| T1156 |
.bash_profile and .bashrc |
mitre_t1156_bash_profile_and_bashrc |
| T1548 |
Abuse Elevation Control Mechanism |
mitre_t1548_abuse_elevation_ctrl_mech |
| T1134 |
Access Token Manipulation |
mitre_t1134_access_token_manip |
| T1015 |
Accessibility Features |
mitre_t1015_accessibility_features |
| T1087 |
Account Discovery |
mitre_t1087_account_discovery |
| T1098 |
Account Manipulation |
mitre_t1098_account_manip |
| T1307 |
Acquire and/or use 3rd party infrastructure services |
mitre_t1307_acquire_and_or_use_3rd_party_infrastructure_services |
| T1329 |
Acquire and/or use 3rd party infrastructure services |
mitre_t1329_acquire_and_or_use_3rd_party_infrastructure_services |
| T1308 |
Acquire and/or use 3rd party software services |
mitre_t1308_acquire_and_or_use_3rd_party_software_services |
| T1330 |
Acquire and/or use 3rd party software services |
mitre_t1330_acquire_and_or_use_3rd_party_software_services |
| T1310 |
Acquire or compromise 3rd party signing certificates |
mitre_t1310_acquire_or_compromise_3rd_party_signing_certificates |
| T1182 |
AppCert DLLs |
mitre_t1182_appcert_dlls |
| T1103 |
AppInit DLLs |
mitre_t1103_appinit_dlls |
| T1155 |
AppleScript |
mitre_t1155_applescript |
| T1017 |
Application Deployment Software |
mitre_t1017_app_deployment_software |
| T1138 |
Application Shimming |
mitre_t1138_app_shimming |
| T1010 |
Application Window Discovery |
mitre_t1010_app_window_discovery |
| T1560 |
Archive Collected Data |
mitre_t1560_archive_collected_data |
| T1123 |
Audio Capture |
mitre_t1123_audio_capture |
| T1131 |
Authentication Package |
mitre_t1131_auth_package |
| T1119 |
Automated Collection |
mitre_t1119_auto_collection |
| T1020 |
Automated Exfiltration |
mitre_t1020_auto_exfil |
| T1139 |
Bash History |
mitre_t1139_bash_history |
| T1009 |
Binary Padding |
mitre_t1009_binary_padding |
| T1197 |
BITS Jobs |
mitre_t1197_bits_jobs |
| T1547 |
Boot or Logon Autostart Execution |
mitre_t1547_boot_or_logon_auto_exec |
| T1067 |
Bootkit |
mitre_t1067_bootkit |
| T1217 |
Browser Bookmark Discovery |
mitre_t1217_browser_bookmark_discovery |
| T1176 |
Browser Extensions |
mitre_t1176_browser_extensions |
| T1110 |
Brute Force |
mitre_t1110_brute_force |
| T1088 |
Bypass User Account Control |
mitre_t1088_bypass_uac |
| T1042 |
Change Default File Association |
mitre_t1042_change_default_file_assoc |
| T1146 |
Clear Command History |
mitre_t1146_clear_cmd_history |
| T1115 |
Clipboard Data |
mitre_t1115_clipboard_data |
| T1191 |
CMSTP |
mitre_t1191_cmstp |
| T1116 |
Code Signing |
mitre_t1116_code_signing |
| T1059 |
Command-Line or Script Interface |
mitre_t1059_cmd_line_or_script_inter |
| T1043 |
Commonly Used Port |
mitre_t1043_common_port |
| T1092 |
Communication Through Removable Media |
mitre_t1092_comm_thru_removable_media |
| T1500 |
Compile After Delivery |
mitre_t1500_compile_after_delivery |
| T1223 |
Compiled HTML File |
mitre_t1223_compiled_html_file |
| T1109 |
Component Firmware |
mitre_t1109_comp_firmware |
| T1175 |
Component Object Model and Distributed COM |
mitre_t1175_distributed_comp_object_model |
| T1122 |
Component Object Model Hijacking |
mitre_t1122_comp_obj_model_hij |
| T1196 |
Control Panel Items |
mitre_t1196_control_panel_items |
| T1136 |
Create Account |
mitre_t1136_create_account |
| T1345 |
Create Custom Payloads |
mitre_t1345_create_custom_payloads |
| T1543 |
Create or Modify System Process |
mitre_t1543_create_or_modify_sys_proc |
| T1003 |
OS Credential Dumping |
mitre_t1003_os_credential_dump |
| T1555 |
Credentials from Password Stores |
mitre_t1555_creds_from_pwd_stores |
| T1503 |
Credentials from Web Browsers |
mitre_t1503_credentials_from_web_browsers |
| T1081 |
Credentials in Files |
mitre_t1081_cred_in_files |
| T1214 |
Credentials in Registry |
mitre_t1214_creds_in_reg |
| T1094 |
Custom Command and Control Protocol |
mitre_t1094_custom_cmd_and_control_proto |
| T1024 |
Custom Cryptographic Protocol |
mitre_t1024_custom_crypto_proto |
| T1002 |
Data Compressed |
mitre_t1002_data_compressed |
| T1485 |
Data Destruction |
mitre_t1485_data_destruction |
| T1132 |
Data Encoding |
mitre_t1132_data_encoding |
| T1022 |
Data Encrypted |
mitre_t1022_data_encrypted |
| T1486 |
Data Encrypted for Impact |
mitre_t1486_data_encrypted_for_impact |
| T1213 |
Data from Information Repositories |
mitre_t1213_data_from_info_repos |
| T1005 |
Data from Local System |
mitre_t1005_data_from_local_sys |
| T1039 |
Data from Network Shared Drive |
mitre_t1039_data_from_network_shared_drive |
| T1025 |
Data from Removable Media |
mitre_t1025_data_from_removable_media |
| T1320 |
Data Hiding |
mitre_t1320_data_hiding |
| T1001 |
Data Obfuscation |
mitre_t1001_data_obfuscation |
| T1565 |
Data Manipulation |
mitre_t1565_data_manip |
| T1074 |
Data Staged |
mitre_t1074_data_staged |
| T1030 |
Data Transfer Size Limits |
mitre_t1030_data_transfer_size_limits |
| T1207 |
Rogue Domain Controller |
mitre_t1207_rogue_domain_controller |
| T1491 |
Defacement |
mitre_t1491_defacement |
| T1140 |
Deobfuscate/Decode Files or Information |
mitre_t1140_deobfuscate_or_decode_files_or_info |
| T1089 |
Disabling Security Tools |
mitre_t1089_disabling_security_tools |
| T1488 |
Disk Content Wipe |
mitre_t1488_disk_content_wipe |
| T1487 |
Disk Structure Wipe |
mitre_t1487_disk_structure_wipe |
| T1561 |
Disk Wipe |
mitre_t1561_disk_wipe |
| T1038 |
DLL Search Order Hijacking |
mitre_t1038_dll_search_order_hij |
| T1073 |
DLL Side-Loading |
mitre_t1073_dll_side_loading |
| T1172 |
Domain Fronting |
mitre_t1172_domain_fronting |
| T1483 |
Domain Generation Algorithms |
mitre_t1483_domain_generation_algorithms |
| T1482 |
Domain Trust Discovery |
mitre_t1482_domain_trust_discovery |
| T1189 |
Drive-by Compromise |
mitre_t1189_drive_by_compromise |
| T1157 |
Dylib Hijacking |
mitre_t1157_dylib_hijacking |
| T1173 |
Dynamic Data Exchange |
mitre_t1173_dynamic_data_exchange |
| T1568 |
Dynamic Resolution |
mitre_t1568_dynamic_resolution |
| T1514 |
Elevated Execution with Prompt |
mitre_t1514_elevated_execution_with_prompt |
| T1114 |
Email Collection |
mitre_t1114_email_collection |
| T1573 |
Encrypted Channel |
mitre_t1573_encrypted_channel |
| T1499 |
Endpoint Denial of Service |
mitre_t1499_endpoint_denial_of_service |
| T1546 |
Event Triggered Execution |
mitre_t1546_event_triggered_exec |
| T1480 |
Execution Guardrails |
mitre_t1480_exec_guardrails |
| T1106 |
Native API |
mitre_t1106_native_api |
| T1129 |
Shared Modules |
mitre_t1129_shared_modules |
| T1048 |
Exfiltration Over Alternative Protocol |
mitre_t1048_exfil_over_alt_proto |
| T1041 |
Exfiltration Over Command and Control Channel |
mitre_t1041_exfil_over_c2 |
| T1011 |
Exfiltration Over Other Network Medium |
mitre_t1011_exfil_over_other_network_medium |
| T1052 |
Exfiltration Over Physical Medium |
mitre_t1052_exfil_over_physical_medium |
| T1190 |
Exploit Public-Facing Application |
mitre_t1190_exploit_public_facing_app |
| T1203 |
Exploitation for Client Execution |
mitre_t1203_exploit_for_client_exec |
| T1212 |
Exploitation for Credential Access |
mitre_t1212_exploit_for_cred_access |
| T1211 |
Exploitation for Defense Evasion |
mitre_t1211_exploit_for_defense_evasion |
| T1068 |
Exploitation for Privilege Escalation |
mitre_t1068_exploit_for_priv_escalation |
| T1210 |
Exploitation of Remote Services |
mitre_t1210_exploit_of_remote_services |
| T1133 |
External Remote Services |
mitre_t1133_external_remote_services |
| T1181 |
Extra Window Memory Injection |
mitre_t1181_extra_window_memory_inject |
| T1008 |
Fallback Channels |
mitre_t1008_fallback_channels |
| T1083 |
File and Directory Discovery |
mitre_t1083_file_and_dir_discovery |
| T1222 |
File and Directory Permissions Modification |
mitre_t1222_file_and_dir_perms_mod |
| T1107 |
File Deletion |
mitre_t1107_file_deletion |
| T1006 |
Direct Volume Access |
mitre_t1006_direct_volume_access |
| T1044 |
File System Permissions Weakness |
mitre_t1044_file_sys_perms_weakness |
| T1495 |
Firmware Corruption |
mitre_t1495_firmware_corruption |
| T1187 |
Forced Authentication |
mitre_t1187_forced_auth |
| T1144 |
Gatekeeper Bypass |
mitre_t1144_gatekeeper_bypass |
| T1061 |
Graphical User Interface |
mitre_t1061_graphical_user_interface |
| T1484 |
Group Policy Modification |
mitre_t1484_group_policy_mod |
| T1200 |
Hardware Additions |
mitre_t1200_hardware_additions |
| T1158 |
Hidden Files and Directories |
mitre_t1158_hidden_files_and_directories |
| T1147 |
Hidden Users |
mitre_t1147_hidden_users |
| T1143 |
Hidden Window |
mitre_t1143_hidden_window |
| T1564 |
Hide Artifacts |
mitre_t1564_hide_artifacts |
| T1574 |
Hijack Execution Flow |
mitre_t1574_hijack_exec_flow |
| T1148 |
HISTCONTROL |
mitre_t1148_histcontrol |
| T1179 |
Hooking |
mitre_t1179_hooking |
| T1062 |
Hypervisor |
mitre_t1062_hypervisor |
| T1183 |
Image File Execution Options Injection |
mitre_t1183_image_file_exec_options_inject |
| T1562 |
Impair Defenses |
mitre_t1562_impair_defenses |
| T1054 |
Indicator Blocking |
mitre_t1054_indicator_blocking |
| T1066 |
Indicator Removal from Tools |
mitre_t1066_indicator_removal_from_tools |
| T1070 |
Indicator Removal on Host |
mitre_t1070_indicator_removal_on_host |
| T1202 |
Indirect Command Execution |
mitre_t1202_indirect_command_execution |
| T1490 |
Inhibit System Recovery |
mitre_t1490_inhibit_sys_recovery |
| T1056 |
Input Capture |
mitre_t1056_input_capture |
| T1141 |
Input Prompt |
mitre_t1141_input_prompt |
| T1130 |
Install Root Certificate |
mitre_t1130_install_root_certificate |
| T1118 |
InstallUtil |
mitre_t1118_installutil |
| T1559 |
Inter-Process Communication |
mitre_t1559_inter_proc_comm |
| T1208 |
Kerberoasting |
mitre_t1208_kerberoasting |
| T1215 |
Kernel Modules and Extensions |
mitre_t1215_kernel_modules_and_extensions |
| T1142 |
Keychain |
mitre_t1142_keychain |
| T1570 |
Lateral Tool Transfer |
mitre_t1570_lateral_tool_transfer |
| T1159 |
Launch Agent |
mitre_t1159_launch_agent |
| T1160 |
Launch Daemon |
mitre_t1160_launch_daemon |
| T1152 |
Launchctl |
mitre_t1152_launchctl |
| T1161 |
LC_LOAD_DYLIB Addition |
mitre_t1161_lc_load_dylib_addition |
| T1149 |
LC_MAIN Hijacking |
mitre_t1149_lc_main_hijacking |
| T1171 |
LLMNR/NBT-NS Poisoning and Relay |
mitre_t1171_llmnr_nbt_ns_poisoning_and_relay |
| T1168 |
Local Job Scheduling |
mitre_t1168_local_job_scheduling |
| T1162 |
Login Item |
mitre_t1162_login_item |
| T1037 |
Logon Scripts |
mitre_t1037_logon_scripts |
| T1177 |
LSASS Driver |
mitre_t1177_lsass_driver |
| T1185 |
Man in the Browser |
mitre_t1185_man_in_the_browser |
| T1557 |
Man-in-the-Middle |
mitre_t1557_man_in_the_middle |
| T1036 |
Masquerading |
mitre_t1036_masquerading |
| T1556 |
Modify Authentication Process |
mitre_t1556_modify_auth_proc |
| T1578 |
Modify Cloud Compute Infrastructure |
mitre_t1578_modify_cloud_compute_infra |
| T1031 |
Modify Existing Service |
mitre_t1031_modify_existing_service |
| T1112 |
Modify Registry |
mitre_t1112_modify_registry |
| T1170 |
Mshta |
mitre_t1170_mshta |
| T1188 |
Multi-hop Proxy |
mitre_t1188_multi_hop_proxy |
| T1104 |
Multi-Stage Channels |
mitre_t1104_multi_stage_channels |
| T1026 |
Multiband Communication |
mitre_t1026_multiband_comm |
| T1079 |
Multilayer Encryption |
mitre_t1079_multilayer_encryption |
| T1128 |
Netsh Helper DLL |
mitre_t1128_netsh_helper_dll |
| T1498 |
Network Denial of Service |
mitre_t1498_network_denial_of_service |
| T1046 |
Network Service Scanning |
mitre_t1046_network_service_scanning |
| T1126 |
Network Share Connection Removal |
mitre_t1126_network_share_connection_removal |
| T1135 |
Network Share Discovery |
mitre_t1135_network_share_discovery |
| T1040 |
Network Sniffing |
mitre_t1040_network_sniffing |
| T1050 |
New Service |
mitre_t1050_new_service |
| T1095 |
Non-Application Layer Protocol |
mitre_t1095_non_app_layer_proto |
| T1571 |
Non-Standard Port |
mitre_t1571_non_std_port |
| T1096 |
NTFS File Attributes |
mitre_t1096_ntfs_file_attrib |
| T1027 |
Obfuscated Files or Information |
mitre_t1027_obfuscate_files_or_info |
| T1137 |
Office Application Startup |
mitre_t1137_office_app_startup |
| T1502 |
Parent PID Spoofing |
mitre_t1502_parent_pid_spoofing |
| T1075 |
Pass the Hash |
mitre_t1075_pass_the_hash |
| T1097 |
Pass the Ticket |
mitre_t1097_pass_the_ticket |
| T1174 |
Password Filter DLL |
mitre_t1174_password_filter_dll |
| T1201 |
Password Policy Discovery |
mitre_t1201_password_policy_discovery |
| T1034 |
Path Interception |
mitre_t1034_path_intercept |
| T1120 |
Peripheral Device Discovery |
mitre_t1120_periph_discovery |
| T1069 |
Permission Groups Discovery |
mitre_t1069_permission_discovery |
| T1566 |
Phishing |
mitre_t1566_phishing |
| T1150 |
Plist Modification |
mitre_t1150_plist_mod |
| T1205 |
Traffic Signaling |
mitre_t1205_traffic_signaling |
| T1013 |
Port Monitors |
mitre_t1013_port_monitors |
| T1086 |
PowerShell |
mitre_t1086_powershell |
| T1504 |
PowerShell Profile |
mitre_t1504_powershell_profile |
| T1542 |
Pre-OS Boot |
mitre_t1542_pre_os_boot |
| T1145 |
Private Keys |
mitre_t1145_private_keys |
| T1057 |
Process Discovery |
mitre_t1057_process_discovery |
| T1186 |
Process Doppelgänging |
mitre_t1186_process_doppelganging |
| T1093 |
Process Hollowing |
mitre_t1093_process_hollowing |
| T1055 |
Process Injection |
mitre_t1055_process_inject |
| T1090 |
Proxy |
mitre_t1090_proxy |
| T1012 |
Query Registry |
mitre_t1012_query_registry |
| T1163 |
Rc.common |
mitre_t1163_rc_common |
| T1164 |
Re-opened Applications |
mitre_t1164_re_opened_apps |
| T1108 |
Redundant Access |
mitre_t1108_redundant_access |
| T1060 |
Registry Run Keys / Startup Folder |
mitre_t1060_reg_run_keys |
| T1121 |
Regsvcs/Regasm |
mitre_t1121_regsvcs_regasm |
| T1117 |
Regsvr32 |
mitre_t1117_regsvr32 |
| T1219 |
Remote Access Software |
mitre_t1219_remote_access_software |
| T1076 |
Remote Desktop Protocol |
mitre_t1076_remote_desktop_proto |
| T1105 |
Ingress Tool Transfer |
mitre_t1105_ingress_tool_transfer |
| T1021 |
Remote Services |
mitre_t1021_remote_services |
| T1563 |
Remote Service Session Hijacking |
mitre_t1563_remote_svc_session_hijack |
| T1018 |
Remote System Discovery |
mitre_t1018_remote_sys_discovery |
| T1091 |
Replication Through Removable Media |
mitre_t1091_replication_thru_removable_media |
| T1496 |
Resource Hijacking |
mitre_t1496_resource_hijacking |
| T1014 |
Rootkit |
mitre_t1014_rootkit |
| T1085 |
Rundll32 |
mitre_t1085_rundll32 |
| T1494 |
Runtime Data Manipulation |
mitre_t1494_runtime_data_manip |
| T1053 |
Scheduled Task or Job |
mitre_t1053_scheduled_task_or_job |
| T1029 |
Scheduled Transfer |
mitre_t1029_scheduled_transfer |
| T1113 |
Screen Capture |
mitre_t1113_screen_cap |
| T1180 |
Screensaver |
mitre_t1180_screensaver |
| T1064 |
Scripting |
mitre_t1064_scripting |
| T1063 |
Security Software Discovery |
mitre_t1063_sec_software_discovery |
| T1101 |
Security Support Provider |
mitre_t1101_security_support_provider |
| T1167 |
Securityd Memory |
mitre_t1167_securityd_memory |
| T1505 |
Server Software Component |
mitre_t1505_server_software_component |
| T1035 |
Service Execution |
mitre_t1035_service_execution |
| T1058 |
Service Registry Permissions Weakness |
mitre_t1058_service_reg_perms_weakness |
| T1489 |
Service Stop |
mitre_t1489_service_stop |
| T1166 |
Setuid and Setgid |
mitre_t1166_setuid_and_setgid |
| T1051 |
Shared Webroot |
mitre_t1051_shared_webroot |
| T1023 |
Shortcut Modification |
mitre_t1023_shortcut_mod |
| T1178 |
SID-History Injection |
mitre_t1178_sid_history_inject |
| T1218 |
Signed Binary Proxy Execution |
mitre_t1218_signed_binary_proxy_exec |
| T1216 |
Signed Script Proxy Execution |
mitre_t1216_signed_script_proxy_exec |
| T1198 |
SIP and Trust Provider Hijacking |
mitre_t1198_sip_and_trust_provider_hijacking |
| T1072 |
Software Deployment Tools |
mitre_t1072_software_deployment_tools |
| T1518 |
Software Discovery |
mitre_t1518_software_discovery |
| T1045 |
Software Packing |
mitre_t1045_software_packaging |
| T1153 |
Source |
mitre_t1153_source |
| T1151 |
Space after Filename |
mitre_t1151_space_after_filename |
| T1193 |
Spearphishing Attachment |
mitre_t1193_spearphishing_attachment |
| T1192 |
Spearphishing Link |
mitre_t1192_spearphishing_link |
| T1194 |
Spearphishing via Service |
mitre_t1194_spearphishing_via_service |
| T1184 |
SSH Hijacking |
mitre_t1184_ssh_hijacking |
| T1071 |
Standard Application Layer Protocol |
mitre_t1071_stnd_app_layer_proto |
| T1032 |
Standard Cryptographic Protocol |
mitre_t1032_stnd_crypt_layer_proto |
| T1165 |
Startup Items |
mitre_t1165_startup_items |
| T1558 |
Steal or Forge Kerberos Tickets |
mitre_t1558_steal_or_forge_kerberos_tickets |
| T1492 |
Stored Data Manipulation |
mitre_t1492_stored_data_manip |
| T1553 |
Subvert Trust Controls |
mitre_t1553_subvert_trust_controls |
| T1169 |
Sudo |
mitre_t1169_sudo |
| T1206 |
Sudo Caching |
mitre_t1206_sudo_caching |
| T1195 |
Supply Chain Compromise |
mitre_t1195_supply_chain_compromise |
| T1019 |
System Firmware |
mitre_t1019_system_firmware |
| T1082 |
System Information Discovery |
mitre_t1082_sys_inf_discovery |
| T1016 |
System Network Configuration Discovery |
mitre_t1016_sys_net_config_discovery |
| T1049 |
System Network Connections Discovery |
mitre_t1049_sys_network_connections_discovery |
| T1033 |
System Owner/User Discovery |
mitre_t1033_sys_owner_or_usr_discovery |
| T1569 |
System Services |
mitre_t1569_sys_svs |
| T1007 |
System Service Discovery |
mitre_t1007_sys_service_discovery |
| T1124 |
System Time Discovery |
mitre_t1124_sys_time_discovery |
| T1501 |
Systemd Service |
mitre_t1501_systemd_service |
| T1080 |
Taint Shared Content |
mitre_t1080_taint_shared_content |
| T1221 |
Template Injection |
mitre_t1221_template_inject |
| T1209 |
Time Providers |
mitre_t1209_time_providers |
| T1099 |
Timestomp |
mitre_t1099_timestomp |
| T1493 |
Transmitted Data Manipulation |
mitre_t1493_transmitted_data_manip |
| T1154 |
Trap |
mitre_t1154_trap |
| T1127 |
Trusted Developer Utilities Proxy Execution |
mitre_t1127_trusted_developer_util_proxy_exec |
| T1199 |
Trusted Relationship |
mitre_t1199_trusted_relationship |
| T1111 |
Two-Factor Authentication Interception |
mitre_t1111_two_factor_auth_intercept |
| T1065 |
Uncommonly Used Port |
mitre_t1065_uncommonly_used_port |
| T1552 |
Unsecured Credentials |
mitre_t1552_unsecure_creds |
| T1550 |
Use Alternate Authentication Material |
mitre_t1550_use_alt_auth_material |
| T1204 |
User Execution |
mitre_t1204_user_execution |
| T1078 |
Valid Accounts |
mitre_t1078_valid_accounts |
| T1125 |
Video Capture |
mitre_t1125_video_capture |
| T1497 |
Virtualization/Sandbox Evasion |
mitre_t1497_virtualization_or_sandbox_evasion |
| T1102 |
Web Service |
mitre_t1102_web_service |
| T1100 |
Web Shell |
mitre_t1100_web_shell |
| T1077 |
Windows Admin Shares |
mitre_t1077_win_admin_shares |
| T1047 |
Windows Management Instrumentation |
mitre_t1047_win_mgmt_instru |
| T1084 |
Windows Management Instrumentation Event Subscription |
mitre_t1084_mgmt_instru_evt_subscription |
| T1028 |
Windows Remote Management |
mitre_t1028_win_remote_mgmt |
| T1004 |
Winlogon Helper DLL |
mitre_t1004_winlogon_helper_dll |
| T1220 |
XSL Script Processing |
mitre_t1220_xsl_script_processing |
