O365 New Forwarding Mailflow Rule Created
Email Collection
Email Collection
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
DLL Side-Loading, Boot or Logon Autostart Execution
Valid Accounts, Brute Force
Exploit Public-Facing Application
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
System Binary Proxy Execution
Email Collection, Email Forwarding Rule
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Valid Accounts, Cloud Accounts
DLL Side-Loading
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution
Phishing, Modify Registry
Modify Registry
Exploitation for Credential Access
File and Directory Discovery
Valid Accounts, Domain Accounts
Local Account, Create Account
Valid Accounts, Local Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Local Account, Create Account
Valid Accounts
Exploitation for Credential Access
Log Enumeration
Steal Web Session Cookie
Cloud Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Account Manipulation, Device Registration
Cloud Accounts
Cloud Account
Password Spraying
Brute Force
Data Destruction
Multi-Factor Authentication Request Generation
Data Destruction
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Password Spraying, Valid Accounts, Default Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Remote Access Software
Remote Access Software
Exfiltration Over Web Service
Remote Access Software
Remote Access Software
Remote Access Software
Exploit Public-Facing Application
Remote Access Software
Modify Cloud Compute Configurations
Account Manipulation, Valid Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Query Registry
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Query Registry
Hide Artifacts, NTFS File Attributes
IP Addresses, Gather Victim Network Information
Hide Artifacts, NTFS File Attributes
Remote Services, SMB/Windows Admin Shares
Inhibit System Recovery
System Network Configuration Discovery, Internet Connection Discovery
Time Based Evasion, Virtualization/Sandbox Evasion
Local Account, Create Account
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Unsecured Credentials
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cloud Accounts
Additional Cloud Roles
Additional Cloud Roles
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Service Stop
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application
Remote Email Collection
Remote Email Collection
Remote Email Collection
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
System Binary Proxy Execution, Regsvcs/Regasm
System Information Discovery
Security Account Manager
Security Account Manager
System Binary Proxy Execution, Regsvcs/Regasm
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Exploit Public-Facing Application
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Use Alternate Authentication Material
Exploit Public-Facing Application
Abuse Elevation Control Mechanism, Indirect Command Execution
Exploit Public-Facing Application
Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
User Execution
User Execution
User Execution
User Execution
User Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Process Injection
Steal or Forge Authentication Certificates
Msiexec, System Binary Proxy Execution
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
System Binary Proxy Execution, Mshta
Remote System Discovery
Modify Registry
LSASS Memory, OS Credential Dumping
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Security Account Manager, OS Credential Dumping
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Credentials from Password Stores, Credentials from Web Browsers
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Modify Registry
Command and Scripting Interpreter, PowerShell
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, PowerShell
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Query Registry
LSASS Memory, OS Credential Dumping
OS Credential Dumping
Masquerading
Steal or Forge Kerberos Tickets, Kerberoasting
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Create or Modify System Process
Domain Account, Account Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Modify Registry
Security Account Manager, OS Credential Dumping
Password Policy Discovery
Disable or Modify Tools, Impair Defenses
System Owner/User Discovery
Remote System Discovery
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
OS Credential Dumping, PowerShell
Credentials from Password Stores, Credentials from Web Browsers
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Password Policy Discovery
Scheduled Task
Create Process with Token, Access Token Manipulation
Command and Scripting Interpreter, JavaScript
Modify Registry
Domain Account, Account Discovery
Use Alternate Authentication Material, Pass the Ticket
Windows Command Shell, Command and Scripting Interpreter
Remote System Discovery
Steal or Forge Authentication Certificates
Modify Registry
Scheduled Task/Job, Scheduled Task
Disable or Modify Tools, Impair Defenses
System Network Connections Discovery
LSASS Memory, OS Credential Dumping
Clear Windows Event Logs, Indicator Removal
Modify Registry
Windows Management Instrumentation
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Disable or Modify Tools, Impair Defenses
Modify Registry
Domain Account, Account Discovery
Modify Registry
LSASS Memory, OS Credential Dumping
Use Alternate Authentication Material, Pass the Ticket
Steal or Forge Kerberos Tickets, AS-REP Roasting
Modify Registry
Service Stop
Domain Account, Account Discovery
Windows Management Instrumentation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force, Password Guessing, Password Spraying
Account Manipulation, Additional Cloud Credentials
Steal Application Access Token, Phishing, Spearphishing Link
Multi-Factor Authentication Request Generation
Cloud Account
Brute Force, Password Guessing, Password Spraying
Steal Application Access Token
Browser Session Hijacking
Domain Policy Modification, Domain Trust Modification
Security Account Manager
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Impair Defenses
Create Account, Cloud Account
Additional Cloud Roles
Account Manipulation
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Valid Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Account Manipulation
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal Application Access Token
Account Manipulation, Device Registration
User Execution
Archive Collected Data
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
DLL Side-Loading, Hijack Execution Flow
User Execution
User Execution
User Execution
Account Discovery, Local Account
Account Discovery
Modify Registry
Disable or Modify Cloud Firewall, Impair Defenses
Account Discovery, Domain Account
System Owner/User Discovery
Account Discovery
Process Discovery
LSA Secrets
User Execution
User Execution
Container Orchestration Job
User Execution
User Execution
User Execution
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Rundll32
Modify Registry
Network Service Discovery
Command and Scripting Interpreter, Windows Command Shell
User Execution
Cloud Service Discovery
Network Service Discovery
Container API
Container API
Container API
Container API
Browser Session Hijacking
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Modify Registry
Modify Registry
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Indicator Removal
Credentials from Password Stores
Windows Remote Management, Remote Services
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Credentials from Password Stores
Archive via Utility, Archive Collected Data
Modify Registry
Exploitation of Remote Services
Masquerading
Parent PID Spoofing, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Abuse Elevation Control Mechanism, Bypass User Account Control
Exploitation of Remote Services
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Spearphishing Attachment
Account Discovery
Domain Account, Account Discovery
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Hardware, Gather Victim Host Information
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Print Processors, Boot or Logon Autostart Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Abuse Elevation Control Mechanism
Plist File Modification
System Binary Proxy Execution, Regsvcs/Regasm
Local Account, Create Account
Gather Victim Host Information
Masquerading
Phishing, Spearphishing Attachment
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Remote Services, Windows Remote Management
Archive via Utility, Archive Collected Data
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Account Manipulation
Transfer Data to Cloud Account
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Regsvcs/Regasm
SID-History Injection, Access Token Manipulation
Exploitation of Remote Services
System Binary Proxy Execution, Rundll32
Phishing, Spearphishing Attachment
Unix Shell, Command and Scripting Interpreter
Security Account Manager, OS Credential Dumping
Rogue Domain Controller
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Security Account Manager, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Compromise Accounts, Unused/Unsupported Cloud Regions
Modify Registry
Account Manipulation
Create Account, Cloud Account
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation
Phishing, Spearphishing Attachment
Gather Victim Host Information, PowerShell
Hidden Window, Run Virtual Instance
Msiexec
Phishing
Command and Scripting Interpreter
Command and Scripting Interpreter
Hide Artifacts, NTFS File Attributes
Malicious Image, User Execution
Steal Application Access Token
Impair Defenses
Exploit Public-Facing Application
Valid Accounts
Exploit Public-Facing Application
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
Multi-Factor Authentication Request Generation
Steal Application Access Token
Exploit Public-Facing Application
Account Manipulation, Additional Email Delegate Permissions
Exploit Public-Facing Application
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
Brute Force, Password Guessing
SIP and Trust Provider Hijacking
Steal or Forge Kerberos Tickets
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Registry
Proxy, Multi-hop Proxy
Web Service
Local Groups
Impair Defenses, Disable or Modify Cloud Logs
Account Manipulation, Additional Cloud Roles
Fileless Storage, Obfuscated Files or Information
Impair Defenses, Disable or Modify Tools
Shared Modules
Hidden Window
Impair Defenses, Disable or Modify System Firewall
Hidden Window
Virtualization/Sandbox Evasion, Time Based Evasion
Account Manipulation
Replication Through Removable Media
Email Collection, Remote Email Collection
Account Manipulation, Additional Cloud Roles
Network Denial of Service
File and Directory Discovery
Drive-by Compromise
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Manipulation, Additional Cloud Credentials
Account Discovery, Domain Account
Account Discovery, Domain Account
Application or System Exploitation
Ingress Tool Transfer
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Rename System Utilities, Masquerading
Mark-of-the-Web Bypass
Exploit Public-Facing Application, External Remote Services
Cloud Account, Create Account
Modify Authentication Process
Cloud Account, Create Account
Exploit Public-Facing Application, External Remote Services
Bypass User Account Control
DLL Side-Loading
Exploit Public-Facing Application
Modify Registry
Exploit Public-Facing Application
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Account, Create Account
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Process Injection
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Process Injection
Process Injection
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
System Binary Proxy Execution, Rundll32
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Process Injection
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Modify Registry
Process Injection
Command and Scripting Interpreter, PowerShell
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, PowerShell
Process Injection
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
System Binary Proxy Execution, Regsvr32
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Archive Collected Data
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
System Shutdown/Reboot
PowerShell, Command and Scripting Interpreter
Obfuscated Files or Information, Fileless Storage
Process Injection, Portable Executable Injection
Modify Registry
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Permission Groups Discovery, Domain Groups
Scheduled Task, Command and Scripting Interpreter
Malicious File, Masquerade File Type
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disk Structure Wipe, Disk Wipe
Domain Account, Account Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Service Stop
Disk Structure Wipe, Disk Wipe
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
Permission Groups Discovery, Local Groups
PowerShell, Ingress Tool Transfer
Account Access Removal
Account Access Removal
Service Stop
PowerShell, Ingress Tool Transfer, Fileless Storage
Scheduled Task, PowerShell, Command and Scripting Interpreter
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Account Discovery, Domain Account
Exploit Public-Facing Application, External Remote Services
Account Discovery, Domain Account
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Internal Proxy, Proxy
Ingress Tool Transfer, Domain Groups
Internal Proxy, Proxy
HTML Smuggling
Network Share Discovery
Browser Session Hijacking
Domain Policy Modification
Abuse Elevation Control Mechanism
Password Policy Discovery
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
File and Directory Discovery
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions
Application or System Exploitation
Access Token Manipulation
Obfuscated Files or Information
Modify Registry
Exploitation for Credential Access
Drive-by Compromise
Pre-OS Boot, Registry Run Keys / Startup Folder
Steal or Forge Authentication Certificates
Inhibit System Recovery
Transfer Data to Cloud Account
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Image File Execution Options Injection, Event Triggered Execution
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Install Root Certificate, Subvert Trust Controls
Time Providers, Boot or Logon Autostart Execution
Data Destruction
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Services Registry Permissions Weakness
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry, OS Credential Dumping
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Disable or Modify Tools, Impair Defenses
Query Registry
Query Registry
Domain Policy Modification, Group Policy Modification
Automated Collection
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Domain Accounts, Permission Groups Discovery
RDP Hijacking
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Indicator Removal
System Binary Proxy Execution, Regsvr32
Service Stop
PowerShell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Indicator Removal
Disable or Modify System Firewall, Impair Defenses
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Service Stop
Service Stop
Virtualization/Sandbox Evasion, Time Based Evasion
Command and Scripting Interpreter, PowerShell
DLL Side-Loading, Hijack Execution Flow
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Hardware Additions
Data Destruction
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Data Destruction
Obfuscated Files or Information, Indicator Removal from Tools
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Data Destruction
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Domain Account, Account Discovery
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File Deletion, Indicator Removal
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Steal or Forge Kerberos Tickets, Kerberoasting
Event Triggered Execution, Screensaver
System Network Configuration Discovery
Cron, Scheduled Task/Job
Domain Account, Account Discovery
System Firmware, Pre-OS Boot
Visual Basic, Command and Scripting Interpreter
Boot or Logon Initialization Scripts, Logon Script (Windows)
Access Token Manipulation, Token Impersonation/Theft
Spearphishing Attachment, Phishing
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Visual Basic, Command and Scripting Interpreter
Data Destruction
Gather Victim Host Information
Print Processors, Boot or Logon Autostart Execution
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Modify Registry
Event Triggered Execution, Accessibility Features
Data Destruction
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Masquerade Task or Service, Masquerading
User Execution, Malicious File
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Credentials in Registry, Unsecured Credentials
Automated Collection
Automated Collection
Domain Policy Modification, Group Policy Modification
Account Discovery, Local Account
Scheduled Task
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Screen Capture
Exfiltration Over C2 Channel
Scheduled Task/Job
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Exfiltration Over C2 Channel
Transfer Data to Cloud Account
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Credentials in Registry, Unsecured Credentials
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Domain Policy Modification, Group Policy Modification
Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
Domain Policy Modification, Group Policy Modification
PowerShell, Command and Scripting Interpreter
Domain Policy Modification, Group Policy Modification, Domain Accounts
Scheduled Task
PowerShell
Network Share Discovery
Security Account Manager
Transfer Data to Cloud Account
Windows Management Instrumentation
PowerShell, Command and Scripting Interpreter
Brute Force, Credential Stuffing
Windows Management Instrumentation
Lateral Tool Transfer
Network Share Discovery
Network Share Discovery, Valid Accounts
Transfer Data to Cloud Account
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Multi-Factor Authentication Request Generation
User Execution
Web Session Cookie, Cloud Service Dashboard
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
DLL Side-Loading, Hijack Execution Flow
Exfiltration Over Unencrypted Non-C2 Protocol
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Data Destruction
System Services, Service Execution
System Binary Proxy Execution, Regsvr32
Rootkit, Exploitation for Privilege Escalation
Process Injection, Portable Executable Injection
Process Injection
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Endpoint Denial of Service
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Phishing, Spearphishing Attachment
Drive-by Compromise
Drive-by Compromise
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Exploitation for Privilege Escalation
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Browser Session Hijacking
Steal or Forge Authentication Certificates
Modify Authentication Process, Multi-Factor Authentication
Brute Force, Password Spraying, Credential Stuffing
Password Policy Discovery
Disable or Modify Tools
Rogue Domain Controller
Password Policy Discovery
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
LSASS Memory
Command and Scripting Interpreter
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Domain Generation Algorithms
Server Software Component, IIS Components
Spearphishing Attachment, Phishing
Server Software Component, IIS Components
Modify Registry
Domain Generation Algorithms
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Malicious File, User Execution
Domain Account, Account Discovery
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
DNS, Application Layer Protocol
Server Software Component, IIS Components
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Query Registry
Windows Service
Windows Management Instrumentation
System Network Configuration Discovery
Change Default File Association, Event Triggered Execution
Credentials from Password Stores
Indirect Command Execution
System Network Connections Discovery
Clipboard Data
Credentials in Registry, Unsecured Credentials
Password Managers
Private Keys, Unsecured Credentials
Cached Domain Credentials, OS Credential Dumping
Security Support Provider, Boot or Logon Autostart Execution
System Information Discovery
System Owner/User Discovery
Steal or Forge Kerberos Tickets
BITS Jobs, Ingress Tool Transfer
OS Credential Dumping, DCSync, Rogue Domain Controller
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Account Manipulation
Domain Policy Modification
SID-History Injection, Access Token Manipulation
Protocol Tunneling, Proxy, Web Service
Access Token Manipulation, SID-History Injection
Windows Management Instrumentation
Event Triggered Execution
Modify Registry
Modify Registry
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
System Services, Service Execution
File Deletion, Indicator Removal
Data Encrypted for Impact
Data Destruction
Application Layer Protocol
Encrypted Channel
Exfiltration Over Web Service
Encrypted Channel
Dynamic-link Library Injection, Process Injection
Application Layer Protocol
Regsvr32, System Binary Proxy Execution
Process Injection
Process Injection
Windows Management Instrumentation
DLL Side-Loading, Hijack Execution Flow
System Owner/User Discovery
System Owner/User Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Drive-by Compromise
Exploitation of Remote Services
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Brute Force
Brute Force, Password Spraying, Credential Stuffing
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Script Proxy Execution, System Binary Proxy Execution
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Valid Accounts, Default Accounts
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Protocol Tunneling, SSH
Data Encrypted for Impact
Command and Scripting Interpreter
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Image File Execution Options Injection
Account Manipulation
Rogue Domain Controller
Account Manipulation
LSASS Memory, OS Credential Dumping
Compiled HTML File, System Binary Proxy Execution
Abuse Elevation Control Mechanism
Ingress Tool Transfer
Process Injection
InstallUtil, System Binary Proxy Execution
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Token Impersonation/Theft, Access Token Manipulation
Service Stop
Token Impersonation/Theft, Access Token Manipulation
Credentials, Gather Victim Identity Information
DLL Search Order Hijacking, Hijack Execution Flow
Remote Access Software, OS Credential Dumping
Process Injection, Portable Executable Injection
GUI Input Capture, Input Capture
Remote Access Software
Cloud Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Discovery
Endpoint Denial of Service
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking
Ingress Tool Transfer
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer
System Time Discovery
Clipboard Data
Windows Command Shell, Command and Scripting Interpreter
SSH Authorized Keys
System Shutdown/Reboot
System Shutdown/Reboot
System Information Discovery, Rootkit
Obfuscated Files or Information, Unix Shell
Obfuscated Files or Information
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Windows Management Instrumentation Event Subscription
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Disable or Modify Cloud Logs, Impair Defenses
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Screen Capture
Mavinject, System Binary Proxy Execution
Screen Capture
Odbcconf
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Odbcconf
System Binary Proxy Execution
Remote System Discovery
Exploit Public-Facing Application, External Remote Services
Odbcconf
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Application Layer Protocol
Modify Registry
Disable or Modify Tools, Impair Defenses
Service Stop
Modify Registry
Remote Access Software
Steal or Forge Kerberos Tickets, Kerberoasting
Modify Registry
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Command and Scripting Interpreter
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exfiltration Over Alternative Protocol
Gather Victim Network Information, IP Addresses
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Digital Certificates
At, Scheduled Task/Job
Process Injection
At, Scheduled Task/Job
Digital Certificates
Digital Certificates
Protocol Impersonation
Network Sniffing
Digital Certificates
Valid Accounts
Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Exploitation for Privilege Escalation
Local Accounts, Credentials In Files
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Exploit Public-Facing Application, External Remote Services
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets, AS-REP Roasting
Remote System Discovery
Windows Service
Remote System Discovery
Email Collection, Local Email Collection
Password Policy Discovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Remote System Discovery
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Inhibit System Recovery
Remote System Discovery
Permission Groups Discovery, Domain Groups
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Drive-by Compromise
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Scheduled Task, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Services, Service Execution
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Indirect Command Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Indirect Command Execution
Compromise Software Supply Chain, Supply Chain Compromise
System Network Connections Discovery
Rootkit, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Remote System Discovery
Network Denial of Service
Remote Services, Distributed Component Object Model
Permission Groups Discovery, Domain Groups
System Owner/User Discovery
Remote Services, Windows Remote Management
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Discovery, Local Account, PowerShell
Password Policy Discovery
File and Directory Permissions Modification
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
Steal or Forge Kerberos Tickets, Golden Ticket
System Binary Proxy Execution, Regsvcs/Regasm
Gather Victim Identity Information, Email Addresses
Use Alternate Authentication Material
Cloud Account, Create Account
Cloud Account, Create Account
Command and Scripting Interpreter
Kerberoasting
Domain Trust Discovery, PowerShell
User Execution
Process Injection
Steal or Forge Kerberos Tickets, AS-REP Roasting
System Binary Proxy Execution, Rundll32
Brute Force
Bypass User Account Control, Abuse Elevation Control Mechanism
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
Exfiltration Over Unencrypted Non-C2 Protocol
Steal or Forge Kerberos Tickets, Kerberoasting
System Binary Proxy Execution, Rundll32
Process Injection
Scheduled Task, Scheduled Task/Job
Disable or Modify Cloud Firewall, Impair Defenses
Modify Authentication Process
Ingress Tool Transfer
Ingress Tool Transfer
Exploitation for Privilege Escalation
Obfuscated Files or Information
Windows Command Shell
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
/etc/passwd and /etc/shadow, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Local Account, Create Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Valid Accounts, Domain Accounts
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Disable or Modify Tools
Unix Shell
Valid Accounts
Valid Accounts
Scheduled Task/Job, Scheduled Task
Automated Exfiltration
Create or Modify System Process, Windows Service
Remote Services, Distributed Component Object Model, MMC
Create or Modify System Process, Windows Service
Windows Management Instrumentation
Credentials from Web Browsers, Credentials from Password Stores
Create or Modify System Process, Windows Service
Remote Services, Windows Remote Management
Scheduled Task/Job, Scheduled Task
Gather Victim Host Information
Process Injection, Dynamic-link Library Injection
Remote Services, Windows Remote Management
Transfer Data to Cloud Account
Data Encrypted for Impact
Remote Services, Distributed Component Object Model
Windows Management Instrumentation
Compile After Delivery, Obfuscated Files or Information
InstallUtil, System Binary Proxy Execution
Disable or Modify System Firewall, Impair Defenses
Cloud Infrastructure Discovery
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, Scheduled Task
XSL Script Processing
Scheduled Task/Job, At
Remote Services, Windows Remote Management
Create or Modify System Process, Windows Service
Ingress Tool Transfer
Create or Modify System Process, Windows Service
Phishing
Phishing
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Kerberoasting
Data Destruction, File Deletion, Indicator Removal
Process Injection
Command and Scripting Interpreter, Component Object Model
Modify Registry
Regsvr32, Modify Registry
MSBuild, Trusted Developer Utilities Proxy Execution
Visual Basic, Command and Scripting Interpreter
Verclsid, System Binary Proxy Execution
Screen Capture
BITS Jobs
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
Automated Exfiltration
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Account Discovery, Local Account
Archive via Utility, Archive Collected Data
NTDS, OS Credential Dumping
Remote Services, SMB/Windows Admin Shares
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Owner/User Discovery
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
XSL Script Processing
Command and Scripting Interpreter, JavaScript
System Network Connections Discovery
System Network Connections Discovery
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
Remote System Discovery
Remote System Discovery
Domain Account, Account Discovery
Remote System Discovery
Remote System Discovery
Inhibit System Recovery
Malicious Image, User Execution
Inhibit System Recovery
Malicious Image, User Execution
Domain Trust Discovery
Compromise Client Software Binary
Trusted Relationship
Permission Groups Discovery, Domain Groups
Remote System Discovery
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Client Software Binary
Remote System Discovery
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
OS Credential Dumping
Remote System Discovery
Forced Authentication
Remote System Discovery
Password Policy Discovery
Phishing, Spearphishing Link
Password Policy Discovery
Password Policy Discovery
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Trust Discovery
Cloud Service Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Spearphishing Attachment, Phishing
Account Discovery, Local Account
Spearphishing Attachment, Phishing
Trusted Relationship
Spearphishing Attachment, Phishing
Malicious Image, User Execution
Security Account Manager, OS Credential Dumping
Archive via Utility, Archive Collected Data
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Spearphishing Attachment, Phishing
System Binary Proxy Execution, CMSTP
Indicator Removal
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
Data from Local System
User Execution, Malicious File
Archive via Utility, Archive Collected Data
Process Injection
System Binary Proxy Execution, Regsvr32
Command and Scripting Interpreter
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Security Account Manager, OS Credential Dumping
System Binary Proxy Execution, Mshta
Data from Cloud Storage
Data from Cloud Storage
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
System Services, Service Execution
Disable or Modify Cloud Firewall, Impair Defenses
Command and Scripting Interpreter, Visual Basic
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation Event Subscription, Event Triggered Execution
File and Directory Permissions Modification
File Deletion, Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Defacement
System Binary Proxy Execution, CMSTP
User Execution
User Execution
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, CMSTP
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File and Directory Permissions Modification
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Account Access Removal
Service Stop
Service Stop
Disable or Modify Tools, Impair Defenses
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Process Injection
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Obfuscated Files or Information
Scheduled Task/Job
Password Spraying, Brute Force
Exfiltration Over Alternative Protocol
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Cloud Service Discovery
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
System Services, Service Execution
Cloud Infrastructure Discovery, Brute Force
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Domain Trust Discovery
Disable or Modify Tools, Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
Create or Modify System Process
Data Encrypted for Impact
Inhibit System Recovery
Command and Scripting Interpreter, PowerShell
Cloud Accounts, Valid Accounts
Command and Scripting Interpreter, Windows Command Shell
Data Staged
Launch Agent, Create or Modify System Process
Ingress Tool Transfer
Launch Agent, Create or Modify System Process
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
LSASS Memory
Exploitation for Privilege Escalation
NTDS, OS Credential Dumping
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Valid Accounts
Valid Accounts
Inhibit System Recovery
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
PowerShell
Drive-by Compromise
Disable or Modify Cloud Firewall, Impair Defenses
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
Data Encrypted for Impact
Disable or Modify Cloud Firewall, Impair Defenses
Web Shell, External Remote Services
Inhibit System Recovery
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Password Guessing, Brute Force
Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Exploitation for Client Execution
User Execution, Malicious File
Masquerading, Rename System Utilities
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify System Firewall
Application Shimming, Event Triggered Execution
Rename System Utilities
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities
Command and Scripting Interpreter, Windows Command Shell
System Network Configuration Discovery
Inhibit System Recovery
Data Destruction
Windows Command Shell
Data Encrypted for Impact
TFTP Boot, Pre-OS Boot
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over C2 Channel
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Exploitation of Remote Services
Indicator Removal, Network Share Connection Removal
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Data from Cloud Storage
Data from Cloud Storage
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Exploitation for Client Execution
Exploitation for Client Execution
Valid Accounts
Valid Accounts
Use Alternate Authentication Material
Valid Accounts
Valid Accounts
SMB/Windows Admin Shares, Remote Services
Masquerading
Modify Registry
SMB/Windows Admin Shares, Remote Services
Phishing
Malicious File
Change Default File Association
Remote Desktop Protocol, Remote Services
Windows Service, Create or Modify System Process
Cloud Accounts
Exfiltration Over Alternative Protocol
Cloud Accounts
Cloud Accounts
Cloud Accounts
Remote Desktop Protocol, Remote Services
PowerShell, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Email Collection, Local Email Collection
Cloud Accounts
System Services, Service Execution
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Software Deployment Tools
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
File Transfer Protocols, Application Layer Protocol
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Remote Desktop Protocol, Remote Services
Indicator Removal, Clear Windows Event Logs
Exploitation for Privilege Escalation
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Windows Management Instrumentation
Windows Management Instrumentation
LSASS Memory, OS Credential Dumping
DNS, Application Layer Protocol
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
System Information Discovery
LSASS Memory
Hidden Files and Directories
Data Encrypted for Impact
Indicator Removal
Data from Cloud Storage
Windows Management Instrumentation
Windows Management Instrumentation
Create Account
Valid Accounts
Data from Cloud Storage
Non-Application Layer Protocol
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
System Information Discovery, External Remote Services
Network Denial of Service, Reflection Amplification
Domain Accounts
Email Collection
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
DLL Side-Loading, Boot or Logon Autostart Execution
Valid Accounts, Brute Force
Exploit Public-Facing Application
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
System Binary Proxy Execution
Email Collection, Email Forwarding Rule
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Valid Accounts, Cloud Accounts
DLL Side-Loading
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution
Phishing, Modify Registry
Modify Registry
Exploitation for Credential Access
File and Directory Discovery
Valid Accounts, Domain Accounts
Local Account, Create Account
Valid Accounts, Local Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Local Account, Create Account
Valid Accounts
Exploitation for Credential Access
Steal Web Session Cookie
Cloud Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Account Manipulation, Device Registration
Cloud Accounts
Cloud Account
Password Spraying
Brute Force
Data Destruction
Multi-Factor Authentication Request Generation
Data Destruction
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Password Spraying, Valid Accounts, Default Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Remote Access Software
Remote Access Software
Exfiltration Over Web Service
Remote Access Software
Remote Access Software
Remote Access Software
Exploit Public-Facing Application
Remote Access Software
Modify Cloud Compute Configurations
Account Manipulation, Valid Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Query Registry
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Query Registry
Hide Artifacts, NTFS File Attributes
IP Addresses, Gather Victim Network Information
Hide Artifacts, NTFS File Attributes
Remote Services, SMB/Windows Admin Shares
Inhibit System Recovery
System Network Configuration Discovery, Internet Connection Discovery
Time Based Evasion, Virtualization/Sandbox Evasion
Local Account, Create Account
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Unsecured Credentials
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cloud Accounts
Additional Cloud Roles
Additional Cloud Roles
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Service Stop
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application
Remote Email Collection
Remote Email Collection
Remote Email Collection
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
System Binary Proxy Execution, Regsvcs/Regasm
Security Account Manager
Security Account Manager
System Binary Proxy Execution, Regsvcs/Regasm
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Exploit Public-Facing Application
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Use Alternate Authentication Material
Exploit Public-Facing Application
Abuse Elevation Control Mechanism, Indirect Command Execution
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
User Execution
User Execution
User Execution
User Execution
User Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Endpoint Denial of Service
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Endpoint Denial of Service
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Process Injection
Steal or Forge Authentication Certificates
Msiexec, System Binary Proxy Execution
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
System Binary Proxy Execution, Mshta
Remote System Discovery
Modify Registry
LSASS Memory, OS Credential Dumping
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Security Account Manager, OS Credential Dumping
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Credentials from Password Stores, Credentials from Web Browsers
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Modify Registry
Command and Scripting Interpreter, PowerShell
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, PowerShell
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Query Registry
LSASS Memory, OS Credential Dumping
OS Credential Dumping
Masquerading
Steal or Forge Kerberos Tickets, Kerberoasting
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Create or Modify System Process
Domain Account, Account Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Modify Registry
Security Account Manager, OS Credential Dumping
Password Policy Discovery
Disable or Modify Tools, Impair Defenses
System Owner/User Discovery
Remote System Discovery
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
OS Credential Dumping, PowerShell
Credentials from Password Stores, Credentials from Web Browsers
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Password Policy Discovery
Scheduled Task
Create Process with Token, Access Token Manipulation
Command and Scripting Interpreter, JavaScript
Modify Registry
Domain Account, Account Discovery
Use Alternate Authentication Material, Pass the Ticket
Windows Command Shell, Command and Scripting Interpreter
Remote System Discovery
Steal or Forge Authentication Certificates
Modify Registry
Scheduled Task/Job, Scheduled Task
Disable or Modify Tools, Impair Defenses
System Network Connections Discovery
LSASS Memory, OS Credential Dumping
Clear Windows Event Logs, Indicator Removal
Modify Registry
Windows Management Instrumentation
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Disable or Modify Tools, Impair Defenses
Modify Registry
Domain Account, Account Discovery
Modify Registry
LSASS Memory, OS Credential Dumping
Use Alternate Authentication Material, Pass the Ticket
Steal or Forge Kerberos Tickets, AS-REP Roasting
Modify Registry
Service Stop
Domain Account, Account Discovery
Windows Management Instrumentation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force, Password Guessing, Password Spraying
Account Manipulation, Additional Cloud Credentials
Steal Application Access Token, Phishing, Spearphishing Link
Multi-Factor Authentication Request Generation
Cloud Account
Brute Force, Password Guessing, Password Spraying
Steal Application Access Token
Browser Session Hijacking
Domain Policy Modification, Domain Trust Modification
Security Account Manager
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Impair Defenses
Create Account, Cloud Account
Additional Cloud Roles
Account Manipulation
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Valid Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Account Manipulation
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal Application Access Token
Account Manipulation, Device Registration
User Execution
Archive Collected Data
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
DLL Side-Loading, Hijack Execution Flow
User Execution
User Execution
User Execution
Account Discovery, Local Account
Account Discovery
Modify Registry
Disable or Modify Cloud Firewall, Impair Defenses
Account Discovery, Domain Account
System Owner/User Discovery
Account Discovery
Process Discovery
LSA Secrets
User Execution
User Execution
Container Orchestration Job
User Execution
User Execution
User Execution
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Rundll32
Modify Registry
Network Service Discovery
Command and Scripting Interpreter, Windows Command Shell
User Execution
Cloud Service Discovery
Network Service Discovery
Container API
Container API
Container API
Container API
Browser Session Hijacking
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Modify Registry
Modify Registry
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Indicator Removal
Credentials from Password Stores
Windows Remote Management, Remote Services
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Credentials from Password Stores
Archive via Utility, Archive Collected Data
Modify Registry
Exploitation of Remote Services
Masquerading
Parent PID Spoofing, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Abuse Elevation Control Mechanism, Bypass User Account Control
Exploitation of Remote Services
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Spearphishing Attachment
Account Discovery
Domain Account, Account Discovery
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Hardware, Gather Victim Host Information
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Print Processors, Boot or Logon Autostart Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Abuse Elevation Control Mechanism
Plist File Modification
System Binary Proxy Execution, Regsvcs/Regasm
Local Account, Create Account
Gather Victim Host Information
Masquerading
Phishing, Spearphishing Attachment
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Remote Services, Windows Remote Management
Archive via Utility, Archive Collected Data
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Account Manipulation
Transfer Data to Cloud Account
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Regsvcs/Regasm
SID-History Injection, Access Token Manipulation
Exploitation of Remote Services
System Binary Proxy Execution, Rundll32
Phishing, Spearphishing Attachment
Unix Shell, Command and Scripting Interpreter
Security Account Manager, OS Credential Dumping
Rogue Domain Controller
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Security Account Manager, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Compromise Accounts, Unused/Unsupported Cloud Regions
Modify Registry
Account Manipulation
Create Account, Cloud Account
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation
Phishing, Spearphishing Attachment
Gather Victim Host Information, PowerShell
Hidden Window, Run Virtual Instance
Msiexec
Phishing
Command and Scripting Interpreter
Command and Scripting Interpreter
Hide Artifacts, NTFS File Attributes
Malicious Image, User Execution
Steal Application Access Token
Impair Defenses
Exploit Public-Facing Application
Valid Accounts
Exploit Public-Facing Application
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
Multi-Factor Authentication Request Generation
Steal Application Access Token
Exploit Public-Facing Application
Account Manipulation, Additional Email Delegate Permissions
Exploit Public-Facing Application
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
Brute Force, Password Guessing
SIP and Trust Provider Hijacking
Steal or Forge Kerberos Tickets
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Registry
Proxy, Multi-hop Proxy
Web Service
Local Groups
Impair Defenses, Disable or Modify Cloud Logs
Account Manipulation, Additional Cloud Roles
Fileless Storage, Obfuscated Files or Information
Impair Defenses, Disable or Modify Tools
Shared Modules
Hidden Window
Impair Defenses, Disable or Modify System Firewall
Hidden Window
Virtualization/Sandbox Evasion, Time Based Evasion
Account Manipulation
Replication Through Removable Media
Email Collection, Remote Email Collection
Account Manipulation, Additional Cloud Roles
Network Denial of Service
File and Directory Discovery
Drive-by Compromise
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Manipulation, Additional Cloud Credentials
Account Discovery, Domain Account
Account Discovery, Domain Account
Application or System Exploitation
Ingress Tool Transfer
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Rename System Utilities, Masquerading
Mark-of-the-Web Bypass
Exploit Public-Facing Application, External Remote Services
Cloud Account, Create Account
Modify Authentication Process
Cloud Account, Create Account
Exploit Public-Facing Application, External Remote Services
Bypass User Account Control
DLL Side-Loading
Exploit Public-Facing Application
Modify Registry
Exploit Public-Facing Application
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Account, Create Account
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Process Injection
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Process Injection
Process Injection
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
System Binary Proxy Execution, Rundll32
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Process Injection
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Modify Registry
Process Injection
Command and Scripting Interpreter, PowerShell
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, PowerShell
Process Injection
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
System Binary Proxy Execution, Regsvr32
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Archive Collected Data
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
System Shutdown/Reboot
PowerShell, Command and Scripting Interpreter
Obfuscated Files or Information, Fileless Storage
Process Injection, Portable Executable Injection
Modify Registry
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Permission Groups Discovery, Domain Groups
Scheduled Task, Command and Scripting Interpreter
Malicious File, Masquerade File Type
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disk Structure Wipe, Disk Wipe
Domain Account, Account Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Service Stop
Disk Structure Wipe, Disk Wipe
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
Permission Groups Discovery, Local Groups
PowerShell, Ingress Tool Transfer
Account Access Removal
Account Access Removal
Service Stop
PowerShell, Ingress Tool Transfer, Fileless Storage
Scheduled Task, PowerShell, Command and Scripting Interpreter
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Account Discovery, Domain Account
Exploit Public-Facing Application, External Remote Services
Account Discovery, Domain Account
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Internal Proxy, Proxy
Ingress Tool Transfer, Domain Groups
Internal Proxy, Proxy
Network Share Discovery
Browser Session Hijacking
Domain Policy Modification
Abuse Elevation Control Mechanism
Password Policy Discovery
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions
Obfuscated Files or Information
Modify Registry
Pre-OS Boot, Registry Run Keys / Startup Folder
Steal or Forge Authentication Certificates
Inhibit System Recovery
Transfer Data to Cloud Account
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Image File Execution Options Injection, Event Triggered Execution
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Install Root Certificate, Subvert Trust Controls
Time Providers, Boot or Logon Autostart Execution
Data Destruction
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Services Registry Permissions Weakness
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry, OS Credential Dumping
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Disable or Modify Tools, Impair Defenses
Query Registry
Query Registry
Domain Policy Modification, Group Policy Modification
Automated Collection
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Domain Accounts, Permission Groups Discovery
RDP Hijacking
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Indicator Removal
System Binary Proxy Execution, Regsvr32
Service Stop
PowerShell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Indicator Removal
Disable or Modify System Firewall, Impair Defenses
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Service Stop
Service Stop
Virtualization/Sandbox Evasion, Time Based Evasion
Command and Scripting Interpreter, PowerShell
DLL Side-Loading, Hijack Execution Flow
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Hardware Additions
Data Destruction
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Data Destruction
Obfuscated Files or Information, Indicator Removal from Tools
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Data Destruction
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Domain Account, Account Discovery
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File Deletion, Indicator Removal
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Steal or Forge Kerberos Tickets, Kerberoasting
Event Triggered Execution, Screensaver
System Network Configuration Discovery
Cron, Scheduled Task/Job
Domain Account, Account Discovery
System Firmware, Pre-OS Boot
Visual Basic, Command and Scripting Interpreter
Boot or Logon Initialization Scripts, Logon Script (Windows)
Access Token Manipulation, Token Impersonation/Theft
Spearphishing Attachment, Phishing
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Visual Basic, Command and Scripting Interpreter
Data Destruction
Gather Victim Host Information
Print Processors, Boot or Logon Autostart Execution
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Modify Registry
Event Triggered Execution, Accessibility Features
Data Destruction
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Masquerade Task or Service, Masquerading
User Execution, Malicious File
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Credentials in Registry, Unsecured Credentials
Automated Collection
Automated Collection
Domain Policy Modification, Group Policy Modification
Account Discovery, Local Account
Scheduled Task
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Screen Capture
Exfiltration Over C2 Channel
Scheduled Task/Job
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Exfiltration Over C2 Channel
Transfer Data to Cloud Account
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Credentials in Registry, Unsecured Credentials
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Domain Policy Modification, Group Policy Modification
Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
Domain Policy Modification, Group Policy Modification
PowerShell, Command and Scripting Interpreter
Domain Policy Modification, Group Policy Modification, Domain Accounts
Scheduled Task
PowerShell
Network Share Discovery
Security Account Manager
Transfer Data to Cloud Account
Windows Management Instrumentation
PowerShell, Command and Scripting Interpreter
Brute Force, Credential Stuffing
Windows Management Instrumentation
Lateral Tool Transfer
Network Share Discovery
Network Share Discovery, Valid Accounts
Transfer Data to Cloud Account
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Multi-Factor Authentication Request Generation
User Execution
Web Session Cookie, Cloud Service Dashboard
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
DLL Side-Loading, Hijack Execution Flow
Exfiltration Over Unencrypted Non-C2 Protocol
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Data Destruction
System Services, Service Execution
System Binary Proxy Execution, Regsvr32
Rootkit, Exploitation for Privilege Escalation
Process Injection, Portable Executable Injection
Process Injection
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Phishing, Spearphishing Attachment
Drive-by Compromise
Drive-by Compromise
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Exploitation for Privilege Escalation
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Browser Session Hijacking
Steal or Forge Authentication Certificates
Modify Authentication Process, Multi-Factor Authentication
Brute Force, Password Spraying, Credential Stuffing
Password Policy Discovery
Disable or Modify Tools
Rogue Domain Controller
Password Policy Discovery
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
LSASS Memory
Command and Scripting Interpreter
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Domain Generation Algorithms
Server Software Component, IIS Components
Spearphishing Attachment, Phishing
Server Software Component, IIS Components
Modify Registry
Domain Generation Algorithms
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Malicious File, User Execution
Domain Account, Account Discovery
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
DNS, Application Layer Protocol
Server Software Component, IIS Components
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Query Registry
Windows Service
Windows Management Instrumentation
System Network Configuration Discovery
Change Default File Association, Event Triggered Execution
Credentials from Password Stores
Indirect Command Execution
System Network Connections Discovery
Clipboard Data
Credentials in Registry, Unsecured Credentials
Password Managers
Private Keys, Unsecured Credentials
Cached Domain Credentials, OS Credential Dumping
Security Support Provider, Boot or Logon Autostart Execution
System Information Discovery
System Owner/User Discovery
Steal or Forge Kerberos Tickets
BITS Jobs, Ingress Tool Transfer
OS Credential Dumping, DCSync, Rogue Domain Controller
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Account Manipulation
Domain Policy Modification
SID-History Injection, Access Token Manipulation
Protocol Tunneling, Proxy, Web Service
Access Token Manipulation, SID-History Injection
Windows Management Instrumentation
Event Triggered Execution
Modify Registry
Modify Registry
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
System Services, Service Execution
File Deletion, Indicator Removal
Data Encrypted for Impact
Data Destruction
Application Layer Protocol
Encrypted Channel
Exfiltration Over Web Service
Encrypted Channel
Dynamic-link Library Injection, Process Injection
Application Layer Protocol
Regsvr32, System Binary Proxy Execution
Process Injection
Process Injection
Windows Management Instrumentation
DLL Side-Loading, Hijack Execution Flow
System Owner/User Discovery
System Owner/User Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Drive-by Compromise
Exploitation of Remote Services
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Brute Force
Brute Force, Password Spraying, Credential Stuffing
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Script Proxy Execution, System Binary Proxy Execution
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Valid Accounts, Default Accounts
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Protocol Tunneling, SSH
Data Encrypted for Impact
Command and Scripting Interpreter
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Image File Execution Options Injection
Account Manipulation
Rogue Domain Controller
Account Manipulation
LSASS Memory, OS Credential Dumping
Compiled HTML File, System Binary Proxy Execution
Abuse Elevation Control Mechanism
Ingress Tool Transfer
Process Injection
InstallUtil, System Binary Proxy Execution
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Token Impersonation/Theft, Access Token Manipulation
Service Stop
Token Impersonation/Theft, Access Token Manipulation
Credentials, Gather Victim Identity Information
DLL Search Order Hijacking, Hijack Execution Flow
Remote Access Software, OS Credential Dumping
Process Injection, Portable Executable Injection
GUI Input Capture, Input Capture
Remote Access Software
Cloud Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Discovery
Endpoint Denial of Service
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking
Ingress Tool Transfer
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer
System Time Discovery
Clipboard Data
Windows Command Shell, Command and Scripting Interpreter
SSH Authorized Keys
System Shutdown/Reboot
System Shutdown/Reboot
System Information Discovery, Rootkit
Obfuscated Files or Information, Unix Shell
Obfuscated Files or Information
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Windows Management Instrumentation Event Subscription
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Disable or Modify Cloud Logs, Impair Defenses
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Screen Capture
Mavinject, System Binary Proxy Execution
Screen Capture
Odbcconf
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Odbcconf
System Binary Proxy Execution
Remote System Discovery
Exploit Public-Facing Application, External Remote Services
Odbcconf
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Application Layer Protocol
Modify Registry
Disable or Modify Tools, Impair Defenses
Service Stop
Modify Registry
Remote Access Software
Steal or Forge Kerberos Tickets, Kerberoasting
Modify Registry
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Command and Scripting Interpreter
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exfiltration Over Alternative Protocol
Gather Victim Network Information, IP Addresses
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Digital Certificates
At, Scheduled Task/Job
Process Injection
At, Scheduled Task/Job
Digital Certificates
Digital Certificates
Protocol Impersonation
Network Sniffing
Digital Certificates
Valid Accounts
Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Exploitation for Privilege Escalation
Local Accounts, Credentials In Files
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Exploit Public-Facing Application, External Remote Services
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets, AS-REP Roasting
Remote System Discovery
Windows Service
Remote System Discovery
Email Collection, Local Email Collection
Password Policy Discovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Remote System Discovery
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Inhibit System Recovery
Remote System Discovery
Permission Groups Discovery, Domain Groups
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Drive-by Compromise
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Scheduled Task, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Services, Service Execution
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Indirect Command Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Indirect Command Execution
Compromise Software Supply Chain, Supply Chain Compromise
System Network Connections Discovery
Rootkit, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Remote System Discovery
Network Denial of Service
Remote Services, Distributed Component Object Model
Permission Groups Discovery, Domain Groups
System Owner/User Discovery
Remote Services, Windows Remote Management
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Discovery, Local Account, PowerShell
Password Policy Discovery
File and Directory Permissions Modification
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
Steal or Forge Kerberos Tickets, Golden Ticket
System Binary Proxy Execution, Regsvcs/Regasm
Gather Victim Identity Information, Email Addresses
Use Alternate Authentication Material
Cloud Account, Create Account
Cloud Account, Create Account
Command and Scripting Interpreter
Kerberoasting
Domain Trust Discovery, PowerShell
User Execution
Process Injection
Steal or Forge Kerberos Tickets, AS-REP Roasting
System Binary Proxy Execution, Rundll32
Brute Force
Bypass User Account Control, Abuse Elevation Control Mechanism
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
Exfiltration Over Unencrypted Non-C2 Protocol
Steal or Forge Kerberos Tickets, Kerberoasting
System Binary Proxy Execution, Rundll32
Process Injection
Scheduled Task, Scheduled Task/Job
Disable or Modify Cloud Firewall, Impair Defenses
Modify Authentication Process
Ingress Tool Transfer
Ingress Tool Transfer
Exploitation for Privilege Escalation
Obfuscated Files or Information
Windows Command Shell
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
/etc/passwd and /etc/shadow, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Local Account, Create Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Valid Accounts, Domain Accounts
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Disable or Modify Tools
Unix Shell
Valid Accounts
Valid Accounts
Scheduled Task/Job, Scheduled Task
Automated Exfiltration
Create or Modify System Process, Windows Service
Remote Services, Distributed Component Object Model, MMC
Create or Modify System Process, Windows Service
Windows Management Instrumentation
Credentials from Web Browsers, Credentials from Password Stores
Create or Modify System Process, Windows Service
Remote Services, Windows Remote Management
Scheduled Task/Job, Scheduled Task
Gather Victim Host Information
Process Injection, Dynamic-link Library Injection
Remote Services, Windows Remote Management
Transfer Data to Cloud Account
Data Encrypted for Impact
Remote Services, Distributed Component Object Model
Windows Management Instrumentation
Compile After Delivery, Obfuscated Files or Information
InstallUtil, System Binary Proxy Execution
Disable or Modify System Firewall, Impair Defenses
Cloud Infrastructure Discovery
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, Scheduled Task
XSL Script Processing
Scheduled Task/Job, At
Remote Services, Windows Remote Management
Create or Modify System Process, Windows Service
Ingress Tool Transfer
Create or Modify System Process, Windows Service
Phishing
Phishing
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Kerberoasting
Data Destruction, File Deletion, Indicator Removal
Process Injection
Command and Scripting Interpreter, Component Object Model
Modify Registry
Regsvr32, Modify Registry
MSBuild, Trusted Developer Utilities Proxy Execution
Visual Basic, Command and Scripting Interpreter
Verclsid, System Binary Proxy Execution
Screen Capture
BITS Jobs
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
Automated Exfiltration
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Account Discovery, Local Account
Archive via Utility, Archive Collected Data
NTDS, OS Credential Dumping
Remote Services, SMB/Windows Admin Shares
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Owner/User Discovery
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
XSL Script Processing
Command and Scripting Interpreter, JavaScript
System Network Connections Discovery
System Network Connections Discovery
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
Remote System Discovery
Remote System Discovery
Domain Account, Account Discovery
Remote System Discovery
Remote System Discovery
Inhibit System Recovery
Malicious Image, User Execution
Inhibit System Recovery
Malicious Image, User Execution
Domain Trust Discovery
Compromise Client Software Binary
Trusted Relationship
Permission Groups Discovery, Domain Groups
Remote System Discovery
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Client Software Binary
Remote System Discovery
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
OS Credential Dumping
Remote System Discovery
Forced Authentication
Remote System Discovery
Password Policy Discovery
Phishing, Spearphishing Link
Password Policy Discovery
Password Policy Discovery
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Trust Discovery
Cloud Service Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Spearphishing Attachment, Phishing
Account Discovery, Local Account
Spearphishing Attachment, Phishing
Trusted Relationship
Spearphishing Attachment, Phishing
Malicious Image, User Execution
Security Account Manager, OS Credential Dumping
Archive via Utility, Archive Collected Data
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Spearphishing Attachment, Phishing
System Binary Proxy Execution, CMSTP
Indicator Removal
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
Data from Local System
User Execution, Malicious File
Archive via Utility, Archive Collected Data
Process Injection
System Binary Proxy Execution, Regsvr32
Command and Scripting Interpreter
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Security Account Manager, OS Credential Dumping
System Binary Proxy Execution, Mshta
Data from Cloud Storage
Data from Cloud Storage
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
System Services, Service Execution
Disable or Modify Cloud Firewall, Impair Defenses
Command and Scripting Interpreter, Visual Basic
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation Event Subscription, Event Triggered Execution
File and Directory Permissions Modification
File Deletion, Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Defacement
System Binary Proxy Execution, CMSTP
User Execution
User Execution
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, CMSTP
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File and Directory Permissions Modification
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Account Access Removal
Service Stop
Service Stop
Disable or Modify Tools, Impair Defenses
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Process Injection
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Obfuscated Files or Information
Scheduled Task/Job
Password Spraying, Brute Force
Exfiltration Over Alternative Protocol
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Cloud Service Discovery
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
System Services, Service Execution
Cloud Infrastructure Discovery, Brute Force
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Domain Trust Discovery
Disable or Modify Tools, Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
Create or Modify System Process
Data Encrypted for Impact
Inhibit System Recovery
Command and Scripting Interpreter, PowerShell
Cloud Accounts, Valid Accounts
Command and Scripting Interpreter, Windows Command Shell
Data Staged
Launch Agent, Create or Modify System Process
Ingress Tool Transfer
Launch Agent, Create or Modify System Process
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
LSASS Memory
Exploitation for Privilege Escalation
NTDS, OS Credential Dumping
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Valid Accounts
Valid Accounts
Inhibit System Recovery
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
PowerShell
Drive-by Compromise
Disable or Modify Cloud Firewall, Impair Defenses
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
Data Encrypted for Impact
Disable or Modify Cloud Firewall, Impair Defenses
Web Shell, External Remote Services
Inhibit System Recovery
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Password Guessing, Brute Force
Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Exploitation for Client Execution
User Execution, Malicious File
Masquerading, Rename System Utilities
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify System Firewall
Application Shimming, Event Triggered Execution
Rename System Utilities
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities
Command and Scripting Interpreter, Windows Command Shell
System Network Configuration Discovery
Inhibit System Recovery
Data Destruction
Windows Command Shell
Data Encrypted for Impact
TFTP Boot, Pre-OS Boot
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over C2 Channel
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Exploitation of Remote Services
Indicator Removal, Network Share Connection Removal
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Data from Cloud Storage
Data from Cloud Storage
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Exploitation for Client Execution
Exploitation for Client Execution
Valid Accounts
Valid Accounts
Use Alternate Authentication Material
Valid Accounts
Valid Accounts
SMB/Windows Admin Shares, Remote Services
Masquerading
Modify Registry
SMB/Windows Admin Shares, Remote Services
Phishing
Malicious File
Change Default File Association
Remote Desktop Protocol, Remote Services
Windows Service, Create or Modify System Process
Cloud Accounts
Exfiltration Over Alternative Protocol
Cloud Accounts
Cloud Accounts
Cloud Accounts
Remote Desktop Protocol, Remote Services
PowerShell, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Email Collection, Local Email Collection
Cloud Accounts
System Services, Service Execution
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Software Deployment Tools
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
File Transfer Protocols, Application Layer Protocol
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Remote Desktop Protocol, Remote Services
Indicator Removal, Clear Windows Event Logs
Exploitation for Privilege Escalation
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Windows Management Instrumentation
Windows Management Instrumentation
LSASS Memory, OS Credential Dumping
DNS, Application Layer Protocol
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
System Information Discovery
LSASS Memory
Hidden Files and Directories
Data Encrypted for Impact
Indicator Removal
Data from Cloud Storage
Windows Management Instrumentation
Windows Management Instrumentation
Create Account
Valid Accounts
Data from Cloud Storage
Non-Application Layer Protocol
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
System Information Discovery, External Remote Services
Network Denial of Service, Reflection Amplification
Domain Accounts
Email Collection
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
DLL Side-Loading, Boot or Logon Autostart Execution
Valid Accounts, Brute Force
Exploit Public-Facing Application
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
System Binary Proxy Execution
Email Collection, Email Forwarding Rule
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Valid Accounts, Cloud Accounts
DLL Side-Loading
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution
Phishing, Modify Registry
Modify Registry
Exploitation for Credential Access
Valid Accounts, Domain Accounts
Local Account, Create Account
Valid Accounts, Local Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Local Account, Create Account
Valid Accounts
Exploitation for Credential Access
Log Enumeration
Steal Web Session Cookie
Cloud Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Account Manipulation, Device Registration
Cloud Accounts
Cloud Account
Password Spraying
Brute Force
Data Destruction
Multi-Factor Authentication Request Generation
Data Destruction
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Password Spraying, Valid Accounts, Default Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Remote Access Software
Remote Access Software
Exfiltration Over Web Service
Remote Access Software
Remote Access Software
Remote Access Software
Exploit Public-Facing Application
Remote Access Software
Modify Cloud Compute Configurations
Account Manipulation, Valid Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Query Registry
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Query Registry
Hide Artifacts, NTFS File Attributes
IP Addresses, Gather Victim Network Information
Hide Artifacts, NTFS File Attributes
Remote Services, SMB/Windows Admin Shares
Inhibit System Recovery
System Network Configuration Discovery, Internet Connection Discovery
Time Based Evasion, Virtualization/Sandbox Evasion
Local Account, Create Account
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Unsecured Credentials
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Permission Groups Discovery, Domain Groups
Cloud Accounts
Additional Cloud Roles
Additional Cloud Roles
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Service Stop
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application
Remote Email Collection
Remote Email Collection
Remote Email Collection
Process Injection
Exfiltration Over Unencrypted Non-C2 Protocol
System Binary Proxy Execution, Regsvcs/Regasm
Security Account Manager
Security Account Manager
System Binary Proxy Execution, Regsvcs/Regasm
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Exploit Public-Facing Application
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Use Alternate Authentication Material
Exploit Public-Facing Application
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
User Execution
User Execution
User Execution
User Execution
User Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Process Injection
Steal or Forge Authentication Certificates
Msiexec, System Binary Proxy Execution
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
System Binary Proxy Execution, Mshta
Remote System Discovery
Modify Registry
LSASS Memory, OS Credential Dumping
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Security Account Manager, OS Credential Dumping
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Credentials from Password Stores, Credentials from Web Browsers
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Modify Registry
Command and Scripting Interpreter, PowerShell
Domain Account, Account Discovery
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, PowerShell
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Query Registry
LSASS Memory, OS Credential Dumping
OS Credential Dumping
Masquerading
Steal or Forge Kerberos Tickets, Kerberoasting
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Create or Modify System Process
Domain Account, Account Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Modify Registry
Security Account Manager, OS Credential Dumping
Password Policy Discovery
Disable or Modify Tools, Impair Defenses
System Owner/User Discovery
Remote System Discovery
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
OS Credential Dumping, PowerShell
Credentials from Password Stores, Credentials from Web Browsers
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Password Policy Discovery
Scheduled Task
Create Process with Token, Access Token Manipulation
Command and Scripting Interpreter, JavaScript
Modify Registry
Domain Account, Account Discovery
Use Alternate Authentication Material, Pass the Ticket
Windows Command Shell, Command and Scripting Interpreter
Remote System Discovery
Steal or Forge Authentication Certificates
Modify Registry
Scheduled Task/Job, Scheduled Task
Disable or Modify Tools, Impair Defenses
System Network Connections Discovery
LSASS Memory, OS Credential Dumping
Clear Windows Event Logs, Indicator Removal
Modify Registry
Windows Management Instrumentation
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Disable or Modify Tools, Impair Defenses
Modify Registry
Domain Account, Account Discovery
Modify Registry
LSASS Memory, OS Credential Dumping
Use Alternate Authentication Material, Pass the Ticket
Steal or Forge Kerberos Tickets, AS-REP Roasting
Modify Registry
Service Stop
Domain Account, Account Discovery
Windows Management Instrumentation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force, Password Guessing, Password Spraying
Account Manipulation, Additional Cloud Credentials
Steal Application Access Token, Phishing, Spearphishing Link
Multi-Factor Authentication Request Generation
Cloud Account
Brute Force, Password Guessing, Password Spraying
Steal Application Access Token
Browser Session Hijacking
Domain Policy Modification, Domain Trust Modification
Security Account Manager
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Impair Defenses
Create Account, Cloud Account
Additional Cloud Roles
Account Manipulation
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Valid Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Account Manipulation
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal Application Access Token
Account Manipulation, Device Registration
User Execution
Archive Collected Data
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
DLL Side-Loading, Hijack Execution Flow
User Execution
User Execution
User Execution
Account Discovery, Local Account
Account Discovery
Modify Registry
Disable or Modify Cloud Firewall, Impair Defenses
Account Discovery, Domain Account
System Owner/User Discovery
Account Discovery
Process Discovery
LSA Secrets
User Execution
User Execution
Container Orchestration Job
User Execution
User Execution
User Execution
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Rundll32
Modify Registry
Network Service Discovery
Command and Scripting Interpreter, Windows Command Shell
User Execution
Cloud Service Discovery
Network Service Discovery
Container API
Container API
Container API
Container API
Browser Session Hijacking
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Modify Registry
Modify Registry
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Indicator Removal
Credentials from Password Stores
Windows Remote Management, Remote Services
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Credentials from Password Stores
Archive via Utility, Archive Collected Data
Modify Registry
Exploitation of Remote Services
Masquerading
Parent PID Spoofing, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Abuse Elevation Control Mechanism, Bypass User Account Control
Exploitation of Remote Services
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Spearphishing Attachment
Account Discovery
Domain Account, Account Discovery
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Hardware, Gather Victim Host Information
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Print Processors, Boot or Logon Autostart Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Abuse Elevation Control Mechanism
Plist File Modification
System Binary Proxy Execution, Regsvcs/Regasm
Local Account, Create Account
Gather Victim Host Information
Masquerading
Phishing, Spearphishing Attachment
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Remote Services, Windows Remote Management
Archive via Utility, Archive Collected Data
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Account Manipulation
Transfer Data to Cloud Account
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Regsvcs/Regasm
SID-History Injection, Access Token Manipulation
Exploitation of Remote Services
System Binary Proxy Execution, Rundll32
Phishing, Spearphishing Attachment
Unix Shell, Command and Scripting Interpreter
Security Account Manager, OS Credential Dumping
Rogue Domain Controller
InstallUtil, System Binary Proxy Execution
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Security Account Manager, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Compromise Accounts, Unused/Unsupported Cloud Regions
Modify Registry
Account Manipulation
Create Account, Cloud Account
Phishing, Spearphishing Attachment
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Account Manipulation
Phishing, Spearphishing Attachment
Gather Victim Host Information, PowerShell
Hidden Window, Run Virtual Instance
Msiexec
Phishing
Command and Scripting Interpreter
Command and Scripting Interpreter
Hide Artifacts, NTFS File Attributes
Malicious Image, User Execution
Steal Application Access Token
Impair Defenses
Exploit Public-Facing Application
Valid Accounts
Exploit Public-Facing Application
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
Multi-Factor Authentication Request Generation
Steal Application Access Token
Exploit Public-Facing Application
Account Manipulation, Additional Email Delegate Permissions
Exploit Public-Facing Application
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
Brute Force, Password Guessing
SIP and Trust Provider Hijacking
Steal or Forge Kerberos Tickets
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Registry
Proxy, Multi-hop Proxy
Web Service
Local Groups
Impair Defenses, Disable or Modify Cloud Logs
Account Manipulation, Additional Cloud Roles
Fileless Storage, Obfuscated Files or Information
Impair Defenses, Disable or Modify Tools
Shared Modules
Hidden Window
Impair Defenses, Disable or Modify System Firewall
Hidden Window
Virtualization/Sandbox Evasion, Time Based Evasion
Account Manipulation
Replication Through Removable Media
Email Collection, Remote Email Collection
Account Manipulation, Additional Cloud Roles
Network Denial of Service
File and Directory Discovery
Drive-by Compromise
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Manipulation, Additional Cloud Credentials
Account Discovery, Domain Account
Account Discovery, Domain Account
Application or System Exploitation
Ingress Tool Transfer
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Rename System Utilities, Masquerading
Mark-of-the-Web Bypass
Exploit Public-Facing Application, External Remote Services
Cloud Account, Create Account
Modify Authentication Process
Cloud Account, Create Account
Exploit Public-Facing Application, External Remote Services
Bypass User Account Control
DLL Side-Loading
Exploit Public-Facing Application
Modify Registry
Exploit Public-Facing Application
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Account, Create Account
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Process Injection
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Process Injection
Process Injection
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
System Binary Proxy Execution, Rundll32
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Process Injection
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Modify Registry
Process Injection
Command and Scripting Interpreter, PowerShell
Modify Registry
System Binary Proxy Execution, Rundll32
Command and Scripting Interpreter, PowerShell
Process Injection
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
System Binary Proxy Execution, Regsvr32
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Archive Collected Data
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
System Shutdown/Reboot
PowerShell, Command and Scripting Interpreter
Obfuscated Files or Information, Fileless Storage
Process Injection, Portable Executable Injection
Modify Registry
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Permission Groups Discovery, Domain Groups
Scheduled Task, Command and Scripting Interpreter
Malicious File, Masquerade File Type
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disk Structure Wipe, Disk Wipe
Domain Account, Account Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Service Stop
Disk Structure Wipe, Disk Wipe
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
Permission Groups Discovery, Local Groups
PowerShell, Ingress Tool Transfer
Account Access Removal
Account Access Removal
Service Stop
PowerShell, Ingress Tool Transfer, Fileless Storage
Scheduled Task, PowerShell, Command and Scripting Interpreter
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Cloud Service Discovery
Account Discovery, Domain Account
Exploit Public-Facing Application, External Remote Services
Account Discovery, Domain Account
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Internal Proxy, Proxy
Ingress Tool Transfer, Domain Groups
Internal Proxy, Proxy
Network Share Discovery
Browser Session Hijacking
Domain Policy Modification
Abuse Elevation Control Mechanism
Password Policy Discovery
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions
Obfuscated Files or Information
Modify Registry
Pre-OS Boot, Registry Run Keys / Startup Folder
Steal or Forge Authentication Certificates
Inhibit System Recovery
Transfer Data to Cloud Account
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Image File Execution Options Injection, Event Triggered Execution
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Install Root Certificate, Subvert Trust Controls
Time Providers, Boot or Logon Autostart Execution
Data Destruction
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Services Registry Permissions Weakness
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry, OS Credential Dumping
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Disable or Modify Tools, Impair Defenses
Query Registry
Query Registry
Domain Policy Modification, Group Policy Modification
Automated Collection
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Domain Accounts, Permission Groups Discovery
RDP Hijacking
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Indicator Removal
System Binary Proxy Execution, Regsvr32
Service Stop
PowerShell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Indicator Removal
Disable or Modify System Firewall, Impair Defenses
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Service Stop
Service Stop
Virtualization/Sandbox Evasion, Time Based Evasion
Command and Scripting Interpreter, PowerShell
DLL Side-Loading, Hijack Execution Flow
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Hardware Additions
Data Destruction
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Data Destruction
Obfuscated Files or Information, Indicator Removal from Tools
Disable or Modify Tools, Impair Defenses
Exploitation for Privilege Escalation
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Data Destruction
Disable or Modify Tools, Impair Defenses
LSASS Memory, OS Credential Dumping
Domain Account, Account Discovery
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File Deletion, Indicator Removal
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Steal or Forge Kerberos Tickets, Kerberoasting
Event Triggered Execution, Screensaver
System Network Configuration Discovery
Cron, Scheduled Task/Job
Domain Account, Account Discovery
System Firmware, Pre-OS Boot
Visual Basic, Command and Scripting Interpreter
Boot or Logon Initialization Scripts, Logon Script (Windows)
Access Token Manipulation, Token Impersonation/Theft
Spearphishing Attachment, Phishing
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Visual Basic, Command and Scripting Interpreter
Data Destruction
Gather Victim Host Information
Print Processors, Boot or Logon Autostart Execution
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Modify Registry
Event Triggered Execution, Accessibility Features
Data Destruction
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Masquerade Task or Service, Masquerading
User Execution, Malicious File
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Credentials in Registry, Unsecured Credentials
Automated Collection
Automated Collection
Domain Policy Modification, Group Policy Modification
Account Discovery, Local Account
Scheduled Task
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Screen Capture
Exfiltration Over C2 Channel
Scheduled Task/Job
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Exfiltration Over C2 Channel
Transfer Data to Cloud Account
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Credentials in Registry, Unsecured Credentials
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Domain Policy Modification, Group Policy Modification
Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
Domain Policy Modification, Group Policy Modification
PowerShell, Command and Scripting Interpreter
Domain Policy Modification, Group Policy Modification, Domain Accounts
Scheduled Task
PowerShell
Network Share Discovery
Security Account Manager
Transfer Data to Cloud Account
Windows Management Instrumentation
PowerShell, Command and Scripting Interpreter
Brute Force, Credential Stuffing
Windows Management Instrumentation
Lateral Tool Transfer
Network Share Discovery
Network Share Discovery, Valid Accounts
Transfer Data to Cloud Account
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Multi-Factor Authentication Request Generation
User Execution
Web Session Cookie, Cloud Service Dashboard
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
DLL Side-Loading, Hijack Execution Flow
Exfiltration Over Unencrypted Non-C2 Protocol
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Data Destruction
System Services, Service Execution
System Binary Proxy Execution, Regsvr32
Rootkit, Exploitation for Privilege Escalation
Process Injection, Portable Executable Injection
Process Injection
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Phishing, Spearphishing Attachment
Drive-by Compromise
Drive-by Compromise
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Exploitation for Privilege Escalation
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Browser Session Hijacking
Steal or Forge Authentication Certificates
Modify Authentication Process, Multi-Factor Authentication
Brute Force, Password Spraying, Credential Stuffing
Password Policy Discovery
Disable or Modify Tools
Rogue Domain Controller
Password Policy Discovery
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
LSASS Memory
Command and Scripting Interpreter
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Domain Generation Algorithms
Server Software Component, IIS Components
Spearphishing Attachment, Phishing
Server Software Component, IIS Components
Modify Registry
Domain Generation Algorithms
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Malicious File, User Execution
Domain Account, Account Discovery
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
DNS, Application Layer Protocol
Server Software Component, IIS Components
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Query Registry
Windows Service
Windows Management Instrumentation
System Network Configuration Discovery
Change Default File Association, Event Triggered Execution
Credentials from Password Stores
Indirect Command Execution
System Network Connections Discovery
Clipboard Data
Credentials in Registry, Unsecured Credentials
Password Managers
Private Keys, Unsecured Credentials
Cached Domain Credentials, OS Credential Dumping
Security Support Provider, Boot or Logon Autostart Execution
System Information Discovery
System Owner/User Discovery
Steal or Forge Kerberos Tickets
BITS Jobs, Ingress Tool Transfer
OS Credential Dumping, DCSync, Rogue Domain Controller
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Account Manipulation
Domain Policy Modification
SID-History Injection, Access Token Manipulation
Protocol Tunneling, Proxy, Web Service
Access Token Manipulation, SID-History Injection
Windows Management Instrumentation
Event Triggered Execution
Modify Registry
Modify Registry
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
System Services, Service Execution
File Deletion, Indicator Removal
Data Encrypted for Impact
Data Destruction
Application Layer Protocol
Encrypted Channel
Exfiltration Over Web Service
Encrypted Channel
Dynamic-link Library Injection, Process Injection
Application Layer Protocol
Regsvr32, System Binary Proxy Execution
Process Injection
Process Injection
Windows Management Instrumentation
DLL Side-Loading, Hijack Execution Flow
System Owner/User Discovery
System Owner/User Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Drive-by Compromise
Exploitation of Remote Services
Exploitation of Remote Services
Drive-by Compromise
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Brute Force
Brute Force, Password Spraying, Credential Stuffing
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Script Proxy Execution, System Binary Proxy Execution
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Valid Accounts, Default Accounts
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Protocol Tunneling, SSH
Data Encrypted for Impact
Command and Scripting Interpreter
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
SID-History Injection, Access Token Manipulation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Image File Execution Options Injection
Account Manipulation
Rogue Domain Controller
Account Manipulation
LSASS Memory, OS Credential Dumping
Compiled HTML File, System Binary Proxy Execution
Abuse Elevation Control Mechanism
Ingress Tool Transfer
Process Injection
InstallUtil, System Binary Proxy Execution
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Token Impersonation/Theft, Access Token Manipulation
Service Stop
Token Impersonation/Theft, Access Token Manipulation
Credentials, Gather Victim Identity Information
DLL Search Order Hijacking, Hijack Execution Flow
Remote Access Software, OS Credential Dumping
Process Injection, Portable Executable Injection
GUI Input Capture, Input Capture
Remote Access Software
Cloud Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Account Discovery
Endpoint Denial of Service
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking
Ingress Tool Transfer
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer
System Time Discovery
Clipboard Data
Windows Command Shell, Command and Scripting Interpreter
SSH Authorized Keys
System Shutdown/Reboot
System Shutdown/Reboot
System Information Discovery, Rootkit
Obfuscated Files or Information, Unix Shell
Obfuscated Files or Information
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Windows Management Instrumentation Event Subscription
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Disable or Modify Cloud Logs, Impair Defenses
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Screen Capture
Mavinject, System Binary Proxy Execution
Screen Capture
Odbcconf
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Odbcconf
System Binary Proxy Execution
Remote System Discovery
Exploit Public-Facing Application, External Remote Services
Odbcconf
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Application Layer Protocol
Modify Registry
Disable or Modify Tools, Impair Defenses
Service Stop
Modify Registry
Remote Access Software
Steal or Forge Kerberos Tickets, Kerberoasting
Modify Registry
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Command and Scripting Interpreter
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exfiltration Over Alternative Protocol
Gather Victim Network Information, IP Addresses
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Digital Certificates
At, Scheduled Task/Job
Process Injection
At, Scheduled Task/Job
Digital Certificates
Digital Certificates
Protocol Impersonation
Network Sniffing
Digital Certificates
Valid Accounts
Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Exploitation for Privilege Escalation
Local Accounts, Credentials In Files
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Exploit Public-Facing Application, External Remote Services
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Steal or Forge Kerberos Tickets, AS-REP Roasting
Remote System Discovery
Windows Service
Remote System Discovery
Email Collection, Local Email Collection
Password Policy Discovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Remote System Discovery
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Inhibit System Recovery
Remote System Discovery
Permission Groups Discovery, Domain Groups
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Drive-by Compromise
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Permission Groups Discovery, Local Groups
Domain Trust Discovery
Scheduled Task, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Services, Service Execution
System Binary Proxy Execution, Compiled HTML File
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Indirect Command Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Indirect Command Execution
Compromise Software Supply Chain, Supply Chain Compromise
System Network Connections Discovery
Rootkit, Exploitation for Privilege Escalation
Exploit Public-Facing Application
Remote System Discovery
Network Denial of Service
Remote Services, Distributed Component Object Model
Permission Groups Discovery, Domain Groups
System Owner/User Discovery
Remote Services, Windows Remote Management
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Steal or Forge Kerberos Tickets, AS-REP Roasting
Account Discovery, Local Account, PowerShell
Password Policy Discovery
File and Directory Permissions Modification
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
Steal or Forge Kerberos Tickets, Golden Ticket
System Binary Proxy Execution, Regsvcs/Regasm
Gather Victim Identity Information, Email Addresses
Use Alternate Authentication Material
Cloud Account, Create Account
Cloud Account, Create Account
Command and Scripting Interpreter
Kerberoasting
Domain Trust Discovery, PowerShell
User Execution
Process Injection
Steal or Forge Kerberos Tickets, AS-REP Roasting
System Binary Proxy Execution, Rundll32
Brute Force
Bypass User Account Control, Abuse Elevation Control Mechanism
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
Exfiltration Over Unencrypted Non-C2 Protocol
Steal or Forge Kerberos Tickets, Kerberoasting
System Binary Proxy Execution, Rundll32
Process Injection
Scheduled Task, Scheduled Task/Job
Disable or Modify Cloud Firewall, Impair Defenses
Modify Authentication Process
Ingress Tool Transfer
Ingress Tool Transfer
Exploitation for Privilege Escalation
Obfuscated Files or Information
Windows Command Shell
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
/etc/passwd and /etc/shadow, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Local Account, Create Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Valid Accounts, Domain Accounts
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Disable or Modify Tools
Unix Shell
Valid Accounts
Valid Accounts
Scheduled Task/Job, Scheduled Task
Automated Exfiltration
Create or Modify System Process, Windows Service
Remote Services, Distributed Component Object Model, MMC
Create or Modify System Process, Windows Service
Windows Management Instrumentation
Credentials from Web Browsers, Credentials from Password Stores
Create or Modify System Process, Windows Service
Remote Services, Windows Remote Management
Scheduled Task/Job, Scheduled Task
Gather Victim Host Information
Process Injection, Dynamic-link Library Injection
Remote Services, Windows Remote Management
Transfer Data to Cloud Account
Data Encrypted for Impact
Remote Services, Distributed Component Object Model
Windows Management Instrumentation
Compile After Delivery, Obfuscated Files or Information
InstallUtil, System Binary Proxy Execution
Disable or Modify System Firewall, Impair Defenses
Cloud Infrastructure Discovery
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, Scheduled Task
XSL Script Processing
Scheduled Task/Job, At
Remote Services, Windows Remote Management
Create or Modify System Process, Windows Service
Ingress Tool Transfer
Create or Modify System Process, Windows Service
Phishing
Phishing
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Kerberoasting
Data Destruction, File Deletion, Indicator Removal
Process Injection
Command and Scripting Interpreter, Component Object Model
Modify Registry
Regsvr32, Modify Registry
MSBuild, Trusted Developer Utilities Proxy Execution
Visual Basic, Command and Scripting Interpreter
Verclsid, System Binary Proxy Execution
Screen Capture
BITS Jobs
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
Automated Exfiltration
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Account Discovery, Local Account
Archive via Utility, Archive Collected Data
NTDS, OS Credential Dumping
Remote Services, SMB/Windows Admin Shares
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Owner/User Discovery
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
System Owner/User Discovery
Command and Scripting Interpreter, JavaScript
XSL Script Processing
Command and Scripting Interpreter, JavaScript
System Network Connections Discovery
System Network Connections Discovery
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
Remote System Discovery
Remote System Discovery
Domain Account, Account Discovery
Remote System Discovery
Remote System Discovery
Inhibit System Recovery
Malicious Image, User Execution
Inhibit System Recovery
Malicious Image, User Execution
Domain Trust Discovery
Compromise Client Software Binary
Trusted Relationship
Permission Groups Discovery, Domain Groups
Remote System Discovery
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Client Software Binary
Remote System Discovery
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
OS Credential Dumping
Remote System Discovery
Forced Authentication
Remote System Discovery
Password Policy Discovery
Phishing, Spearphishing Link
Password Policy Discovery
Password Policy Discovery
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Trust Discovery
Cloud Service Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Spearphishing Attachment, Phishing
Account Discovery, Local Account
Spearphishing Attachment, Phishing
Trusted Relationship
Spearphishing Attachment, Phishing
Malicious Image, User Execution
Security Account Manager, OS Credential Dumping
Archive via Utility, Archive Collected Data
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Spearphishing Attachment, Phishing
System Binary Proxy Execution, CMSTP
Indicator Removal
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
Data from Local System
User Execution, Malicious File
Archive via Utility, Archive Collected Data
Process Injection
System Binary Proxy Execution, Regsvr32
Command and Scripting Interpreter
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Security Account Manager, OS Credential Dumping
System Binary Proxy Execution, Mshta
Data from Cloud Storage
Data from Cloud Storage
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
System Services, Service Execution
Disable or Modify Cloud Firewall, Impair Defenses
Command and Scripting Interpreter, Visual Basic
Indicator Removal, Clear Windows Event Logs
Windows Management Instrumentation Event Subscription, Event Triggered Execution
File and Directory Permissions Modification
File Deletion, Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Defacement
System Binary Proxy Execution, CMSTP
User Execution
User Execution
Remote Desktop Protocol, Remote Services
System Binary Proxy Execution, CMSTP
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File and Directory Permissions Modification
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Account Access Removal
Service Stop
Service Stop
Disable or Modify Tools, Impair Defenses
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Process Injection
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Obfuscated Files or Information
Scheduled Task/Job
Password Spraying, Brute Force
Exfiltration Over Alternative Protocol
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Cloud Service Discovery
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Password Spraying, Brute Force
System Services, Service Execution
Cloud Infrastructure Discovery, Brute Force
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Domain Trust Discovery
Disable or Modify Tools, Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
Create or Modify System Process
Data Encrypted for Impact
Inhibit System Recovery
Command and Scripting Interpreter, PowerShell
Cloud Accounts, Valid Accounts
Command and Scripting Interpreter, Windows Command Shell
Data Staged
Launch Agent, Create or Modify System Process
Ingress Tool Transfer
Launch Agent, Create or Modify System Process
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
LSASS Memory
Exploitation for Privilege Escalation
NTDS, OS Credential Dumping
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Valid Accounts
Valid Accounts
Inhibit System Recovery
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
PowerShell
Drive-by Compromise
Disable or Modify Cloud Firewall, Impair Defenses
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
Data Encrypted for Impact
Disable or Modify Cloud Firewall, Impair Defenses
Web Shell, External Remote Services
Inhibit System Recovery
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Password Guessing, Brute Force
Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Exploitation for Client Execution
User Execution, Malicious File
Masquerading, Rename System Utilities
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify System Firewall
Application Shimming, Event Triggered Execution
Rename System Utilities
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities
Command and Scripting Interpreter, Windows Command Shell
System Network Configuration Discovery
Inhibit System Recovery
Data Destruction
Windows Command Shell
Data Encrypted for Impact
TFTP Boot, Pre-OS Boot
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over C2 Channel
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Exploitation of Remote Services
Indicator Removal, Network Share Connection Removal
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Data from Cloud Storage
Data from Cloud Storage
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Exploitation for Client Execution
Exploitation for Client Execution
Valid Accounts
Valid Accounts
Use Alternate Authentication Material
Valid Accounts
Valid Accounts
SMB/Windows Admin Shares, Remote Services
Masquerading
Modify Registry
SMB/Windows Admin Shares, Remote Services
Phishing
Malicious File
Change Default File Association
Remote Desktop Protocol, Remote Services
Windows Service, Create or Modify System Process
Cloud Accounts
Exfiltration Over Alternative Protocol
Cloud Accounts
Cloud Accounts
Cloud Accounts
Remote Desktop Protocol, Remote Services
PowerShell, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Email Collection, Local Email Collection
Cloud Accounts
System Services, Service Execution
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Accounts
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Software Deployment Tools
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
File Transfer Protocols, Application Layer Protocol
Web Protocols
Scheduled Task
Exfiltration Over Unencrypted Non-C2 Protocol
Cloud Service Discovery
Remote Desktop Protocol, Remote Services
Indicator Removal, Clear Windows Event Logs
Exploitation for Privilege Escalation
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Windows Management Instrumentation
Windows Management Instrumentation
LSASS Memory, OS Credential Dumping
DNS, Application Layer Protocol
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
System Information Discovery
LSASS Memory
Hidden Files and Directories
Data Encrypted for Impact
Indicator Removal
Data from Cloud Storage
Windows Management Instrumentation
Windows Management Instrumentation
Create Account
Valid Accounts
Data from Cloud Storage
Non-Application Layer Protocol
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
System Information Discovery, External Remote Services
Network Denial of Service, Reflection Amplification
Domain Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
DLL Side-Loading, Boot or Logon Autostart Execution
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Valid Accounts, Brute Force
System Binary Proxy Execution
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
DLL Side-Loading
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution
Phishing, Modify Registry
Modify Registry
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
Modify Authentication Process
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Modify Cloud Compute Configurations
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Time Based Evasion, Virtualization/Sandbox Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Cloud Accounts
Process Injection
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Use Alternate Authentication Material
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Process Injection
Msiexec, System Binary Proxy Execution
Msiexec, System Binary Proxy Execution
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Masquerading
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Create Process with Token, Access Token Manipulation
Create Process with Token, Access Token Manipulation
Modify Registry
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Clear Windows Event Logs, Indicator Removal
Clear Windows Event Logs, Indicator Removal
Modify Registry
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Modify Registry
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Impair Defenses
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Modify Registry
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Modify Registry
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Modify Registry
Modify Registry
Indicator Removal
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Masquerading
Parent PID Spoofing, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Path Interception by Unquoted Path, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
Abuse Elevation Control Mechanism
Plist File Modification
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Masquerading
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Rogue Domain Controller
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Compromise Accounts, Unused/Unsupported Cloud Regions
Modify Registry
Hidden Window, Run Virtual Instance
Hidden Window, Run Virtual Instance
Msiexec
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Impair Defenses
Valid Accounts
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Registry
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Fileless Storage, Obfuscated Files or Information
Fileless Storage, Obfuscated Files or Information
Impair Defenses, Disable or Modify Tools
Impair Defenses, Disable or Modify Tools
Hidden Window
Impair Defenses, Disable or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Hidden Window
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Rename System Utilities, Masquerading
Rename System Utilities, Masquerading
Mark-of-the-Web Bypass
Modify Authentication Process
Bypass User Account Control
DLL Side-Loading
Modify Registry
Process Injection
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Process Injection
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Modify Registry
Process Injection
Modify Registry
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Process Injection
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Obfuscated Files or Information, Fileless Storage
Obfuscated Files or Information, Fileless Storage
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Modify Registry
Malicious File, Masquerade File Type
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
PowerShell, Ingress Tool Transfer, Fileless Storage
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
HTML Smuggling
Domain Policy Modification
Abuse Elevation Control Mechanism
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Access Token Manipulation
Obfuscated Files or Information
Modify Registry
Pre-OS Boot, Registry Run Keys / Startup Folder
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Services Registry Permissions Weakness
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry, OS Credential Dumping
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Domain Accounts, Permission Groups Discovery
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Indicator Removal
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Indicator Removal
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Obfuscated Files or Information, Indicator Removal from Tools
Obfuscated Files or Information, Indicator Removal from Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
File Deletion, Indicator Removal
File Deletion, Indicator Removal
System Firmware, Pre-OS Boot
System Firmware, Pre-OS Boot
Access Token Manipulation, Token Impersonation/Theft
Access Token Manipulation, Token Impersonation/Theft
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Masquerade Task or Service, Masquerading
Masquerade Task or Service, Masquerading
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Abuse Elevation Control Mechanism
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification, Domain Accounts
Domain Policy Modification, Group Policy Modification, Domain Accounts
Domain Policy Modification, Group Policy Modification, Domain Accounts
Network Share Discovery, Valid Accounts
Web Session Cookie, Cloud Service Dashboard
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Rootkit, Exploitation for Privilege Escalation
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Process Injection
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Disable or Modify Tools
Rogue Domain Controller
Modify Registry
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Indirect Command Execution
BITS Jobs, Ingress Tool Transfer
OS Credential Dumping, DCSync, Rogue Domain Controller
Domain Policy Modification
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Access Token Manipulation, SID-History Injection
Access Token Manipulation, SID-History Injection
Modify Registry
Modify Registry
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Dynamic-link Library Injection, Process Injection
Dynamic-link Library Injection, Process Injection
Regsvr32, System Binary Proxy Execution
Regsvr32, System Binary Proxy Execution
Process Injection
Process Injection
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Rogue Domain Controller
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
System Script Proxy Execution, System Binary Proxy Execution
System Script Proxy Execution, System Binary Proxy Execution
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Rogue Domain Controller
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Abuse Elevation Control Mechanism
Process Injection
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking
System Information Discovery, Rootkit
Obfuscated Files or Information, Unix Shell
Obfuscated Files or Information
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Mavinject, System Binary Proxy Execution
Mavinject, System Binary Proxy Execution
Odbcconf
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Odbcconf
System Binary Proxy Execution
Odbcconf
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Process Injection
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Local Accounts, Credentials In Files
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Scheduled Task, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Indirect Command Execution
Indirect Command Execution
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Rootkit, Exploitation for Privilege Escalation
Masquerading
File and Directory Permissions Modification
File and Directory Permissions Modification
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Use Alternate Authentication Material
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Process Injection
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
System Binary Proxy Execution
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
BITS Jobs
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Process Injection
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Modify Authentication Process
Obfuscated Files or Information
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Indicator Removal
Disable or Modify Tools
Valid Accounts
Valid Accounts
File and Directory Permissions Modification
Service Stop, Valid Accounts
File and Directory Permissions Modification
Remote Services, Distributed Component Object Model, MMC
Process Injection, Dynamic-link Library Injection
Process Injection, Dynamic-link Library Injection
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Compile After Delivery, Obfuscated Files or Information
Compile After Delivery, Obfuscated Files or Information
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
XSL Script Processing
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Process Injection
Modify Registry
Regsvr32, Modify Registry
Regsvr32, Modify Registry
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild, Trusted Developer Utilities Proxy Execution
Verclsid, System Binary Proxy Execution
Verclsid, System Binary Proxy Execution
BITS Jobs
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
XSL Script Processing
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
System Binary Proxy Execution, Control Panel
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
Indicator Removal
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
Msiexec, System Binary Proxy Execution
Process Injection
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Process Injection
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
File and Directory Permissions Modification
File Deletion, Indicator Removal
File Deletion, Indicator Removal
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Process Injection
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Valid Accounts
Valid Accounts
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Services Registry Permissions Weakness, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify System Firewall
Rename System Utilities
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
TFTP Boot, Pre-OS Boot
TFTP Boot, Pre-OS Boot
Use Alternate Authentication Material, Pass the Hash
Use Alternate Authentication Material, Pass the Hash
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Indicator Removal, Network Share Connection Removal
Indicator Removal, Network Share Connection Removal
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Use Alternate Authentication Material
Valid Accounts
Valid Accounts
Masquerading
Modify Registry
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Hidden Files and Directories
Indicator Removal
Valid Accounts
Disable or Modify Cloud Firewall
Cloud Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Domain Accounts
Phishing, Modify Registry
Modify Registry
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Modify Authentication Process
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote Access Software
Remote Access Software
Exploit Public-Facing Application
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Inhibit System Recovery
System Network Configuration Discovery, Internet Connection Discovery
Time Based Evasion, Virtualization/Sandbox Evasion
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Service Stop
Exfiltration Over Unencrypted Non-C2 Protocol
Systemd Timers, Scheduled Task/Job
Use Alternate Authentication Material
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Process Injection
Msiexec, System Binary Proxy Execution
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
System Binary Proxy Execution, Mshta
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Security Account Manager, OS Credential Dumping
Disable or Modify Tools, Impair Defenses
Modify Registry
Disable or Modify Tools, Impair Defenses
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Query Registry
OS Credential Dumping
Masquerading
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Create or Modify System Process
Domain Account, Account Discovery
Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Modify Registry
Security Account Manager, OS Credential Dumping
Password Policy Discovery
Disable or Modify Tools, Impair Defenses
System Owner/User Discovery
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter, JavaScript
Modify Registry
Windows Command Shell, Command and Scripting Interpreter
Remote System Discovery
Steal or Forge Authentication Certificates
Modify Registry
Scheduled Task/Job, Scheduled Task
Disable or Modify Tools, Impair Defenses
System Network Connections Discovery
Clear Windows Event Logs, Indicator Removal
Modify Registry
Windows Management Instrumentation
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Indicator Removal, Clear Windows Event Logs
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry
Use Alternate Authentication Material, Pass the Ticket
Modify Registry
Domain Account, Account Discovery
Windows Management Instrumentation
Modify Registry
Disable or Modify Cloud Firewall, Impair Defenses
System Owner/User Discovery
Process Discovery
LSA Secrets
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Rundll32
Modify Registry
Command and Scripting Interpreter, Windows Command Shell
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Indicator Removal
Credentials from Password Stores
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Credentials from Password Stores
Archive via Utility, Archive Collected Data
Modify Registry
Masquerading
Parent PID Spoofing, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Spearphishing Attachment
Command and Scripting Interpreter
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Print Processors, Boot or Logon Autostart Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Abuse Elevation Control Mechanism
System Binary Proxy Execution, Regsvcs/Regasm
Local Account, Create Account
Masquerading
Phishing, Spearphishing Attachment
Archive via Utility, Archive Collected Data
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
DLL Search Order Hijacking, Hijack Execution Flow
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Regsvcs/Regasm
Security Account Manager, OS Credential Dumping
InstallUtil, System Binary Proxy Execution
Security Account Manager, OS Credential Dumping
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Modify Registry
Phishing, Spearphishing Attachment
Account Manipulation
Phishing, Spearphishing Attachment
Hidden Window, Run Virtual Instance
Msiexec
Command and Scripting Interpreter
Command and Scripting Interpreter
Hide Artifacts, NTFS File Attributes
SIP and Trust Provider Hijacking
Modify Registry
Local Groups
Fileless Storage, Obfuscated Files or Information
Impair Defenses, Disable or Modify Tools
Hidden Window
Impair Defenses, Disable or Modify System Firewall
Hidden Window
Virtualization/Sandbox Evasion, Time Based Evasion
Replication Through Removable Media
Ingress Tool Transfer
Ingress Tool Transfer
Rename System Utilities, Masquerading
Bypass User Account Control
Modify Registry
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Process Injection
Process Injection
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Process Injection
Process Injection
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
System Binary Proxy Execution, Rundll32
Process Injection
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
System Binary Proxy Execution, Rundll32
Modify Registry
Modify Registry
System Binary Proxy Execution, Rundll32
Process Injection
Server Software Component, Web Shell
Server Software Component, Web Shell
System Binary Proxy Execution, Regsvr32
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Archive Collected Data
System Shutdown/Reboot
PowerShell, Command and Scripting Interpreter
Obfuscated Files or Information, Fileless Storage
Permission Groups Discovery, Domain Groups
Scheduled Task, Command and Scripting Interpreter
Malicious File, Masquerade File Type
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Disable or Modify Tools, Impair Defenses
Remote System Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Domain Account, Account Discovery
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Service Stop
NTDS, OS Credential Dumping
Permission Groups Discovery, Local Groups
Account Access Removal
Account Access Removal
Service Stop
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
Exploit Public-Facing Application, External Remote Services
Internal Proxy, Proxy
Ingress Tool Transfer, Domain Groups
Internal Proxy, Proxy
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Kernel Modules and Extensions
Obfuscated Files or Information
Modify Registry
Pre-OS Boot, Registry Run Keys / Startup Folder
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Image File Execution Options Injection, Event Triggered Execution
Modify Registry
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Remote Services
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Disable or Modify Tools, Impair Defenses
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Install Root Certificate, Subvert Trust Controls
Time Providers, Boot or Logon Autostart Execution
Data Destruction
Modify Registry
Data Destruction, File Deletion, Indicator Removal
Services Registry Permissions Weakness
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Modify Registry
Modify Registry, OS Credential Dumping
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Domain Policy Modification, Group Policy Modification
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Binary Proxy Execution, Regsvr32
Service Stop
PowerShell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
System Shutdown/Reboot
Indicator Removal
Disable or Modify System Firewall, Impair Defenses
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Service Stop
Virtualization/Sandbox Evasion, Time Based Evasion
Command and Scripting Interpreter, PowerShell
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Command and Scripting Interpreter, PowerShell
Hardware Additions
Data Destruction
Scheduled Task/Job
Data Destruction
Exploitation for Privilege Escalation
Data Destruction
LSASS Memory, OS Credential Dumping
Exploit Public-Facing Application, External Remote Services
Disable or Modify Tools, Impair Defenses
File Deletion, Indicator Removal
Event Triggered Execution, Screensaver
System Network Configuration Discovery
Cron, Scheduled Task/Job
Boot or Logon Initialization Scripts, Logon Script (Windows)
Access Token Manipulation, Token Impersonation/Theft
Change Default File Association, Event Triggered Execution
Disable or Modify Tools, Impair Defenses
Data Destruction
Print Processors, Boot or Logon Autostart Execution
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Modify Registry
Event Triggered Execution, Accessibility Features
Data Destruction
Systemd Timers, Scheduled Task/Job
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Masquerade Task or Service, Masquerading
User Execution, Malicious File
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Credentials in Registry, Unsecured Credentials
Account Discovery, Local Account
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Compromise Software Supply Chain
Credentials in Registry, Unsecured Credentials
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Abuse Elevation Control Mechanism
Remote Desktop Protocol, Remote Services
Scheduled Task
Lateral Tool Transfer
Create or Modify System Process, Windows Service
User Execution
Unsecured Credentials, Group Policy Preferences
DLL Side-Loading, Hijack Execution Flow
Exfiltration Over Unencrypted Non-C2 Protocol
System Binary Proxy Execution, Regsvr32
Process Injection
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Spearphishing Attachment, Phishing
LSASS Memory
Command and Scripting Interpreter
Exploit Public-Facing Application, External Remote Services
Spearphishing Attachment, Phishing
Server Software Component, IIS Components
Modify Registry
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Malicious File, User Execution
Domain Account, Account Discovery
Server Software Component, IIS Components
Query Registry
Windows Management Instrumentation
System Network Configuration Discovery
Change Default File Association, Event Triggered Execution
Credentials from Password Stores
Indirect Command Execution
System Network Connections Discovery
Credentials in Registry, Unsecured Credentials
Password Managers
Private Keys, Unsecured Credentials
Cached Domain Credentials, OS Credential Dumping
Security Support Provider, Boot or Logon Autostart Execution
System Information Discovery
System Owner/User Discovery
Steal or Forge Kerberos Tickets
BITS Jobs, Ingress Tool Transfer
Command and Scripting Interpreter
Modify Registry
Modify Registry
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File Deletion, Indicator Removal
Data Destruction
Regsvr32, System Binary Proxy Execution
Process Injection
Process Injection
System Owner/User Discovery
System Owner/User Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Component Object Model Hijacking, Event Triggered Execution
System Script Proxy Execution, System Binary Proxy Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Protocol Tunneling, SSH
Command and Scripting Interpreter
LSASS Memory, OS Credential Dumping
Compiled HTML File, System Binary Proxy Execution
Ingress Tool Transfer
Service Stop
Remote Access Software
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking
Ingress Tool Transfer
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer
System Time Discovery
Clipboard Data
Windows Command Shell, Command and Scripting Interpreter
SSH Authorized Keys
System Shutdown/Reboot
System Shutdown/Reboot
System Information Discovery, Rootkit
Obfuscated Files or Information, Unix Shell
Obfuscated Files or Information
Disable or Modify Tools, Impair Defenses
Windows Management Instrumentation Event Subscription
Disable or Modify Tools, Impair Defenses
Screen Capture
Mavinject, System Binary Proxy Execution
Screen Capture
Odbcconf
Odbcconf
System Binary Proxy Execution
Exploit Public-Facing Application, External Remote Services
Odbcconf
Disable or Modify Tools, Impair Defenses
Remote Desktop Protocol, Remote Services
Modify Registry
Disable or Modify Tools, Impair Defenses
Service Stop
Modify Registry
Remote Access Software
Modify Registry
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Msiexec
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter
Command and Scripting Interpreter
At, Scheduled Task/Job
At, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Domain Trust Discovery
Scheduled Task, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Services, Service Execution
System Binary Proxy Execution, Compiled HTML File
Indirect Command Execution
Indirect Command Execution
File and Directory Permissions Modification
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Command and Scripting Interpreter
Process Injection
Bypass User Account Control, Abuse Elevation Control Mechanism
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Process Injection
Scheduled Task, Scheduled Task/Job
Ingress Tool Transfer
Ingress Tool Transfer
Exploitation for Privilege Escalation
Obfuscated Files or Information
Windows Command Shell
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
/etc/passwd and /etc/shadow, OS Credential Dumping
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Local Account, Create Account
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
Unix Shell Configuration Modification, Event Triggered Execution
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Ingress Tool Transfer
Ingress Tool Transfer
Disable or Modify Tools
Unix Shell
Automated Exfiltration
Remote Services, Distributed Component Object Model, MMC
Create or Modify System Process, Windows Service
Windows Management Instrumentation
Credentials from Web Browsers, Credentials from Password Stores
Remote Services, Windows Remote Management
Scheduled Task/Job, Scheduled Task
Gather Victim Host Information
Remote Services, Windows Remote Management
Data Encrypted for Impact
Remote Services, Distributed Component Object Model
Windows Management Instrumentation
Compile After Delivery, Obfuscated Files or Information
InstallUtil, System Binary Proxy Execution
Disable or Modify System Firewall, Impair Defenses
InstallUtil, System Binary Proxy Execution
Scheduled Task/Job, Scheduled Task
XSL Script Processing
Scheduled Task/Job, At
Remote Services, Windows Remote Management
Create or Modify System Process, Windows Service
Ingress Tool Transfer
Create or Modify System Process, Windows Service
Ingress Tool Transfer
Disable or Modify Tools, Impair Defenses
Kerberoasting
Data Destruction, File Deletion, Indicator Removal
Process Injection
Command and Scripting Interpreter, Component Object Model
Modify Registry
Regsvr32, Modify Registry
MSBuild, Trusted Developer Utilities Proxy Execution
Visual Basic, Command and Scripting Interpreter
Verclsid, System Binary Proxy Execution
Screen Capture
BITS Jobs
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Disable or Modify System Firewall, Impair Defenses
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
Automated Exfiltration
Install Root Certificate, Subvert Trust Controls
Account Discovery, Local Account
Account Discovery, Local Account
Archive via Utility, Archive Collected Data
NTDS, OS Credential Dumping
Remote Services, SMB/Windows Admin Shares
Archive via Utility, Archive Collected Data
System Binary Proxy Execution, Compiled HTML File
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
XSL Script Processing
Command and Scripting Interpreter, JavaScript
System Network Connections Discovery
System Network Connections Discovery
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Inhibit System Recovery
Inhibit System Recovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Password Policy Discovery
Phishing, Spearphishing Link
Password Policy Discovery
Password Policy Discovery
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Trust Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Security Account Manager, OS Credential Dumping
Archive via Utility, Archive Collected Data
Indicator Removal
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
System Binary Proxy Execution, Regsvr32
Command and Scripting Interpreter
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Mshta
Print Processors, Boot or Logon Autostart Execution
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Command and Scripting Interpreter, Visual Basic
File and Directory Permissions Modification
File Deletion, Indicator Removal
Inhibit System Recovery
User Execution
User Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
File and Directory Permissions Modification
Disable or Modify Tools, Impair Defenses
Account Access Removal
Service Stop
Service Stop
Disable or Modify Tools, Impair Defenses
Phishing, Spearphishing Attachment
Command and Scripting Interpreter
Exfiltration Over Alternative Protocol
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Domain Trust Discovery
Disable or Modify Tools, Impair Defenses
BITS Jobs
Deobfuscate/Decode Files or Information
Inhibit System Recovery
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Windows Command Shell
Data Staged
Launch Agent, Create or Modify System Process
Ingress Tool Transfer
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
NTDS, OS Credential Dumping
Inhibit System Recovery
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
PowerShell
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
Inhibit System Recovery
User Execution, Malicious File
Masquerading, Rename System Utilities
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Disable or Modify System Firewall
Application Shimming, Event Triggered Execution
Rename System Utilities
Bypass User Account Control, Abuse Elevation Control Mechanism
Masquerading, Rename System Utilities
Command and Scripting Interpreter, Windows Command Shell
System Network Configuration Discovery
Inhibit System Recovery
Data Destruction
Windows Command Shell
Data Encrypted for Impact
Indicator Removal, Network Share Connection Removal
Modify Registry
Malicious File
Change Default File Association
Remote Desktop Protocol, Remote Services
Windows Service, Create or Modify System Process
PowerShell, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Email Collection, Local Email Collection
Software Deployment Tools
Scheduled Task
Exploitation for Privilege Escalation
Windows Management Instrumentation
Windows Management Instrumentation
System Information Discovery
Hidden Files and Directories
Data Encrypted for Impact
Indicator Removal
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
DLL Side-Loading, Boot or Logon Autostart Execution
DLL Side-Loading, Boot or Logon Autostart Execution
Valid Accounts, Brute Force
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
DLL Side-Loading
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Cloud Accounts
Additional Cloud Roles
Additional Cloud Roles
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Process Injection
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Process Injection
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Create or Modify System Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Create Process with Token, Access Token Manipulation
Create Process with Token, Access Token Manipulation
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Account Manipulation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Account Manipulation
Account Manipulation, Device Registration
Account Manipulation, Device Registration
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Container Orchestration Job
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
Abuse Elevation Control Mechanism
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Account Manipulation
Account Manipulation
Valid Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Exploitation for Privilege Escalation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Bypass User Account Control
DLL Side-Loading
Process Injection
Process Injection
Process Injection
Process Injection
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Process Injection
Process Injection
Process Injection
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Scheduled Task, Command and Scripting Interpreter
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Scheduled Task, PowerShell, Command and Scripting Interpreter
Account Manipulation
Domain Policy Modification
Abuse Elevation Control Mechanism
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions
Access Token Manipulation
Pre-OS Boot, Registry Run Keys / Startup Folder
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Active Setup, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Services Registry Permissions Weakness
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Accounts, Permission Groups Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Scheduled Task/Job
Exploitation for Privilege Escalation
Command and Scripting Interpreter, Process Injection, PowerShell
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Event Triggered Execution, Screensaver
Event Triggered Execution, Screensaver
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Boot or Logon Initialization Scripts, Logon Script (Windows)
Boot or Logon Initialization Scripts, Logon Script (Windows)
Access Token Manipulation, Token Impersonation/Theft
Access Token Manipulation, Token Impersonation/Theft
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Event Triggered Execution, Accessibility Features
Event Triggered Execution, Accessibility Features
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Scheduled Task
Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Abuse Elevation Control Mechanism
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification, Domain Accounts
Domain Policy Modification, Group Policy Modification, Domain Accounts
Domain Policy Modification, Group Policy Modification, Domain Accounts
Scheduled Task
Network Share Discovery, Valid Accounts
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Rootkit, Exploitation for Privilege Escalation
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Process Injection
Exploitation for Privilege Escalation
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Service
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Security Support Provider, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
Account Manipulation
Domain Policy Modification
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Access Token Manipulation, SID-History Injection
Access Token Manipulation, SID-History Injection
Event Triggered Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Dynamic-link Library Injection, Process Injection
Dynamic-link Library Injection, Process Injection
Process Injection
Process Injection
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Image File Execution Options Injection
Account Manipulation
Account Manipulation
Abuse Elevation Control Mechanism
Process Injection
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
DLL Search Order Hijacking
SSH Authorized Keys
Windows Management Instrumentation Event Subscription
At, Scheduled Task/Job
At, Scheduled Task/Job
Process Injection
At, Scheduled Task/Job
At, Scheduled Task/Job
Valid Accounts
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Exploitation for Privilege Escalation
Local Accounts, Credentials In Files
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service
Scheduled Task, Impair Defenses
Rootkit, Exploitation for Privilege Escalation
Process Injection
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Process Injection
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Exploitation for Privilege Escalation
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Dynamic Linker Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
RC Scripts, Boot or Logon Initialization Scripts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Valid Accounts
Valid Accounts
Service Stop, Valid Accounts
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Process Injection, Dynamic-link Library Injection
Process Injection, Dynamic-link Library Injection
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, At
Scheduled Task/Job, At
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Process Injection
Process Injection
Process Injection
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Process Injection
Scheduled Task/Job
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Create or Modify System Process
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Valid Accounts
Valid Accounts
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Change Default File Association
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Scheduled Task
Exploitation for Privilege Escalation
Valid Accounts
Cloud Accounts
Cloud Accounts
Domain Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
DLL Side-Loading, Boot or Logon Autostart Execution
DLL Side-Loading, Boot or Logon Autostart Execution
Valid Accounts, Brute Force
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
DLL Side-Loading
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Local Account, Create Account
Local Account, Create Account
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Local Account, Create Account
Local Account, Create Account
Valid Accounts
Modify Authentication Process
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Local Account, Create Account
Local Account, Create Account
Cloud Accounts
Additional Cloud Roles
Additional Cloud Roles
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Create or Modify System Process
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Cloud Account
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Create Account, Cloud Account
Create Account, Cloud Account
Additional Cloud Roles
Account Manipulation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Valid Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Account Manipulation
Account Manipulation, Device Registration
Account Manipulation, Device Registration
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Container Orchestration Job
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Path Interception by Unquoted Path, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
Local Account, Create Account
Local Account, Create Account
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Account Manipulation
Account Manipulation
Create Account, Cloud Account
Create Account, Cloud Account
Account Manipulation
Valid Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Exploit Public-Facing Application, External Remote Services
Cloud Account, Create Account
Cloud Account, Create Account
Modify Authentication Process
Cloud Account, Create Account
Cloud Account, Create Account
Exploit Public-Facing Application, External Remote Services
DLL Side-Loading
Cloud Account, Create Account
Cloud Account, Create Account
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
Server Software Component, Web Shell
Server Software Component, Web Shell
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Scheduled Task, Command and Scripting Interpreter
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Scheduled Task, PowerShell, Command and Scripting Interpreter
Account Manipulation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions
Pre-OS Boot, Registry Run Keys / Startup Folder
Pre-OS Boot, Registry Run Keys / Startup Folder
Active Setup, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Services Registry Permissions Weakness
Domain Accounts, Permission Groups Discovery
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Event Triggered Execution, Screensaver
Event Triggered Execution, Screensaver
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
System Firmware, Pre-OS Boot
System Firmware, Pre-OS Boot
Boot or Logon Initialization Scripts, Logon Script (Windows)
Boot or Logon Initialization Scripts, Logon Script (Windows)
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Event Triggered Execution, Accessibility Features
Event Triggered Execution, Accessibility Features
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Scheduled Task
Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Domain Policy Modification, Group Policy Modification, Domain Accounts
Scheduled Task
Network Share Discovery, Valid Accounts
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Exploit Public-Facing Application, External Remote Services
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Server Software Component, IIS Components
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
IIS Components, Server Software Component
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Windows Service
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Security Support Provider, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
BITS Jobs, Ingress Tool Transfer
Account Manipulation
Event Triggered Execution
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Image File Execution Options Injection
Account Manipulation
Account Manipulation
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Cloud Account
DLL Search Order Hijacking
SSH Authorized Keys
Windows Management Instrumentation Event Subscription
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
At, Scheduled Task/Job
At, Scheduled Task/Job
At, Scheduled Task/Job
At, Scheduled Task/Job
Valid Accounts
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Local Accounts, Credentials In Files
Exploit Public-Facing Application, External Remote Services
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service
Scheduled Task, Impair Defenses
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
BITS Jobs, Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
BITS Jobs
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Modify Authentication Process
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Dynamic Linker Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Local Account, Create Account
Local Account, Create Account
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
RC Scripts, Boot or Logon Initialization Scripts
RC Scripts, Boot or Logon Initialization Scripts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Valid Accounts
Valid Accounts
Service Stop, Valid Accounts
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, At
Scheduled Task/Job, At
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
BITS Jobs
Compromise Client Software Binary
Compromise Client Software Binary
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Scheduled Task/Job
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
BITS Jobs
Create or Modify System Process
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Valid Accounts
Valid Accounts
Web Shell, External Remote Services
Web Shell, External Remote Services
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Services Registry Permissions Weakness, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
TFTP Boot, Pre-OS Boot
TFTP Boot, Pre-OS Boot
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Change Default File Association
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Scheduled Task
Create Account
Valid Accounts
Cloud Accounts
Cloud Accounts
System Information Discovery, External Remote Services
Domain Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Brute Force
Exploit Public-Facing Application
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Phishing, Modify Registry
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Local Accounts
Valid Accounts, Local Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Password Spraying, Valid Accounts, Default Accounts
Password Spraying, Valid Accounts, Default Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Account Manipulation, Valid Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Cloud Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploit Public-Facing Application
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Steal Application Access Token, Phishing, Spearphishing Link
Steal Application Access Token, Phishing, Spearphishing Link
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Drive-by Compromise
Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing
Exploit Public-Facing Application
Valid Accounts
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Replication Through Removable Media
Drive-by Compromise
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Drive-by Compromise
Domain Accounts, Permission Groups Discovery
Hardware Additions
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Domain Policy Modification, Group Policy Modification, Domain Accounts
Network Share Discovery, Valid Accounts
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts, Password Spraying
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Drive-by Compromise
Drive-by Compromise
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Cloud Accounts
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Valid Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Local Accounts, Credentials In Files
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Drive-by Compromise
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Compromise Software Supply Chain, Supply Chain Compromise
Compromise Software Supply Chain, Supply Chain Compromise
Exploit Public-Facing Application
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Valid Accounts
Valid Accounts
Service Stop, Valid Accounts
Phishing
Phishing
Trusted Relationship
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Phishing, Spearphishing Link
Phishing, Spearphishing Link
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Trusted Relationship
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Drive-by Compromise
Web Shell, External Remote Services
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Exploit Public-Facing Application
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Phishing
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Spearphishing via Service
Cloud Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Cloud Accounts
System Information Discovery, External Remote Services
Domain Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Brute Force
Exploitation for Credential Access
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Exploitation for Credential Access
Steal Web Session Cookie
Modify Authentication Process
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Password Spraying
Brute Force
Multi-Factor Authentication Request Generation
Password Spraying, Valid Accounts, Default Accounts
Unsecured Credentials
Security Account Manager
Security Account Manager
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Steal or Forge Authentication Certificates
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
OS Credential Dumping
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
OS Credential Dumping, PowerShell
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
Steal or Forge Authentication Certificates
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Steal Application Access Token, Phishing, Spearphishing Link
Multi-Factor Authentication Request Generation
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Steal Application Access Token
Security Account Manager
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Guessing
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal Application Access Token
LSA Secrets
Container API
Container API
Container API
Container API
Credentials from Password Stores
Credentials from Password Stores
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal Application Access Token
Multi-Factor Authentication Request Generation
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Brute Force, Password Guessing
Brute Force, Password Guessing
Steal or Forge Kerberos Tickets
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Modify Authentication Process
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Archive Collected Data
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Exploitation for Credential Access
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Steal or Forge Authentication Certificates
Modify Registry, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Security Account Manager
Brute Force, Credential Stuffing
Brute Force, Credential Stuffing
Multi-Factor Authentication Request Generation
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
LSASS Memory
Credentials from Password Stores
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Password Managers
Private Keys, Unsecured Credentials
Private Keys, Unsecured Credentials
Cached Domain Credentials, OS Credential Dumping
Cached Domain Credentials, OS Credential Dumping
Steal or Forge Kerberos Tickets
OS Credential Dumping, DCSync, Rogue Domain Controller
OS Credential Dumping, DCSync, Rogue Domain Controller
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Brute Force
Brute Force
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Remote Access Software, OS Credential Dumping
GUI Input Capture, Input Capture
GUI Input Capture, Input Capture
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Network Sniffing
Local Accounts, Credentials In Files
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, Golden Ticket
Steal or Forge Kerberos Tickets, Golden Ticket
Kerberoasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Brute Force
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Modify Authentication Process
/etc/passwd and /etc/shadow, OS Credential Dumping
/etc/passwd and /etc/shadow, OS Credential Dumping
OS Credential Dumping, Security Account Manager
OS Credential Dumping, Security Account Manager
Credentials from Web Browsers, Credentials from Password Stores
Credentials from Web Browsers, Credentials from Password Stores
Kerberoasting
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
OS Credential Dumping
Forced Authentication
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Cloud Infrastructure Discovery, Brute Force
LSASS Memory
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Password Guessing, Brute Force
Password Guessing, Brute Force
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
User Execution
User Execution
User Execution
User Execution
User Execution
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Windows Management Instrumentation
OS Credential Dumping, PowerShell
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell, Command and Scripting Interpreter
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Windows Management Instrumentation
Windows Management Instrumentation
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
Container Orchestration Job
User Execution
User Execution
User Execution
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
User Execution
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Gather Victim Host Information, PowerShell
Command and Scripting Interpreter
Command and Scripting Interpreter
Malicious Image, User Execution
Malicious Image, User Execution
Shared Modules
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Scheduled Task, Command and Scripting Interpreter
Scheduled Task, Command and Scripting Interpreter
Malicious File, Masquerade File Type
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Domain Account, User Execution, Malicious File
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
PowerShell, Ingress Tool Transfer
PowerShell, Ingress Tool Transfer, Fileless Storage
Scheduled Task, PowerShell, Command and Scripting Interpreter
Scheduled Task, PowerShell, Command and Scripting Interpreter
Scheduled Task, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Kernel Modules and Extensions, Service Execution
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Command and Scripting Interpreter, Process Injection, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Impair Defenses, PowerShell, Command and Scripting Interpreter
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
User Execution, Malicious File
User Execution, Malicious File
Scheduled Task
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Scheduled Task/Job
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Scheduled Task
PowerShell
Windows Management Instrumentation
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Windows Management Instrumentation
User Execution
System Services, Service Execution
System Services, Service Execution
Command and Scripting Interpreter
Malicious File, User Execution
Malicious File, User Execution
Windows Management Instrumentation
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Windows Management Instrumentation
System Services, Service Execution
System Services, Service Execution
Windows Management Instrumentation
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Command and Scripting Interpreter
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell, Command and Scripting Interpreter
Obfuscated Files or Information, Unix Shell
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
At, Scheduled Task/Job
At, Scheduled Task/Job
At, Scheduled Task/Job
At, Scheduled Task/Job
Command and Scripting Interpreter
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Scheduled Task, Impair Defenses
System Services, Service Execution
System Services, Service Execution
Account Discovery, Local Account, PowerShell
Command and Scripting Interpreter
Domain Trust Discovery, PowerShell
User Execution
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Windows Command Shell
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Exploit Public-Facing Application, Command and Scripting Interpreter
Unix Shell
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Windows Management Instrumentation
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Windows Management Instrumentation
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, At
Scheduled Task/Job, At
Command and Scripting Interpreter, Component Object Model
Command and Scripting Interpreter, Component Object Model
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
User Execution, Malicious File
User Execution, Malicious File
Command and Scripting Interpreter
System Services, Service Execution
System Services, Service Execution
Command and Scripting Interpreter, Visual Basic
Command and Scripting Interpreter, Visual Basic
User Execution
User Execution
Command and Scripting Interpreter
Scheduled Task/Job
System Services, Service Execution
System Services, Service Execution
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
PowerShell
Exploitation for Client Execution
User Execution, Malicious File
User Execution, Malicious File
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Windows Command Shell
Exploitation for Client Execution
Exploitation for Client Execution
Malicious File
PowerShell, Windows Command Shell
PowerShell, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
System Services, Service Execution
System Services, Service Execution
Software Deployment Tools
Scheduled Task
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
File and Directory Discovery
Log Enumeration
Cloud Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Cloud Account
Query Registry
Query Registry
System Network Configuration Discovery, Internet Connection Discovery
System Network Configuration Discovery, Internet Connection Discovery
Time Based Evasion, Virtualization/Sandbox Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
System Information Discovery
Remote System Discovery
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Domain Account, Account Discovery
Domain Account, Account Discovery
Query Registry
Domain Account, Account Discovery
Domain Account, Account Discovery
Password Policy Discovery
System Owner/User Discovery
Remote System Discovery
Password Policy Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Remote System Discovery
System Network Connections Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Account Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
System Owner/User Discovery
Account Discovery
Process Discovery
Network Service Discovery
Cloud Service Discovery
Network Service Discovery
Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Local Groups
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
File and Directory Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Remote System Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Domain Account, User Execution, Malicious File
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Cloud Service Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Ingress Tool Transfer, Domain Groups
Network Share Discovery
Password Policy Discovery
File and Directory Discovery
Query Registry
Query Registry
Domain Accounts, Permission Groups Discovery
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Domain Account, Account Discovery
Domain Account, Account Discovery
System Network Configuration Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Account Discovery, Local Account, PowerShell
Account Discovery, Local Account, PowerShell
Network Share Discovery
Network Share Discovery
Network Share Discovery, Valid Accounts
Web Session Cookie, Cloud Service Dashboard
Password Policy Discovery
Password Policy Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Query Registry
System Network Configuration Discovery
System Network Connections Discovery
System Information Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
Account Discovery
System Time Discovery
System Information Discovery, Rootkit
Remote System Discovery
Network Sniffing
Remote System Discovery
Remote System Discovery
Password Policy Discovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Remote System Discovery
Remote System Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Domain Trust Discovery
System Network Connections Discovery
Remote System Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
System Owner/User Discovery
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Account Discovery, Local Account, PowerShell
Account Discovery, Local Account, PowerShell
Password Policy Discovery
Domain Trust Discovery, PowerShell
Cloud Infrastructure Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Account Discovery, Local Account
Account Discovery, Local Account
System Owner/User Discovery
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Network Connections Discovery
System Network Connections Discovery
Remote System Discovery
Remote System Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Remote System Discovery
Remote System Discovery
Domain Trust Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
System Network Connections Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Trust Discovery
Cloud Service Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Account Discovery, Local Account
Cloud Service Discovery
Cloud Infrastructure Discovery, Brute Force
Cloud Groups, Account Manipulation, Permission Groups Discovery
Cloud Groups, Account Manipulation, Permission Groups Discovery
Domain Trust Discovery
System Network Configuration Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
System Information Discovery
System Information Discovery, External Remote Services
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable or Modify Tools, Impair Defenses
Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Tools
Impair Defenses, Disable or Modify System Firewall
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, PowerShell, Command and Scripting Interpreter
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Scheduled Task, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Remote Services, SMB/Windows Admin Shares
Remote Services, SMB/Windows Admin Shares
Use Alternate Authentication Material
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Windows Remote Management, Remote Services
Windows Remote Management, Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Exploitation of Remote Services
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Replication Through Removable Media
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Remote Services
RDP Hijacking
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
RDP Hijacking, Remote Service Session Hijacking, Windows Service
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Lateral Tool Transfer
Web Session Cookie, Cloud Service Dashboard
Exploitation of Remote Services
Exploitation of Remote Services
Protocol Tunneling, SSH
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Use Alternate Authentication Material
Remote Services, Distributed Component Object Model, MMC
Remote Services, Distributed Component Object Model, MMC
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, SMB/Windows Admin Shares
Remote Services, SMB/Windows Admin Shares
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Use Alternate Authentication Material, Pass the Hash
Use Alternate Authentication Material, Pass the Hash
Exploitation of Remote Services
Use Alternate Authentication Material
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Software Deployment Tools
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Data Destruction
Data Destruction
Inhibit System Recovery
Service Stop
Endpoint Denial of Service
Endpoint Denial of Service
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Service Stop
Network Denial of Service
Application or System Exploitation
System Shutdown/Reboot
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Service Stop
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Account Access Removal
Account Access Removal
Service Stop
Application or System Exploitation
Inhibit System Recovery
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Service Stop
System Shutdown/Reboot
Service Stop
Service Stop
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Endpoint Denial of Service
Data Encrypted for Impact
Data Destruction
Data Encrypted for Impact
Service Stop
Endpoint Denial of Service
System Shutdown/Reboot
System Shutdown/Reboot
Service Stop
Inhibit System Recovery
Network Denial of Service
Account Access Removal
Inhibit System Recovery
Inhibit System Recovery
Service Stop
Service Stop, Valid Accounts
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Data Destruction, File Deletion, Indicator Removal
Data Encrypted for Impact
Data Destruction, File Deletion, Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Defacement
Account Access Removal
Service Stop
Service Stop
Data Encrypted for Impact
Inhibit System Recovery
Inhibit System Recovery
Data Encrypted for Impact
Inhibit System Recovery
Inhibit System Recovery
Data Destruction
Data Encrypted for Impact
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Data Encrypted for Impact
Network Denial of Service, Reflection Amplification
Network Denial of Service, Reflection Amplification
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Proxy, Multi-hop Proxy
Proxy, Multi-hop Proxy
Web Service
Ingress Tool Transfer
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
Steal or Forge Authentication Certificates, Ingress Tool Transfer
PowerShell, Ingress Tool Transfer
PowerShell, Ingress Tool Transfer, Fileless Storage
Internal Proxy, Proxy
Internal Proxy, Proxy
Ingress Tool Transfer, Domain Groups
Internal Proxy, Proxy
Internal Proxy, Proxy
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Domain Generation Algorithms
Domain Generation Algorithms
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
DNS, Application Layer Protocol
DNS, Application Layer Protocol
BITS Jobs, Ingress Tool Transfer
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Application Layer Protocol
Encrypted Channel
Encrypted Channel
Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Protocol Tunneling, SSH
Ingress Tool Transfer
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer
Remote Access Software, OS Credential Dumping
Remote Access Software
Ingress Tool Transfer
Proxy, Non-Application Layer Protocol
Proxy, Non-Application Layer Protocol
Ingress Tool Transfer
Ingress Tool Transfer
Application Layer Protocol
Remote Access Software
Protocol Impersonation
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
File Transfer Protocols, Application Layer Protocol
File Transfer Protocols, Application Layer Protocol
Web Protocols
DNS, Application Layer Protocol
DNS, Application Layer Protocol
Non-Application Layer Protocol
Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Remote Email Collection
Remote Email Collection
Remote Email Collection
Browser Session Hijacking
Archive Collected Data
Browser Session Hijacking
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Steal or Forge Authentication Certificates, Archive Collected Data
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Browser Session Hijacking
Automated Collection
Automated Collection
Automated Collection
Screen Capture
Browser Session Hijacking
Clipboard Data
GUI Input Capture, Input Capture
GUI Input Capture, Input Capture
Clipboard Data
Screen Capture
Screen Capture
Email Collection, Local Email Collection
Email Collection, Local Email Collection
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Screen Capture
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Data from Local System
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Data from Cloud Storage
Data from Cloud Storage
Data Staged
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Data from Cloud Storage
Data from Cloud Storage
Email Collection, Local Email Collection
Email Collection, Local Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Remote Email Collection, Email Collection
Data from Cloud Storage
Data from Cloud Storage
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Msiexec, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Rundll32
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Regsvr32
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Binary Proxy Execution, Regsvr32
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Binary Proxy Execution, Regsvr32
Regsvr32, System Binary Proxy Execution
System Script Proxy Execution, System Binary Proxy Execution
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
Mavinject, System Binary Proxy Execution
System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Compiled HTML File
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
System Binary Proxy Execution
System Binary Proxy Execution, Rundll32
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Verclsid, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, Rundll32
Msiexec, System Binary Proxy Execution
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Domain Policy Modification, Group Policy Modification
Unsecured Credentials, Group Policy Preferences
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Phishing, Spearphishing Attachment
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
System Binary Proxy Execution
Odbcconf, System Binary Proxy Execution
Ingress Tool Transfer
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
NTDS, OS Credential Dumping
Masquerading, Rename System Utilities
Masquerading
File and Directory Permissions Modification
Account Access Removal
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution
BITS Jobs, Ingress Tool Transfer
Deobfuscate/Decode Files or Information
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
BITS Jobs
Automated Exfiltration
Automated Exfiltration
File Deletion, Indicator Removal
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Indicator Removal
Inhibit System Recovery
Inhibit System Recovery
Exfiltration Over Alternative Protocol
Automated Exfiltration
Ingress Tool Transfer
Service Stop
File and Directory Permissions Modification
Service Stop, Valid Accounts
File and Directory Permissions Modification
OS Credential Dumping, Security Account Manager
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Archive via Utility, Archive Collected Data
Data Destruction, File Deletion, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, JavaScript
Windows Command Shell, Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Scheduled Task, Command and Scripting Interpreter
Scheduled Task, PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PowerShell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Command Shell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Exploit Public-Facing Application, Command and Scripting Interpreter
Command and Scripting Interpreter, Component Object Model
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Digital Certificates
Digital Certificates
Digital Certificates
Digital Certificates
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Impair Defenses, Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Exploit Public-Facing Application
Exploit Public-Facing Application
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts
Cloud Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Cloud Accounts, Valid Accounts
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Brute Force
Valid Accounts, Cloud Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Local Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Password Spraying, Valid Accounts, Default Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Valid Accounts
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Network Share Discovery, Valid Accounts
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Cloud Accounts
Valid Accounts, Default Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts
Valid Accounts
Service Stop, Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Valid Accounts
Exploit Public-Facing Application
Log Enumeration
Exploit Public-Facing Application
Exploit Public-Facing Application
Exfiltration Over Web Service
Remote Access Software
Exploit Public-Facing Application
Exploit Public-Facing Application
Remote Email Collection
Remote Email Collection
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Disable or Modify Cloud Logs, Impair Defenses
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Exploit Public-Facing Application, External Remote Services
Disable or Modify Cloud Logs, Impair Defenses
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Protocol Impersonation
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Web Shell, External Remote Services
Spearphishing via Service
Web Protocols
System Information Discovery, External Remote Services
Phishing, Modify Registry
Modify Registry
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Disable or Modify Tools, Impair Defenses, Modify Registry
Modify Registry
Modify Registry, OS Credential Dumping
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Modify Registry
Regsvr32, Modify Registry
Modify Registry
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Phishing, Modify Registry
Steal Application Access Token, Phishing, Spearphishing Link
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Phishing
Phishing
Phishing, Spearphishing Link
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing
Valid Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Brute Force
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Guessing
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Brute Force, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force
Brute Force
Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Cloud Infrastructure Discovery, Brute Force
Password Guessing, Brute Force
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
OS Credential Dumping, PowerShell
PowerShell, Command and Scripting Interpreter
Gather Victim Host Information, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter
PowerShell, Ingress Tool Transfer
PowerShell, Ingress Tool Transfer, Fileless Storage
Scheduled Task, PowerShell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Process Injection, PowerShell
Impair Defenses, PowerShell, Command and Scripting Interpreter
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Command and Scripting Interpreter, PowerShell
Account Discovery, Local Account, PowerShell
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
PowerShell, Command and Scripting Interpreter
PowerShell
PowerShell, Command and Scripting Interpreter
Command and Scripting Interpreter, PowerShell
Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Account Discovery, Local Account, PowerShell
Domain Trust Discovery, PowerShell
Command and Scripting Interpreter, PowerShell
PowerShell
PowerShell, Windows Command Shell
Command and Scripting Interpreter, PowerShell
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Web Service
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Transfer Data to Cloud Account
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Transfer Data to Cloud Account
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Web Service
Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Automated Exfiltration
Automated Exfiltration
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Exfiltration Over Alternative Protocol
Automated Exfiltration
Automated Exfiltration
Transfer Data to Cloud Account
Automated Exfiltration
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Exfiltration Over Alternative Protocol
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Exfiltration Over C2 Channel
Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Account Discovery
Account Discovery, Domain Account
Account Discovery
Account Discovery
Domain Account, Account Discovery
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
Account Discovery, Local Account, PowerShell
Domain Account, Account Discovery
Account Discovery
Account Discovery, Local Account, PowerShell
Account Discovery, Local Account
Account Discovery, Local Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Local Account
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
NTDS, OS Credential Dumping
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
LSASS Memory, OS Credential Dumping
Security Account Manager, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
OS Credential Dumping
Security Account Manager, OS Credential Dumping
OS Credential Dumping, PowerShell
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
Modify Registry, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Cached Domain Credentials, OS Credential Dumping
OS Credential Dumping, DCSync, Rogue Domain Controller
LSASS Memory, OS Credential Dumping
NTDS, OS Credential Dumping
LSASS Memory, OS Credential Dumping
Remote Access Software, OS Credential Dumping
NTDS, OS Credential Dumping
/etc/passwd and /etc/shadow, OS Credential Dumping
OS Credential Dumping, Security Account Manager
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
NTDS, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Account Discovery, Domain Account, User Execution, Malicious File
User Execution, Malicious File
User Execution
Malicious File, User Execution
Spearphishing Attachment, Phishing, Malicious Link, User Execution
User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
User Execution, Malicious File
User Execution
User Execution
User Execution, Malicious File
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Device Registration
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Valid Accounts
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation, Device Registration
Account Manipulation
Account Manipulation
Account Manipulation
Account Manipulation
Account Manipulation, Additional Cloud Roles
Account Manipulation, Device Registration
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Cloud Roles
Account Manipulation
Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Credentials
Account Manipulation
Account Manipulation
Account Manipulation
Account Manipulation
SSH Authorized Keys, Account Manipulation
SSH Authorized Keys, Account Manipulation
Account Manipulation
Cloud Groups, Account Manipulation, Permission Groups Discovery
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Account Manipulation, Additional Email Delegate Permissions
Valid Accounts, Domain Accounts
Local Account, Create Account
Valid Accounts, Local Accounts
Local Account, Create Account
Modify Authentication Process, Multi-Factor Authentication
Account Manipulation, Device Registration
Brute Force
Modify Cloud Compute Configurations
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Impair Defenses, Disable or Modify Cloud Logs
Modify Registry
Disable or Modify Tools
Domain Policy Modification
Valid Accounts, Default Accounts
Account Manipulation
Rogue Domain Controller
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, AS-REP Roasting
Cloud Accounts, Valid Accounts
Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Unused/Unsupported Cloud Regions
Cloud Accounts, Valid Accounts
Cloud Accounts, Valid Accounts
Valid Accounts
Cloud Accounts, Valid Accounts
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Spearphishing Attachment, Phishing
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, External Remote Services
System Information Discovery, External Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Remote Access Software
Exfiltration Over Unencrypted Non-C2 Protocol
Use Alternate Authentication Material
InstallUtil, System Binary Proxy Execution
Proxy, Multi-hop Proxy
Process Injection
Process Injection
System Binary Proxy Execution, Rundll32
Process Injection
Account Discovery, Domain Account, User Execution, Malicious File
OS Credential Dumping, DCSync, Rogue Domain Controller
Exploit Public-Facing Application, External Remote Services
InstallUtil, System Binary Proxy Execution
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
TFTP Boot, Pre-OS Boot
Exploitation for Client Execution
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
Exfiltration Over Alternative Protocol
Remote Desktop Protocol, Remote Services
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
File Transfer Protocols, Application Layer Protocol
Remote Desktop Protocol, Remote Services
Non-Application Layer Protocol
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying
Password Spraying, Valid Accounts, Default Accounts
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Password Spraying, Brute Force
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
Steal or Forge Authentication Certificates, Ingress Tool Transfer
PowerShell, Ingress Tool Transfer
PowerShell, Ingress Tool Transfer, Fileless Storage
Ingress Tool Transfer, Domain Groups
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Ingress Tool Transfer
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Masquerading
Masquerading
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Rename System Utilities, Masquerading
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerade Task or Service, Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Domain Accounts, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Cloud Groups, Account Manipulation, Permission Groups Discovery
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection
Process Injection, Portable Executable Injection
Command and Scripting Interpreter, Process Injection, PowerShell
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Process Injection, Portable Executable Injection
Process Injection
Dynamic-link Library Injection, Process Injection
Process Injection
Process Injection
Process Injection
Process Injection, Portable Executable Injection
Process Injection
Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Process Injection
Process Injection, Dynamic-link Library Injection
Process Injection
Process Injection
Process Injection
Process Injection
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Account Discovery, Domain Account
Domain Account, Account Discovery
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Account Discovery, Domain Account, User Execution, Malicious File
Account Discovery, Domain Account
Account Discovery, Domain Account
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Domain Account, Account Discovery
Scheduled Task, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
At, Scheduled Task/Job
At, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, At
Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Remote Services, SMB/Windows Admin Shares
Windows Remote Management, Remote Services
Remote Services, Windows Remote Management
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Services, Distributed Component Object Model
Remote Services, Windows Remote Management
Remote Services, Distributed Component Object Model, MMC
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Distributed Component Object Model
Remote Services, Windows Remote Management
Remote Services, SMB/Windows Admin Shares
Remote Desktop Protocol, Remote Services
SMB/Windows Admin Shares, Remote Services
SMB/Windows Admin Shares, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Cloud Accounts
Cloud Account
Password Spraying
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
Security Account Manager
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Valid Accounts
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Account Manipulation, Device Registration
Modify Registry
Account Manipulation, Device Registration
Brute Force
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Local Accounts, Credentials In Files
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Steal or Forge Kerberos Tickets
Brute Force
Disable or Modify Cloud Firewall, Impair Defenses
Modify Authentication Process
Clear Windows Event Logs, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Indicator Removal
Indicator Removal
File Deletion, Indicator Removal
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
File Deletion, Indicator Removal
Indicator Removal, Network Share Connection Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Rename System Utilities, Masquerading
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Masquerading, Rename System Utilities
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities
Rename System Utilities
Masquerading, Rename System Utilities
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Ingress Tool Transfer, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Permission Groups Discovery, Domain Groups
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task, Scheduled Task/Job
Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task, Command and Scripting Interpreter
Scheduled Task, PowerShell, Command and Scripting Interpreter
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Scheduled Task
Scheduled Task, Scheduled Task/Job
Scheduled Task
Scheduled Task, Scheduled Task/Job
Scheduled Task, Impair Defenses
Scheduled Task, Scheduled Task/Job
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task/Job, Scheduled Task
Scheduled Task, Scheduled Task/Job
Scheduled Task
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Windows Service
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service
Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Data Destruction
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction
Remote Access Software
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Compromise Software Supply Chain
Domain Generation Algorithms
Domain Generation Algorithms
DNS, Application Layer Protocol
Protocol Tunneling, Proxy, Web Service
Exfiltration Over Unencrypted Non-C2 Protocol
Drive-by Compromise
Exploitation for Client Execution
Exfiltration Over Unencrypted Non-C2 Protocol
Spearphishing via Service
Exfiltration Over Unencrypted Non-C2 Protocol
DNS, Application Layer Protocol
Network Denial of Service, Reflection Amplification
Local Account, Create Account
Local Account, Create Account
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Account, Create Account
Account Discovery, Local Account
Local Account, Create Account
Account Discovery, Local Account
Account Discovery, Local Account, PowerShell
Account Discovery, Local Account, PowerShell
Local Account, Create Account
Account Discovery, Local Account
Account Discovery, Local Account
Account Discovery, Local Account
Valid Accounts, Brute Force
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Impair Defenses
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Transfer Data to Cloud Account
Exploitation of Remote Services
Malicious Image, User Execution
Steal Application Access Token
Impair Defenses
Steal Application Access Token
Exploit Public-Facing Application, External Remote Services
Modify Registry
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Policy Modification
Steal or Forge Authentication Certificates
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Abuse Elevation Control Mechanism
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
Create or Modify System Process
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Create or Modify System Process, Windows Service
Service Stop, Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Create or Modify System Process, Windows Service
Windows Service, Create or Modify System Process
Windows Service, Create or Modify System Process
Create or Modify System Process
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Windows Service, Create or Modify System Process
DLL Side-Loading, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Time Providers, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Security Support Provider, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Remote System Discovery
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, Golden Ticket
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, Kerberoasting
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Multi-Factor Authentication Request Generation
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Rootkit, Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Rootkit, Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Server Software Component, IIS Components
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Steal or Forge Authentication Certificates, Archive Collected Data
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Steal or Forge Authentication Certificates
Email Collection
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Email Collection, Local Email Collection
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Email Collection
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Email Collection, Local Email Collection
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Application Shimming, Event Triggered Execution
Image File Execution Options Injection, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Event Triggered Execution, Screensaver
Change Default File Association, Event Triggered Execution
Event Triggered Execution, Accessibility Features
Change Default File Association, Event Triggered Execution
Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Cloud Account
Create Account, Cloud Account
Create Account, Cloud Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
IP Addresses, Gather Victim Network Information
IP Addresses, Gather Victim Network Information
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hardware, Gather Victim Host Information
Hardware, Gather Victim Host Information
Gather Victim Host Information
Gather Victim Host Information, PowerShell
Gather Victim Host Information
Credentials, Gather Victim Identity Information
Credentials, Gather Victim Identity Information
Gather Victim Network Information, IP Addresses
Gather Victim Network Information, IP Addresses
Gather Victim Identity Information, Email Addresses
Gather Victim Identity Information, Email Addresses
Gather Victim Host Information
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory, OS Credential Dumping
LSASS Memory
LSASS Memory, OS Credential Dumping
LSASS Memory
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop
Service Stop, Valid Accounts
Service Stop
Service Stop, Create or Modify System Process, Windows Service
Service Stop
Service Stop
Unsecured Credentials
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Credentials in Registry, Unsecured Credentials
Private Keys, Unsecured Credentials
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Local Account, Create Account
Local Account, Create Account
Local Account, Create Account
Create Account, Cloud Account
Local Account, Create Account
Create Account, Cloud Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Cloud Account, Create Account
Local Account, Create Account
Cloud Account, Create Account
Create Account
Bypass User Account Control, Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism, Bypass User Account Control
Abuse Elevation Control Mechanism, Bypass User Account Control
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Bypass User Account Control, Abuse Elevation Control Mechanism
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Permission Groups Discovery, Local Groups
Create Process with Token, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Parent PID Spoofing, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Access Token Manipulation
Access Token Manipulation, Token Impersonation/Theft
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Access Token Manipulation, SID-History Injection
SID-History Injection, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Additional Cloud Roles
Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
Inhibit System Recovery
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Path Interception by Unquoted Path, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
Dynamic Linker Hijacking, Hijack Execution Flow
Services Registry Permissions Weakness, Hijack Execution Flow
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
Mshta, System Binary Proxy Execution
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
System Binary Proxy Execution, Mshta
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Domain Trust Discovery
Domain Trust Discovery
Domain Trust Discovery, PowerShell
Domain Trust Discovery
Domain Trust Discovery
Domain Trust Discovery
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
File and Directory Permissions Modification
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
File Deletion, Indicator Removal
File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
Data Destruction, File Deletion, Indicator Removal
File Deletion, Indicator Removal
Windows Command Shell, Command and Scripting Interpreter
PowerShell, Command and Scripting Interpreter
Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, Command and Scripting Interpreter
Ingress Tool Transfer
Ingress Tool Transfer
Security Account Manager
Security Account Manager
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Security Account Manager
OS Credential Dumping, Security Account Manager
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
System Owner/User Discovery
Modify Authentication Process
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Valid Accounts, Default Accounts, Modify Authentication Process
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Credential Stuffing
Valid Accounts, Default Accounts, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Brute Force, Password Spraying, Credential Stuffing
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
Fileless Storage, Obfuscated Files or Information
Obfuscated Files or Information, Fileless Storage
Obfuscated Files or Information
Obfuscated Files or Information, Indicator Removal from Tools
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Obfuscated Files or Information, Unix Shell
Obfuscated Files or Information
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Obfuscated Files or Information
Compile After Delivery, Obfuscated Files or Information
Obfuscated Files or Information
Msiexec, System Binary Proxy Execution
Msiexec
Msiexec
Msiexec, System Binary Proxy Execution
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Modify Authentication Process, Multi-Factor Authentication
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Email Collection, Remote Email Collection
Email Collection, Remote Email Collection
Remote Email Collection
Remote Email Collection
Remote Email Collection
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Email Collection, Remote Email Collection
Remote Email Collection, Email Collection
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Password Policy Discovery
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
Impair Defenses, Disable or Modify Cloud Logs
Impair Defenses, Disable or Modify Cloud Logs
Disable or Modify Cloud Logs, Impair Defenses
Disable or Modify Cloud Logs, Impair Defenses
DLL Side-Loading, Boot or Logon Autostart Execution
DLL Side-Loading
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
DLL Side-Loading, Hijack Execution Flow
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification, Domain Accounts
Domain Policy Modification
Query Registry
Query Registry
Query Registry
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Query Registry
Query Registry
Query Registry
Spearphishing Attachment, Phishing
Valid Accounts
Valid Accounts
Valid Accounts
Data from Cloud Storage
Phishing
Cloud Service Discovery
Compromise Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
Unused/Unsupported Cloud Regions
DNS, Application Layer Protocol
Application Layer Protocol
Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Application Layer Protocol
File Transfer Protocols, Application Layer Protocol
DNS, Application Layer Protocol
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Cloud Service Discovery
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Remote Desktop Protocol, Remote Services
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Alternative Protocol
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Windows Command Shell, Command and Scripting Interpreter
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Command and Scripting Interpreter, Windows Command Shell
Windows Command Shell
PowerShell, Windows Command Shell
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
Trusted Developer Utilities Proxy Execution
Print Processors, Boot or Logon Autostart Execution
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
Print Processors, Boot or Logon Autostart Execution
Exploitation for Privilege Escalation
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Steal or Forge Authentication Certificates, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
InstallUtil, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
InstallUtil, System Binary Proxy Execution
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software
Remote Access Software, OS Credential Dumping
Remote Access Software
Remote Access Software
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Server Software Component, IIS Components
IIS Components, Server Software Component
Server Software Component, IIS Components
Server Software Component, IIS Components
Network Denial of Service
Network Denial of Service
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Network Denial of Service, Reflection Amplification
Use Alternate Authentication Material
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Use Alternate Authentication Material
Use Alternate Authentication Material, Pass the Hash
Use Alternate Authentication Material
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Server Software Component, Web Shell
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web Shell, External Remote Services
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
NTDS, OS Credential Dumping
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
Malicious Image, User Execution
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System Network Connections Discovery
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
System Network Connections Discovery
System Binary Proxy Execution, Compiled HTML File
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
Compiled HTML File, System Binary Proxy Execution
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
System Binary Proxy Execution, Compiled HTML File
Password Spraying, Valid Accounts, Default Accounts
Valid Accounts, Default Accounts, Modify Authentication Process
Valid Accounts, Default Accounts, Credential Stuffing
Valid Accounts, Default Accounts, Password Spraying
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Valid Accounts, Default Accounts
Steal Application Access Token, Phishing, Spearphishing Link
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Steal Application Access Token
Valid Accounts, Domain Accounts
Domain Accounts, Permission Groups Discovery
Domain Policy Modification, Group Policy Modification, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Domain Accounts
System Information Discovery
System Information Discovery
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
System Information Discovery
System Information Discovery, Rootkit
System Information Discovery
System Information Discovery, External Remote Services
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Data Encrypted for Impact
Kernel Modules and Extensions, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
Malicious File, Masquerade File Type
Account Discovery, Domain Account, User Execution, Malicious File
User Execution, Malicious File
Malicious File, User Execution
User Execution, Malicious File
User Execution, Malicious File
Malicious File
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Exploitation of Remote Services
Exploitation of Remote Services
Exploitation of Remote Services
Disable or Modify System Firewall, Impair Defenses
Impair Defenses, Disable or Modify System Firewall
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall, Impair Defenses
Disable or Modify System Firewall
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Account Manipulation, Additional Email Delegate Permissions
Additional Email Delegate Permissions, Additional Cloud Roles
Additional Email Delegate Permissions, Additional Cloud Roles
Account Manipulation, Additional Email Delegate Permissions
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing, Password Spraying
Brute Force, Password Guessing
Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Password Guessing, Brute Force
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Archive via Utility, Archive Collected Data
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Kerberoasting
Steal or Forge Kerberos Tickets, Kerberoasting
Kerberoasting
Windows Remote Management, Remote Services
Remote Services, Windows Remote Management
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, Windows Remote Management
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model
Remote Services, Distributed Component Object Model, MMC
Remote Services, Distributed Component Object Model
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Steal or Forge Kerberos Tickets, AS-REP Roasting
Proxy, Multi-hop Proxy
Internal Proxy, Proxy
Internal Proxy, Proxy
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Proxy, Non-Application Layer Protocol
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall, Impair Defenses
Disable or Modify Cloud Firewall
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Data from Cloud Storage
Clear Windows Event Logs, Indicator Removal
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
Indicator Removal, Clear Windows Event Logs
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
System Services, Service Execution
Hardware Additions
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Automated Exfiltration
Automated Exfiltration
Automated Exfiltration
Automated Exfiltration
Automated Exfiltration
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
System Network Configuration Discovery, Internet Connection Discovery
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
System Network Configuration Discovery
System Network Configuration Discovery
System Network Configuration Discovery
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Trusted Developer Utilities Proxy Execution, MSBuild
BITS Jobs, Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
BITS Jobs, Ingress Tool Transfer
BITS Jobs
BITS Jobs
BITS Jobs
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
System Binary Proxy Execution, Regsvr32
Regsvr32, System Binary Proxy Execution
Regsvr32, Modify Registry
System Binary Proxy Execution, Regsvr32
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
Phishing, Spearphishing Attachment
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Rundll32
System Binary Proxy Execution, Control Panel
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Transfer Data to Cloud Account
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores
Credentials from Password Stores
Credentials from Password Stores
Credentials from Web Browsers, Credentials from Password Stores
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
Cron, Scheduled Task/Job
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
System Binary Proxy Execution, Regsvcs/Regasm
Abuse Elevation Control Mechanism, Indirect Command Execution
Endpoint Denial of Service
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification
Domain Policy Modification, Group Policy Modification, Domain Accounts
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Account Manipulation, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
DNS, Application Layer Protocol
DNS, Application Layer Protocol
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Collection, Email Forwarding Rule
Email Forwarding Rule, Email Collection
Email Forwarding Rule, Email Collection
Steal Application Access Token, Phishing, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Phishing, Spearphishing Link
Hardware, Gather Victim Host Information
Gather Victim Host Information
Gather Victim Host Information, PowerShell
Gather Victim Host Information
Gather Victim Host Information
Kernel Modules and Extensions, Service Execution
Kernel Modules and Extensions
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Kernel Modules and Extensions, Boot or Logon Autostart Execution
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System Shutdown/Reboot
System Shutdown/Reboot
System Shutdown/Reboot
System Shutdown/Reboot
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking, Hijack Execution Flow
DLL Search Order Hijacking
Rogue Domain Controller
Rogue Domain Controller
OS Credential Dumping, DCSync, Rogue Domain Controller
Rogue Domain Controller
Rogue Domain Controller
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Unsecured Credentials, Group Policy Preferences
Disable or Modify Tools, Impair Defenses
Disable or Modify Tools, Impair Defenses
Modify Registry
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Account Access Removal
Account Access Removal
Account Access Removal
Account Access Removal
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Visual Basic, Command and Scripting Interpreter
Command and Scripting Interpreter, Visual Basic
Exfiltration Over Web Service
Exfiltration Over Web Service
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Command and Scripting Interpreter, JavaScript
Screen Capture
Screen Capture
Screen Capture
Screen Capture
Dynamic-link Library Injection, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Process Injection, Dynamic-link Library Injection
Unix Shell, Command and Scripting Interpreter
Unix Shell, Command and Scripting Interpreter
Obfuscated Files or Information, Unix Shell
Unix Shell
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain, Supply Chain Compromise
Abuse Elevation Control Mechanism, Indirect Command Execution
Indirect Command Execution
Indirect Command Execution
Indirect Command Execution
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Command and Scripting Interpreter
Digital Certificates
Digital Certificates
Digital Certificates
Digital Certificates
Odbcconf, System Binary Proxy Execution
Odbcconf
Odbcconf
Odbcconf
Endpoint Denial of Service
Endpoint Denial of Service
Endpoint Denial of Service
Endpoint Denial of Service
SID-History Injection, Access Token Manipulation
SID-History Injection, Access Token Manipulation
Access Token Manipulation, SID-History Injection
SID-History Injection, Access Token Manipulation
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, SSH
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Component Object Model Hijacking, Event Triggered Execution
Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Protocol Tunneling, Proxy, Web Service
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Private Keys, Unsecured Credentials
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Pre-OS Boot, Registry Run Keys / Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Browser Session Hijacking
Browser Session Hijacking
Browser Session Hijacking
Browser Session Hijacking
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Hide Artifacts, NTFS File Attributes
Container API
Container API
Container API
Container API
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Change Default File Association, Event Triggered Execution
Change Default File Association, Event Triggered Execution
Change Default File Association
Exploitation for Client Execution
Exploitation for Client Execution
Exploitation for Client Execution
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Pre-OS Boot, Registry Run Keys / Startup Folder
System Firmware, Pre-OS Boot
TFTP Boot, Pre-OS Boot
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Application Shimming, Event Triggered Execution
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
Exploitation for Privilege Escalation
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
System Binary Proxy Execution, CMSTP
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows Management Instrumentation Event Subscription
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Services, Distributed Component Object Model, MMC
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Compromise Software Supply Chain, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
At, Scheduled Task/Job
At, Scheduled Task/Job
Scheduled Task/Job, At
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Password Stores, Credentials from Web Browsers
Credentials from Web Browsers, Credentials from Password Stores
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Systemd Timers, Scheduled Task/Job
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Setuid and Setgid, Abuse Elevation Control Mechanism
Rootkit, Exploitation for Privilege Escalation
System Information Discovery, Rootkit
Rootkit, Exploitation for Privilege Escalation
Digital Certificates
Network Sniffing
Digital Certificates
Digital Certificates
Protocol Impersonation
Network Sniffing
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Clipboard Data
Clipboard Data
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Process Injection, Portable Executable Injection
Access Token Manipulation, Token Impersonation/Theft
Token Impersonation/Theft, Access Token Manipulation
Token Impersonation/Theft, Access Token Manipulation
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
Mail Protocols, Application Layer Protocol
DCSync, OS Credential Dumping
DCSync, OS Credential Dumping
OS Credential Dumping, DCSync, Rogue Domain Controller
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Credentials in Registry, Unsecured Credentials
Compromise Software Supply Chain
Compromise Software Supply Chain
Compromise Software Supply Chain
Automated Collection
Automated Collection
Automated Collection
Time Based Evasion, Virtualization/Sandbox Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Time Based Evasion, Virtualization/Sandbox Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Exploitation for Credential Access
Exploitation for Credential Access
Exploitation for Credential Access
File and Directory Discovery
File and Directory Discovery
File and Directory Discovery
Fileless Storage, Obfuscated Files or Information
Obfuscated Files or Information, Fileless Storage
PowerShell, Ingress Tool Transfer, Fileless Storage
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
SIP and Trust Provider Hijacking
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Hide Artifacts, NTFS File Attributes
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Use Alternate Authentication Material, Pass the Ticket
Use Alternate Authentication Material, Pass the Ticket
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Proxy, Non-Application Layer Protocol
Non-Application Layer Protocol
Email Collection, Local Email Collection
Email Collection, Local Email Collection
Exploitation for Client Execution
Exploitation for Client Execution
Exploitation of Remote Services
Exploit Public-Facing Application
Services Registry Permissions Weakness
Services Registry Permissions Weakness, Hijack Execution Flow
Launch Agent, Create or Modify System Process
Launch Agent, Create or Modify System Process
Deobfuscate/Decode Files or Information
Deobfuscate/Decode Files or Information
Cloud Infrastructure Discovery
Cloud Infrastructure Discovery, Brute Force
Defacement
Print Processors, Boot or Logon Autostart Execution
Print Processors, Boot or Logon Autostart Execution
Security Account Manager, OS Credential Dumping
Security Account Manager, OS Credential Dumping
Trusted Relationship
Trusted Relationship
OS Credential Dumping
Forced Authentication
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Client Software Binary
Compromise Client Software Binary
XSL Script Processing
XSL Script Processing
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Install Root Certificate, Subvert Trust Controls
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification, Event Triggered Execution
Unix Shell Configuration Modification, Event Triggered Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
RC Scripts, Boot or Logon Initialization Scripts
Credentials, Gather Victim Identity Information
Gather Victim Identity Information, Email Addresses
Obfuscated Files or Information, Indicator Removal from Tools
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Valid Accounts, Local Accounts
Local Accounts, Credentials In Files
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
IP Addresses, Gather Victim Network Information
Gather Victim Network Information, IP Addresses
IP Addresses, Gather Victim Network Information
Gather Victim Network Information, IP Addresses
Phishing, Spearphishing Attachment
System Binary Proxy Execution
Image File Execution Options Injection, Event Triggered Execution
Image File Execution Options Injection
Protocol Tunneling, SSH
Encrypted Channel
Encrypted Channel
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Domain Generation Algorithms
Domain Generation Algorithms
Drive-by Compromise
Drive-by Compromise
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Unencrypted Non-C2 Protocol
RDP Hijacking
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Parent PID Spoofing, Access Token Manipulation
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Right-to-Left Override, Masquerading
Right-to-Left Override, Masquerading
Application or System Exploitation
Application or System Exploitation
Internal Proxy, Proxy
Internal Proxy, Proxy
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Disk Structure Wipe, Disk Wipe
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Exploit Public-Facing Application, External Remote Services
Server Software Component, Web Shell
Account Manipulation, Additional Cloud Credentials
Account Manipulation, Additional Cloud Credentials
Network Service Discovery
Network Service Discovery
Domain Policy Modification, Domain Trust Modification
Domain Policy Modification, Domain Trust Modification
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Exploit Public-Facing Application
Exploit Public-Facing Application
Phishing, Modify Registry
Network Denial of Service, Reflection Amplification
Web Protocols
File Transfer Protocols, Application Layer Protocol
Spearphishing via Service
Software Deployment Tools
Phishing
Exploit Public-Facing Application
Use Alternate Authentication Material, Pass the Hash
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
TFTP Boot, Pre-OS Boot
Data Staged
Cloud Groups, Account Manipulation, Permission Groups Discovery
Data from Local System
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Forced Authentication
System Binary Proxy Execution, Control Panel
Verclsid, System Binary Proxy Execution
Command and Scripting Interpreter, Component Object Model
Compile After Delivery, Obfuscated Files or Information
RC Scripts, Boot or Logon Initialization Scripts
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Dynamic Linker Hijacking, Hijack Execution Flow
/etc/passwd and /etc/shadow, OS Credential Dumping
Exploitation for Privilege Escalation
Gather Victim Identity Information, Email Addresses
Steal or Forge Kerberos Tickets, Golden Ticket
Network Denial of Service
Exploit Public-Facing Application, External Remote Services
Drive-by Compromise
Exploit Public-Facing Application, External Remote Services
Local Accounts, Credentials In Files
Command and Scripting Interpreter
Network Sniffing
Protocol Impersonation
Digital Certificates
Process Injection
Server Software Component, Exploit Public-Facing Application, External Remote Services
Mavinject, System Binary Proxy Execution
System Time Discovery
Endpoint Denial of Service
Account Discovery
GUI Input Capture, Input Capture
GUI Input Capture, Input Capture
Credentials, Gather Victim Identity Information
Spearphishing Attachment, Phishing, Malicious Link, User Execution
System Script Proxy Execution, System Binary Proxy Execution
Drive-by Compromise
Drive-by Compromise
Exploitation of Remote Services
Exploitation of Remote Services
Drive-by Compromise
Exploit Public-Facing Application, External Remote Services
Exfiltration Over Web Service
Security Support Provider, Boot or Logon Autostart Execution
Cached Domain Credentials, OS Credential Dumping
Password Managers
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Endpoint Denial of Service
Drive-by Compromise
Drive-by Compromise
Drive-by Compromise
Exploit Public-Facing Application, External Remote Services
Web Session Cookie, Cloud Service Dashboard
Lateral Tool Transfer
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Masquerade Task or Service, Masquerading
Event Triggered Execution, Accessibility Features
Boot or Logon Initialization Scripts, Logon Script (Windows)
System Firmware, Pre-OS Boot
Event Triggered Execution, Screensaver
Exploitation for Privilege Escalation
DLL Side-Loading, Hijack Execution Flow
Time Providers, Boot or Logon Autostart Execution
Port Monitors, Boot or Logon Autostart Execution
Active Setup, Boot or Logon Autostart Execution
Drive-by Compromise
Abuse Elevation Control Mechanism
HTML Smuggling
Malicious File, Masquerade File Type
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Application, External Remote Services
Mark-of-the-Web Bypass
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ingress Tool Transfer
Application or System Exploitation
File and Directory Discovery
Replication Through Removable Media
Proxy, Multi-hop Proxy
Exploitation for Privilege Escalation
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
Hidden Window, Run Virtual Instance
Plist File Modification
Path Interception by Unquoted Path, Hijack Execution Flow
Hardware, Gather Victim Host Information
Container Orchestration Job
LSA Secrets
Process Discovery
Create Process with Token, Access Token Manipulation
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Exploit Public-Facing Application
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Endpoint Denial of Service
Endpoint Denial of Service
Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Abuse Elevation Control Mechanism, Indirect Command Execution
Exploit Public-Facing Application
Exploit Public-Facing Application
Exploit Public-Facing Application
System Network Configuration Discovery, Internet Connection Discovery
Modify Cloud Compute Configurations
Exploit Public-Facing Application
Exploit Public-Facing Application
Log Enumeration
Log Enumeration
Valid Accounts
File and Directory Discovery
Modify Registry