Outlook Home Page](/techniques/T1137/004)
[Outlook Rules](/techniques/T1137/005)
[Add-ins](/techniques/T1137/006)
[Power Settings](/techniques/T1653)
[Pre-OS Boot (5)](/techniques/T1542)
[System Firmware](/techniques/T1542/001)
[Component Firmware](/techniques/T1542/002)
[Bootkit](/techniques/T1542/003)
[ROMMONkit](/techniques/T1542/004)
[TFTP Boot](/techniques/T1542/005)
[Scheduled Task/Job (5)](/techniques/T1053)
[At](/techniques/T1053/002)
[Cron](/techniques/T1053/003)
[Scheduled Task](/techniques/T1053/005)
[Systemd Timers](/techniques/T1053/006)
[Container Orchestration Job](/techniques/T1053/007)
[Server Software Component (5)](/techniques/T1505)
[SQL Stored Procedures](/techniques/T1505/001)
[Transport Agent](/techniques/T1505/002)
[Web Shell](/techniques/T1505/003)
[IIS Components](/techniques/T1505/004)
[Terminal Services DLL](/techniques/T1505/005)
[Traffic Signaling (2)](/techniques/T1205)
[Port Knocking](/techniques/T1205/001)
[Socket Filters](/techniques/T1205/002)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Abuse Elevation Control Mechanism (6)](/techniques/T1548)
[Setuid and Setgid](/techniques/T1548/001)
[Bypass User Account Control](/techniques/T1548/002)
[Sudo and Sudo Caching](/techniques/T1548/003)
[Elevated Execution with Prompt](/techniques/T1548/004)
[Temporary Elevated Cloud Access](/techniques/T1548/005)
[TCC Manipulation](/techniques/T1548/006)
[Access Token Manipulation (5)](/techniques/T1134)
[Token Impersonation/Theft](/techniques/T1134/001)
[Create Process with Token](/techniques/T1134/002)
[Make and Impersonate Token](/techniques/T1134/003)
[Parent PID Spoofing](/techniques/T1134/004)
[SID-History Injection](/techniques/T1134/005)
[Account Manipulation (7)](/techniques/T1098)
[Additional Cloud Credentials](/techniques/T1098/001)
[Additional Email Delegate Permissions](/techniques/T1098/002)
[Additional Cloud Roles](/techniques/T1098/003)
[SSH Authorized Keys](/techniques/T1098/004)
[Device Registration](/techniques/T1098/005)
[Additional Container Cluster Roles](/techniques/T1098/006)
[Additional Local or Domain Groups](/techniques/T1098/007)
[Boot or Logon Autostart Execution (14)](/techniques/T1547)
[Registry Run Keys / Startup Folder](/techniques/T1547/001)
[Authentication Package](/techniques/T1547/002)
[Time Providers](/techniques/T1547/003)
[Winlogon Helper DLL](/techniques/T1547/004)
[Security Support Provider](/techniques/T1547/005)
[Kernel Modules and Extensions](/techniques/T1547/006)
[Re-opened Applications](/techniques/T1547/007)
[LSASS Driver](/techniques/T1547/008)
[Shortcut Modification](/techniques/T1547/009)
[Port Monitors](/techniques/T1547/010)
[Print Processors](/techniques/T1547/012)
[XDG Autostart Entries](/techniques/T1547/013)
[Active Setup](/techniques/T1547/014)
[Login Items](/techniques/T1547/015)
[Boot or Logon Initialization Scripts (5)](/techniques/T1037)
[Logon Script (Windows)](/techniques/T1037/001)
[Login Hook](/techniques/T1037/002)
[Network Logon Script](/techniques/T1037/003)
[RC Scripts](/techniques/T1037/004)
[Startup Items](/techniques/T1037/005)
[Create or Modify System Process (5)](/techniques/T1543)
[Launch Agent](/techniques/T1543/001)
[Systemd Service](/techniques/T1543/002)
[Windows Service](/techniques/T1543/003)
[Launch Daemon](/techniques/T1543/004)
[Container Service](/techniques/T1543/005)
[Domain or Tenant Policy Modification (2)](/techniques/T1484)
[Group Policy Modification](/techniques/T1484/001)
[Trust Modification](/techniques/T1484/002)
[Escape to Host](/techniques/T1611)
[Event Triggered Execution (17)](/techniques/T1546)
[Change Default File Association](/techniques/T1546/001)
[Screensaver](/techniques/T1546/002)
[Windows Management Instrumentation Event Subscription](/techniques/T1546/003)
[Unix Shell Configuration Modification](/techniques/T1546/004)
[Trap](/techniques/T1546/005)
[LC\_LOAD\_DYLIB Addition](/techniques/T1546/006)
[Netsh Helper DLL](/techniques/T1546/007)
[Accessibility Features](/techniques/T1546/008)
[AppCert DLLs](/techniques/T1546/009)
[AppInit DLLs](/techniques/T1546/010)
[Application Shimming](/techniques/T1546/011)
[Image File Execution Options Injection](/techniques/T1546/012)
[PowerShell Profile](/techniques/T1546/013)
[Emond](/techniques/T1546/014)
[Component Object Model Hijacking](/techniques/T1546/015)
[Installer Packages](/techniques/T1546/016)
[Udev Rules](/techniques/T1546/017)
[Exploitation for Privilege Escalation](/techniques/T1068)
[Hijack Execution Flow (13)](/techniques/T1574)
[DLL Search Order Hijacking](/techniques/T1574/001)
[DLL Side-Loading](/techniques/T1574/002)
[Dylib Hijacking](/techniques/T1574/004)
[Executable Installer File Permissions Weakness](/techniques/T1574/005)
[Dynamic Linker Hijacking](/techniques/T1574/006)
[Path Interception by PATH Environment Variable](/techniques/T1574/007)
[Path Interception by Search Order Hijacking](/techniques/T1574/008)
[Path Interception by Unquoted Path](/techniques/T1574/009)
[Services File Permissions Weakness](/techniques/T1574/010)
[Services Registry Permissions Weakness](/techniques/T1574/011)
[COR\_PROFILER](/techniques/T1574/012)
[KernelCallbackTable](/techniques/T1574/013)
[AppDomainManager](/techniques/T1574/014)
[Process Injection (12)](/techniques/T1055)
[Dynamic-link Library Injection](/techniques/T1055/001)
[Portable Executable Injection](/techniques/T1055/002)
[Thread Execution Hijacking](/techniques/T1055/003)
[Asynchronous Procedure Call](/techniques/T1055/004)
[Thread Local Storage](/techniques/T1055/005)
[Ptrace System Calls](/techniques/T1055/008)
[Proc Memory](/techniques/T1055/009)
[Extra Window Memory Injection](/techniques/T1055/011)
[Process Hollowing](/techniques/T1055/012)
[Process Doppelgänging](/techniques/T1055/013)
[VDSO Hijacking](/techniques/T1055/014)
[ListPlanting](/techniques/T1055/015)
[Scheduled Task/Job (5)](/techniques/T1053)
[At](/techniques/T1053/002)
[Cron](/techniques/T1053/003)
[Scheduled Task](/techniques/T1053/005)
[Systemd Timers](/techniques/T1053/006)
[Container Orchestration Job](/techniques/T1053/007)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Abuse Elevation Control Mechanism (6)](/techniques/T1548)
[Setuid and Setgid](/techniques/T1548/001)
[Bypass User Account Control](/techniques/T1548/002)
[Sudo and Sudo Caching](/techniques/T1548/003)
[Elevated Execution with Prompt](/techniques/T1548/004)
[Temporary Elevated Cloud Access](/techniques/T1548/005)
[TCC Manipulation](/techniques/T1548/006)
[Access Token Manipulation (5)](/techniques/T1134)
[Token Impersonation/Theft](/techniques/T1134/001)
[Create Process with Token](/techniques/T1134/002)
[Make and Impersonate Token](/techniques/T1134/003)
[Parent PID Spoofing](/techniques/T1134/004)
[SID-History Injection](/techniques/T1134/005)
[BITS Jobs](/techniques/T1197)
[Build Image on Host](/techniques/T1612)
[Debugger Evasion](/techniques/T1622)
[Deobfuscate/Decode Files or Information](/techniques/T1140)
[Deploy Container](/techniques/T1610)
[Direct Volume Access](/techniques/T1006)
[Domain or Tenant Policy Modification (2)](/techniques/T1484)
[Group Policy Modification](/techniques/T1484/001)
[Trust Modification](/techniques/T1484/002)
[Execution Guardrails (2)](/techniques/T1480)
[Environmental Keying](/techniques/T1480/001)
[Mutual Exclusion](/techniques/T1480/002)
[Exploitation for Defense Evasion](/techniques/T1211)
[File and Directory Permissions Modification (2)](/techniques/T1222)
[Windows File and Directory Permissions Modification](/techniques/T1222/001)
[Linux and Mac File and Directory Permissions Modification](/techniques/T1222/002)
[Hide Artifacts (12)](/techniques/T1564)
[Hidden Files and Directories](/techniques/T1564/001)
[Hidden Users](/techniques/T1564/002)
[Hidden Window](/techniques/T1564/003)
[NTFS File Attributes](/techniques/T1564/004)
[Hidden File System](/techniques/T1564/005)
[Run Virtual Instance](/techniques/T1564/006)
[VBA Stomping](/techniques/T1564/007)
[Email Hiding Rules](/techniques/T1564/008)
[Resource Forking](/techniques/T1564/009)
[Process Argument Spoofing](/techniques/T1564/010)
[Ignore Process Interrupts](/techniques/T1564/011)
[File/Path Exclusions](/techniques/T1564/012)
[Hijack Execution Flow (13)](/techniques/T1574)
[DLL Search Order Hijacking](/techniques/T1574/001)
[DLL Side-Loading](/techniques/T1574/002)
[Dylib Hijacking](/techniques/T1574/004)
[Executable Installer File Permissions Weakness](/techniques/T1574/005)
[Dynamic Linker Hijacking](/techniques/T1574/006)
[Path Interception by PATH Environment Variable](/techniques/T1574/007)
[Path Interception by Search Order Hijacking](/techniques/T1574/008)
[Path Interception by Unquoted Path](/techniques/T1574/009)
[Services File Permissions Weakness](/techniques/T1574/010)
[Services Registry Permissions Weakness](/techniques/T1574/011)
[COR\_PROFILER](/techniques/T1574/012)
[KernelCallbackTable](/techniques/T1574/013)
[AppDomainManager](/techniques/T1574/014)
[Impair Defenses (11)](/techniques/T1562)
[Disable or Modify Tools](/techniques/T1562/001)
[Disable Windows Event Logging](/techniques/T1562/002)
[Impair Command History Logging](/techniques/T1562/003)
[Disable or Modify System Firewall](/techniques/T1562/004)
[Indicator Blocking](/techniques/T1562/006)
[Disable or Modify Cloud Firewall](/techniques/T1562/007)
[Disable or Modify Cloud Logs](/techniques/T1562/008)
[Safe Mode Boot](/techniques/T1562/009)
[Downgrade Attack](/techniques/T1562/010)
[Spoof Security Alerting](/techniques/T1562/011)
[Disable or Modify Linux Audit System](/techniques/T1562/012)
[Impersonation](/techniques/T1656)
[Indicator Removal (10)](/techniques/T1070)
[Clear Windows Event Logs](/techniques/T1070/001)
[Clear Linux or Mac System Logs](/techniques/T1070/002)
[Clear Command History](/techniques/T1070/003)
[File Deletion](/techniques/T1070/004)
[Network Share Connection Removal](/techniques/T1070/005)
[Timestomp](/techniques/T1070/006)
[Clear Network Connection History and Configurations](/techniques/T1070/007)
[Clear Mailbox Data](/techniques/T1070/008)
[Clear Persistence](/techniques/T1070/009)
[Relocate Malware](/techniques/T1070/010)
[Indirect Command Execution](/techniques/T1202)
[Masquerading (10)](/techniques/T1036)
[Invalid Code Signature](/techniques/T1036/001)
[Right-to-Left Override](/techniques/T1036/002)
[Rename System Utilities](/techniques/T1036/003)
[Masquerade Task or Service](/techniques/T1036/004)
[Match Legitimate Name or Location](/techniques/T1036/005)
[Space after Filename](/techniques/T1036/006)
[Double File Extension](/techniques/T1036/007)
[Masquerade File Type](/techniques/T1036/008)
[Break Process Trees](/techniques/T1036/009)
[Masquerade Account Name](/techniques/T1036/010)
[Modify Authentication Process (9)](/techniques/T1556)
[Domain Controller Authentication](/techniques/T1556/001)
[Password Filter DLL](/techniques/T1556/002)
[Pluggable Authentication Modules](/techniques/T1556/003)
[Network Device Authentication](/techniques/T1556/004)
[Reversible Encryption](/techniques/T1556/005)
[Multi-Factor Authentication](/techniques/T1556/006)
[Hybrid Identity](/techniques/T1556/007)
[Network Provider DLL](/techniques/T1556/008)
[Conditional Access Policies](/techniques/T1556/009)
[Modify Cloud Compute Infrastructure (5)](/techniques/T1578)
[Create Snapshot](/techniques/T1578/001)
[Create Cloud Instance](/techniques/T1578/002)
[Delete Cloud Instance](/techniques/T1578/003)
[Revert Cloud Instance](/techniques/T1578/004)
[Modify Cloud Compute Configurations](/techniques/T1578/005)
[Modify Cloud Resource Hierarchy](/techniques/T1666)
[Modify Registry](/techniques/T1112)
[Modify System Image (2)](/techniques/T1601)
[Patch System Image](/techniques/T1601/001)
[Downgrade System Image](/techniques/T1601/002)
[Network Boundary Bridging (1)](/techniques/T1599)
[Network Address Translation Traversal](/techniques/T1599/001)
[Obfuscated Files or Information (14)](/techniques/T1027)
[Binary Padding](/techniques/T1027/001)
[Software Packing](/techniques/T1027/002)
[Steganography](/techniques/T1027/003)
[Compile After Delivery](/techniques/T1027/004)
[Indicator Removal from Tools](/techniques/T1027/005)
[HTML Smuggling](/techniques/T1027/006)
[Dynamic API Resolution](/techniques/T1027/007)
[Stripped Payloads](/techniques/T1027/008)
[Embedded Payloads](/techniques/T1027/009)
[Command Obfuscation](/techniques/T1027/010)
[Fileless Storage](/techniques/T1027/011)
[LNK Icon Smuggling](/techniques/T1027/012)
[Encrypted/Encoded File](/techniques/T1027/013)
[Polymorphic Code](/techniques/T1027/014)
[Plist File Modification](/techniques/T1647)
[Pre-OS Boot (5)](/techniques/T1542)
[System Firmware](/techniques/T1542/001)
[Component Firmware](/techniques/T1542/002)
[Bootkit](/techniques/T1542/003)
[ROMMONkit](/techniques/T1542/004)
[TFTP Boot](/techniques/T1542/005)
[Process Injection (12)](/techniques/T1055)
[Dynamic-link Library Injection](/techniques/T1055/001)
[Portable Executable Injection](/techniques/T1055/002)
[Thread Execution Hijacking](/techniques/T1055/003)
[Asynchronous Procedure Call](/techniques/T1055/004)
[Thread Local Storage](/techniques/T1055/005)
[Ptrace System Calls](/techniques/T1055/008)
[Proc Memory](/techniques/T1055/009)
[Extra Window Memory Injection](/techniques/T1055/011)
[Process Hollowing](/techniques/T1055/012)
[Process Doppelgänging](/techniques/T1055/013)
[VDSO Hijacking](/techniques/T1055/014)
[ListPlanting](/techniques/T1055/015)
[Reflective Code Loading](/techniques/T1620)
[Rogue Domain Controller](/techniques/T1207)
[Rootkit](/techniques/T1014)
[Subvert Trust Controls (6)](/techniques/T1553)
[Gatekeeper Bypass](/techniques/T1553/001)
[Code Signing](/techniques/T1553/002)
[SIP and Trust Provider Hijacking](/techniques/T1553/003)
[Install Root Certificate](/techniques/T1553/004)
[Mark-of-the-Web Bypass](/techniques/T1553/005)
[Code Signing Policy Modification](/techniques/T1553/006)
[System Binary Proxy Execution (14)](/techniques/T1218)
[Compiled HTML File](/techniques/T1218/001)
[Control Panel](/techniques/T1218/002)
[CMSTP](/techniques/T1218/003)
[InstallUtil](/techniques/T1218/004)
[Mshta](/techniques/T1218/005)
[Msiexec](/techniques/T1218/007)
[Odbcconf](/techniques/T1218/008)
[Regsvcs/Regasm](/techniques/T1218/009)
[Regsvr32](/techniques/T1218/010)
[Rundll32](/techniques/T1218/011)
[Verclsid](/techniques/T1218/012)
[Mavinject](/techniques/T1218/013)
[MMC](/techniques/T1218/014)
[Electron Applications](/techniques/T1218/015)
[System Script Proxy Execution (2)](/techniques/T1216)
[PubPrn](/techniques/T1216/001)
[SyncAppvPublishingServer](/techniques/T1216/002)
[Template Injection](/techniques/T1221)
[Traffic Signaling (2)](/techniques/T1205)
[Port Knocking](/techniques/T1205/001)
[Socket Filters](/techniques/T1205/002)
[Trusted Developer Utilities Proxy Execution (2)](/techniques/T1127)
[MSBuild](/techniques/T1127/001)
[ClickOnce](/techniques/T1127/002)
[Unused/Unsupported Cloud Regions](/techniques/T1535)
[Use Alternate Authentication Material (4)](/techniques/T1550)
[Application Access Token](/techniques/T1550/001)
[Pass the Hash](/techniques/T1550/002)
[Pass the Ticket](/techniques/T1550/003)
[Web Session Cookie](/techniques/T1550/004)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Virtualization/Sandbox Evasion (3)](/techniques/T1497)
[System Checks](/techniques/T1497/001)
[User Activity Based Checks](/techniques/T1497/002)
[Time Based Evasion](/techniques/T1497/003)
[Weaken Encryption (2)](/techniques/T1600)
[Reduce Key Space](/techniques/T1600/001)
[Disable Crypto Hardware](/techniques/T1600/002)
[XSL Script Processing](/techniques/T1220)
[Adversary-in-the-Middle (4)](/techniques/T1557)
[LLMNR/NBT-NS Poisoning and SMB Relay](/techniques/T1557/001)
[ARP Cache Poisoning](/techniques/T1557/002)
[DHCP Spoofing](/techniques/T1557/003)
[Evil Twin](/techniques/T1557/004)
[Brute Force (4)](/techniques/T1110)
[Password Guessing](/techniques/T1110/001)
[Password Cracking](/techniques/T1110/002)
[Password Spraying](/techniques/T1110/003)
[Credential Stuffing](/techniques/T1110/004)
[Credentials from Password Stores (6)](/techniques/T1555)
[Keychain](/techniques/T1555/001)
[Securityd Memory](/techniques/T1555/002)
[Credentials from Web Browsers](/techniques/T1555/003)
[Windows Credential Manager](/techniques/T1555/004)
[Password Managers](/techniques/T1555/005)
[Cloud Secrets Management Stores](/techniques/T1555/006)
[Exploitation for Credential Access](/techniques/T1212)
[Forced Authentication](/techniques/T1187)
[Forge Web Credentials (2)](/techniques/T1606)
[Web Cookies](/techniques/T1606/001)
[SAML Tokens](/techniques/T1606/002)
[Input Capture (4)](/techniques/T1056)
[Keylogging](/techniques/T1056/001)
[GUI Input Capture](/techniques/T1056/002)
[Web Portal Capture](/techniques/T1056/003)
[Credential API Hooking](/techniques/T1056/004)
[Modify Authentication Process (9)](/techniques/T1556)
[Domain Controller Authentication](/techniques/T1556/001)
[Password Filter DLL](/techniques/T1556/002)
[Pluggable Authentication Modules](/techniques/T1556/003)
[Network Device Authentication](/techniques/T1556/004)
[Reversible Encryption](/techniques/T1556/005)
[Multi-Factor Authentication](/techniques/T1556/006)
[Hybrid Identity](/techniques/T1556/007)
[Network Provider DLL](/techniques/T1556/008)
[Conditional Access Policies](/techniques/T1556/009)
[Multi-Factor Authentication Interception](/techniques/T1111)
[Multi-Factor Authentication Request Generation](/techniques/T1621)
[Network Sniffing](/techniques/T1040)
[OS Credential Dumping (8)](/techniques/T1003)
[LSASS Memory](/techniques/T1003/001)
[Security Account Manager](/techniques/T1003/002)
[NTDS](/techniques/T1003/003)
[LSA Secrets](/techniques/T1003/004)
[Cached Domain Credentials](/techniques/T1003/005)
[DCSync](/techniques/T1003/006)
[Proc Filesystem](/techniques/T1003/007)
[/etc/passwd and /etc/shadow](/techniques/T1003/008)
[Steal Application Access Token](/techniques/T1528)
[Steal or Forge Authentication Certificates](/techniques/T1649)
[Steal or Forge Kerberos Tickets (5)](/techniques/T1558)
[Golden Ticket](/techniques/T1558/001)
[Silver Ticket](/techniques/T1558/002)
[Kerberoasting](/techniques/T1558/003)
[AS-REP Roasting](/techniques/T1558/004)
[Ccache Files](/techniques/T1558/005)
[Steal Web Session Cookie](/techniques/T1539)
[Unsecured Credentials (8)](/techniques/T1552)
[Credentials In Files](/techniques/T1552/001)
[Credentials in Registry](/techniques/T1552/002)
[Bash History](/techniques/T1552/003)
[Private Keys](/techniques/T1552/004)
[Cloud Instance Metadata API](/techniques/T1552/005)
[Group Policy Preferences](/techniques/T1552/006)
[Container API](/techniques/T1552/007)
[Chat Messages](/techniques/T1552/008)
[Account Discovery (4)](/techniques/T1087)
[Local Account](/techniques/T1087/001)
[Domain Account](/techniques/T1087/002)
[Email Account](/techniques/T1087/003)
[Cloud Account](/techniques/T1087/004)
[Application Window Discovery](/techniques/T1010)
[Browser Information Discovery](/techniques/T1217)
[Cloud Infrastructure Discovery](/techniques/T1580)
[Cloud Service Dashboard](/techniques/T1538)
[Cloud Service Discovery](/techniques/T1526)
[Cloud Storage Object Discovery](/techniques/T1619)
[Container and Resource Discovery](/techniques/T1613)
[Debugger Evasion](/techniques/T1622)
[Device Driver Discovery](/techniques/T1652)
[Domain Trust Discovery](/techniques/T1482)
[File and Directory Discovery](/techniques/T1083)
[Group Policy Discovery](/techniques/T1615)
[Log Enumeration](/techniques/T1654)
[Network Service Discovery](/techniques/T1046)
[Network Share Discovery](/techniques/T1135)
[Network Sniffing](/techniques/T1040)
[Password Policy Discovery](/techniques/T1201)
[Peripheral Device Discovery](/techniques/T1120)
[Permission Groups Discovery (3)](/techniques/T1069)
[Local Groups](/techniques/T1069/001)
[Domain Groups](/techniques/T1069/002)
[Cloud Groups](/techniques/T1069/003)
[Process Discovery](/techniques/T1057)
[Query Registry](/techniques/T1012)
[Remote System Discovery](/techniques/T1018)
[Software Discovery (1)](/techniques/T1518)
[Security Software Discovery](/techniques/T1518/001)
[System Information Discovery](/techniques/T1082)
[System Location Discovery (1)](/techniques/T1614)
[System Language Discovery](/techniques/T1614/001)
[System Network Configuration Discovery (2)](/techniques/T1016)
[Internet Connection Discovery](/techniques/T1016/001)
[Wi-Fi Discovery](/techniques/T1016/002)
[System Network Connections Discovery](/techniques/T1049)
[System Owner/User Discovery](/techniques/T1033)
[System Service Discovery](/techniques/T1007)
[System Time Discovery](/techniques/T1124)
[Virtualization/Sandbox Evasion (3)](/techniques/T1497)
[System Checks](/techniques/T1497/001)
[User Activity Based Checks](/techniques/T1497/002)
[Time Based Evasion](/techniques/T1497/003)
[Exploitation of Remote Services](/techniques/T1210)
[Internal Spearphishing](/techniques/T1534)
[Lateral Tool Transfer](/techniques/T1570)
[Remote Service Session Hijacking (2)](/techniques/T1563)
[SSH Hijacking](/techniques/T1563/001)
[RDP Hijacking](/techniques/T1563/002)
[Remote Services (8)](/techniques/T1021)
[Remote Desktop Protocol](/techniques/T1021/001)
[SMB/Windows Admin Shares](/techniques/T1021/002)
[Distributed Component Object Model](/techniques/T1021/003)
[SSH](/techniques/T1021/004)
[VNC](/techniques/T1021/005)
[Windows Remote Management](/techniques/T1021/006)
[Cloud Services](/techniques/T1021/007)
[Direct Cloud VM Connections](/techniques/T1021/008)
[Replication Through Removable Media](/techniques/T1091)
[Software Deployment Tools](/techniques/T1072)
[Taint Shared Content](/techniques/T1080)
[Use Alternate Authentication Material (4)](/techniques/T1550)
[Application Access Token](/techniques/T1550/001)
[Pass the Hash](/techniques/T1550/002)
[Pass the Ticket](/techniques/T1550/003)
[Web Session Cookie](/techniques/T1550/004)
[Adversary-in-the-Middle (4)](/techniques/T1557)
[LLMNR/NBT-NS Poisoning and SMB Relay](/techniques/T1557/001)
[ARP Cache Poisoning](/techniques/T1557/002)
[DHCP Spoofing](/techniques/T1557/003)
[Evil Twin](/techniques/T1557/004)
[Archive Collected Data (3)](/techniques/T1560)
[Archive via Utility](/techniques/T1560/001)
[Archive via Library](/techniques/T1560/002)
[Archive via Custom Method](/techniques/T1560/003)
[Audio Capture](/techniques/T1123)
[Automated Collection](/techniques/T1119)
[Browser Session Hijacking](/techniques/T1185)
[Clipboard Data](/techniques/T1115)
[Data from Cloud Storage](/techniques/T1530)
[Data from Configuration Repository (2)](/techniques/T1602)
[SNMP (MIB Dump)](/techniques/T1602/001)
[Network Device Configuration Dump](/techniques/T1602/002)
[Data from Information Repositories (5)](/techniques/T1213)
[Confluence](/techniques/T1213/001)
[Sharepoint](/techniques/T1213/002)
[Code Repositories](/techniques/T1213/003)
[Customer Relationship Management Software](/techniques/T1213/004)
[Messaging Applications](/techniques/T1213/005)
[Data from Local System](/techniques/T1005)
[Data from Network Shared Drive](/techniques/T1039)
[Data from Removable Media](/techniques/T1025)
[Data Staged (2)](/techniques/T1074)
[Local Data Staging](/techniques/T1074/001)
[Remote Data Staging](/techniques/T1074/002)
[Email Collection (3)](/techniques/T1114)
[Local Email Collection](/techniques/T1114/001)
[Remote Email Collection](/techniques/T1114/002)
[Email Forwarding Rule](/techniques/T1114/003)
[Input Capture (4)](/techniques/T1056)
[Keylogging](/techniques/T1056/001)
[GUI Input Capture](/techniques/T1056/002)
[Web Portal Capture](/techniques/T1056/003)
[Credential API Hooking](/techniques/T1056/004)
[Screen Capture](/techniques/T1113)
[Video Capture](/techniques/T1125)
[Application Layer Protocol (5)](/techniques/T1071)
[Web Protocols](/techniques/T1071/001)
[File Transfer Protocols](/techniques/T1071/002)
[Mail Protocols](/techniques/T1071/003)
[DNS](/techniques/T1071/004)
[Publish/Subscribe Protocols](/techniques/T1071/005)
[Communication Through Removable Media](/techniques/T1092)
[Content Injection](/techniques/T1659)
[Data Encoding (2)](/techniques/T1132)
[Standard Encoding](/techniques/T1132/001)
[Non-Standard Encoding](/techniques/T1132/002)
[Data Obfuscation (3)](/techniques/T1001)
[Junk Data](/techniques/T1001/001)
[Steganography](/techniques/T1001/002)
[Protocol or Service Impersonation](/techniques/T1001/003)
[Dynamic Resolution (3)](/techniques/T1568)
[Fast Flux DNS](/techniques/T1568/001)
[Domain Generation Algorithms](/techniques/T1568/002)
[DNS Calculation](/techniques/T1568/003)
[Encrypted Channel (2)](/techniques/T1573)
[Symmetric Cryptography](/techniques/T1573/001)
[Asymmetric Cryptography](/techniques/T1573/002)
[Fallback Channels](/techniques/T1008)
[Hide Infrastructure](/techniques/T1665)
[Ingress Tool Transfer](/techniques/T1105)
[Multi-Stage Channels](/techniques/T1104)
[Non-Application Layer Protocol](/techniques/T1095)
[Non-Standard Port](/techniques/T1571)
[Protocol Tunneling](/techniques/T1572)
[Proxy (4)](/techniques/T1090)
[Internal Proxy](/techniques/T1090/001)
[External Proxy](/techniques/T1090/002)
[Multi-hop Proxy](/techniques/T1090/003)
[Domain Fronting](/techniques/T1090/004)
[Remote Access Software](/techniques/T1219)
[Traffic Signaling (2)](/techniques/T1205)
[Port Knocking](/techniques/T1205/001)
[Socket Filters](/techniques/T1205/002)
[Web Service (3)](/techniques/T1102)
[Dead Drop Resolver](/techniques/T1102/001)
[Bidirectional Communication](/techniques/T1102/002)
[One-Way Communication](/techniques/T1102/003)
[Automated Exfiltration (1)](/techniques/T1020)
[Traffic Duplication](/techniques/T1020/001)
[Data Transfer Size Limits](/techniques/T1030)
[Exfiltration Over Alternative Protocol (3)](/techniques/T1048)
[Exfiltration Over Symmetric Encrypted Non-C2 Protocol](/techniques/T1048/001)
[Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](/techniques/T1048/002)
[Exfiltration Over Unencrypted Non-C2 Protocol](/techniques/T1048/003)
[Exfiltration Over C2 Channel](/techniques/T1041)
[Exfiltration Over Other Network Medium (1)](/techniques/T1011)
[Exfiltration Over Bluetooth](/techniques/T1011/001)
[Exfiltration Over Physical Medium (1)](/techniques/T1052)
[Exfiltration over USB](/techniques/T1052/001)
[Exfiltration Over Web Service (4)](/techniques/T1567)
[Exfiltration to Code Repository](/techniques/T1567/001)
[Exfiltration to Cloud Storage](/techniques/T1567/002)
[Exfiltration to Text Storage Sites](/techniques/T1567/003)
[Exfiltration Over Webhook](/techniques/T1567/004)
[Scheduled Transfer](/techniques/T1029)
[Transfer Data to Cloud Account](/techniques/T1537)
[Account Access Removal](/techniques/T1531)
[Data Destruction (1)](/techniques/T1485)
[Lifecycle-Triggered Deletion](/techniques/T1485/001)
[Data Encrypted for Impact](/techniques/T1486)
[Data Manipulation (3)](/techniques/T1565)
[Stored Data Manipulation](/techniques/T1565/001)
[Transmitted Data Manipulation](/techniques/T1565/002)
[Runtime Data Manipulation](/techniques/T1565/003)
[Defacement (2)](/techniques/T1491)
[Internal Defacement](/techniques/T1491/001)
[External Defacement](/techniques/T1491/002)
[Disk Wipe (2)](/techniques/T1561)
[Disk Content Wipe](/techniques/T1561/001)
[Disk Structure Wipe](/techniques/T1561/002)
[Endpoint Denial of Service (4)](/techniques/T1499)
[OS Exhaustion Flood](/techniques/T1499/001)
[Service Exhaustion Flood](/techniques/T1499/002)
[Application Exhaustion Flood](/techniques/T1499/003)
[Application or System Exploitation](/techniques/T1499/004)
[Financial Theft](/techniques/T1657)
[Firmware Corruption](/techniques/T1495)
[Inhibit System Recovery](/techniques/T1490)
[Network Denial of Service (2)](/techniques/T1498)
[Direct Network Flood](/techniques/T1498/001)
[Reflection Amplification](/techniques/T1498/002)
[Resource Hijacking (4)](/techniques/T1496)
[Compute Hijacking](/techniques/T1496/001)
[Bandwidth Hijacking](/techniques/T1496/002)
[SMS Pumping](/techniques/T1496/003)
[Cloud Service Hijacking](/techniques/T1496/004)
[Service Stop](/techniques/T1489)
[System Shutdown/Reboot](/techniques/T1529)
[Active Scanning (3)](/techniques/T1595)
[Scanning IP Blocks](/techniques/T1595/001)
[Vulnerability Scanning](/techniques/T1595/002)
[Wordlist Scanning](/techniques/T1595/003)
[Gather Victim Host Information (4)](/techniques/T1592)
[Hardware](/techniques/T1592/001)
[Software](/techniques/T1592/002)
[Firmware](/techniques/T1592/003)
[Client Configurations](/techniques/T1592/004)
[Gather Victim Identity Information (3)](/techniques/T1589)
[Credentials](/techniques/T1589/001)
[Email Addresses](/techniques/T1589/002)
[Employee Names](/techniques/T1589/003)
[Gather Victim Network Information (6)](/techniques/T1590)
[Domain Properties](/techniques/T1590/001)
[DNS](/techniques/T1590/002)
[Network Trust Dependencies](/techniques/T1590/003)
[Network Topology](/techniques/T1590/004)
[IP Addresses](/techniques/T1590/005)
[Network Security Appliances](/techniques/T1590/006)
[Gather Victim Org Information (4)](/techniques/T1591)
[Determine Physical Locations](/techniques/T1591/001)
[Business Relationships](/techniques/T1591/002)
[Identify Business Tempo](/techniques/T1591/003)
[Identify Roles](/techniques/T1591/004)
[Phishing for Information (4)](/techniques/T1598)
[Spearphishing Service](/techniques/T1598/001)
[Spearphishing Attachment](/techniques/T1598/002)
[Spearphishing Link](/techniques/T1598/003)
[Spearphishing Voice](/techniques/T1598/004)
[Search Closed Sources (2)](/techniques/T1597)
[Threat Intel Vendors](/techniques/T1597/001)
[Purchase Technical Data](/techniques/T1597/002)
[Search Open Technical Databases (5)](/techniques/T1596)
[DNS/Passive DNS](/techniques/T1596/001)
[WHOIS](/techniques/T1596/002)
[Digital Certificates](/techniques/T1596/003)
[CDNs](/techniques/T1596/004)
[Scan Databases](/techniques/T1596/005)
[Search Open Websites/Domains (3)](/techniques/T1593)
[Social Media](/techniques/T1593/001)
[Search Engines](/techniques/T1593/002)
[Code Repositories](/techniques/T1593/003)
[Search Victim-Owned Websites](/techniques/T1594)
[Acquire Access](/techniques/T1650)
[Acquire Infrastructure (8)](/techniques/T1583)
[Domains](/techniques/T1583/001)
[DNS Server](/techniques/T1583/002)
[Virtual Private Server](/techniques/T1583/003)
[Server](/techniques/T1583/004)
[Botnet](/techniques/T1583/005)
[Web Services](/techniques/T1583/006)
[Serverless](/techniques/T1583/007)
[Malvertising](/techniques/T1583/008)
[Compromise Accounts (3)](/techniques/T1586)
[Social Media Accounts](/techniques/T1586/001)
[Email Accounts](/techniques/T1586/002)
[Cloud Accounts](/techniques/T1586/003)
[Compromise Infrastructure (8)](/techniques/T1584)
[Domains](/techniques/T1584/001)
[DNS Server](/techniques/T1584/002)
[Virtual Private Server](/techniques/T1584/003)
[Server](/techniques/T1584/004)
[Botnet](/techniques/T1584/005)
[Web Services](/techniques/T1584/006)
[Serverless](/techniques/T1584/007)
[Network Devices](/techniques/T1584/008)
[Develop Capabilities (4)](/techniques/T1587)
[Malware](/techniques/T1587/001)
[Code Signing Certificates](/techniques/T1587/002)
[Digital Certificates](/techniques/T1587/003)
[Exploits](/techniques/T1587/004)
[Establish Accounts (3)](/techniques/T1585)
[Social Media Accounts](/techniques/T1585/001)
[Email Accounts](/techniques/T1585/002)
[Cloud Accounts](/techniques/T1585/003)
[Obtain Capabilities (7)](/techniques/T1588)
[Malware](/techniques/T1588/001)
[Tool](/techniques/T1588/002)
[Code Signing Certificates](/techniques/T1588/003)
[Digital Certificates](/techniques/T1588/004)
[Exploits](/techniques/T1588/005)
[Vulnerabilities](/techniques/T1588/006)
[Artificial Intelligence](/techniques/T1588/007)
[Stage Capabilities (6)](/techniques/T1608)
[Upload Malware](/techniques/T1608/001)
[Upload Tool](/techniques/T1608/002)
[Install Digital Certificate](/techniques/T1608/003)
[Drive-by Target](/techniques/T1608/004)
[Link Target](/techniques/T1608/005)
[SEO Poisoning](/techniques/T1608/006)
[Content Injection](/techniques/T1659)
[Drive-by Compromise](/techniques/T1189)
[Exploit Public-Facing Application](/techniques/T1190)
[External Remote Services](/techniques/T1133)
[Hardware Additions](/techniques/T1200)
[Phishing (4)](/techniques/T1566)
[Spearphishing Attachment](/techniques/T1566/001)
[Spearphishing Link](/techniques/T1566/002)
[Spearphishing via Service](/techniques/T1566/003)
[Spearphishing Voice](/techniques/T1566/004)
[Replication Through Removable Media](/techniques/T1091)
[Supply Chain Compromise (3)](/techniques/T1195)
[Compromise Software Dependencies and Development Tools](/techniques/T1195/001)
[Compromise Software Supply Chain](/techniques/T1195/002)
[Compromise Hardware Supply Chain](/techniques/T1195/003)
[Trusted Relationship](/techniques/T1199)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Cloud Administration Command](/techniques/T1651)
[Command and Scripting Interpreter (11)](/techniques/T1059)
[PowerShell](/techniques/T1059/001)
[AppleScript](/techniques/T1059/002)
[Windows Command Shell](/techniques/T1059/003)
[Unix Shell](/techniques/T1059/004)
[Visual Basic](/techniques/T1059/005)
[Python](/techniques/T1059/006)
[JavaScript](/techniques/T1059/007)
[Network Device CLI](/techniques/T1059/008)
[Cloud API](/techniques/T1059/009)
[AutoHotKey & AutoIT](/techniques/T1059/010)
[Lua](/techniques/T1059/011)
[Container Administration Command](/techniques/T1609)
[Deploy Container](/techniques/T1610)
[Exploitation for Client Execution](/techniques/T1203)
[Inter-Process Communication (3)](/techniques/T1559)
[Component Object Model](/techniques/T1559/001)
[Dynamic Data Exchange](/techniques/T1559/002)
[XPC Services](/techniques/T1559/003)
[Native API](/techniques/T1106)
[Scheduled Task/Job (5)](/techniques/T1053)
[At](/techniques/T1053/002)
[Cron](/techniques/T1053/003)
[Scheduled Task](/techniques/T1053/005)
[Systemd Timers](/techniques/T1053/006)
[Container Orchestration Job](/techniques/T1053/007)
[Serverless Execution](/techniques/T1648)
[Shared Modules](/techniques/T1129)
[Software Deployment Tools](/techniques/T1072)
[System Services (2)](/techniques/T1569)
[Launchctl](/techniques/T1569/001)
[Service Execution](/techniques/T1569/002)
[User Execution (3)](/techniques/T1204)
[Malicious Link](/techniques/T1204/001)
[Malicious File](/techniques/T1204/002)
[Malicious Image](/techniques/T1204/003)
[Windows Management Instrumentation](/techniques/T1047)
[Account Manipulation (7)](/techniques/T1098)
[Additional Cloud Credentials](/techniques/T1098/001)
[Additional Email Delegate Permissions](/techniques/T1098/002)
[Additional Cloud Roles](/techniques/T1098/003)
[SSH Authorized Keys](/techniques/T1098/004)
[Device Registration](/techniques/T1098/005)
[Additional Container Cluster Roles](/techniques/T1098/006)
[Additional Local or Domain Groups](/techniques/T1098/007)
[BITS Jobs](/techniques/T1197)
[Boot or Logon Autostart Execution (14)](/techniques/T1547)
[Registry Run Keys / Startup Folder](/techniques/T1547/001)
[Authentication Package](/techniques/T1547/002)
[Time Providers](/techniques/T1547/003)
[Winlogon Helper DLL](/techniques/T1547/004)
[Security Support Provider](/techniques/T1547/005)
[Kernel Modules and Extensions](/techniques/T1547/006)
[Re-opened Applications](/techniques/T1547/007)
[LSASS Driver](/techniques/T1547/008)
[Shortcut Modification](/techniques/T1547/009)
[Port Monitors](/techniques/T1547/010)
[Print Processors](/techniques/T1547/012)
[XDG Autostart Entries](/techniques/T1547/013)
[Active Setup](/techniques/T1547/014)
[Login Items](/techniques/T1547/015)
[Boot or Logon Initialization Scripts (5)](/techniques/T1037)
[Logon Script (Windows)](/techniques/T1037/001)
[Login Hook](/techniques/T1037/002)
[Network Logon Script](/techniques/T1037/003)
[RC Scripts](/techniques/T1037/004)
[Startup Items](/techniques/T1037/005)
[Browser Extensions](/techniques/T1176)
[Compromise Host Software Binary](/techniques/T1554)
[Create Account (3)](/techniques/T1136)
[Local Account](/techniques/T1136/001)
[Domain Account](/techniques/T1136/002)
[Cloud Account](/techniques/T1136/003)
[Create or Modify System Process (5)](/techniques/T1543)
[Launch Agent](/techniques/T1543/001)
[Systemd Service](/techniques/T1543/002)
[Windows Service](/techniques/T1543/003)
[Launch Daemon](/techniques/T1543/004)
[Container Service](/techniques/T1543/005)
[Event Triggered Execution (17)](/techniques/T1546)
[Change Default File Association](/techniques/T1546/001)
[Screensaver](/techniques/T1546/002)
[Windows Management Instrumentation Event Subscription](/techniques/T1546/003)
[Unix Shell Configuration Modification](/techniques/T1546/004)
[Trap](/techniques/T1546/005)
[LC\_LOAD\_DYLIB Addition](/techniques/T1546/006)
[Netsh Helper DLL](/techniques/T1546/007)
[Accessibility Features](/techniques/T1546/008)
[AppCert DLLs](/techniques/T1546/009)
[AppInit DLLs](/techniques/T1546/010)
[Application Shimming](/techniques/T1546/011)
[Image File Execution Options Injection](/techniques/T1546/012)
[PowerShell Profile](/techniques/T1546/013)
[Emond](/techniques/T1546/014)
[Component Object Model Hijacking](/techniques/T1546/015)
[Installer Packages](/techniques/T1546/016)
[Udev Rules](/techniques/T1546/017)
[External Remote Services](/techniques/T1133)
[Hijack Execution Flow (13)](/techniques/T1574)
[DLL Search Order Hijacking](/techniques/T1574/001)
[DLL Side-Loading](/techniques/T1574/002)
[Dylib Hijacking](/techniques/T1574/004)
[Executable Installer File Permissions Weakness](/techniques/T1574/005)
[Dynamic Linker Hijacking](/techniques/T1574/006)
[Path Interception by PATH Environment Variable](/techniques/T1574/007)
[Path Interception by Search Order Hijacking](/techniques/T1574/008)
[Path Interception by Unquoted Path](/techniques/T1574/009)
[Services File Permissions Weakness](/techniques/T1574/010)
[Services Registry Permissions Weakness](/techniques/T1574/011)
[COR\_PROFILER](/techniques/T1574/012)
[KernelCallbackTable](/techniques/T1574/013)
[AppDomainManager](/techniques/T1574/014)
[Implant Internal Image](/techniques/T1525)
[Modify Authentication Process (9)](/techniques/T1556)
[Domain Controller Authentication](/techniques/T1556/001)
[Password Filter DLL](/techniques/T1556/002)
[Pluggable Authentication Modules](/techniques/T1556/003)
[Network Device Authentication](/techniques/T1556/004)
[Reversible Encryption](/techniques/T1556/005)
[Multi-Factor Authentication](/techniques/T1556/006)
[Hybrid Identity](/techniques/T1556/007)
[Network Provider DLL](/techniques/T1556/008)
[Conditional Access Policies](/techniques/T1556/009)
[Office Application Startup (6)](/techniques/T1137)
[Office Template Macros](/techniques/T1137/001)
[Office Test](/techniques/T1137/002)
[Outlook Forms](/techniques/T1137/003)
[Outlook Home Page](/techniques/T1137/004)
[Outlook Rules](/techniques/T1137/005)
[Add-ins](/techniques/T1137/006)
[Power Settings](/techniques/T1653)
[Pre-OS Boot (5)](/techniques/T1542)
[System Firmware](/techniques/T1542/001)
[Component Firmware](/techniques/T1542/002)
[Bootkit](/techniques/T1542/003)
[ROMMONkit](/techniques/T1542/004)
[TFTP Boot](/techniques/T1542/005)
[Scheduled Task/Job (5)](/techniques/T1053)
[At](/techniques/T1053/002)
[Cron](/techniques/T1053/003)
[Scheduled Task](/techniques/T1053/005)
[Systemd Timers](/techniques/T1053/006)
[Container Orchestration Job](/techniques/T1053/007)
[Server Software Component (5)](/techniques/T1505)
[SQL Stored Procedures](/techniques/T1505/001)
[Transport Agent](/techniques/T1505/002)
[Web Shell](/techniques/T1505/003)
[IIS Components](/techniques/T1505/004)
[Terminal Services DLL](/techniques/T1505/005)
[Traffic Signaling (2)](/techniques/T1205)
[Port Knocking](/techniques/T1205/001)
[Socket Filters](/techniques/T1205/002)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Abuse Elevation Control Mechanism (6)](/techniques/T1548)
[Setuid and Setgid](/techniques/T1548/001)
[Bypass User Account Control](/techniques/T1548/002)
[Sudo and Sudo Caching](/techniques/T1548/003)
[Elevated Execution with Prompt](/techniques/T1548/004)
[Temporary Elevated Cloud Access](/techniques/T1548/005)
[TCC Manipulation](/techniques/T1548/006)
[Access Token Manipulation (5)](/techniques/T1134)
[Token Impersonation/Theft](/techniques/T1134/001)
[Create Process with Token](/techniques/T1134/002)
[Make and Impersonate Token](/techniques/T1134/003)
[Parent PID Spoofing](/techniques/T1134/004)
[SID-History Injection](/techniques/T1134/005)
[Account Manipulation (7)](/techniques/T1098)
[Additional Cloud Credentials](/techniques/T1098/001)
[Additional Email Delegate Permissions](/techniques/T1098/002)
[Additional Cloud Roles](/techniques/T1098/003)
[SSH Authorized Keys](/techniques/T1098/004)
[Device Registration](/techniques/T1098/005)
[Additional Container Cluster Roles](/techniques/T1098/006)
[Additional Local or Domain Groups](/techniques/T1098/007)
[Boot or Logon Autostart Execution (14)](/techniques/T1547)
[Registry Run Keys / Startup Folder](/techniques/T1547/001)
[Authentication Package](/techniques/T1547/002)
[Time Providers](/techniques/T1547/003)
[Winlogon Helper DLL](/techniques/T1547/004)
[Security Support Provider](/techniques/T1547/005)
[Kernel Modules and Extensions](/techniques/T1547/006)
[Re-opened Applications](/techniques/T1547/007)
[LSASS Driver](/techniques/T1547/008)
[Shortcut Modification](/techniques/T1547/009)
[Port Monitors](/techniques/T1547/010)
[Print Processors](/techniques/T1547/012)
[XDG Autostart Entries](/techniques/T1547/013)
[Active Setup](/techniques/T1547/014)
[Login Items](/techniques/T1547/015)
[Boot or Logon Initialization Scripts (5)](/techniques/T1037)
[Logon Script (Windows)](/techniques/T1037/001)
[Login Hook](/techniques/T1037/002)
[Network Logon Script](/techniques/T1037/003)
[RC Scripts](/techniques/T1037/004)
[Startup Items](/techniques/T1037/005)
[Create or Modify System Process (5)](/techniques/T1543)
[Launch Agent](/techniques/T1543/001)
[Systemd Service](/techniques/T1543/002)
[Windows Service](/techniques/T1543/003)
[Launch Daemon](/techniques/T1543/004)
[Container Service](/techniques/T1543/005)
[Domain or Tenant Policy Modification (2)](/techniques/T1484)
[Group Policy Modification](/techniques/T1484/001)
[Trust Modification](/techniques/T1484/002)
[Escape to Host](/techniques/T1611)
[Event Triggered Execution (17)](/techniques/T1546)
[Change Default File Association](/techniques/T1546/001)
[Screensaver](/techniques/T1546/002)
[Windows Management Instrumentation Event Subscription](/techniques/T1546/003)
[Unix Shell Configuration Modification](/techniques/T1546/004)
[Trap](/techniques/T1546/005)
[LC\_LOAD\_DYLIB Addition](/techniques/T1546/006)
[Netsh Helper DLL](/techniques/T1546/007)
[Accessibility Features](/techniques/T1546/008)
[AppCert DLLs](/techniques/T1546/009)
[AppInit DLLs](/techniques/T1546/010)
[Application Shimming](/techniques/T1546/011)
[Image File Execution Options Injection](/techniques/T1546/012)
[PowerShell Profile](/techniques/T1546/013)
[Emond](/techniques/T1546/014)
[Component Object Model Hijacking](/techniques/T1546/015)
[Installer Packages](/techniques/T1546/016)
[Udev Rules](/techniques/T1546/017)
[Exploitation for Privilege Escalation](/techniques/T1068)
[Hijack Execution Flow (13)](/techniques/T1574)
[DLL Search Order Hijacking](/techniques/T1574/001)
[DLL Side-Loading](/techniques/T1574/002)
[Dylib Hijacking](/techniques/T1574/004)
[Executable Installer File Permissions Weakness](/techniques/T1574/005)
[Dynamic Linker Hijacking](/techniques/T1574/006)
[Path Interception by PATH Environment Variable](/techniques/T1574/007)
[Path Interception by Search Order Hijacking](/techniques/T1574/008)
[Path Interception by Unquoted Path](/techniques/T1574/009)
[Services File Permissions Weakness](/techniques/T1574/010)
[Services Registry Permissions Weakness](/techniques/T1574/011)
[COR\_PROFILER](/techniques/T1574/012)
[KernelCallbackTable](/techniques/T1574/013)
[AppDomainManager](/techniques/T1574/014)
[Process Injection (12)](/techniques/T1055)
[Dynamic-link Library Injection](/techniques/T1055/001)
[Portable Executable Injection](/techniques/T1055/002)
[Thread Execution Hijacking](/techniques/T1055/003)
[Asynchronous Procedure Call](/techniques/T1055/004)
[Thread Local Storage](/techniques/T1055/005)
[Ptrace System Calls](/techniques/T1055/008)
[Proc Memory](/techniques/T1055/009)
[Extra Window Memory Injection](/techniques/T1055/011)
[Process Hollowing](/techniques/T1055/012)
[Process Doppelgänging](/techniques/T1055/013)
[VDSO Hijacking](/techniques/T1055/014)
[ListPlanting](/techniques/T1055/015)
[Scheduled Task/Job (5)](/techniques/T1053)
[At](/techniques/T1053/002)
[Cron](/techniques/T1053/003)
[Scheduled Task](/techniques/T1053/005)
[Systemd Timers](/techniques/T1053/006)
[Container Orchestration Job](/techniques/T1053/007)
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
[Abuse Elevation Control Mechanism (6)](/techniques/T1548)
[Setuid and Setgid](/techniques/T1548/001)
[Bypass User Account Control](/techniques/T1548/002)
[Sudo and Sudo Caching](/techniques/T1548/003)
[Elevated Execution with Prompt](/techniques/T1548/004)
[Temporary Elevated Cloud Access](/techniques/T1548/005)
[TCC Manipulation](/techniques/T1548/006)
[Access Token Manipulation (5)](/techniques/T1134)
[Token Impersonation/Theft](/techniques/T1134/001)
[Create Process with Token](/techniques/T1134/002)
[Make and Impersonate Token](/techniques/T1134/003)
[Parent PID Spoofing](/techniques/T1134/004)
[SID-History Injection](/techniques/T1134/005)
[BITS Jobs](/techniques/T1197)
[Build Image on Host](/techniques/T1612)
[Debugger Evasion](/techniques/T1622)
[Deobfuscate/Decode Files or Information](/techniques/T1140)
[Deploy Container](/techniques/T1610)
[Direct Volume Access](/techniques/T1006)
[Domain or Tenant Policy Modification (2)](/techniques/T1484)
[Group Policy Modification](/techniques/T1484/001)
[Trust Modification](/techniques/T1484/002)
[Execution Guardrails (2)](/techniques/T1480)
[Environmental Keying](/techniques/T1480/001)
[Mutual Exclusion](/techniques/T1480/002)
[Exploitation for Defense Evasion](/techniques/T1211)
[File and Directory Permissions Modification (2)](/techniques/T1222)
[Windows File and Directory Permissions Modification](/techniques/T1222/001)
[Linux and Mac File and Directory Permissions Modification](/techniques/T1222/002)
[Hide Artifacts (12)](/techniques/T1564)
[Hidden Files and Directories](/techniques/T1564/001)
[Hidden Users](/techniques/T1564/002)
[Hidden Window](/techniques/T1564/003)
[NTFS File Attributes](/techniques/T1564/004)
[Hidden File System](/techniques/T1564/005)
[Run Virtual Instance](/techniques/T1564/006)
[VBA Stomping](/techniques/T1564/007)
[Email Hiding Rules](/techniques/T1564/008)
[Resource Forking](/techniques/T1564/009)
[Process Argument Spoofing](/techniques/T1564/010)
[Ignore Process Interrupts](/techniques/T1564/011)
[File/Path Exclusions](/techniques/T1564/012)
[Hijack Execution Flow (13)](/techniques/T1574)
[DLL Search Order Hijacking](/techniques/T1574/001)
[DLL Side-Loading](/techniques/T1574/002)
[Dylib Hijacking](/techniques/T1574/004)
[Executable Installer File Permissions Weakness](/techniques/T1574/005)
[Dynamic Linker Hijacking](/techniques/T1574/006)
[Path Interception by PATH Environment Variable](/techniques/T1574/007)
[Path Interception by Search Order Hijacking](/techniques/T1574/008)
[Path Interception by Unquoted Path](/techniques/T1574/009)
[Services File Permissions Weakness](/techniques/T1574/010)
[Services Registry Permissions Weakness](/techniques/T1574/011)
[COR\_PROFILER](/techniques/T1574/012)
[KernelCallbackTable](/techniques/T1574/013)
[AppDomainManager](/techniques/T1574/014)
[Impair Defenses (11)](/techniques/T1562)
[Disable or Modify Tools](/techniques/T1562/001)
[Disable Windows Event Logging](/techniques/T1562/002)
[Impair Command History Logging](/techniques/T1562/003)
[Disable or Modify System Firewall](/techniques/T1562/004)
[Indicator Blocking](/techniques/T1562/006)
[Disable or Modify Cloud Firewall](/techniques/T1562/007)
[Disable or Modify Cloud Logs](/techniques/T1562/008)
[Safe Mode Boot](/techniques/T1562/009)
[Downgrade Attack](/techniques/T1562/010)
[Spoof Security Alerting](/techniques/T1562/011)
[Disable or Modify Linux Audit System](/techniques/T1562/012)
[Impersonation](/techniques/T1656)
[Indicator Removal (10)](/techniques/T1070)
[Clear Windows Event Logs](/techniques/T1070/001)
[Clear Linux or Mac System Logs](/techniques/T1070/002)
[Clear Command History](/techniques/T1070/003)
[File Deletion](/techniques/T1070/004)
[Network Share Connection Removal](/techniques/T1070/005)
[Timestomp](/techniques/T1070/006)
[Clear Network Connection History and Configurations](/techniques/T1070/007)
[Clear Mailbox Data](/techniques/T1070/008)
[Clear Persistence](/techniques/T1070/009)
[Relocate Malware](/techniques/T1070/010)
[Indirect Command Execution](/techniques/T1202)
[Masquerading (10)](/techniques/T1036)
[Invalid Code Signature](/techniques/T1036/001)
[Right-to-Left Override](/techniques/T1036/002)
[Rename System Utilities](/techniques/T1036/003)
[Masquerade Task or Service](/techniques/T1036/004)
[Match Legitimate Name or Location](/techniques/T1036/005)
[Space after Filename](/techniques/T1036/006)
[Double File Extension](/techniques/T1036/007)
[Masquerade File Type](/techniques/T1036/008)
[Break Process Trees](/techniques/T1036/009)
[Masquerade Account Name](/techniques/T1036/010)
[Modify Authentication Process (9)](/techniques/T1556)
[Domain Controller Authentication](/techniques/T1556/001)
[Password Filter DLL](/techniques/T1556/002)
[Pluggable Authentication Modules](/techniques/T1556/003)
[Network Device Authentication](/techniques/T1556/004)
[Reversible Encryption](/techniques/T1556/005)
[Multi-Factor Authentication](/techniques/T1556/006)
[Hybrid Identity](/techniques/T1556/007)
[Network Provider DLL](/techniques/T1556/008)
[Conditional Access Policies](/techniques/T1556/009)
\=
[Modify Cloud Compute Infrastructure (5)](/techniques/T1578)
[Create Snapshot](/techniques/T1578/001)
[Create Cloud Instance](/techniques/T1578/002)
[Delete Cloud Instance](/techniques/T1578/003)
[Revert Cloud Instance](/techniques/T1578/004)
[Modify Cloud Compute Configurations](/techniques/T1578/005)
[Modify Cloud Resource Hierarchy](/techniques/T1666)
[Modify Registry](/techniques/T1112)
\=
[Modify System Image (2)](/techniques/T1601)
[Patch System Image](/techniques/T1601/001)
[Downgrade System Image](/techniques/T1601/002)
\=
[Network Boundary Bridging (1)](/techniques/T1599)
[Network Address Translation Traversal](/techniques/T1599/001)
\=
[Obfuscated Files or Information (14)](/techniques/T1027)
[Binary Padding](/techniques/T1027/001)
[Software Packing](/techniques/T1027/002)
[Steganography](/techniques/T1027/003)
[Compile After Delivery](/techniques/T1027/004)
[Indicator Removal from Tools](/techniques/T1027/005)
[HTML Smuggling](/techniques/T1027/006)
[Dynamic API Resolution](/techniques/T1027/007)
[Stripped Payloads](/techniques/T1027/008)
[Embedded Payloads](/techniques/T1027/009)
[Command Obfuscation](/techniques/T1027/010)
[Fileless Storage](/techniques/T1027/011)
[LNK Icon Smuggling](/techniques/T1027/012)
[Encrypted/Encoded File](/techniques/T1027/013)
[Polymorphic Code](/techniques/T1027/014)
[Plist File Modification](/techniques/T1647)
\=
[Pre-OS Boot (5)](/techniques/T1542)
[System Firmware](/techniques/T1542/001)
[Component Firmware](/techniques/T1542/002)
[Bootkit](/techniques/T1542/003)
[ROMMONkit](/techniques/T1542/004)
[TFTP Boot](/techniques/T1542/005)
\=
[Process Injection (12)](/techniques/T1055)
[Dynamic-link Library Injection](/techniques/T1055/001)
[Portable Executable Injection](/techniques/T1055/002)
[Thread Execution Hijacking](/techniques/T1055/003)
[Asynchronous Procedure Call](/techniques/T1055/004)
[Thread Local Storage](/techniques/T1055/005)
[Ptrace System Calls](/techniques/T1055/008)
[Proc Memory](/techniques/T1055/009)
[Extra Window Memory Injection](/techniques/T1055/011)
[Process Hollowing](/techniques/T1055/012)
[Process Doppelgänging](/techniques/T1055/013)
[VDSO Hijacking](/techniques/T1055/014)
[ListPlanting](/techniques/T1055/015)
[Reflective Code Loading](/techniques/T1620)
[Rogue Domain Controller](/techniques/T1207)
[Rootkit](/techniques/T1014)
\=
[Subvert Trust Controls (6)](/techniques/T1553)
[Gatekeeper Bypass](/techniques/T1553/001)
[Code Signing](/techniques/T1553/002)
[SIP and Trust Provider Hijacking](/techniques/T1553/003)
[Install Root Certificate](/techniques/T1553/004)
[Mark-of-the-Web Bypass](/techniques/T1553/005)
[Code Signing Policy Modification](/techniques/T1553/006)
\=
[System Binary Proxy Execution (14)](/techniques/T1218)
[Compiled HTML File](/techniques/T1218/001)
[Control Panel](/techniques/T1218/002)
[CMSTP](/techniques/T1218/003)
[InstallUtil](/techniques/T1218/004)
[Mshta](/techniques/T1218/005)
[Msiexec](/techniques/T1218/007)
[Odbcconf](/techniques/T1218/008)
[Regsvcs/Regasm](/techniques/T1218/009)
[Regsvr32](/techniques/T1218/010)
[Rundll32](/techniques/T1218/011)
[Verclsid](/techniques/T1218/012)
[Mavinject](/techniques/T1218/013)
[MMC](/techniques/T1218/014)
[Electron Applications](/techniques/T1218/015)
\=
[System Script Proxy Execution (2)](/techniques/T1216)
[PubPrn](/techniques/T1216/001)
[SyncAppvPublishingServer](/techniques/T1216/002)
[Template Injection](/techniques/T1221)
\=
[Traffic Signaling (2)](/techniques/T1205)
[Port Knocking](/techniques/T1205/001)
[Socket Filters](/techniques/T1205/002)
\=
[Trusted Developer Utilities Proxy Execution (2)](/techniques/T1127)
[MSBuild](/techniques/T1127/001)
[ClickOnce](/techniques/T1127/002)
[Unused/Unsupported Cloud Regions](/techniques/T1535)
\=
[Use Alternate Authentication Material (4)](/techniques/T1550)
[Application Access Token](/techniques/T1550/001)
[Pass the Hash](/techniques/T1550/002)
[Pass the Ticket](/techniques/T1550/003)
[Web Session Cookie](/techniques/T1550/004)
\=
[Valid Accounts (4)](/techniques/T1078)
[Default Accounts](/techniques/T1078/001)
[Domain Accounts](/techniques/T1078/002)
[Local Accounts](/techniques/T1078/003)
[Cloud Accounts](/techniques/T1078/004)
\=
[Virtualization/Sandbox Evasion (3)](/techniques/T1497)
[System Checks](/techniques/T1497/001)
[User Activity Based Checks](/techniques/T1497/002)
[Time Based Evasion](/techniques/T1497/003)
\=
[Weaken Encryption (2)](/techniques/T1600)
[Reduce Key Space](/techniques/T1600/001)
[Disable Crypto Hardware](/techniques/T1600/002)
[XSL Script Processing](/techniques/T1220)
\=
[Adversary-in-the-Middle (4)](/techniques/T1557)
[LLMNR/NBT-NS Poisoning and SMB Relay](/techniques/T1557/001)
[ARP Cache Poisoning](/techniques/T1557/002)
[DHCP Spoofing](/techniques/T1557/003)
[Evil Twin](/techniques/T1557/004)
\=
[Brute Force (4)](/techniques/T1110)
[Password Guessing](/techniques/T1110/001)
[Password Cracking](/techniques/T1110/002)
[Password Spraying](/techniques/T1110/003)
[Credential Stuffing](/techniques/T1110/004)
\=
[Credentials from Password Stores (6)](/techniques/T1555)
[Keychain](/techniques/T1555/001)
[Securityd Memory](/techniques/T1555/002)
[Credentials from Web Browsers](/techniques/T1555/003)
[Windows Credential Manager](/techniques/T1555/004)
[Password Managers](/techniques/T1555/005)
[Cloud Secrets Management Stores](/techniques/T1555/006)
[Exploitation for Credential Access](/techniques/T1212)
[Forced Authentication](/techniques/T1187)
\=
[Forge Web Credentials (2)](/techniques/T1606)
[Web Cookies](/techniques/T1606/001)
[SAML Tokens](/techniques/T1606/002)
\=
[Input Capture (4)](/techniques/T1056)
[Keylogging](/techniques/T1056/001)
[GUI Input Capture](/techniques/T1056/002)
[Web Portal Capture](/techniques/T1056/003)
[Credential API Hooking](/techniques/T1056/004)
\=
[Modify Authentication Process (9)](/techniques/T1556)
[Domain Controller Authentication](/techniques/T1556/001)
[Password Filter DLL](/techniques/T1556/002)
[Pluggable Authentication Modules](/techniques/T1556/003)
[Network Device Authentication](/techniques/T1556/004)
[Reversible Encryption](/techniques/T1556/005)
[Multi-Factor Authentication](/techniques/T1556/006)
[Hybrid Identity](/techniques/T1556/007)
[Network Provider DLL](/techniques/T1556/008)
[Conditional Access Policies](/techniques/T1556/009)
[Multi-Factor Authentication Interception](/techniques/T1111)
[Multi-Factor Authentication Request Generation](/techniques/T1621)
[Network Sniffing](/techniques/T1040)
\=
[OS Credential Dumping (8)](/techniques/T1003)
[LSASS Memory](/techniques/T1003/001)
[Security Account Manager](/techniques/T1003/002)
[NTDS](/techniques/T1003/003)
[LSA Secrets](/techniques/T1003/004)
[Cached Domain Credentials](/techniques/T1003/005)
[DCSync](/techniques/T1003/006)
[Proc Filesystem](/techniques/T1003/007)
[/etc/passwd and /etc/shadow](/techniques/T1003/008)
[Steal Application Access Token](/techniques/T1528)
[Steal or Forge Authentication Certificates](/techniques/T1649)
\=
[Steal or Forge Kerberos Tickets (5)](/techniques/T1558)
[Golden Ticket](/techniques/T1558/001)
[Silver Ticket](/techniques/T1558/002)
[Kerberoasting](/techniques/T1558/003)
[AS-REP Roasting](/techniques/T1558/004)
[Ccache Files](/techniques/T1558/005)
[Steal Web Session Cookie](/techniques/T1539)
\=
[Unsecured Credentials (8)](/techniques/T1552)
[Credentials In Files](/techniques/T1552/001)
[Credentials in Registry](/techniques/T1552/002)
[Bash History](/techniques/T1552/003)
[Private Keys](/techniques/T1552/004)
[Cloud Instance Metadata API](/techniques/T1552/005)
[Group Policy Preferences](/techniques/T1552/006)
[Container API](/techniques/T1552/007)
[Chat Messages](/techniques/T1552/008)
\=
[Account Discovery (4)](/techniques/T1087)
[Local Account](/techniques/T1087/001)
[Domain Account](/techniques/T1087/002)
[Email Account](/techniques/T1087/003)
[Cloud Account](/techniques/T1087/004)
[Application Window Discovery](/techniques/T1010)
[Browser Information Discovery](/techniques/T1217)
[Cloud Infrastructure Discovery](/techniques/T1580)
[Cloud Service Dashboard](/techniques/T1538)
[Cloud Service Discovery](/techniques/T1526)
[Cloud Storage Object Discovery](/techniques/T1619)
[Container and Resource Discovery](/techniques/T1613)
[Debugger Evasion](/techniques/T1622)
[Device Driver Discovery](/techniques/T1652)
[Domain Trust Discovery](/techniques/T1482)
[File and Directory Discovery](/techniques/T1083)
[Group Policy Discovery](/techniques/T1615)
[Log Enumeration](/techniques/T1654)
[Network Service Discovery](/techniques/T1046)
[Network Share Discovery](/techniques/T1135)
[Network Sniffing](/techniques/T1040)
[Password Policy Discovery](/techniques/T1201)
[Peripheral Device Discovery](/techniques/T1120)
\=
[Permission Groups Discovery (3)](/techniques/T1069)
[Local Groups](/techniques/T1069/001)
[Domain Groups](/techniques/T1069/002)
[Cloud Groups](/techniques/T1069/003)
[Process Discovery](/techniques/T1057)
[Query Registry](/techniques/T1012)
[Remote System Discovery](/techniques/T1018)
\=
[Software Discovery (1)](/techniques/T1518)
[Security Software Discovery](/techniques/T1518/001)
[System Information Discovery](/techniques/T1082)
\=
[System Location Discovery (1)](/techniques/T1614)
[System Language Discovery](/techniques/T1614/001)
\=
[System Network Configuration Discovery (2)](/techniques/T1016)
[Internet Connection Discovery](/techniques/T1016/001)
[Wi-Fi Discovery](/techniques/T1016/002)
[System Network Connections Discovery](/techniques/T1049)
[System Owner/User Discovery](/techniques/T1033)
[System Service Discovery](/techniques/T1007)
[System Time Discovery](/techniques/T1124)
\=
[Virtualization/Sandbox Evasion (3)](/techniques/T1497)
[System Checks](/techniques/T1497/001)
[User Activity Based Checks](/techniques/T1497/002)
[Time Based Evasion](/techniques/T1497/003)
[Exploitation of Remote Services](/techniques/T1210)
[Internal Spearphishing](/techniques/T1534)
[Lateral Tool Transfer](/techniques/T1570)
\=
[Remote Service Session Hijacking (2)](/techniques/T1563)
[SSH Hijacking](/techniques/T1563/001)
[RDP Hijacking](/techniques/T1563/002)
\=
[Remote Services (8)](/techniques/T1021)
[Remote Desktop Protocol](/techniques/T1021/001)
[SMB/Windows Admin Shares](/techniques/T1021/002)
[Distributed Component Object Model](/techniques/T1021/003)
[SSH](/techniques/T1021/004)
[VNC](/techniques/T1021/005)
[Windows Remote Management](/techniques/T1021/006)
[Cloud Services](/techniques/T1021/007)
[Direct Cloud VM Connections](/techniques/T1021/008)
[Replication Through Removable Media](/techniques/T1091)
[Software Deployment Tools](/techniques/T1072)
[Taint Shared Content](/techniques/T1080)
\=
[Use Alternate Authentication Material (4)](/techniques/T1550)
[Application Access Token](/techniques/T1550/001)
[Pass the Hash](/techniques/T1550/002)
[Pass the Ticket](/techniques/T1550/003)
[Web Session Cookie](/techniques/T1550/004)
\=
[Adversary-in-the-Middle (4)](/techniques/T1557)
[LLMNR/NBT-NS Poisoning and SMB Relay](/techniques/T1557/001)
[ARP Cache Poisoning](/techniques/T1557/002)
[DHCP Spoofing](/techniques/T1557/003)
[Evil Twin](/techniques/T1557/004)
\=
[Archive Collected Data (3)](/techniques/T1560)
[Archive via Utility](/techniques/T1560/001)
[Archive via Library](/techniques/T1560/002)
[Archive via Custom Method](/techniques/T1560/003)
[Audio Capture](/techniques/T1123)
[Automated Collection](/techniques/T1119)
[Browser Session Hijacking](/techniques/T1185)
[Clipboard Data](/techniques/T1115)
[Data from Cloud Storage](/techniques/T1530)
\=
[Data from Configuration Repository (2)](/techniques/T1602)
[SNMP (MIB Dump)](/techniques/T1602/001)
[Network Device Configuration Dump](/techniques/T1602/002)
\=
[Data from Information Repositories (5)](/techniques/T1213)
[Confluence](/techniques/T1213/001)
[Sharepoint](/techniques/T1213/002)
[Code Repositories](/techniques/T1213/003)
[Customer Relationship Management Software](/techniques/T1213/004)
[Messaging Applications](/techniques/T1213/005)
[Data from Local System](/techniques/T1005)
[Data from Network Shared Drive](/techniques/T1039)
[Data from Removable Media](/techniques/T1025)
\=
[Data Staged (2)](/techniques/T1074)
[Local Data Staging](/techniques/T1074/001)
[Remote Data Staging](/techniques/T1074/002)
\=
[Email Collection (3)](/techniques/T1114)
[Local Email Collection](/techniques/T1114/001)
[Remote Email Collection](/techniques/T1114/002)
[Email Forwarding Rule](/techniques/T1114/003)
\=
[Input Capture (4)](/techniques/T1056)
[Keylogging](/techniques/T1056/001)
[GUI Input Capture](/techniques/T1056/002)
[Web Portal Capture](/techniques/T1056/003)
[Credential API Hooking](/techniques/T1056/004)
[Screen Capture](/techniques/T1113)
[Video Capture](/techniques/T1125)
\=
[Application Layer Protocol (5)](/techniques/T1071)
[Web Protocols](/techniques/T1071/001)
[File Transfer Protocols](/techniques/T1071/002)
[Mail Protocols](/techniques/T1071/003)
[DNS](/techniques/T1071/004)
[Publish/Subscribe Protocols](/techniques/T1071/005)
[Communication Through Removable Media](/techniques/T1092)
[Content Injection](/techniques/T1659)
\=
[Data Encoding (2)](/techniques/T1132)
[Standard Encoding](/techniques/T1132/001)
[Non-Standard Encoding](/techniques/T1132/002)
\=
[Data Obfuscation (3)](/techniques/T1001)
[Junk Data](/techniques/T1001/001)
[Steganography](/techniques/T1001/002)
[Protocol or Service Impersonation](/techniques/T1001/003)
\=
[Dynamic Resolution (3)](/techniques/T1568)
[Fast Flux DNS](/techniques/T1568/001)
[Domain Generation Algorithms](/techniques/T1568/002)
[DNS Calculation](/techniques/T1568/003)
\=
[Encrypted Channel (2)](/techniques/T1573)
[Symmetric Cryptography](/techniques/T1573/001)
[Asymmetric Cryptography](/techniques/T1573/002)
[Fallback Channels](/techniques/T1008)
[Hide Infrastructure](/techniques/T1665)
[Ingress Tool Transfer](/techniques/T1105)
[Multi-Stage Channels](/techniques/T1104)
[Non-Application Layer Protocol](/techniques/T1095)
[Non-Standard Port](/techniques/T1571)
[Protocol Tunneling](/techniques/T1572)
\=
[Proxy (4)](/techniques/T1090)
[Internal Proxy](/techniques/T1090/001)
[External Proxy](/techniques/T1090/002)
[Multi-hop Proxy](/techniques/T1090/003)
[Domain Fronting](/techniques/T1090/004)
[Remote Access Software](/techniques/T1219)
\=
[Traffic Signaling (2)](/techniques/T1205)
[Port Knocking](/techniques/T1205/001)
[Socket Filters](/techniques/T1205/002)
\=
[Web Service (3)](/techniques/T1102)
[Dead Drop Resolver](/techniques/T1102/001)
[Bidirectional Communication](/techniques/T1102/002)
[One-Way Communication](/techniques/T1102/003)
\=
[Automated Exfiltration (1)](/techniques/T1020)
[Traffic Duplication](/techniques/T1020/001)
[Data Transfer Size Limits](/techniques/T1030)
\=
[Exfiltration Over Alternative Protocol (3)](/techniques/T1048)
[Exfiltration Over Symmetric Encrypted Non-C2 Protocol](/techniques/T1048/001)
[Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](/techniques/T1048/002)
[Exfiltration Over Unencrypted Non-C2 Protocol](/techniques/T1048/003)
[Exfiltration Over C2 Channel](/techniques/T1041)
\=
[Exfiltration Over Other Network Medium (1)](/techniques/T1011)
[Exfiltration Over Bluetooth](/techniques/T1011/001)
\=
[Exfiltration Over Physical Medium (1)](/techniques/T1052)
[Exfiltration over USB](/techniques/T1052/001)
\=
[Exfiltration Over Web Service (4)](/techniques/T1567)
[Exfiltration to Code Repository](/techniques/T1567/001)
[Exfiltration to Cloud Storage](/techniques/T1567/002)
[Exfiltration to Text Storage Sites](/techniques/T1567/003)
[Exfiltration Over Webhook](/techniques/T1567/004)
[Scheduled Transfer](/techniques/T1029)
[Transfer Data to Cloud Account](/techniques/T1537)
[Account Access Removal](/techniques/T1531)
\=
[Data Destruction (1)](/techniques/T1485)
[Lifecycle-Triggered Deletion](/techniques/T1485/001)
[Data Encrypted for Impact](/techniques/T1486)
\=
[Data Manipulation (3)](/techniques/T1565)
[Stored Data Manipulation](/techniques/T1565/001)
[Transmitted Data Manipulation](/techniques/T1565/002)
[Runtime Data Manipulation](/techniques/T1565/003)
\=
[Defacement (2)](/techniques/T1491)
[Internal Defacement](/techniques/T1491/001)
[External Defacement](/techniques/T1491/002)
\=
[Disk Wipe (2)](/techniques/T1561)
[Disk Content Wipe](/techniques/T1561/001)
[Disk Structure Wipe](/techniques/T1561/002)
\=
[Endpoint Denial of Service (4)](/techniques/T1499)
[OS Exhaustion Flood](/techniques/T1499/001)
[Service Exhaustion Flood](/techniques/T1499/002)
[Application Exhaustion Flood](/techniques/T1499/003)
[Application or System Exploitation](/techniques/T1499/004)
[Financial Theft](/techniques/T1657)
[Firmware Corruption](/techniques/T1495)
[Inhibit System Recovery](/techniques/T1490)
\=
[Network Denial of Service (2)](/techniques/T1498)
[Direct Network Flood](/techniques/T1498/001)
[Reflection Amplification](/techniques/T1498/002)
\=
[Resource Hijacking (4)](/techniques/T1496)
[Compute Hijacking](/techniques/T1496/001)
[Bandwidth Hijacking](/techniques/T1496/002)
[SMS Pumping](/techniques/T1496/003)
[Cloud Service Hijacking](/techniques/T1496/004)
[Service Stop](/techniques/T1489)
[System Shutdown/Reboot](/techniques/T1529)