Technique Prevalence

MITRE

Most prevalent techniques for Windows OS according to MITRE:

| Rank | ID | Technique | Tactic |
|---|---|---|---|
| 1 | T1047 | Windows Management Instrumentation | Execution |
| 2 | T1059 | Command and Scripting Interpreter | Execution |
| 3 | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| 4 | T1562 | Impair Defenses | Defense Evasion |
| 5 | T1021 | Remote Services | Lateral Movement |
| 6 | T1003 | OS Credential Dumping | Credential Access |
| 7 | T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| 8 | T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| 9 | T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| 10 | T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| 11 | T1105 | Ingress Tool Transfer | Command and Control |
| 12 | T1036 | Masquerading | Defense Evasion |
| 13 | T1090 | Proxy | Command and Control |
| 14 | T1218 | Signed Binary Proxy Execution | Defense Evasion |
| 15 | T1027 | Obfuscated Files or Information | Defense Evasion |
| 16 | T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| 17 | T1204 | User Execution | Execution |
| 18 | T1219 | Remote Access Software | Command and Control |
| 19 | T1569 | System Services | Execution |
| 20 | T1190 | Exploit Public-Facing Application | Initial Access |
| 21 | T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
| 22 | T1552 | Unsecured Credentials | Credential Access |
| 23 | T1095 | Non-Application Layer Protocol | Command and Control |
| 24 | T1112 | Modify Registry | Defense Evasion |
| 25 | T1074 | Data Staged | Collection |
| 26 | T1071 | Application Layer Protocol | Command and Control |
| 27 | T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| 28 | T1070 | Indicator Removal on Host | Defense Evasion |
| 29 | T1189 | Drive-by Compromise | Initial Access |
| 30 | T1482 | Domain Trust Discovery | Discovery |
| 31 | T1560 | Archive Collected Data | Collection |
| 32 | T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| 33 | T1559 | Inter-Process Communication | Execution |
| 34 | T1570 | Lateral Tool Transfer | Lateral Movement |
| 35 | T1210 | Exploitation of Remote Services | Lateral Movement |
| 36 | T1555 | Credentials from Password Stores | Credential Access |
| 37 | T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| 38 | T1072 | Software Deployment Tools | Execution, Lateral Movement |
| 39 | T1564 | Hide Artifacts | Defense Evasion |
| 40 | T1110 | Brute Force | Credential Access |
| 41 | T1213 | Data from Information Repositories | Collection |
| 42 | T1136 | Create Account | Persistence |
| 43 | T1197 | BITS Jobs | Defense Evasion, Persistence |
| 44 | T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery |
| 45 | T1222 | File and Directory Permissions Modification | Defense Evasion |
| 46 | T1106 | Native API | Execution |
| 47 | T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
| 48 | T1046 | Network Service Scanning | Discovery |
| 49 | T1012 | Query Registry | Discovery |
| 50 | T1040 | Network Sniffing | Credential Access, Discovery |
| 51 | T1133 | External Remote Services | Initial Access, Persistence |
| 52 | T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| 53 | T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| 54 | T1495 | Firmware Corruption | Impact |
| 55 | T1490 | Inhibit System Recovery | Impact |
| 56 | T1571 | Non-Standard Port | Command and Control |
| 57 | T1563 | Remote Service Session Hijacking | Lateral Movement |
| 58 | T1489 | Service Stop | Impact |
| 59 | T1539 | Steal Web Session Cookie | Credential Access |
| 60 | T1220 | XSL Script Processing | Defense Evasion |
| 61 | T1566 | Phishing | Initial Access |
| 62 | T1018 | Remote System Discovery | Discovery |
| 63 | T1033 | System Owner/User Discovery | Discovery |
| 64 | T1104 | Multi-Stage Channels | Command and Control |
| 65 | T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| 66 | T1572 | Protocol Tunneling | Command and Control |
| 67 | T1203 | Exploitation for Client Execution | Execution |
| 68 | T1553 | Subvert Trust Controls | Defense Evasion |
| 69 | T1554 | Compromise Client Software Binary | Persistence |
| 70 | T1098 | Account Manipulation | Persistence, Privilege Escalation |
| 71 | T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| 72 | T1137 | Office Application Startup | Persistence |
| 73 | T1211 | Exploitation for Defense Evasion | Defense Evasion |
| 74 | T1102 | Web Service | Command and Control |
| 75 | T1491 | Defacement | Impact |
| 76 | T1005 | Data from Local System | Collection |
| 77 | T1082 | System Information Discovery | Discovery |
| 78 | T1049 | System Network Connections Discovery | Discovery |
| 79 | T1056 | Input Capture | Collection, Credential Access |
| 80 | T1052 | Exfiltration Over Physical Medium | Exfiltration |
| 81 | T1221 | Template Injection | Defense Evasion |
| 82 | T1195 | Supply Chain Compromise | Initial Access |
| 83 | T1011 | Exfiltration Over Other Network Medium | Exfiltration |
| 84 | T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| 85 | T1176 | Browser Extensions | Persistence |
| 86 | T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
| 87 | T1020 | Automated Exfiltration | Exfiltration |
| 88 | T1606 | Forge Web Credentials | Credential Access |
| 89 | T1534 | Internal Spearphishing | Lateral Movement |
| 90 | T1039 | Data from Network Shared Drive | Collection |
| 91 | T1132 | Data Encoding | Command and Control |
| 92 | T1505 | Server Software Component | Persistence |
| 93 | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| 94 | T1041 | Exfiltration Over C2 Channel | Exfiltration |
| 95 | T1199 | Trusted Relationship | Initial Access |
| 96 | T1573 | Encrypted Channel | Command and Control |
| 97 | T1025 | Data from Removable Media | Collection |
| 98 | T1565 | Data Manipulation | Impact |
| 99 | T1496 | Resource Hijacking | Impact |
| 100 | T1486 | Data Encrypted for Impact | Impact |
| 101 | T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
| 102 | T1080 | Taint Shared Content | Lateral Movement |
| 103 | T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| 104 | T1135 | Network Share Discovery | Discovery |
| 105 | T1212 | Exploitation for Credential Access | Credential Access |
| 106 | T1216 | Signed Script Proxy Execution | Defense Evasion |
| 107 | T1114 | Email Collection | Collection |
| 108 | T1518 | Software Discovery | Discovery |
| 109 | T1498 | Network Denial of Service | Impact |
| 110 | T1069 | Permission Groups Discovery | Discovery |
| 111 | T1087 | Account Discovery | Discovery |
| 112 | T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| 113 | T1123 | Audio Capture | Collection |
| 114 | T1083 | File and Directory Discovery | Discovery |
| 115 | T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| 116 | T1111 | Two-Factor Authentication Interception | Credential Access |
| 117 | T1113 | Screen Capture | Collection |
| 118 | T1207 | Rogue Domain Controller | Defense Evasion |
| 119 | T1124 | System Time Discovery | Discovery |
| 120 | T1531 | Account Access Removal | Impact |
| 121 | T1119 | Automated Collection | Collection |
| 122 | T1480 | Execution Guardrails | Defense Evasion |
| 123 | T1006 | Direct Volume Access | Defense Evasion |
| 124 | T1185 | Browser Session Hijacking | Collection |
| 125 | T1567 | Exfiltration Over Web Service | Exfiltration |
| 126 | T1001 | Data Obfuscation | Command and Control |
| 127 | T1568 | Dynamic Resolution | Command and Control |
| 128 | T1057 | Process Discovery | Discovery |
| 129 | T1485 | Data Destruction | Impact |
| 130 | T1092 | Communication Through Removable Media | Command and Control |
| 131 | T1202 | Indirect Command Execution | Defense Evasion |
| 132 | T1561 | Disk Wipe | Impact |
| 133 | T1499 | Endpoint Denial of Service | Impact |
| 134 | T1008 | Fallback Channels | Command and Control |
| 135 | T1030 | Data Transfer Size Limits | Exfiltration |
| 136 | T1029 | Scheduled Transfer | Exfiltration |
| 137 | T1016 | System Network Configuration Discovery | Discovery |
| 138 | T1129 | Shared Modules | Execution |
| 139 | T1187 | Forced Authentication | Credential Access |
| 140 | T1007 | System Service Discovery | Discovery |
| 141 | T1120 | Peripheral Device Discovery | Discovery |
| 142 | T1115 | Clipboard Data | Collection |
| 143 | T1010 | Application Window Discovery | Discovery |
| 144 | T1125 | Video Capture | Collection |
| 145 | T1014 | Rootkit | Defense Evasion |
| 146 | T1217 | Browser Bookmark Discovery | Discovery |
| 147 | T1529 | System Shutdown/Reboot | Impact |
| 148 | T1200 | Hardware Additions | Initial Access |
| 149 | T1201 | Password Policy Discovery | Discovery |
| 150 | T1611 | Escape to Host | Privilege Escalation |

Threat Reports

Most prevalent techniques and sub-techniques based on an analysis of over 750 threat intelligence reports:

| Count | ID | Technique | Tactic |
|---|---|---|---|
| 345 | T1105 | Ingress Tool Transfer | Command and Control |
| 310 | T1082 | System Information Discovery | Discovery |
| 280 | T1071.001 | Application Layer Protocol: Web Protocols | Command and Control |
| 267 | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Execution |
| 237 | T1083 | File and Directory Discovery | Discovery |
| 213 | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
| 208 | T1070.004 | Indicator Removal: File Deletion | Defense Evasion |
| 207 | T1057 | Process Discovery | Discovery |
| 202 | T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| 190 | T1016 | System Network Configuration Discovery | Discovery |
| 187 | T1204.002 | User Execution: Malicious File | Execution |
| 179 | T1566.001 | Phishing: Spearphishing Attachment | Initial Access |
| 166 | T1059.001 | Command and Scripting Interpreter: PowerShell | Execution |
| 161 | T1033 | System Owner/User Discovery | Discovery |
| 138 | T1005 | Data from Local System | Collection |
| 136 | T1113 | Screen Capture | Collection |
| 135 | T1056.001 | Input Capture: Keylogging | Collection, Credential Access |
| 134 | T1036.005 | Masquerading: Match Legitimate Name or Location | Defense Evasion |
| 131 | T1106 | Native API | Execution |
| 128 | T1053.005 | Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
| 126 | T1112 | Modify Registry | Defense Evasion |
| 124 | T1573.001 | Encrypted Channel: Symmetric Cryptography | Command and Control |
| 118 | T1059.005 | Command and Scripting Interpreter: Visual Basic | Execution |
| 113 | T1041 | Exfiltration Over C2 Channel | Exfiltration |
| 99 | T1543.003 | Create or Modify System Process: Windows Service | Persistence, Privilege Escalation |
| 94 | T1518.001 | Software Discovery: Security Software Discovery | Discovery |
| 91 | T1047 | Windows Management Instrumentation | Execution |
| 85 | T1012 | Query Registry | Discovery |
| 84 | T1132.001 | Data Encoding: Standard Encoding | Command and Control |
| 79 | T1204.001 | User Execution: Malicious Link | Execution |
| 76 | T1566.002 | Phishing: Spearphishing Link | Initial Access |
| 74 | T1074.001 | Data Staged: Local Data Staging | Collection |
| 72 | T1027.002 | Obfuscated Files or Information: Software Packing | Defense Evasion |
| 72 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access |
| 68 | T1049 | System Network Connections Discovery | Discovery |
| 68 | T1218.011 | System Binary Proxy Execution: Rundll32 | Defense Evasion |
| 68 | T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
| 66 | T1203 | Exploitation for Client Execution | Execution |
| 64 | T1588.002 | Obtain Capabilities: Tool | Resource Development |
| 63 | T1124 | System Time Discovery | Discovery |
| 59 | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | Discovery |
| 58 | T1095 | Non-Application Layer Protocol | Command and Control |
| 56 | T1036.004 | Masquerading: Masquerade Task or Service | Defense Evasion |
| 54 | T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access |
| 52 | T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
| 49 | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| 48 | T1486 | Data Encrypted for Impact | Impact |
| 48 | T1553.002 | Subvert Trust Controls: Code Signing | Defense Evasion |
| 48 | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Command and Control |
| 47 | T1560.001 | Archive Collected Data: Archive via Utility | Collection |
| 47 | T1569.002 | System Services: Service Execution | Execution |
| 46 | T1007 | System Service Discovery | Discovery |
| 46 | T1059.007 | Command and Scripting Interpreter: JavaScript | Execution |
| 46 | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Defense Evasion, Discovery |
| 45 | T1071.004 | Application Layer Protocol: DNS | Command and Control |
| 44 | T1189 | Drive-by Compromise | Initial Access |
| 43 | T1102.002 | Web Service: Bidirectional Communication | Command and Control |
| 43 | T1120 | Peripheral Device Discovery | Discovery |
| 42 | T1119 | Automated Collection | Collection |
| 42 | T1135 | Network Share Discovery | Discovery |
| 41 | T1046 | Network Service Discovery | Discovery |
| 41 | T1070.006 | Indicator Removal: Timestomp | Defense Evasion |
| 41 | T1087.001 | Account Discovery: Local Account | Discovery |
| 41 | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Defense Evasion, Privilege Escalation |
| 41 | T1564.001 | Hide Artifacts: Hidden Files and Directories | Defense Evasion |
| 40 | T1008 | Fallback Channels | Command and Control |
| 38 | T1583.001 | Acquire Infrastructure: Domains | Resource Development |
| 37 | T1021.001 | Remote Services: Remote Desktop Protocol | Lateral Movement |
| 36 | T1059.006 | Command and Scripting Interpreter: Python | Execution |
| 36 | T1571 | Non-Standard Port | Command and Control |
| 35 | T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral Movement |
| 35 | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution |
| 35 | T1125 | Video Capture | Collection |
| 34 | T1055.012 | Process Injection: Process Hollowing | Defense Evasion, Privilege Escalation |
| 33 | T1027.001 | Obfuscated Files or Information: Binary Padding | Defense Evasion |
| 33 | T1190 | Exploit Public-Facing Application | Initial Access |
| 32 | T1115 | Clipboard Data | Collection |
| 32 | T1560.003 | Archive Collected Data: Archive via Custom Method | Collection |
| 31 | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Impact |
| 30 | T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| 30 | T1490 | Inhibit System Recovery | Impact |
| 30 | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Persistence, Privilege Escalation |
| 30 | T1564.003 | Hide Artifacts: Hidden Window | Defense Evasion |
| 29 | T1133 | External Remote Services | Initial Access, Persistence |
| 29 | T1489 | Service Stop | Impact |
| 28 | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Defense Evasion |
| 27 | T1087.002 | Account Discovery: Domain Account | Discovery |
| 27 | T1123 | Audio Capture | Collection |
| 27 | T1218.010 | System Binary Proxy Execution: Regsvr32 | Defense Evasion |
| 27 | T1485 | Data Destruction | Impact |
| 26 | T1025 | Data from Removable Media | Collection |
| 26 | T1505.003 | Server Software Component: Web Shell | Persistence |
| 25 | T1010 | Application Window Discovery | Discovery |
| 24 | T1090.002 | Proxy: External Proxy | Command and Control |
| 24 | T1210 | Exploitation of Remote Services | Lateral Movement |
| 24 | T1552.001 | Unsecured Credentials: Credentials In Files | Credential Access |
| 23 | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Command and Control |
| 22 | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| 22 | T1070.001 | Indicator Removal: Clear Windows Event Logs | Defense Evasion |
| 22 | T1218.005 | System Binary Proxy Execution: Mshta | Defense Evasion |
| 22 | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltration |
| 20 | T1027.003 | Obfuscated Files or Information: Steganography | Defense Evasion |
| 20 | T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| 20 | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| 19 | T1071.003 | Application Layer Protocol: Mail Protocols | Command and Control |
| 19 | T1102.001 | Web Service: Dead Drop Resolver | Command and Control |
| 19 | T1614.001 | System Location Discovery: System Language Discovery | Discovery |
| 18 | T1018 | Remote System Discovery | Discovery |
| 18 | T1069.001 | Permission Groups Discovery: Local Groups | Discovery |
| 18 | T1090.001 | Proxy: Internal Proxy | Command and Control |
| 18 | T1136.001 | Create Account: Local Account | Persistence |
| 18 | T1219 | Remote Access Software | Command and Control |
| 17 | T1014 | Rootkit | Defense Evasion |
| 17 | T1218.007 | System Binary Proxy Execution: Msiexec | Defense Evasion |
| 17 | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Execution |
| 17 | T1570 | Lateral Tool Transfer | Lateral Movement |
| 17 | T1583.006 | Acquire Infrastructure: Web Services | Resource Development |
| 16 | T1071.002 | Application Layer Protocol: File Transfer Protocols | Command and Control |
| 16 | T1078.002 | Valid Accounts: Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| 16 | T1114.002 | Email Collection: Remote Email Collection | Collection |
| 16 | T1185 | Browser Session Hijacking | Collection |
| 16 | T1543.001 | Create or Modify System Process: Launch Agent | Persistence, Privilege Escalation |
| 16 | T1572 | Protocol Tunneling | Command and Control |
| 16 | T1598.003 | Phishing for Information: Spearphishing Link | Reconnaissance |
| 15 | T1029 | Scheduled Transfer | Exfiltration |
| 15 | T1069.002 | Permission Groups Discovery: Domain Groups | Discovery |
| 15 | T1559.001 | Inter-Process Communication: Component Object Model | Execution |
| 14 | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Defense Evasion |
| 14 | T1053.003 | Scheduled Task/Job: Cron | Execution, Persistence, Privilege Escalation |
| 14 | T1129 | Shared Modules | Execution |
| 14 | T1529 | System Shutdown/Reboot | Impact |
| 14 | T1561.002 | Disk Wipe: Disk Structure Wipe | Impact |
| 14 | T1589.002 | Gather Victim Identity Information: Email Addresses | Reconnaissance |
| 14 | T1608.001 | Stage Capabilities: Upload Malware | Resource Development |
| 13 | T1001.001 | Data Obfuscation: Junk Data | Command and Control |
| 13 | T1001.003 | Data Obfuscation: Protocol Impersonation | Command and Control |
| 13 | T1003.002 | OS Credential Dumping: Security Account Manager | Credential Access |
| 13 | T1003.004 | OS Credential Dumping: LSA Secrets | Credential Access |
| 13 | T1021.004 | Remote Services: SSH | Lateral Movement |
| 13 | T1090.003 | Proxy: Multi-hop Proxy | Command and Control |
| 13 | T1110.003 | Brute Force: Password Spraying | Credential Access |
| 13 | T1587.001 | Develop Capabilities: Malware | Resource Development |
| 12 | T1003.003 | OS Credential Dumping: NTDS | Credential Access |
| 12 | T1040 | Network Sniffing | Credential Access, Discovery |
| 12 | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Initial Access |
| 12 | T1199 | Trusted Relationship | Initial Access |
| 12 | T1496 | Resource Hijacking | Impact |
| 12 | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
| 12 | T1560.002 | Archive Collected Data: Archive via Library | Collection |
| 12 | T1585.002 | Establish Accounts: Email Accounts | Resource Development |
| 11 | T1030 | Data Transfer Size Limits | Exfiltration |
| 11 | T1039 | Data from Network Shared Drive | Collection |
| 11 | T1078.003 | Valid Accounts: Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| 11 | T1110.001 | Brute Force: Password Guessing | Credential Access |
| 11 | T1114.001 | Email Collection: Local Email Collection | Collection |
| 11 | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
| 11 | T1134.002 | Access Token Manipulation: Create Process with Token | Defense Evasion, Privilege Escalation |
| 11 | T1197 | BITS Jobs | Defense Evasion, Persistence |
| 11 | T1217 | Browser Information Discovery | Discovery |
| 11 | T1221 | Template Injection | Defense Evasion |
| 11 | T1539 | Steal Web Session Cookie | Credential Access |
| 11 | T1564.004 | Hide Artifacts: NTFS File Attributes | Defense Evasion |
| 10 | T1087.003 | Account Discovery: Email Account | Discovery |
| 10 | T1104 | Multi-Stage Channels | Command and Control |
| 10 | T1543.004 | Create or Modify System Process: Launch Daemon | Persistence, Privilege Escalation |
| 10 | T1552.004 | Unsecured Credentials: Private Keys | Credential Access |
| 10 | T1585.001 | Establish Accounts: Social Media Accounts | Resource Development |
| 9 | T1001.002 | Data Obfuscation: Steganography | Command and Control |
| 9 | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Discovery |
| 9 | T1021.005 | Remote Services: VNC | Lateral Movement |
| 9 | T1074.002 | Data Staged: Remote Data Staging | Collection |
| 9 | T1080 | Taint Shared Content | Lateral Movement |
| 9 | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| 9 | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Persistence, Privilege Escalation |
| 9 | T1566.003 | Phishing: Spearphishing via Service | Initial Access |
| 9 | T1584.001 | Compromise Infrastructure: Domains | Resource Development |
| 9 | T1595.002 | Active Scanning: Vulnerability Scanning | Reconnaissance |
| 8 | T1055.004 | Process Injection: Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
| 8 | T1056.004 | Input Capture: Credential API Hooking | Collection, Credential Access |
| 8 | T1070.009 | Indicator Removal: Clear Persistence | Defense Evasion |
| 8 | T1132.002 | Data Encoding: Non-Standard Encoding | Command and Control |
| 8 | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Defense Evasion |
| 8 | T1482 | Domain Trust Discovery | Discovery |
| 8 | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Persistence, Privilege Escalation |
| 8 | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access |
| 8 | T1584.004 | Compromise Infrastructure: Server | Resource Development |
| 8 | T1588.001 | Obtain Capabilities: Malware | Resource Development |
| 7 | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Credential Access |
| 7 | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Defense Evasion |
| 7 | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Exfiltration |
| 7 | T1055.002 | Process Injection: Portable Executable Injection | Defense Evasion, Privilege Escalation |
| 7 | T1218.001 | System Binary Proxy Execution: Compiled HTML File | Defense Evasion |
| 7 | T1542.003 | Pre-OS Boot: Bootkit | Defense Evasion, Persistence |
| 7 | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Defense Evasion, Lateral Movement |
| 7 | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | Defense Evasion |
| 7 | T1620 | Reflective Code Loading | Defense Evasion |
| 7 | T1622 | Debugger Evasion | Defense Evasion, Discovery |
| 6 | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | Persistence, Privilege Escalation |
| 6 | T1070.003 | Indicator Removal: Clear Command History | Defense Evasion |
| 6 | T1078.004 | Valid Accounts: Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| 6 | T1586.002 | Compromise Accounts: Email Accounts | Resource Development |
| 6 | T1589.001 | Gather Victim Identity Information: Credentials | Reconnaissance |
| 6 | T1598.002 | Phishing for Information: Spearphishing Attachment | Reconnaissance |
| 5 | T1021.006 | Remote Services: Windows Remote Management | Lateral Movement |
| 5 | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Defense Evasion |
| 5 | T1036.001 | Masquerading: Invalid Code Signature | Defense Evasion |
| 5 | T1036.002 | Masquerading: Right-to-Left Override | Defense Evasion |
| 5 | T1098.004 | Account Manipulation: SSH Authorized Keys | Persistence, Privilege Escalation |
| 5 | T1102.003 | Web Service: One-Way Communication | Command and Control |
| 5 | T1136.002 | Create Account: Domain Account | Persistence |
| 5 | T1480.001 | Execution Guardrails: Environmental Keying | Defense Evasion |
| 5 | T1534 | Internal Spearphishing | Lateral Movement |
| 5 | T1543.002 | Create or Modify System Process: Systemd Service | Persistence, Privilege Escalation |
| 5 | T1552.002 | Unsecured Credentials: Credentials in Registry | Credential Access |
| 5 | T1554 | Compromise Host Software Binary | Persistence |
| 5 | T1565.002 | Data Manipulation: Transmitted Data Manipulation | Impact |
| 5 | T1569.001 | System Services: Launchctl | Execution |
| 5 | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| 5 | T1583.003 | Acquire Infrastructure: Virtual Private Server | Resource Development |
| 5 | T1583.004 | Acquire Infrastructure: Server | Resource Development |
| 5 | T1588.003 | Obtain Capabilities: Code Signing Certificates | Resource Development |
| 5 | T1594 | Search Victim-Owned Websites | Reconnaissance |
| 4 | T1003.006 | OS Credential Dumping: DCSync | Credential Access |
| 4 | T1036.003 | Masquerading: Rename System Utilities | Defense Evasion |
| 4 | T1036.007 | Masquerading: Double File Extension | Defense Evasion |
| 4 | T1053.002 | Scheduled Task/Job: At | Execution, Persistence, Privilege Escalation |
| 4 | T1110.002 | Brute Force: Password Cracking | Credential Access |
| 4 | T1111 | Multi-Factor Authentication Interception | Credential Access |
| 4 | T1187 | Forced Authentication | Credential Access |
| 4 | T1218.004 | System Binary Proxy Execution: InstallUtil | Defense Evasion |
| 4 | T1220 | XSL Script Processing | Defense Evasion |
| 4 | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Defense Evasion, Privilege Escalation |
| 4 | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Defense Evasion, Discovery |
| 4 | T1531 | Account Access Removal | Impact |
| 4 | T1546.008 | Event Triggered Execution: Accessibility Features | Persistence, Privilege Escalation |
| 4 | T1546.010 | Event Triggered Execution: AppInit DLLs | Persistence, Privilege Escalation |
| 4 | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | Defense Evasion |
| 4 | T1555.005 | Credentials from Password Stores: Password Managers | Credential Access |
| 4 | T1561.001 | Disk Wipe: Disk Content Wipe | Impact |
| 4 | T1564.005 | Hide Artifacts: Hidden File System | Defense Evasion |
| 4 | T1568.001 | Dynamic Resolution: Fast Flux DNS | Command and Control |
| 4 | T1588.004 | Obtain Capabilities: Digital Certificates | Resource Development |
| 4 | T1591.004 | Gather Victim Org Information: Identify Roles | Reconnaissance |
| 4 | T1608.004 | Stage Capabilities: Drive-by Target | Resource Development |
| 4 | T1611 | Escape to Host | Privilege Escalation |
| 3 | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Defense Evasion |
| 3 | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | Persistence, Privilege Escalation |
| 3 | T1055.003 | Process Injection: Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
| 3 | T1055.013 | Process Injection: Process Doppelgänging | Defense Evasion, Privilege Escalation |
| 3 | T1059.002 | Command and Scripting Interpreter: AppleScript | Execution |
| 3 | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | Defense Evasion |
| 3 | T1072 | Software Deployment Tools | Execution, Lateral Movement |
| 3 | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| 3 | T1110.004 | Brute Force: Credential Stuffing | Credential Access |
| 3 | T1114.003 | Email Collection: Email Forwarding Rule | Collection |
| 3 | T1176 | Browser Extensions | Persistence |
| 3 | T1201 | Password Policy Discovery | Discovery |
| 3 | T1213.002 | Data from Information Repositories: Sharepoint | Collection |
| 3 | T1218.002 | System Binary Proxy Execution: Control Panel | Defense Evasion |
| 3 | T1491.001 | Defacement: Internal Defacement | Impact |
| 3 | T1505.004 | Server Software Component: IIS Components | Persistence |
| 3 | T1546.011 | Event Triggered Execution: Application Shimming | Persistence, Privilege Escalation |
| 3 | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | Persistence, Privilege Escalation |
| 3 | T1547.012 | Boot or Logon Autostart Execution: Print Processors | Persistence, Privilege Escalation |
| 3 | T1547.015 | Boot or Logon Autostart Execution: Login Items | Persistence, Privilege Escalation |
| 3 | T1550.001 | Use Alternate Authentication Material: Application Access Token | Defense Evasion, Lateral Movement |
| 3 | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Defense Evasion, Lateral Movement |
| 3 | T1553.004 | Subvert Trust Controls: Install Root Certificate | Defense Evasion |
| 3 | T1555.001 | Credentials from Password Stores: Keychain | Credential Access |
| 3 | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
| 3 | T1562.002 | Impair Defenses: Disable Windows Event Logging | Defense Evasion |
| 3 | T1562.006 | Impair Defenses: Indicator Blocking | Defense Evasion |
| 3 | T1564.002 | Hide Artifacts: Hidden Users | Defense Evasion |
| 3 | T1564.006 | Hide Artifacts: Run Virtual Instance | Defense Evasion |
| 3 | T1589.003 | Gather Victim Identity Information: Employee Names | Reconnaissance |
| 3 | T1591.002 | Gather Victim Org Information: Business Relationships | Reconnaissance |
| 3 | T1593.001 | Search Open Websites/Domains: Social Media | Reconnaissance |
| 3 | T1609 | Container Administration Command | Execution |
| 3 | T1610 | Deploy Container | Defense Evasion, Execution |
| 2 | T1027.006 | Obfuscated Files or Information: HTML Smuggling | Defense Evasion |
| 2 | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| 2 | T1056.002 | Input Capture: GUI Input Capture | Collection, Credential Access |
| 2 | T1070.005 | Indicator Removal: Network Share Connection Removal | Defense Evasion |
| 2 | T1070.008 | Indicator Removal: Clear Mailbox Data | Defense Evasion |
| 2 | T1078.001 | Valid Accounts: Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| 2 | T1087.004 | Account Discovery: Cloud Account | Discovery |
| 2 | T1092 | Communication Through Removable Media | Command and Control |
| 2 | T1098.003 | Account Manipulation: Additional Cloud Roles | Persistence, Privilege Escalation |
| 2 | T1134.004 | Access Token Manipulation: Parent PID Spoofing | Defense Evasion, Privilege Escalation |
| 2 | T1136.003 | Create Account: Cloud Account | Persistence |
| 2 | T1137.001 | Office Application Startup: Office Template Macros | Persistence |
| 2 | T1137.006 | Office Application Startup: Add-ins | Persistence |
| 2 | T1202 | Indirect Command Execution | Defense Evasion |
| 2 | T1218.003 | System Binary Proxy Execution: CMSTP | Defense Evasion |
| 2 | T1218.008 | System Binary Proxy Execution: Odbcconf | Defense Evasion |
| 2 | T1495 | Firmware Corruption | Impact |
| 2 | T1505.001 | Server Software Component: SQL Stored Procedures | Persistence |
| 2 | T1542.002 | Pre-OS Boot: Component Firmware | Defense Evasion, Persistence |
| 2 | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | Persistence, Privilege Escalation |
| 2 | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Persistence, Privilege Escalation |
| 2 | T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries | Persistence, Privilege Escalation |
| 2 | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | Defense Evasion, Privilege Escalation |
| 2 | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Defense Evasion, Lateral Movement |
| 2 | T1552.006 | Unsecured Credentials: Group Policy Preferences | Credential Access |
| 2 | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
| 2 | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| 2 | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | Lateral Movement |
| 2 | T1565.001 | Data Manipulation: Stored Data Manipulation | Impact |
| 2 | T1583.002 | Acquire Infrastructure: DNS Server | Resource Development |
| 2 | T1584.005 | Compromise Infrastructure: Botnet | Resource Development |
| 2 | T1587.002 | Develop Capabilities: Code Signing Certificates | Resource Development |
| 2 | T1587.003 | Develop Capabilities: Digital Certificates | Resource Development |
| 2 | T1590.001 | Gather Victim Network Information: Domain Properties | Reconnaissance |
| 2 | T1590.005 | Gather Victim Network Information: IP Addresses | Reconnaissance |
| 2 | T1592.002 | Gather Victim Host Information: Software | Reconnaissance |
| 2 | T1608.002 | Stage Capabilities: Upload Tool | Resource Development |
| 2 | T1608.005 | Stage Capabilities: Link Target | Resource Development |
| 2 | T1615 | Group Policy Discovery | Discovery |
| 1 | T1027.008 | Obfuscated Files or Information: Stripped Payloads | Defense Evasion |
| 1 | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | Persistence, Privilege Escalation |
| 1 | T1055.005 | Process Injection: Thread Local Storage | Defense Evasion, Privilege Escalation |
| 1 | T1055.015 | Process Injection: ListPlanting | Defense Evasion, Privilege Escalation |
| 1 | T1056.003 | Input Capture: Web Portal Capture | Collection, Credential Access |
| 1 | T1069.003 | Permission Groups Discovery: Cloud Groups | Discovery |
| 1 | T1070.007 | Indicator Removal: Clear Network Connection History and Configurations | Defense Evasion |
| 1 | T1090.004 | Proxy: Domain Fronting | Command and Control |
| 1 | T1098.001 | Account Manipulation: Additional Cloud Credentials | Persistence, Privilege Escalation |
| 1 | T1098.005 | Account Manipulation: Device Registration | Persistence, Privilege Escalation |
| 1 | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Defense Evasion |
| 1 | T1134.003 | Access Token Manipulation: Make and Impersonate Token | Defense Evasion, Privilege Escalation |
| 1 | T1134.005 | Access Token Manipulation: SID-History Injection | Defense Evasion, Privilege Escalation |
| 1 | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Initial Access |
| 1 | T1200 | Hardware Additions | Initial Access |
| 1 | T1204.003 | User Execution: Malicious Image | Execution |
| 1 | T1205.001 | Traffic Signaling: Port Knocking | Command and Control, Defense Evasion, Persistence |
| 1 | T1205.002 | Traffic Signaling: Socket Filters | Command and Control, Defense Evasion, Persistence |
| 1 | T1207 | Rogue Domain Controller | Defense Evasion |
| 1 | T1211 | Exploitation for Defense Evasion | Defense Evasion |
| 1 | T1213.001 | Data from Information Repositories: Confluence | Collection |
| 1 | T1213.003 | Data from Information Repositories: Code Repositories | Collection |
| 1 | T1218.009 | System Binary Proxy Execution: Regsvcs/Regasm | Defense Evasion |
| 1 | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | Defense Evasion, Privilege Escalation |
| 1 | T1491.002 | Defacement: External Defacement | Impact |
| 1 | T1499.004 | Endpoint Denial of Service: Application or System Exploitation | |

Impact

1

T1505.002

Server Software Component: Transport Agent

Persistence

1

T1526

Cloud Service Discovery

Discovery

1

T1528

Steal Application Access Token

Credential Access

1

T1530

Data from Cloud Storage

Collection

1

T1542.001

Pre-OS Boot: System Firmware

Defense Evasion, Persistence

1

T1546.001

Event Triggered Execution: Change Default File Association

Persistence, Privilege Escalation

1

T1546.002

Event Triggered Execution: Screensaver

Persistence, Privilege Escalation

1

T1546.013

Event Triggered Execution: PowerShell Profile

Persistence, Privilege Escalation

1

T1546.016

Event Triggered Execution: Installer Packages

Persistence, Privilege Escalation

1

T1547.002

Boot or Logon Autostart Execution: Authentication Package

Persistence, Privilege Escalation

1

T1547.008

Boot or Logon Autostart Execution: LSASS Driver

Persistence, Privilege Escalation

1

T1548.003

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Defense Evasion, Privilege Escalation

1

T1548.004

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Defense Evasion, Privilege Escalation

1

T1552.003

Unsecured Credentials: Bash History

Credential Access

1

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

Credential Access

1

T1553.005

Subvert Trust Controls: Mark-of-the-Web Bypass

Defense Evasion

1

T1556.002

Modify Authentication Process: Password Filter DLL

Credential Access, Defense Evasion, Persistence

1

T1556.004

Modify Authentication Process: Network Device Authentication

Credential Access, Defense Evasion, Persistence

1

T1557.002

Adversary-in-the-Middle: ARP Cache Poisoning

Collection, Credential Access

1

T1558.001

Steal or Forge Kerberos Tickets: Golden Ticket

Credential Access

1

T1562.003

Impair Defenses: Impair Command History Logging

Defense Evasion

1

T1564.009

Hide Artifacts: Resource Forking

Defense Evasion

1

T1564.010

Hide Artifacts: Process Argument Spoofing

Defense Evasion

1

T1565.003

Data Manipulation: Runtime Data Manipulation

Impact

1

T1568.003

Dynamic Resolution: DNS Calculation

Command and Control

1

T1574.010

Hijack Execution Flow: Services File Permissions Weakness

Defense Evasion, Persistence, Privilege Escalation

1

T1574.012

Hijack Execution Flow: COR_PROFILER

Defense Evasion, Persistence, Privilege Escalation

1

T1574.013

Hijack Execution Flow: KernelCallbackTable

Defense Evasion, Persistence, Privilege Escalation

1

T1578.002

Modify Cloud Compute Infrastructure: Create Cloud Instance

Defense Evasion

1

T1578.003

Modify Cloud Compute Infrastructure: Delete Cloud Instance

Defense Evasion

1

T1584.003

Compromise Infrastructure: Virtual Private Server

Resource Development

1

T1584.006

Compromise Infrastructure: Web Services

Resource Development

1

T1586.001

Compromise Accounts: Social Media Accounts

Resource Development

1

T1588.005

Obtain Capabilities: Exploits

Resource Development

1

T1588.006

Obtain Capabilities: Vulnerabilities

Resource Development

1

T1592.004

Gather Victim Host Information: Client Configurations

Reconnaissance

1

T1593.002

Search Open Websites/Domains: Search Engines

Reconnaissance

1

T1593.003

Search Open Websites/Domains: Code Repositories

Reconnaissance

1

T1595.003

Active Scanning: Wordlist Scanning

Reconnaissance

1

T1597.002

Search Closed Sources: Purchase Technical Data

Reconnaissance

1

T1601.001

Modify System Image: Patch System Image

Defense Evasion

1

T1606.001

Forge Web Credentials: Web Cookies

Credential Access

1

T1613

Container and Resource Discovery

Discovery

1

T1621

Multi-Factor Authentication Request Generation

Credential Access

1

T1647

Plist File Modification

Defense Evasion

1

T1649

Steal or Forge Authentication Certificates

Credential Access

Red Canary

Since 2019, Red Canary has published Threat Detection Reports that list the top 10 to 15 techniques observed in that year. Below are the techniques that have appeared in those rankings, sorted by the number of reports in which they appear:

| Count | Technique |
|---|---|
| 6 | Rundll32 |
| 5 | Obfuscated Files or Information |
| 5 | PowerShell |
| 5 | Process Injection |
| 5 | Windows Management Instrumentation |
| 4 | Ingress Tool Transfer |
| 4 | Rename System Utilities |
| 4 | Scheduled Task |
| 4 | Service Execution |
| 3 | LSASS Memory |
| 3 | Mshta |
| 3 | Windows Command Shell |
| 2 | Accessibility Features |
| 2 | Credential Dumping |
| 2 | Deobfuscate/Decode Files or Information |
| 2 | Disable or Modify Tools |
| 2 | DLL Search Order Hijacking |
| 2 | Masquerading |
| 2 | Spearphishing Attachment |
| 2 | Windows Admin Shares |
| 1 | Account Discovery |
| 1 | Background Intelligent Transfer Service (BITS) |
| 1 | Bypass User Account Control |
| 1 | Clear Command History |
| 1 | Cloud Accounts |
| 1 | Connection Proxy |
| 1 | Data Compressed |
| 1 | Data Staged |
| 1 | Domain Trust Discovery |
| 1 | Email Forwarding Rule |
| 1 | Exfiltration Over Alternative Protocol |
| 1 | Exploitation for Privilege Escalation |
| 1 | File and Directory Discovery |
| 1 | Indicator Removal on Host |
| 1 | InstallUtil |
| 1 | Match Legitimate Name or Location |
| 1 | OS Credential Dumping |
| 1 | Pass the Ticket |
| 1 | Permission Groups Discovery |
| 1 | Process Hollowing |
| 1 | Registry Run Keys / Start Folder |
| 1 | Regsvcs/Regasm |
| 1 | Regsvr32 |
| 1 | Signed Binary Proxy Execution |
| 1 | Trusted Developer Utilities |
| 1 | Web Shell |
| 1 | Windows Remote Management |
| 1 | Windows Service |
