T1156 | .bash_profile and .bashrc | mitre_t1156_bash_profile_and_bashrc
T1548 | Abuse Elevation Control Mechanism | mitre_t1548_abuse_elevation_ctrl_mech
T1134 | Access Token Manipulation | mitre_t1134_access_token_manip
T1015 | Accessibility Features | mitre_t1015_accessibility_features
T1087 | Account Discovery | mitre_t1087_account_discovery
T1098 | Account Manipulation | mitre_t1098_account_manip
T1307 | Acquire and/or use 3rd party infrastructure services | mitre_t1307_acquire_and_or_use_3rd_party_infrastructure_services
T1329 | Acquire and/or use 3rd party infrastructure services | mitre_t1329_acquire_and_or_use_3rd_party_infrastructure_services
T1308 | Acquire and/or use 3rd party software services | mitre_t1308_acquire_and_or_use_3rd_party_software_services
T1330 | Acquire and/or use 3rd party software services | mitre_t1330_acquire_and_or_use_3rd_party_software_services
T1310 | Acquire or compromise 3rd party signing certificates | mitre_t1310_acquire_or_compromise_3rd_party_signing_certificates
T1182 | AppCert DLLs | mitre_t1182_appcert_dlls
T1103 | AppInit DLLs | mitre_t1103_appinit_dlls
T1155 | AppleScript | mitre_t1155_applescript
T1017 | Application Deployment Software | mitre_t1017_app_deployment_software
T1138 | Application Shimming | mitre_t1138_app_shimming
T1010 | Application Window Discovery | mitre_t1010_app_window_discovery
T1560 | Archive Collected Data | mitre_t1560_archive_collected_data
T1123 | Audio Capture | mitre_t1123_audio_capture
T1131 | Authentication Package | mitre_t1131_auth_package
T1119 | Automated Collection | mitre_t1119_auto_collection
T1020 | Automated Exfiltration | mitre_t1020_auto_exfil
T1139 | Bash History | mitre_t1139_bash_history
T1009 | Binary Padding | mitre_t1009_binary_padding
T1197 | BITS Jobs | mitre_t1197_bits_jobs
T1547 | Boot or Logon Autostart Execution | mitre_t1547_boot_or_logon_auto_exec
T1067 | Bootkit | mitre_t1067_bootkit
T1217 | Browser Bookmark Discovery | mitre_t1217_browser_bookmark_discovery
T1176 | Browser Extensions | mitre_t1176_browser_extensions
T1110 | Brute Force | mitre_t1110_brute_force
T1088 | Bypass User Account Control | mitre_t1088_bypass_uac
T1042 | Change Default File Association | mitre_t1042_change_default_file_assoc
T1146 | Clear Command History | mitre_t1146_clear_cmd_history
T1115 | Clipboard Data | mitre_t1115_clipboard_data
T1191 | CMSTP | mitre_t1191_cmstp
T1116 | Code Signing | mitre_t1116_code_signing
T1059 | Command-Line or Script Interface | mitre_t1059_cmd_line_or_script_inter
T1043 | Commonly Used Port | mitre_t1043_common_port
T1092 | Communication Through Removable Media | mitre_t1092_comm_thru_removable_media
T1500 | Compile After Delivery | mitre_t1500_compile_after_delivery
T1223 | Compiled HTML File | mitre_t1223_compiled_html_file
T1109 | Component Firmware | mitre_t1109_comp_firmware
T1175 | Component Object Model and Distributed COM | mitre_t1175_distributed_comp_object_model
T1122 | Component Object Model Hijacking | mitre_t1122_comp_obj_model_hij
T1196 | Control Panel Items | mitre_t1196_control_panel_items
T1136 | Create Account | mitre_t1136_create_account
T1345 | Create Custom Payloads | mitre_t1345_create_custom_payloads
T1543 | Create or Modify System Process | mitre_t1543_create_or_modify_sys_proc
T1003 | OS Credential Dumping | mitre_t1003_os_credential_dump
T1555 | Credentials from Password Stores | mitre_t1555_creds_from_pwd_stores
T1503 | Credentials from Web Browsers | mitre_t1503_credentials_from_web_browsers
T1081 | Credentials in Files | mitre_t1081_cred_in_files
T1214 | Credentials in Registry | mitre_t1214_creds_in_reg
T1094 | Custom Command and Control Protocol | mitre_t1094_custom_cmd_and_control_proto
T1024 | Custom Cryptographic Protocol | mitre_t1024_custom_crypto_proto
T1002 | Data Compressed | mitre_t1002_data_compressed
T1485 | Data Destruction | mitre_t1485_data_destruction
T1132 | Data Encoding | mitre_t1132_data_encoding
T1022 | Data Encrypted | mitre_t1022_data_encrypted
T1486 | Data Encrypted for Impact | mitre_t1486_data_encrypted_for_impact
T1213 | Data from Information Repositories | mitre_t1213_data_from_info_repos
T1005 | Data from Local System | mitre_t1005_data_from_local_sys
T1039 | Data from Network Shared Drive | mitre_t1039_data_from_network_shared_drive
T1025 | Data from Removable Media | mitre_t1025_data_from_removable_media
T1320 | Data Hiding | mitre_t1320_data_hiding
T1001 | Data Obfuscation | mitre_t1001_data_obfuscation
T1565 | Data Manipulation | mitre_t1565_data_manip
T1074 | Data Staged | mitre_t1074_data_staged
T1030 | Data Transfer Size Limits | mitre_t1030_data_transfer_size_limits
T1207 | Rogue Domain Controller | mitre_t1207_rogue_domain_controller
T1491 | Defacement | mitre_t1491_defacement
T1140 | Deobfuscate/Decode Files or Information | mitre_t1140_deobfuscate_or_decode_files_or_info
T1089 | Disabling Security Tools | mitre_t1089_disabling_security_tools
T1488 | Disk Content Wipe | mitre_t1488_disk_content_wipe
T1487 | Disk Structure Wipe | mitre_t1487_disk_structure_wipe
T1561 | Disk Wipe | mitre_t1561_disk_wipe
T1038 | DLL Search Order Hijacking | mitre_t1038_dll_search_order_hij
T1073 | DLL Side-Loading | mitre_t1073_dll_side_loading
T1172 | Domain Fronting | mitre_t1172_domain_fronting
T1483 | Domain Generation Algorithms | mitre_t1483_domain_generation_algorithms
T1482 | Domain Trust Discovery | mitre_t1482_domain_trust_discovery
T1189 | Drive-by Compromise | mitre_t1189_drive_by_compromise
T1157 | Dylib Hijacking | mitre_t1157_dylib_hijacking
T1173 | Dynamic Data Exchange | mitre_t1173_dynamic_data_exchange
T1568 | Dynamic Resolution | mitre_t1568_dynamic_resolution
T1514 | Elevated Execution with Prompt | mitre_t1514_elevated_execution_with_prompt
T1114 | Email Collection | mitre_t1114_email_collection
T1573 | Encrypted Channel | mitre_t1573_encrypted_channel
T1499 | Endpoint Denial of Service | mitre_t1499_endpoint_denial_of_service
T1546 | Event Triggered Execution | mitre_t1546_event_triggered_exec
T1480 | Execution Guardrails | mitre_t1480_exec_guardrails
T1106 | Native API | mitre_t1106_native_api
T1129 | Shared Modules | mitre_t1129_shared_modules
T1048 | Exfiltration Over Alternative Protocol | mitre_t1048_exfil_over_alt_proto
T1041 | Exfiltration Over Command and Control Channel | mitre_t1041_exfil_over_c2
T1011 | Exfiltration Over Other Network Medium | mitre_t1011_exfil_over_other_network_medium
T1052 | Exfiltration Over Physical Medium | mitre_t1052_exfil_over_physical_medium
T1190 | Exploit Public-Facing Application | mitre_t1190_exploit_public_facing_app
T1203 | Exploitation for Client Execution | mitre_t1203_exploit_for_client_exec
T1212 | Exploitation for Credential Access | mitre_t1212_exploit_for_cred_access
T1211 | Exploitation for Defense Evasion | mitre_t1211_exploit_for_defense_evasion
T1068 | Exploitation for Privilege Escalation | mitre_t1068_exploit_for_priv_escalation
T1210 | Exploitation of Remote Services | mitre_t1210_exploit_of_remote_services
T1133 | External Remote Services | mitre_t1133_external_remote_services
T1181 | Extra Window Memory Injection | mitre_t1181_extra_window_memory_inject
T1008 | Fallback Channels | mitre_t1008_fallback_channels
T1083 | File and Directory Discovery | mitre_t1083_file_and_dir_discovery
T1222 | File and Directory Permissions Modification | mitre_t1222_file_and_dir_perms_mod
T1107 | File Deletion | mitre_t1107_file_deletion
T1006 | Direct Volume Access | mitre_t1006_direct_volume_access
T1044 | File System Permissions Weakness | mitre_t1044_file_sys_perms_weakness
T1495 | Firmware Corruption | mitre_t1495_firmware_corruption
T1187 | Forced Authentication | mitre_t1187_forced_auth
T1144 | Gatekeeper Bypass | mitre_t1144_gatekeeper_bypass
T1061 | Graphical User Interface | mitre_t1061_graphical_user_interface
T1484 | Group Policy Modification | mitre_t1484_group_policy_mod
T1200 | Hardware Additions | mitre_t1200_hardware_additions
T1158 | Hidden Files and Directories | mitre_t1158_hidden_files_and_directories
T1147 | Hidden Users | mitre_t1147_hidden_users
T1143 | Hidden Window | mitre_t1143_hidden_window
T1564 | Hide Artifacts | mitre_t1564_hide_artifacts
T1574 | Hijack Execution Flow | mitre_t1574_hijack_exec_flow
T1148 | HISTCONTROL | mitre_t1148_histcontrol
T1179 | Hooking | mitre_t1179_hooking
T1062 | Hypervisor | mitre_t1062_hypervisor
T1183 | Image File Execution Options Injection | mitre_t1183_image_file_exec_options_inject
T1562 | Impair Defenses | mitre_t1562_impair_defenses
T1054 | Indicator Blocking | mitre_t1054_indicator_blocking
T1066 | Indicator Removal from Tools | mitre_t1066_indicator_removal_from_tools
T1070 | Indicator Removal on Host | mitre_t1070_indicator_removal_on_host
T1202 | Indirect Command Execution | mitre_t1202_indirect_command_execution
T1490 | Inhibit System Recovery | mitre_t1490_inhibit_sys_recovery
T1056 | Input Capture | mitre_t1056_input_capture
T1141 | Input Prompt | mitre_t1141_input_prompt
T1130 | Install Root Certificate | mitre_t1130_install_root_certificate
T1118 | InstallUtil | mitre_t1118_installutil
T1559 | Inter-Process Communication | mitre_t1559_inter_proc_comm
T1208 | Kerberoasting | mitre_t1208_kerberoasting
T1215 | Kernel Modules and Extensions | mitre_t1215_kernel_modules_and_extensions
T1142 | Keychain | mitre_t1142_keychain
T1570 | Lateral Tool Transfer | mitre_t1570_lateral_tool_transfer
T1159 | Launch Agent | mitre_t1159_launch_agent
T1160 | Launch Daemon | mitre_t1160_launch_daemon
T1152 | Launchctl | mitre_t1152_launchctl
T1161 | LC_LOAD_DYLIB Addition | mitre_t1161_lc_load_dylib_addition
T1149 | LC_MAIN Hijacking | mitre_t1149_lc_main_hijacking
T1171 | LLMNR/NBT-NS Poisoning and Relay | mitre_t1171_llmnr_nbt_ns_poisoning_and_relay
T1168 | Local Job Scheduling | mitre_t1168_local_job_scheduling
T1162 | Login Item | mitre_t1162_login_item
T1037 | Logon Scripts | mitre_t1037_logon_scripts
T1177 | LSASS Driver | mitre_t1177_lsass_driver
T1185 | Man in the Browser | mitre_t1185_man_in_the_browser
T1557 | Man-in-the-Middle | mitre_t1557_man_in_the_middle
T1036 | Masquerading | mitre_t1036_masquerading
T1556 | Modify Authentication Process | mitre_t1556_modify_auth_proc
T1578 | Modify Cloud Compute Infrastructure | mitre_t1578_modify_cloud_compute_infra
T1031 | Modify Existing Service | mitre_t1031_modify_existing_service
T1112 | Modify Registry | mitre_t1112_modify_registry
T1170 | Mshta | mitre_t1170_mshta
T1188 | Multi-hop Proxy | mitre_t1188_multi_hop_proxy
T1104 | Multi-Stage Channels | mitre_t1104_multi_stage_channels
T1026 | Multiband Communication | mitre_t1026_multiband_comm
T1079 | Multilayer Encryption | mitre_t1079_multilayer_encryption
T1128 | Netsh Helper DLL | mitre_t1128_netsh_helper_dll
T1498 | Network Denial of Service | mitre_t1498_network_denial_of_service
T1046 | Network Service Scanning | mitre_t1046_network_service_scanning
T1126 | Network Share Connection Removal | mitre_t1126_network_share_connection_removal
T1135 | Network Share Discovery | mitre_t1135_network_share_discovery
T1040 | Network Sniffing | mitre_t1040_network_sniffing
T1050 | New Service | mitre_t1050_new_service
T1095 | Non-Application Layer Protocol | mitre_t1095_non_app_layer_proto
T1571 | Non-Standard Port | mitre_t1571_non_std_port
T1096 | NTFS File Attributes | mitre_t1096_ntfs_file_attrib
T1027 | Obfuscated Files or Information | mitre_t1027_obfuscate_files_or_info
T1137 | Office Application Startup | mitre_t1137_office_app_startup
T1502 | Parent PID Spoofing | mitre_t1502_parent_pid_spoofing
T1075 | Pass the Hash | mitre_t1075_pass_the_hash
T1097 | Pass the Ticket | mitre_t1097_pass_the_ticket
T1174 | Password Filter DLL | mitre_t1174_password_filter_dll
T1201 | Password Policy Discovery | mitre_t1201_password_policy_discovery
T1034 | Path Interception | mitre_t1034_path_intercept
T1120 | Peripheral Device Discovery | mitre_t1120_periph_discovery
T1069 | Permission Groups Discovery | mitre_t1069_permission_discovery
T1566 | Phishing | mitre_t1566_phishing
T1150 | Plist Modification | mitre_t1150_plist_mod
T1205 | Traffic Signaling | mitre_t1205_traffic_signaling
T1013 | Port Monitors | mitre_t1013_port_monitors
T1086 | PowerShell | mitre_t1086_powershell
T1504 | PowerShell Profile | mitre_t1504_powershell_profile
T1542 | Pre-OS Boot | mitre_t1542_pre_os_boot
T1145 | Private Keys | mitre_t1145_private_keys
T1057 | Process Discovery | mitre_t1057_process_discovery
T1186 | Process Doppelgänging | mitre_t1186_process_doppelganging
T1093 | Process Hollowing | mitre_t1093_process_hollowing
T1055 | Process Injection | mitre_t1055_process_inject
T1090 | Proxy | mitre_t1090_proxy
T1012 | Query Registry | mitre_t1012_query_registry
T1163 | Rc.common | mitre_t1163_rc_common
T1164 | Re-opened Applications | mitre_t1164_re_opened_apps
T1108 | Redundant Access | mitre_t1108_redundant_access
T1060 | Registry Run Keys / Startup Folder | mitre_t1060_reg_run_keys
T1121 | Regsvcs/Regasm | mitre_t1121_regsvcs_regasm
T1117 | Regsvr32 | mitre_t1117_regsvr32
T1219 | Remote Access Software | mitre_t1219_remote_access_software
T1076 | Remote Desktop Protocol | mitre_t1076_remote_desktop_proto
T1105 | Ingress Tool Transfer | mitre_t1105_ingress_tool_transfer
T1021 | Remote Services | mitre_t1021_remote_services
T1563 | Remote Service Session Hijacking | mitre_t1563_remote_svc_session_hijack
T1018 | Remote System Discovery | mitre_t1018_remote_sys_discovery
T1091 | Replication Through Removable Media | mitre_t1091_replication_thru_removable_media
T1496 | Resource Hijacking | mitre_t1496_resource_hijacking
T1014 | Rootkit | mitre_t1014_rootkit
T1085 | Rundll32 | mitre_t1085_rundll32
T1494 | Runtime Data Manipulation | mitre_t1494_runtime_data_manip
T1053 | Scheduled Task or Job | mitre_t1053_scheduled_task_or_job
T1029 | Scheduled Transfer | mitre_t1029_scheduled_transfer
T1113 | Screen Capture | mitre_t1113_screen_cap
T1180 | Screensaver | mitre_t1180_screensaver
T1064 | Scripting | mitre_t1064_scripting
T1063 | Security Software Discovery | mitre_t1063_sec_software_discovery
T1101 | Security Support Provider | mitre_t1101_security_support_provider
T1167 | Securityd Memory | mitre_t1167_securityd_memory
T1505 | Server Software Component | mitre_t1505_server_software_component
T1035 | Service Execution | mitre_t1035_service_execution
T1058 | Service Registry Permissions Weakness | mitre_t1058_service_reg_perms_weakness
T1489 | Service Stop | mitre_t1489_service_stop
T1166 | Setuid and Setgid | mitre_t1166_setuid_and_setgid
T1051 | Shared Webroot | mitre_t1051_shared_webroot
T1023 | Shortcut Modification | mitre_t1023_shortcut_mod
T1178 | SID-History Injection | mitre_t1178_sid_history_inject
T1218 | Signed Binary Proxy Execution | mitre_t1218_signed_binary_proxy_exec
T1216 | Signed Script Proxy Execution | mitre_t1216_signed_script_proxy_exec
T1198 | SIP and Trust Provider Hijacking | mitre_t1198_sip_and_trust_provider_hijacking
T1072 | Software Deployment Tools | mitre_t1072_software_deployment_tools
T1518 | Software Discovery | mitre_t1518_software_discovery
T1045 | Software Packing | mitre_t1045_software_packaging
T1153 | Source | mitre_t1153_source
T1151 | Space after Filename | mitre_t1151_space_after_filename
T1193 | Spearphishing Attachment | mitre_t1193_spearphishing_attachment
T1192 | Spearphishing Link | mitre_t1192_spearphishing_link
T1194 | Spearphishing via Service | mitre_t1194_spearphishing_via_service
T1184 | SSH Hijacking | mitre_t1184_ssh_hijacking
T1071 | Standard Application Layer Protocol | mitre_t1071_stnd_app_layer_proto
T1032 | Standard Cryptographic Protocol | mitre_t1032_stnd_crypt_layer_proto
T1165 | Startup Items | mitre_t1165_startup_items
T1558 | Steal or Forge Kerberos Tickets | mitre_t1558_steal_or_forge_kerberos_tickets
T1492 | Stored Data Manipulation | mitre_t1492_stored_data_manip
T1553 | Subvert Trust Controls | mitre_t1553_subvert_trust_controls
T1169 | Sudo | mitre_t1169_sudo
T1206 | Sudo Caching | mitre_t1206_sudo_caching
T1195 | Supply Chain Compromise | mitre_t1195_supply_chain_compromise
T1019 | System Firmware | mitre_t1019_system_firmware
T1082 | System Information Discovery | mitre_t1082_sys_inf_discovery
T1016 | System Network Configuration Discovery | mitre_t1016_sys_net_config_discovery
T1049 | System Network Connections Discovery | mitre_t1049_sys_network_connections_discovery
T1033 | System Owner/User Discovery | mitre_t1033_sys_owner_or_usr_discovery
T1569 | System Services | mitre_t1569_sys_svs
T1007 | System Service Discovery | mitre_t1007_sys_service_discovery
T1124 | System Time Discovery | mitre_t1124_sys_time_discovery
T1501 | Systemd Service | mitre_t1501_systemd_service
T1080 | Taint Shared Content | mitre_t1080_taint_shared_content
T1221 | Template Injection | mitre_t1221_template_inject
T1209 | Time Providers | mitre_t1209_time_providers
T1099 | Timestomp | mitre_t1099_timestomp
T1493 | Transmitted Data Manipulation | mitre_t1493_transmitted_data_manip
T1154 | Trap | mitre_t1154_trap
T1127 | Trusted Developer Utilities Proxy Execution | mitre_t1127_trusted_developer_util_proxy_exec
T1199 | Trusted Relationship | mitre_t1199_trusted_relationship
T1111 | Two-Factor Authentication Interception | mitre_t1111_two_factor_auth_intercept
T1065 | Uncommonly Used Port | mitre_t1065_uncommonly_used_port
T1552 | Unsecured Credentials | mitre_t1552_unsecure_creds
T1550 | Use Alternate Authentication Material | mitre_t1550_use_alt_auth_material
T1204 | User Execution | mitre_t1204_user_execution
T1078 | Valid Accounts | mitre_t1078_valid_accounts
T1125 | Video Capture | mitre_t1125_video_capture
T1497 | Virtualization/Sandbox Evasion | mitre_t1497_virtualization_or_sandbox_evasion
T1102 | Web Service | mitre_t1102_web_service
T1100 | Web Shell | mitre_t1100_web_shell
T1077 | Windows Admin Shares | mitre_t1077_win_admin_shares
T1047 | Windows Management Instrumentation | mitre_t1047_win_mgmt_instru
T1084 | Windows Management Instrumentation Event Subscription | mitre_t1084_mgmt_instru_evt_subscription
T1028 | Windows Remote Management | mitre_t1028_win_remote_mgmt
T1004 | Winlogon Helper DLL | mitre_t1004_winlogon_helper_dll
T1220 | XSL Script Processing | mitre_t1220_xsl_script_processing