Tactics and Techniques
Tactics
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Techniques
Abuse Elevation Control Mechanism
Tactics: Defense Evasion, Privilege Escalation
Access Token Manipulation
Tactics: Defense Evasion, Privilege Escalation
Account Access Removal
Tactics: Impact
Account Discovery
Tactics: Discovery
Account Manipulation
Tactics: Persistence
Acquire Infrastructure
Tactics: Resource Development
Active Scanning
Tactics: Reconnaissance
Adversary-in-the-Middle
Tactics: Collection, Credential Access
Application Layer Protocol
Tactics: Command and Control
Application Window Discovery
Tactics: Discovery
Archive Collected Data
Tactics: Collection
Audio Capture
Tactics: Collection
Automated Collection
Tactics: Collection
Automated Exfiltration
Tactics: Exfiltration
BITS Jobs
Tactics: Defense Evasion, Persistence
Boot or Logon Autostart Execution
Tactics: Persistence, Privilege Escalation
Boot or Logon Initialization Scripts
Tactics: Persistence, Privilege Escalation
Browser Bookmark Discovery
Tactics: Discovery
Browser Extensions
Tactics: Persistence
Browser Session Hijacking
Tactics: Collection
Brute Force
Tactics: Credential Access
Build Image on Host
Tactics: Defense Evasion
Clipboard Data
Tactics: Collection
Cloud Infrastructure Discovery
Tactics: Discovery
Cloud Service Dashboard
Tactics: Discovery
Cloud Service Discovery
Tactics: Discovery
Cloud Storage Object Discovery
Tactics: Discovery
Command and Scripting Interpreter
Tactics: Execution
Communication Through Removable Media
Tactics: Command and Control
Compromise Accounts
Tactics: Resource Development
Compromise Client Software Binary
Tactics: Persistence
Compromise Infrastructure
Tactics: Resource Development
Container Administration Command
Tactics: Execution
Container and Resource Discovery
Tactics: Discovery
Create Account
Tactics: Persistence
Create or Modify System Process
Tactics: Persistence, Privilege Escalation
Credentials from Password Stores
Tactics: Credential Access
Data Destruction
Tactics: Impact
Data Encoding
Tactics: Command and Control
Data Encrypted for Impact
Tactics: Impact
Data Manipulation
Tactics: Impact
Data Obfuscation
Tactics: Command and Control
Data Staged
Tactics: Collection
Data Transfer Size Limits
Tactics: Exfiltration
Data from Cloud Storage
Tactics: Collection
Data from Configuration Repository
Tactics: Collection
Data from Information Repositories
Tactics: Collection
Data from Local System
Tactics: Collection
Data from Removable Media
Tactics: Collection
Debugger Evasion
Tactics: Defense Evasion, Discovery
Defacement
Tactics: Impact
Deobfuscate/Decode Files or Information
Tactics: Defense Evasion
Deploy Container
Tactics: Defense Evasion, Execution
Develop Capabilities
Tactics: Resource Development
Direct Volume Access
Tactics: Defense Evasion
Disk Wipe
Tactics: Impact
Domain Policy Modification
Tactics: Defense Evasion, Privilege Escalation
Domain Trust Discovery
Tactics: Discovery
Drive-by Compromise
Tactics: Initial Access
Dynamic Resolution
Tactics: Command and Control
Email Collection
Tactics: Collection
Encrypted Channel
Tactics: Command and Control
Endpoint Denial of Service
Tactics: Impact
Escape to Host
Tactics: Privilege Escalation
Establish Accounts
Tactics: Resource Development
Event Triggered Execution
Tactics: Persistence, Privilege Escalation
Execution Guardrails
Tactics: Defense Evasion
Exfiltration Over Alternative Protocol
Tactics: Exfiltration
Exfiltration Over C2 Channel
Tactics: Exfiltration
Exfiltration Over Other Network Medium
Tactics: Exfiltration
Exfiltration Over Physical Medium
Tactics: Exfiltration
Exfiltration Over Web Service
Tactics: Exfiltration
Exploit Public-Facing Application
Tactics: Initial Access
Exploitation for Client Execution
Tactics: Execution
Exploitation for Credential Access
Tactics: Credential Access
Exploitation for Defense Evasion
Tactics: Defense Evasion
Exploitation for Privilege Escalation
Tactics: Privilege Escalation
Exploitation of Remote Services
Tactics: Lateral Movement
External Remote Services
Tactics: Initial Access, Persistence
Fallback Channels
Tactics: Command and Control
File and Directory Discovery
Tactics: Discovery
File and Directory Permissions Modification
Tactics: Defense Evasion
Firmware Corruption
Tactics: Impact
Forced Authentication
Tactics: Credential Access
Forge Web Credentials
Tactics: Credential Access
Gather Victim Host Information
Tactics: Reconnaissance
Gather Victim Identity Information
Tactics: Reconnaissance
Gather Victim Network Information
Tactics: Reconnaissance
Gather Victim Org Information
Tactics: Reconnaissance
Group Policy Discovery
Tactics: Discovery
Hardware Additions
Tactics: Initial Access
Hide Artifacts
Tactics: Defense Evasion
Hijack Execution Flow
Tactics: Defense Evasion, Persistence, Privilege Escalation
Impair Defenses
Tactics: Defense Evasion
Implant Internal Image
Tactics: Persistence
Indicator Removal
Tactics: Defense Evasion
Indirect Command Execution
Tactics: Defense Evasion
Ingress Tool Transfer
Tactics: Command and Control
Inhibit System Recovery
Tactics: Impact
Input Capture
Tactics: Collection, Credential Access
Inter-Process Communication
Tactics: Execution
Internal Spearphishing
Tactics: Lateral Movement
Lateral Tool Transfer
Tactics: Lateral Movement
Masquerading
Tactics: Defense Evasion
Modify Authentication Process
Tactics: Credential Access, Defense Evasion, Persistence
Modify Cloud Compute Infrastructure
Tactics: Defense Evasion
Modify Registry
Tactics: Defense Evasion
Modify System Image
Tactics: Defense Evasion
Multi-Factor Authentication Interception
Tactics: Credential Access
Multi-Factor Authentication Request Generation
Tactics: Credential Access
Multi-Stage Channels
Tactics: Command and Control
Native API
Tactics: Execution
Network Boundary Bridging
Tactics: Defense Evasion
Network Denial of Service
Tactics: Impact
Network Service Discovery
Tactics: Discovery
Network Sniffing
Tactics: Credential Access, Discovery
Non-Application Layer Protocol
Tactics: Command and Control
Non-Standard Port
Tactics: Command and Control
OS Credential Dumping
Tactics: Credential Access
Obfuscated Files or Information
Tactics: Defense Evasion
Obtain Capabilities
Tactics: Resource Development
Office Application Startup
Tactics: Persistence
Password Policy Discovery
Tactics: Discovery
Peripheral Device Discovery
Tactics: Discovery
Permission Groups Discovery
Tactics: Discovery
Phishing
Tactics: Initial Access
Phishing for Information
Tactics: Reconnaissance
Plist File Modification
Tactics: Defense Evasion
Pre-OS Boot
Tactics: Defense Evasion, Persistence
Process Discovery
Tactics: Discovery
Process Injection
Tactics: Defense Evasion, Privilege Escalation
Protocol Tunneling
Tactics: Command and Control
Proxy
Tactics: Command and Control
Query Registry
Tactics: Discovery
Reflective Code Loading
Tactics: Defense Evasion
Remote Access Software
Tactics: Command and Control
Remote Service Session Hijacking
Tactics: Lateral Movement
Remote Services
Tactics: Lateral Movement
Remote System Discovery
Tactics: Discovery
Replication Through Removable Media
Tactics: Initial Access, Lateral Movement
Resource Hijacking
Tactics: Impact
Rogue Domain Controller
Tactics: Defense Evasion
Rootkit
Tactics: Defense Evasion
Scheduled Task/Job
Tactics: Execution, Persistence, Privilege Escalation
Scheduled Transfer
Tactics: Exfiltration
Screen Capture
Tactics: Collection
Search Closed Sources
Tactics: Reconnaissance
Search Open Technical Databases
Tactics: Reconnaissance
Search Open Websites/Domains
Tactics: Reconnaissance
Search Victim-Owned Websites
Tactics: Reconnaissance
Server Software Component
Tactics: Persistence
Serverless Execution
Tactics: Execution
Service Stop
Tactics: Impact
Software Deployment Tools
Tactics: Execution, Lateral Movement
Software Discovery
Tactics: Discovery
Stage Capabilities
Tactics: Resource Development
Steal Application Access Token
Tactics: Credential Access
Steal or Forge Authentication Certificates
Tactics: Credential Access
Steal or Forge Kerberos Tickets
Tactics: Credential Access
Subvert Trust Controls
Tactics: Defense Evasion
Supply Chain Compromise
Tactics: Initial Access
System Binary Proxy Execution
Tactics: Defense Evasion
System Information Discovery
Tactics: Discovery
System Location Discovery
Tactics: Discovery
System Network Configuration Discovery
Tactics: Discovery
System Network Connections Discovery
Tactics: Discovery
System Owner/User Discovery
Tactics: Discovery
System Script Proxy Execution
Tactics: Defense Evasion
System Service Discovery
Tactics: Discovery
System Services
Tactics: Execution
System Shutdown/Reboot
Tactics: Impact
System Time Discovery
Tactics: Discovery
Template Injection
Tactics: Defense Evasion
Traffic Signaling
Tactics: Command and Control, Defense Evasion, Persistence
Transfer Data to Cloud Account
Tactics: Exfiltration
Trusted Developer Utilities Proxy Execution
Tactics: Defense Evasion
Trusted Relationship
Tactics: Initial Access
Unsecured Credentials
Tactics: Credential Access
Unused/Unsupported Cloud Regions
Tactics: Defense Evasion
Use Alternate Authentication Material
Tactics: Defense Evasion, Lateral Movement
User Execution
Tactics: Execution
Valid Accounts
Tactics: Defense Evasion, Initial Access, Persistence, Privilege Escalation
Video Capture
Tactics: Collection
Virtualization/Sandbox Evasion
Tactics: Defense Evasion, Discovery
Weaken Encryption
Tactics: Defense Evasion
Web Service
Tactics: Command and Control
Windows Management Instrumentation
Tactics: Execution
XSL Script Processing
Tactics: Defense Evasion