Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Impact, Data Obfuscation, Data Compression, Credential Dumping, Winlogon Helper DLL, Data from Local System, File System Logical, System Service Discovery, Fallback Channels, Binary Padding, Window Discovery, Network Exfiltration, Query Registry, Port Monitors, Rootkit, Accessibility Features, System Network Configuration Discovery, Application Deployment Software, Remote System Discovery, System Firmware, Automated Exfiltration, Remote Services, Data Encrypted, Shortcut Modification, Custom Cryptographic, Data from Removable Media, Multiband Communication, Obfuscated Files or Information, Windows Remote Management, Scheduled Transfer, Data Transfer Size Limits, Modify Existing Service, Standard Cryptographic Protocol, System Owner/User Discovery, Path Interception, Service Execution, Masquerading, Logon Scripts, DLL Search Order Hijacking, Data from Network Shared Drive, Network Sniffing, Exfiltration Over C2C, Change Default File Association, Commonly Used Port, File System Permissions Weakness, Software Packing, Network Service Scanning, Windows Management Instrumentation, Exfiltration Over Alternative Protocol, System Network Connections Discovery, New Service, Shared Webroot, Exfiltration Over Physical Medium, Scheduled Task, Indicator Blocking, Process Injection, Input Capture, Process Discovery, Service Registry Permissions Weakness, Command-Line Interface, Registry Run Keys / Startup Folder, Graphical User Interface, Hypervisor, Security Software Discovery, Scripting, Uncommonly Used Port, Indicator Removal from Tools, Bootkit, Exploitation for Privilege Escalation, Permission Groups Discovery, Indicator Removal | File Deletion, Standard Application Layer Protocol, Third-party Software, DLL Side-Loading, Data Staged, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Valid Accounts, Multilayer Encryption, Taint Shared Content, Credentials in Files, System Information Discovery,
File and Directory Discovery, WMI Event Subscription, Rundll32, PowerShell, Account Discovery, Bypass User Account Control, Disabling Security Tools, Connection Proxy, Replication Through Removable Media, Communication Through Removable Media, Process Hollowing, Custom C2C Protocol, Standard Non-Application Layer Protocol, NTFS File Attributes, Pass the Ticket, Account Manipulation, Timestomp, Web Shell, Security Support Provider, Web Service, AppInit DLLs, Multi-Stage Channels, Remote File Copy, Execution through API, File Deletion, Redundant Access, Component Firmware, Brute Force, Two-Factor Authentication Interception, Modify Registry, Screen Capture, Email Collection, Clipboard Data, Code Signing, Regsvr32, InstallUtil, Automated Collection, Peripheral Device Discovery, Regsvcs/Regasm, Component Object Model Hijacking, Audio Capture, System Time Discovery, Video Capture, Network Share Connection Removal, Trusted Developer Utilities, Netsh Helper DLL, Execution through Module Load, Install Root Certificate, Authentication Package, Data Encoding, External Remote Services, Access Token Manipulation, Network Share Discovery, Create Account, Office Application Startup, Application Shimming, Bash History, Deobfuscate/Decode Files or Information, Input Prompt, Keychain, Hidden Window, Gatekeeper Bypass, Private Keys, Clear Command History, Hidden Users, HISTCONTROL, LC_MAIN Hijacking, Plist Modification, Space after Filename, Launchctl, Source, Trap, AppleScript, .bash_profile and .bashrc, Dylib Hijacking, Hidden Files and Directories, Launch Agent, Launch Daemon, LC_LOAD_DYLIB Addition, Login Item, Local Job Scheduling, Sudo, Mshta, LLMNR/NBT-NS Poisoning and Relay, Domain Fronting, Dynamic Data Exchange, Password Filter DLL, Distributed Component Object Model, Browser Extensions, LSASS Driver, SID-History Injection, Hooking, Screensaver, Extra Window Memory Injection, AppCert DLLs, Image File Execution Options Injection, SSH Hijacking, Man in the Browser, Process Doppelgaenging, Forced Authentication, Multi-hop Proxy, Drive-by Compromise, Exploit Public-Facing Application,
CMSTP, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Control Panel Items, BITS Jobs, SIP and Trust Provider Hijacking, Trusted Relationship, Hardware Additions, Password Policy Discovery, Indirect Command Execution, Exploitation for Client Execution, User Execution, Port Knocking, Sudo Caching, DCShadow, Kerberoasting, Time Providers, Exploitation of Remote Services, Exploitation for Defense Evasion, Exploitation for Credential Access, Data from Information Repositories, Credentials in Registry, Kernel Modules and Extensions, Signed Script Proxy Execution, Browser Bookmark Discovery, Signed Binary Proxy Execution, Remote Access Tools, Template Injection, File Permissions Modification, Compiled HTML File, Execution Guardrails, Domain Trust Discovery, Domain Generation Algorithms, Group Policy Modification, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe, Disk Content Wipe, Service Stop, Inhibit System Recovery, Defacement, Stored Data Manipulation, Transmitted Data Manipulation, Runtime Data Manipulation, Firmware Corruption, Resource Hijacking, Sandbox Evasion, Network Denial of Service, Endpoint Denial of Service, Compile After Delivery, System Service, System Shutdown/Reboot, Data from Local System, Create or Modify System Process, Startup Folder, Subvert Trust Controls, Archive Collected Data, System Services, Lateral Tool Transfer, Hijack Execution Flow, Reconnaissance, Reflective Code Loading