Technique Prevalence
MITRE
Most prevalent techniques for Windows OS according to MITRE:
Rank | ID | Technique | Tactic |
---|---|---|---|
1 | T1047 | Windows Management Instrumentation | Execution |
2 | T1059 | Command and Scripting Interpreter | Execution |
3 | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
4 | T1562 | Impair Defenses | Defense Evasion |
5 | T1021 | Remote Services | Lateral Movement |
6 | T1003 | OS Credential Dumping | Credential Access |
7 | T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
8 | T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
9 | T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
10 | T1055 | Process Injection | Defense Evasion, Privilege Escalation |
11 | T1105 | Ingress Tool Transfer | Command and Control |
12 | T1036 | Masquerading | Defense Evasion |
13 | T1090 | Proxy | Command and Control |
14 | T1218 | Signed Binary Proxy Execution | Defense Evasion |
15 | T1027 | Obfuscated Files or Information | Defense Evasion |
16 | T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
17 | T1204 | User Execution | Execution |
18 | T1219 | Remote Access Software | Command and Control |
19 | T1569 | System Services | Execution |
20 | T1190 | Exploit Public-Facing Application | Initial Access |
21 | T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
22 | T1552 | Unsecured Credentials | Credential Access |
23 | T1095 | Non-Application Layer Protocol | Command and Control |
24 | T1112 | Modify Registry | Defense Evasion |
25 | T1074 | Data Staged | Collection |
26 | T1071 | Application Layer Protocol | Command and Control |
27 | T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
28 | T1070 | Indicator Removal on Host | Defense Evasion |
29 | T1189 | Drive-by Compromise | Initial Access |
30 | T1482 | Domain Trust Discovery | Discovery |
31 | T1560 | Archive Collected Data | Collection |
32 | T1557 | Adversary-in-the-Middle | Collection, Credential Access |
33 | T1559 | Inter-Process Communication | Execution |
34 | T1570 | Lateral Tool Transfer | Lateral Movement |
35 | T1210 | Exploitation of Remote Services | Lateral Movement |
36 | T1555 | Credentials from Password Stores | Credential Access |
37 | T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
38 | T1072 | Software Deployment Tools | Execution, Lateral Movement |
39 | T1564 | Hide Artifacts | Defense Evasion |
40 | T1110 | Brute Force | Credential Access |
41 | T1213 | Data from Information Repositories | Collection |
42 | T1136 | Create Account | Persistence |
43 | T1197 | BITS Jobs | Defense Evasion, Persistence |
44 | T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery |
45 | T1222 | File and Directory Permissions Modification | Defense Evasion |
46 | T1106 | Native API | Execution |
47 | T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
48 | T1046 | Network Service Scanning | Discovery |
49 | T1012 | Query Registry | Discovery |
50 | T1040 | Network Sniffing | Credential Access, Discovery |
51 | T1133 | External Remote Services | Initial Access, Persistence |
52 | T1558 | Steal or Forge Kerberos Tickets | Credential Access |
53 | T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
54 | T1495 | Firmware Corruption | Impact |
55 | T1490 | Inhibit System Recovery | Impact |
56 | T1571 | Non-Standard Port | Command and Control |
57 | T1563 | Remote Service Session Hijacking | Lateral Movement |
58 | T1489 | Service Stop | Impact |
59 | T1539 | Steal Web Session Cookie | Credential Access |
60 | T1220 | XSL Script Processing | Defense Evasion |
61 | T1566 | Phishing | Initial Access |
62 | T1018 | Remote System Discovery | Discovery |
63 | T1033 | System Owner/User Discovery | Discovery |
64 | T1104 | Multi-Stage Channels | Command and Control |
65 | T1542 | Pre-OS Boot | Defense Evasion, Persistence |
66 | T1572 | Protocol Tunneling | Command and Control |
67 | T1203 | Exploitation for Client Execution | Execution |
68 | T1553 | Subvert Trust Controls | Defense Evasion |
69 | T1554 | Compromise Client Software Binary | Persistence |
70 | T1098 | Account Manipulation | Persistence, Privilege Escalation |
71 | T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
72 | T1137 | Office Application Startup | Persistence |
73 | T1211 | Exploitation for Defense Evasion | Defense Evasion |
74 | T1102 | Web Service | Command and Control |
75 | T1491 | Defacement | Impact |
76 | T1005 | Data from Local System | Collection |
77 | T1082 | System Information Discovery | Discovery |
78 | T1049 | System Network Connections Discovery | Discovery |
79 | T1056 | Input Capture | Collection, Credential Access |
80 | T1052 | Exfiltration Over Physical Medium | Exfiltration |
81 | T1221 | Template Injection | Defense Evasion |
82 | T1195 | Supply Chain Compromise | Initial Access |
83 | T1011 | Exfiltration Over Other Network Medium | Exfiltration |
84 | T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
85 | T1176 | Browser Extensions | Persistence |
86 | T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
87 | T1020 | Automated Exfiltration | Exfiltration |
88 | T1606 | Forge Web Credentials | Credential Access |
89 | T1534 | Internal Spearphishing | Lateral Movement |
90 | T1039 | Data from Network Shared Drive | Collection |
91 | T1132 | Data Encoding | Command and Control |
92 | T1505 | Server Software Component | Persistence |
93 | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
94 | T1041 | Exfiltration Over C2 Channel | Exfiltration |
95 | T1199 | Trusted Relationship | Initial Access |
96 | T1573 | Encrypted Channel | Command and Control |
97 | T1025 | Data from Removable Media | Collection |
98 | T1565 | Data Manipulation | Impact |
99 | T1496 | Resource Hijacking | Impact |
100 | T1486 | Data Encrypted for Impact | Impact |
101 | T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
102 | T1080 | Taint Shared Content | Lateral Movement |
103 | T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
104 | T1135 | Network Share Discovery | Discovery |
105 | T1212 | Exploitation for Credential Access | Credential Access |
106 | T1216 | Signed Script Proxy Execution | Defense Evasion |
107 | T1114 | Email Collection | Collection |
108 | T1518 | Software Discovery | Discovery |
109 | T1498 | Network Denial of Service | Impact |
110 | T1069 | Permission Groups Discovery | Discovery |
111 | T1087 | Account Discovery | Discovery |
112 | T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
113 | T1123 | Audio Capture | Collection |
114 | T1083 | File and Directory Discovery | Discovery |
115 | T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
116 | T1111 | Two-Factor Authentication Interception | Credential Access |
117 | T1113 | Screen Capture | Collection |
118 | T1207 | Rogue Domain Controller | Defense Evasion |
119 | T1124 | System Time Discovery | Discovery |
120 | T1531 | Account Access Removal | Impact |
121 | T1119 | Automated Collection | Collection |
122 | T1480 | Execution Guardrails | Defense Evasion |
123 | T1006 | Direct Volume Access | Defense Evasion |
124 | T1185 | Browser Session Hijacking | Collection |
125 | T1567 | Exfiltration Over Web Service | Exfiltration |
126 | T1001 | Data Obfuscation | Command and Control |
127 | T1568 | Dynamic Resolution | Command and Control |
128 | T1057 | Process Discovery | Discovery |
129 | T1485 | Data Destruction | Impact |
130 | T1092 | Communication Through Removable Media | Command and Control |
131 | T1202 | Indirect Command Execution | Defense Evasion |
132 | T1561 | Disk Wipe | Impact |
133 | T1499 | Endpoint Denial of Service | Impact |
134 | T1008 | Fallback Channels | Command and Control |
135 | T1030 | Data Transfer Size Limits | Exfiltration |
136 | T1029 | Scheduled Transfer | Exfiltration |
137 | T1016 | System Network Configuration Discovery | Discovery |
138 | T1129 | Shared Modules | Execution |
139 | T1187 | Forced Authentication | Credential Access |
140 | T1007 | System Service Discovery | Discovery |
141 | T1120 | Peripheral Device Discovery | Discovery |
142 | T1115 | Clipboard Data | Collection |
143 | T1010 | Application Window Discovery | Discovery |
144 | T1125 | Video Capture | Collection |
145 | T1014 | Rootkit | Defense Evasion |
146 | T1217 | Browser Bookmark Discovery | Discovery |
147 | T1529 | System Shutdown/Reboot | Impact |
148 | T1200 | Hardware Additions | Initial Access |
149 | T1201 | Password Policy Discovery | Discovery |
150 | T1611 | Escape to Host | Privilege Escalation |
Threat Reports
Most prevalent techniques and sub-techniques based on an analysis of over 750 threat intelligence reports:
Count | ID | Technique | Tactic |
---|---|---|---|
345 | T1105 | Ingress Tool Transfer | Command and Control |
310 | T1082 | System Information Discovery | Discovery |
280 | T1071.001 | Application Layer Protocol: Web Protocols | Command and Control |
267 | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Execution |
237 | T1083 | File and Directory Discovery | Discovery |
213 | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
208 | T1070.004 | Indicator Removal: File Deletion | Defense Evasion |
207 | T1057 | Process Discovery | Discovery |
202 | T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
190 | T1016 | System Network Configuration Discovery | Discovery |
187 | T1204.002 | User Execution: Malicious File | Execution |
179 | T1566.001 | Phishing: Spearphishing Attachment | Initial Access |
166 | T1059.001 | Command and Scripting Interpreter: PowerShell | Execution |
161 | T1033 | System Owner/User Discovery | Discovery |
138 | T1005 | Data from Local System | Collection |
136 | T1113 | Screen Capture | Collection |
135 | T1056.001 | Input Capture: Keylogging | Collection, Credential Access |
134 | T1036.005 | Masquerading: Match Legitimate Name or Location | Defense Evasion |
131 | T1106 | Native API | Execution |
128 | T1053.005 | Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
126 | T1112 | Modify Registry | Defense Evasion |
124 | T1573.001 | Encrypted Channel: Symmetric Cryptography | Command and Control |
118 | T1059.005 | Command and Scripting Interpreter: Visual Basic | Execution |
113 | T1041 | Exfiltration Over C2 Channel | Exfiltration |
99 | T1543.003 | Create or Modify System Process: Windows Service | Persistence, Privilege Escalation |
94 | T1518.001 | Software Discovery: Security Software Discovery | Discovery |
91 | T1047 | Windows Management Instrumentation | Execution |
85 | T1012 | Query Registry | Discovery |
84 | T1132.001 | Data Encoding: Standard Encoding | Command and Control |
79 | T1204.001 | User Execution: Malicious Link | Execution |
76 | T1566.002 | Phishing: Spearphishing Link | Initial Access |
74 | T1074.001 | Data Staged: Local Data Staging | Collection |
72 | T1027.002 | Obfuscated Files or Information: Software Packing | Defense Evasion |
72 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access |
68 | T1049 | System Network Connections Discovery | Discovery |
68 | T1218.011 | System Binary Proxy Execution: Rundll32 | Defense Evasion |
68 | T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
66 | T1203 | Exploitation for Client Execution | Execution |
64 | T1588.002 | Obtain Capabilities: Tool | Resource Development |
63 | T1124 | System Time Discovery | Discovery |
59 | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | Discovery |
58 | T1095 | Non-Application Layer Protocol | Command and Control |
56 | T1036.004 | Masquerading: Masquerade Task or Service | Defense Evasion |
54 | T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access |
52 | T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
49 | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
48 | T1486 | Data Encrypted for Impact | Impact |
48 | T1553.002 | Subvert Trust Controls: Code Signing | Defense Evasion |
48 | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Command and Control |
47 | T1560.001 | Archive Collected Data: Archive via Utility | Collection |
47 | T1569.002 | System Services: Service Execution | Execution |
46 | T1007 | System Service Discovery | Discovery |
46 | T1059.007 | Command and Scripting Interpreter: JavaScript | Execution |
46 | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Defense Evasion, Discovery |
45 | T1071.004 | Application Layer Protocol: DNS | Command and Control |
44 | T1189 | Drive-by Compromise | Initial Access |
43 | T1102.002 | Web Service: Bidirectional Communication | Command and Control |
43 | T1120 | Peripheral Device Discovery | Discovery |
42 | T1119 | Automated Collection | Collection |
42 | T1135 | Network Share Discovery | Discovery |
41 | T1046 | Network Service Discovery | Discovery |
41 | T1070.006 | Indicator Removal: Timestomp | Defense Evasion |
41 | T1087.001 | Account Discovery: Local Account | Discovery |
41 | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Defense Evasion, Privilege Escalation |
41 | T1564.001 | Hide Artifacts: Hidden Files and Directories | Defense Evasion |
40 | T1008 | Fallback Channels | Command and Control |
38 | T1583.001 | Acquire Infrastructure: Domains | Resource Development |
37 | T1021.001 | Remote Services: Remote Desktop Protocol | Lateral Movement |
36 | T1059.006 | Command and Scripting Interpreter: Python | Execution |
36 | T1571 | Non-Standard Port | Command and Control |
35 | T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral Movement |
35 | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution |
35 | T1125 | Video Capture | Collection |
34 | T1055.012 | Process Injection: Process Hollowing | Defense Evasion, Privilege Escalation |
33 | T1027.001 | Obfuscated Files or Information: Binary Padding | Defense Evasion |
33 | T1190 | Exploit Public-Facing Application | Initial Access |
32 | T1115 | Clipboard Data | Collection |
32 | T1560.003 | Archive Collected Data: Archive via Custom Method | Collection |
31 | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Impact |
30 | T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
30 | T1490 | Inhibit System Recovery | Impact |
30 | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Persistence, Privilege Escalation |
30 | T1564.003 | Hide Artifacts: Hidden Window | Defense Evasion |
29 | T1133 | External Remote Services | Initial Access, Persistence |
29 | T1489 | Service Stop | Impact |
28 | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Defense Evasion |
27 | T1087.002 | Account Discovery: Domain Account | Discovery |
27 | T1123 | Audio Capture | Collection |
27 | T1218.010 | System Binary Proxy Execution: Regsvr32 | Defense Evasion |
27 | T1485 | Data Destruction | Impact |
26 | T1025 | Data from Removable Media | Collection |
26 | T1505.003 | Server Software Component: Web Shell | Persistence |
25 | T1010 | Application Window Discovery | Discovery |
24 | T1090.002 | Proxy: External Proxy | Command and Control |
24 | T1210 | Exploitation of Remote Services | Lateral Movement |
24 | T1552.001 | Unsecured Credentials: Credentials In Files | Credential Access |
23 | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Command and Control |
22 | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
22 | T1070.001 | Indicator Removal: Clear Windows Event Logs | Defense Evasion |
22 | T1218.005 | System Binary Proxy Execution: Mshta | Defense Evasion |
22 | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltration |
20 | T1027.003 | Obfuscated Files or Information: Steganography | Defense Evasion |
20 | T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
20 | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
19 | T1071.003 | Application Layer Protocol: Mail Protocols | Command and Control |
19 | T1102.001 | Web Service: Dead Drop Resolver | Command and Control |
19 | T1614.001 | System Location Discovery: System Language Discovery | Discovery |
18 | T1018 | Remote System Discovery | Discovery |
18 | T1069.001 | Permission Groups Discovery: Local Groups | Discovery |
18 | T1090.001 | Proxy: Internal Proxy | Command and Control |
18 | T1136.001 | Create Account: Local Account | Persistence |
18 | T1219 | Remote Access Software | Command and Control |
17 | T1014 | Rootkit | Defense Evasion |
17 | T1218.007 | System Binary Proxy Execution: Msiexec | Defense Evasion |
17 | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Execution |
17 | T1570 | Lateral Tool Transfer | Lateral Movement |
17 | T1583.006 | Acquire Infrastructure: Web Services | Resource Development |
16 | T1071.002 | Application Layer Protocol: File Transfer Protocols | Command and Control |
16 | T1078.002 | Valid Accounts: Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
16 | T1114.002 | Email Collection: Remote Email Collection | Collection |
16 | T1185 | Browser Session Hijacking | Collection |
16 | T1543.001 | Create or Modify System Process: Launch Agent | Persistence, Privilege Escalation |
16 | T1572 | Protocol Tunneling | Command and Control |
16 | T1598.003 | Phishing for Information: Spearphishing Link | Reconnaissance |
15 | T1029 | Scheduled Transfer | Exfiltration |
15 | T1069.002 | Permission Groups Discovery: Domain Groups | Discovery |
15 | T1559.001 | Inter-Process Communication: Component Object Model | Execution |
14 | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Defense Evasion |
14 | T1053.003 | Scheduled Task/Job: Cron | Execution, Persistence, Privilege Escalation |
14 | T1129 | Shared Modules | Execution |
14 | T1529 | System Shutdown/Reboot | Impact |
14 | T1561.002 | Disk Wipe: Disk Structure Wipe | Impact |
14 | T1589.002 | Gather Victim Identity Information: Email Addresses | Reconnaissance |
14 | T1608.001 | Stage Capabilities: Upload Malware | Resource Development |
13 | T1001.001 | Data Obfuscation: Junk Data | Command and Control |
13 | T1001.003 | Data Obfuscation: Protocol Impersonation | Command and Control |
13 | T1003.002 | OS Credential Dumping: Security Account Manager | Credential Access |
13 | T1003.004 | OS Credential Dumping: LSA Secrets | Credential Access |
13 | T1021.004 | Remote Services: SSH | Lateral Movement |
13 | T1090.003 | Proxy: Multi-hop Proxy | Command and Control |
13 | T1110.003 | Brute Force: Password Spraying | Credential Access |
13 | T1587.001 | Develop Capabilities: Malware | Resource Development |
12 | T1003.003 | OS Credential Dumping: NTDS | Credential Access |
12 | T1040 | Network Sniffing | Credential Access, Discovery |
12 | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Initial Access |
12 | T1199 | Trusted Relationship | Initial Access |
12 | T1496 | Resource Hijacking | Impact |
12 | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
12 | T1560.002 | Archive Collected Data: Archive via Library | Collection |
12 | T1585.002 | Establish Accounts: Email Accounts | Resource Development |
11 | T1030 | Data Transfer Size Limits | Exfiltration |
11 | T1039 | Data from Network Shared Drive | Collection |
11 | T1078.003 | Valid Accounts: Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
11 | T1110.001 | Brute Force: Password Guessing | Credential Access |
11 | T1114.001 | Email Collection: Local Email Collection | Collection |
11 | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
11 | T1134.002 | Access Token Manipulation: Create Process with Token | Defense Evasion, Privilege Escalation |
11 | T1197 | BITS Jobs | Defense Evasion, Persistence |
11 | T1217 | Browser Information Discovery | Discovery |
11 | T1221 | Template Injection | Defense Evasion |
11 | T1539 | Steal Web Session Cookie | Credential Access |
11 | T1564.004 | Hide Artifacts: NTFS File Attributes | Defense Evasion |
10 | T1087.003 | Account Discovery: Email Account | Discovery |
10 | T1104 | Multi-Stage Channels | Command and Control |
10 | T1543.004 | Create or Modify System Process: Launch Daemon | Persistence, Privilege Escalation |
10 | T1552.004 | Unsecured Credentials: Private Keys | Credential Access |
10 | T1585.001 | Establish Accounts: Social Media Accounts | Resource Development |
9 | T1001.002 | Data Obfuscation: Steganography | Command and Control |
9 | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Discovery |
9 | T1021.005 | Remote Services: VNC | Lateral Movement |
9 | T1074.002 | Data Staged: Remote Data Staging | Collection |
9 | T1080 | Taint Shared Content | Lateral Movement |
9 | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Defense Evasion |
9 | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Persistence, Privilege Escalation |
9 | T1566.003 | Phishing: Spearphishing via Service | Initial Access |
9 | T1584.001 | Compromise Infrastructure: Domains | Resource Development |
9 | T1595.002 | Active Scanning: Vulnerability Scanning | Reconnaissance |
8 | T1055.004 | Process Injection: Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
8 | T1056.004 | Input Capture: Credential API Hooking | Collection, Credential Access |
8 | T1070.009 | Indicator Removal: Clear Persistence | Defense Evasion |
8 | T1132.002 | Data Encoding: Non-Standard Encoding | Command and Control |
8 | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Defense Evasion |
8 | T1482 | Domain Trust Discovery | Discovery |
8 | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Persistence, Privilege Escalation |
8 | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access |
8 | T1584.004 | Compromise Infrastructure: Server | Resource Development |
8 | T1588.001 | Obtain Capabilities: Malware | Resource Development |
7 | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Credential Access |
7 | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Defense Evasion |
7 | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Exfiltration |
7 | T1055.002 | Process Injection: Portable Executable Injection | Defense Evasion, Privilege Escalation |
7 | T1218.001 | System Binary Proxy Execution: Compiled HTML File | Defense Evasion |
7 | T1542.003 | Pre-OS Boot: Bootkit | Defense Evasion, Persistence |
7 | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Defense Evasion, Lateral Movement |
7 | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | Defense Evasion |
7 | T1620 | Reflective Code Loading | Defense Evasion |
7 | T1622 | Debugger Evasion | Defense Evasion, Discovery |
6 | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | Persistence, Privilege Escalation |
6 | T1070.003 | Indicator Removal: Clear Command History | Defense Evasion |
6 | T1078.004 | Valid Accounts: Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
6 | T1586.002 | Compromise Accounts: Email Accounts | Resource Development |
6 | T1589.001 | Gather Victim Identity Information: Credentials | Reconnaissance |
6 | T1598.002 | Phishing for Information: Spearphishing Attachment | Reconnaissance |
5 | T1021.006 | Remote Services: Windows Remote Management | Lateral Movement |
5 | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Defense Evasion |
5 | T1036.001 | Masquerading: Invalid Code Signature | Defense Evasion |
5 | T1036.002 | Masquerading: Right-to-Left Override | Defense Evasion |
5 | T1098.004 | Account Manipulation: SSH Authorized Keys | Persistence, Privilege Escalation |
5 | T1102.003 | Web Service: One-Way Communication | Command and Control |
5 | T1136.002 | Create Account: Domain Account | Persistence |
5 | T1480.001 | Execution Guardrails: Environmental Keying | Defense Evasion |
5 | T1534 | Internal Spearphishing | Lateral Movement |
5 | T1543.002 | Create or Modify System Process: Systemd Service | Persistence, Privilege Escalation |
5 | T1552.002 | Unsecured Credentials: Credentials in Registry | Credential Access |
5 | T1554 | Compromise Host Software Binary | Persistence |
5 | T1565.002 | Data Manipulation: Transmitted Data Manipulation | Impact |
5 | T1569.001 | System Services: Launchctl | Execution |
5 | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
5 | T1583.003 | Acquire Infrastructure: Virtual Private Server | Resource Development |
5 | T1583.004 | Acquire Infrastructure: Server | Resource Development |
5 | T1588.003 | Obtain Capabilities: Code Signing Certificates | Resource Development |
5 | T1594 | Search Victim-Owned Websites | Reconnaissance |
4 | T1003.006 | OS Credential Dumping: DCSync | Credential Access |
4 | T1036.003 | Masquerading: Rename System Utilities | Defense Evasion |
4 | T1036.007 | Masquerading: Double File Extension | Defense Evasion |
4 | T1053.002 | Scheduled Task/Job: At | Execution, Persistence, Privilege Escalation |
4 | T1110.002 | Brute Force: Password Cracking | Credential Access |
4 | T1111 | Multi-Factor Authentication Interception | Credential Access |
4 | T1187 | Forced Authentication | Credential Access |
4 | T1218.004 | System Binary Proxy Execution: InstallUtil | Defense Evasion |
4 | T1220 | XSL Script Processing | Defense Evasion |
4 | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Defense Evasion, Privilege Escalation |
4 | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Defense Evasion, Discovery |
4 | T1531 | Account Access Removal | Impact |
4 | T1546.008 | Event Triggered Execution: Accessibility Features | Persistence, Privilege Escalation |
4 | T1546.010 | Event Triggered Execution: AppInit DLLs | Persistence, Privilege Escalation |
4 | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | Defense Evasion |
4 | T1555.005 | Credentials from Password Stores: Password Managers | Credential Access |
4 | T1561.001 | Disk Wipe: Disk Content Wipe | Impact |
4 | T1564.005 | Hide Artifacts: Hidden File System | Defense Evasion |
4 | T1568.001 | Dynamic Resolution: Fast Flux DNS | Command and Control |
4 | T1588.004 | Obtain Capabilities: Digital Certificates | Resource Development |
4 | T1591.004 | Gather Victim Org Information: Identify Roles | Reconnaissance |
4 | T1608.004 | Stage Capabilities: Drive-by Target | Resource Development |
4 | T1611 | Escape to Host | Privilege Escalation |
3 | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Defense Evasion |
3 | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | Persistence, Privilege Escalation |
3 | T1055.003 | Process Injection: Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
3 | T1055.013 | Process Injection: Process Doppelgänging | Defense Evasion, Privilege Escalation |
3 | T1059.002 | Command and Scripting Interpreter: AppleScript | Execution |
3 | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | Defense Evasion |
3 | T1072 | Software Deployment Tools | Execution, Lateral Movement |
3 | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | Persistence, Privilege Escalation |
3 | T1110.004 | Brute Force: Credential Stuffing | Credential Access |
3 | T1114.003 | Email Collection: Email Forwarding Rule | Collection |
3 | T1176 | Browser Extensions | Persistence |
3 | T1201 | Password Policy Discovery | Discovery |
3 | T1213.002 | Data from Information Repositories: Sharepoint | Collection |
3 | T1218.002 | System Binary Proxy Execution: Control Panel | Defense Evasion |
3 | T1491.001 | Defacement: Internal Defacement | Impact |
3 | T1505.004 | Server Software Component: IIS Components | Persistence |
3 | T1546.011 | Event Triggered Execution: Application Shimming | Persistence, Privilege Escalation |
3 | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | Persistence, Privilege Escalation |
3 | T1547.012 | Boot or Logon Autostart Execution: Print Processors | Persistence, Privilege Escalation |
3 | T1547.015 | Boot or Logon Autostart Execution: Login Items | Persistence, Privilege Escalation |
3 | T1550.001 | Use Alternate Authentication Material: Application Access Token | Defense Evasion, Lateral Movement |
3 | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Defense Evasion, Lateral Movement |
3 | T1553.004 | Subvert Trust Controls: Install Root Certificate | Defense Evasion |
3 | T1555.001 | Credentials from Password Stores: Keychain | Credential Access |
3 | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
3 | T1562.002 | Impair Defenses: Disable Windows Event Logging | Defense Evasion |
3 | T1562.006 | Impair Defenses: Indicator Blocking | Defense Evasion |
3 | T1564.002 | Hide Artifacts: Hidden Users | Defense Evasion |
3 | T1564.006 | Hide Artifacts: Run Virtual Instance | Defense Evasion |
3 | T1589.003 | Gather Victim Identity Information: Employee Names | Reconnaissance |
3 | T1591.002 | Gather Victim Org Information: Business Relationships | Reconnaissance |
3 | T1593.001 | Search Open Websites/Domains: Social Media | Reconnaissance |
3 | T1609 | Container Administration Command | Execution |
3 | T1610 | Deploy Container | Defense Evasion, Execution |
2 | T1027.006 | Obfuscated Files or Information: HTML Smuggling | Defense Evasion |
2 | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
2 | T1056.002 | Input Capture: GUI Input Capture | Collection, Credential Access |
2 | T1070.005 | Indicator Removal: Network Share Connection Removal | Defense Evasion |
2 | T1070.008 | Indicator Removal: Clear Mailbox Data | Defense Evasion |
2 | T1078.001 | Valid Accounts: Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
2 | T1087.004 | Account Discovery: Cloud Account | Discovery |
2 | T1092 | Communication Through Removable Media | Command and Control |
2 | T1098.003 | Account Manipulation: Additional Cloud Roles | Persistence, Privilege Escalation |
2 | T1134.004 | Access Token Manipulation: Parent PID Spoofing | Defense Evasion, Privilege Escalation |
2 | T1136.003 | Create Account: Cloud Account | Persistence |
2 | T1137.001 | Office Application Startup: Office Template Macros | Persistence |
2 | T1137.006 | Office Application Startup: Add-ins | Persistence |
2 | T1202 | Indirect Command Execution | Defense Evasion |
2 | T1218.003 | System Binary Proxy Execution: CMSTP | Defense Evasion |
2 | T1218.008 | System Binary Proxy Execution: Odbcconf | Defense Evasion |
2 | T1495 | Firmware Corruption | Impact |
2 | T1505.001 | Server Software Component: SQL Stored Procedures | Persistence |
2 | T1542.002 | Pre-OS Boot: Component Firmware | Defense Evasion, Persistence |
2 | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | Persistence, Privilege Escalation |
2 | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Persistence, Privilege Escalation |
2 | T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries | Persistence, Privilege Escalation |
2 | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | Defense Evasion, Privilege Escalation |
2 | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Defense Evasion, Lateral Movement |
2 | T1552.006 | Unsecured Credentials: Group Policy Preferences | Credential Access |
2 | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
2 | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
2 | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | Lateral Movement |
2 | T1565.001 | Data Manipulation: Stored Data Manipulation | Impact |
2 | T1583.002 | Acquire Infrastructure: DNS Server | Resource Development |
2 | T1584.005 | Compromise Infrastructure: Botnet | Resource Development |
2 | T1587.002 | Develop Capabilities: Code Signing Certificates | Resource Development |
2 | T1587.003 | Develop Capabilities: Digital Certificates | Resource Development |
2 | T1590.001 | Gather Victim Network Information: Domain Properties | Reconnaissance |
2 | T1590.005 | Gather Victim Network Information: IP Addresses | Reconnaissance |
2 | T1592.002 | Gather Victim Host Information: Software | Reconnaissance |
2 | T1608.002 | Stage Capabilities: Upload Tool | Resource Development |
2 | T1608.005 | Stage Capabilities: Link Target | Resource Development |
2 | T1615 | Group Policy Discovery | Discovery |
1 | T1027.008 | Obfuscated Files or Information: Stripped Payloads | Defense Evasion |
1 | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | Persistence, Privilege Escalation |
1 | T1055.005 | Process Injection: Thread Local Storage | Defense Evasion, Privilege Escalation |
1 | T1055.015 | Process Injection: ListPlanting | Defense Evasion, Privilege Escalation |
1 | T1056.003 | Input Capture: Web Portal Capture | Collection, Credential Access |
1 | T1069.003 | Permission Groups Discovery: Cloud Groups | Discovery |
1 | T1070.007 | Indicator Removal: Clear Network Connection History and Configurations | Defense Evasion |
1 | T1090.004 | Proxy: Domain Fronting | Command and Control |
1 | T1098.001 | Account Manipulation: Additional Cloud Credentials | Persistence, Privilege Escalation |
1 | T1098.005 | Account Manipulation: Device Registration | Persistence, Privilege Escalation |
1 | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Defense Evasion |
1 | T1134.003 | Access Token Manipulation: Make and Impersonate Token | Defense Evasion, Privilege Escalation |
1 | T1134.005 | Access Token Manipulation: SID-History Injection | Defense Evasion, Privilege Escalation |
1 | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Initial Access |
1 | T1200 | Hardware Additions | Initial Access |
1 | T1204.003 | User Execution: Malicious Image | Execution |
1 | T1205.001 | Traffic Signaling: Port Knocking | Command and Control, Defense Evasion, Persistence |
1 | T1205.002 | Traffic Signaling: Socket Filters | Command and Control, Defense Evasion, Persistence |
1 | T1207 | Rogue Domain Controller | Defense Evasion |
1 | T1211 | Exploitation for Defense Evasion | Defense Evasion |
1 | T1213.001 | Data from Information Repositories: Confluence | Collection |
1 | T1213.003 | Data from Information Repositories: Code Repositories | Collection |
1 | T1218.009 | System Binary Proxy Execution: Regsvcs/Regasm | Defense Evasion |
1 | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | Defense Evasion, Privilege Escalation |
1 | T1491.002 | Defacement: External Defacement | Impact |
1 | T1499.004 | Endpoint Denial of Service: Application or System Exploitation | Impact |
1 | T1505.002 | Server Software Component: Transport Agent | Persistence |
1 | T1526 | Cloud Service Discovery | Discovery |
1 | T1528 | Steal Application Access Token | Credential Access |
1 | T1530 | Data from Cloud Storage | Collection |
1 | T1542.001 | Pre-OS Boot: System Firmware | Defense Evasion, Persistence |
1 | T1546.001 | Event Triggered Execution: Change Default File Association | Persistence, Privilege Escalation |
1 | T1546.002 | Event Triggered Execution: Screensaver | Persistence, Privilege Escalation |
1 | T1546.013 | Event Triggered Execution: PowerShell Profile | Persistence, Privilege Escalation |
1 | T1546.016 | Event Triggered Execution: Installer Packages | Persistence, Privilege Escalation |
1 | T1547.002 | Boot or Logon Autostart Execution: Authentication Package | Persistence, Privilege Escalation |
1 | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver | Persistence, Privilege Escalation |
1 | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
1 | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt | Defense Evasion, Privilege Escalation |
1 | T1552.003 | Unsecured Credentials: Bash History | Credential Access |
1 | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | Credential Access |
1 | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Defense Evasion |
1 | T1556.002 | Modify Authentication Process: Password Filter DLL | Credential Access, Defense Evasion, Persistence |
1 | T1556.004 | Modify Authentication Process: Network Device Authentication | Credential Access, Defense Evasion, Persistence |
1 | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning | Collection, Credential Access |
1 | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Credential Access |
1 | T1562.003 | Impair Defenses: Impair Command History Logging | Defense Evasion |
1 | T1564.009 | Hide Artifacts: Resource Forking | Defense Evasion |
1 | T1564.010 | Hide Artifacts: Process Argument Spoofing | Defense Evasion |
1 | T1565.003 | Data Manipulation: Runtime Data Manipulation | Impact |
1 | T1568.003 | Dynamic Resolution: DNS Calculation | Command and Control |
1 | T1574.010 | Hijack Execution Flow: Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
1 | T1574.012 | Hijack Execution Flow: COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
1 | T1574.013 | Hijack Execution Flow: KernelCallbackTable | Defense Evasion, Persistence, Privilege Escalation |
1 | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | Defense Evasion |
1 | T1578.003 | Modify Cloud Compute Infrastructure: Delete Cloud Instance | Defense Evasion |
1 | T1584.003 | Compromise Infrastructure: Virtual Private Server | Resource Development |
1 | T1584.006 | Compromise Infrastructure: Web Services | Resource Development |
1 | T1586.001 | Compromise Accounts: Social Media Accounts | Resource Development |
1 | T1588.005 | Obtain Capabilities: Exploits | Resource Development |
1 | T1588.006 | Obtain Capabilities: Vulnerabilities | Resource Development |
1 | T1592.004 | Gather Victim Host Information: Client Configurations | Reconnaissance |
1 | T1593.002 | Search Open Websites/Domains: Search Engines | Reconnaissance |
1 | T1593.003 | Search Open Websites/Domains: Code Repositories | Reconnaissance |
1 | T1595.003 | Active Scanning: Wordlist Scanning | Reconnaissance |
1 | T1597.002 | Search Closed Sources: Purchase Technical Data | Reconnaissance |
1 | T1601.001 | Modify System Image: Patch System Image | Defense Evasion |
1 | T1606.001 | Forge Web Credentials: Web Cookies | Credential Access |
1 | T1613 | Container and Resource Discovery | Discovery |
1 | T1621 | Multi-Factor Authentication Request Generation | Credential Access |
1 | T1647 | Plist File Modification | Defense Evasion |
1 | T1649 | Steal or Forge Authentication Certificates | Credential Access |
Red Canary
Since 2019, Red Canary has published an annual Threat Detection Report that lists the top 10 to 15 techniques observed that year. Below are the techniques that have appeared in those rankings, sorted by the number of reports in which they appeared:
Count | Technique |
---|---|
6 | Rundll32 |
5 | Obfuscated Files or Information |
5 | PowerShell |
5 | Process Injection |
5 | Windows Management Instrumentation |
4 | Ingress Tool Transfer |
4 | Rename System Utilities |
4 | Scheduled Task |
4 | Service Execution |
3 | LSASS Memory |
3 | Mshta |
3 | Windows Command Shell |
2 | Accessibility Features |
2 | Credential Dumping |
2 | Deobfuscate/Decode Files or Information |
2 | Disable or Modify Tools |
2 | DLL Search Order Hijacking |
2 | Masquerading |
2 | Spearphishing Attachment |
2 | Windows Admin Shares |
1 | Account Discovery |
1 | Background Intelligent Transfer Service (BITS) |
1 | Bypass User Account Control |
1 | Clear Command History |
1 | Cloud Accounts |
1 | Connection Proxy |
1 | Data Compressed |
1 | Data Staged |
1 | Domain Trust Discovery |
1 | Email Forwarding Rule |
1 | Exfiltration Over Alternative Protocol |
1 | Exploitation for Privilege Escalation |
1 | File and Directory Discovery |
1 | Indicator Removal on Host |
1 | InstallUtil |
1 | Match Legitimate Name or Location |
1 | OS Credential Dumping |
1 | Pass the Ticket |
1 | Permission Groups Discovery |
1 | Process Hollowing |
1 | Registry Run Keys / Start Folder |
1 | Regsvcs/Regasm |
1 | Regsvr32 |
1 | Signed Binary Proxy Execution |
1 | Trusted Developer Utilities |
1 | Web Shell |
1 | Windows Remote Management |
1 | Windows Service |