
Reconnaissance
  Active Scanning
  Gather Victim Host Information
  Gather Victim Identity Information
  Gather Victim Network Information
  Gather Victim Org Information
  Phishing for Information
  Search Closed Sources
  Search Open Technical Databases
  Search Open Websites/Domains
  Search Victim-Owned Websites

Resource Development
  Acquire Access
  Acquire Infrastructure
  Compromise Accounts
  Compromise Infrastructure
  Develop Capabilities
  Establish Accounts
  Obtain Capabilities
  Stage Capabilities

Initial Access
  Content Injection
  Drive-by Compromise
  Exploit Public-Facing Application
  External Remote Services
  Hardware Additions
  Phishing
  Replication Through Removable Media
  Supply Chain Compromise
  Trusted Relationship
  Valid Accounts
    Cloud Accounts
    Default Accounts
    Domain Accounts
    Local Accounts

Execution
  Cloud Administration Command
  Command and Scripting Interpreter
    AppleScript
    Cloud API
    JavaScript
    Network Device CLI
    PowerShell
    Python
    Unix Shell
    Visual Basic
    Windows Command Shell
  Container Administration Command
  Deploy Container
  Exploitation for Client Execution
  Inter-Process Communication
  Native API
  Scheduled Task/Job
  Serverless Execution
  Shared Modules
  Software Deployment Tools
  System Services
    Launchctl
    Service Execution
  User Execution
  Windows Management Instrumentation

Persistence
  Account Manipulation
  BITS Jobs
  Boot or Logon Autostart Execution
  Boot or Logon Initialization Scripts
  Browser Extensions
  Compromise Client Software Binary
  Create Account
  Create or Modify System Process
    Launch Agent
    Launch Daemon
    Systemd Service
    Windows Service
  Event Triggered Execution
  External Remote Services
  Hijack Execution Flow
  Implant Internal Image
  Modify Authentication Process
  Office Application Startup
    Add-ins
    Office Template Macros
    Office Test
    Outlook Forms
    Outlook Home Page
    Outlook Rules
  Power Settings
  Pre-OS Boot
  Scheduled Task/Job
  Server Software Component
  Traffic Signaling
  Valid Accounts
    Cloud Accounts
    Default Accounts
    Domain Accounts
    Local Accounts

Privilege Escalation
  Abuse Elevation Control Mechanism
    Bypass User Account Control
    Elevated Execution with Prompt
    Setuid and Setgid
    Sudo and Sudo Caching
    Temporary Elevated Cloud Access
  Access Token Manipulation
    Create Process with Token
    Make and Impersonate Token
    Parent PID Spoofing
    SID-History Injection
    Token Impersonation/Theft
  Account Manipulation
  Boot or Logon Autostart Execution
  Boot or Logon Initialization Scripts
  Create or Modify System Process
    Launch Agent
    Launch Daemon
    Systemd Service
    Windows Service
  Domain Policy Modification
  Escape to Host
  Event Triggered Execution
  Exploitation for Privilege Escalation
  Hijack Execution Flow
  Process Injection
    Asynchronous Procedure Call
    Dynamic-link Library Injection
    Extra Window Memory Injection
    ListPlanting
    Portable Executable Injection
    Proc Memory
    Process Doppelgänging
    Process Hollowing
    Ptrace System Calls
    Thread Execution Hijacking
    Thread Local Storage
    VDSO Hijacking
  Scheduled Task/Job
  Valid Accounts
    Cloud Accounts
    Default Accounts
    Domain Accounts
    Local Accounts

Defense Evasion
  Abuse Elevation Control Mechanism
    Bypass User Account Control
    Elevated Execution with Prompt
    Setuid and Setgid
    Sudo and Sudo Caching
    Temporary Elevated Cloud Access
  Access Token Manipulation
    Create Process with Token
    Make and Impersonate Token
    Parent PID Spoofing
    SID-History Injection
    Token Impersonation/Theft
  BITS Jobs
  Build Image on Host
  Debugger Evasion
  Deobfuscate/Decode Files or Information
  Deploy Container
  Direct Volume Access
  Domain Policy Modification
  Execution Guardrails
  Exploitation for Defense Evasion
  File and Directory Permissions Modification
  Hide Artifacts
    Email Hiding Rules
    Hidden File System
    Hidden Files and Directories
    Hidden Users
    Hidden Window
    Ignore Process Interrupts
    NTFS File Attributes
    Process Argument Spoofing
    Resource Forking
    Run Virtual Instance
    VBA Stomping
  Hijack Execution Flow
  Impair Defenses
    Disable or Modify Cloud Firewall
    Disable or Modify Cloud Logs
    Disable or Modify Linux Audit System
    Disable or Modify System Firewall
    Disable or Modify Tools
    Disable Windows Event Logging
    Downgrade Attack
    Impair Command History Logging
    Indicator Blocking
    Safe Mode Boot
    Spoof Security Alerting
  Impersonation
  Indicator Removal
    Clear Command History
    Clear Linux or Mac System Logs
    Clear Mailbox Data
    Clear Network Connection History and Configurations
    Clear Persistence
    Clear Windows Event Logs
    File Deletion
    Network Share Connection Removal
    Timestomp
  Indirect Command Execution
  Masquerading
  Modify Authentication Process
  Modify Cloud Compute Infrastructure
  Modify Registry
  Modify System Image
  Network Boundary Bridging
  Obfuscated Files or Information
    Binary Padding
    Command Obfuscation
    Compile After Delivery
    Dynamic API Resolution
    Embedded Payloads
    Fileless Storage
    HTML Smuggling
    Indicator Removal from Tools
    LNK Icon Smuggling
    Software Packing
    Steganography
    Stripped Payloads
  Plist File Modification
  Pre-OS Boot
  Process Injection
    Asynchronous Procedure Call
    Dynamic-link Library Injection
    Extra Window Memory Injection
    ListPlanting
    Portable Executable Injection
    Proc Memory
    Process Doppelgänging
    Process Hollowing
    Ptrace System Calls
    Thread Execution Hijacking
    Thread Local Storage
    VDSO Hijacking
  Reflective Code Loading
  Rogue Domain Controller
  Rootkit
  Subvert Trust Controls
    Code Signing
    Code Signing Policy Modification
    Gatekeeper Bypass
    Install Root Certificate
    Mark-of-the-Web Bypass
    SIP and Trust Provider Hijacking
  System Binary Proxy Execution
    CMSTP
    Compiled HTML File
    Control Panel
    InstallUtil
    Mavinject
    MMC
    Mshta
    Msiexec
    Odbcconf
    Regsvcs/Regasm
    Regsvr32
    Rundll32
    Verclsid
  System Script Proxy Execution
  Template Injection
  Traffic Signaling
  Trusted Developer Utilities Proxy Execution
  Unused/Unsupported Cloud Regions
  Use Alternate Authentication Material
    Application Access Token
    Pass the Hash
    Pass the Ticket
    Web Session Cookie
  Valid Accounts
    Cloud Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  Virtualization/Sandbox Evasion
  Weaken Encryption
  XSL Script Processing

Credential Access
  Adversary-in-the-Middle
  Brute Force
  Credentials from Password Stores
  Exploitation for Credential Access
  Forced Authentication
  Forge Web Credentials
  Input Capture
    Credential API Hooking
    GUI Input Capture
    Keylogging
    Web Portal Capture
  Modify Authentication Process
  Multi-Factor Authentication Interception
  Multi-Factor Authentication Request Generation
  Network Sniffing
  OS Credential Dumping
    /etc/passwd and /etc/shadow
    Cached Domain Credentials
    DCSync
    LSA Secrets
    LSASS Memory
    NTDS
    Proc Filesystem
    Security Account Manager
  Steal Application Access Token
  Steal or Forge Authentication Certificates
  Steal or Forge Kerberos Tickets
  Steal Web Session Cookie
  Unsecured Credentials

Discovery
  Account Discovery
    Cloud Account
    Domain Account
    Email Account
    Local Account
  Application Window Discovery
  Browser Information Discovery
  Cloud Infrastructure Discovery
  Cloud Service Dashboard
  Cloud Service Discovery
  Cloud Storage Object Discovery
  Container and Resource Discovery
  Debugger Evasion
  Device Driver Discovery
  Domain Trust Discovery
  File and Directory Discovery
  Group Policy Discovery
  Log Enumeration
  Network Service Discovery
  Network Share Discovery
  Network Sniffing
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery
    Cloud Groups
    Domain Groups
    Local Groups
  Process Discovery
  Query Registry
  Remote System Discovery
  Software Discovery
  System Information Discovery
  System Location Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery
  Virtualization/Sandbox Evasion

Lateral Movement
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Remote Service Session Hijacking
  Remote Services
    Cloud Services
    Direct Cloud VM Connections
    Distributed Component Object Model
    Remote Desktop Protocol
    SMB/Windows Admin Shares
    SSH
    VNC
    Windows Remote Management
  Replication Through Removable Media
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material
    Application Access Token
    Pass the Hash
    Pass the Ticket
    Web Session Cookie

Collection
  Adversary-in-the-Middle
  Archive Collected Data
  Audio Capture
  Automated Collection
  Browser Session Hijacking
  Clipboard Data
  Data from Cloud Storage
  Data from Configuration Repository
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Data Staged
  Email Collection
  Input Capture
    Credential API Hooking
    GUI Input Capture
    Keylogging
    Web Portal Capture
  Screen Capture
  Video Capture

Command and Control
  Application Layer Protocol
    DNS
    File Transfer Protocols
    Mail Protocols
    Web Protocols
  Communication Through Removable Media
  Content Injection
  Data Encoding
    Non-Standard Encoding
    Standard Encoding
  Data Obfuscation
    Junk Data
    Protocol Impersonation
    Steganography
  Dynamic Resolution
  Encrypted Channel
    Asymmetric Cryptography
    Symmetric Cryptography
  Fallback Channels
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy
    Domain Fronting
    External Proxy
    Internal Proxy
    Multi-hop Proxy
  Remote Access Software
  Traffic Signaling
  Web Service

Exfiltration
  Automated Exfiltration
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium
  Exfiltration Over Physical Medium
  Exfiltration Over Web Service
  Scheduled Transfer
  Transfer Data to Cloud Account

Impact
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation
  Defacement
  Disk Wipe
  Endpoint Denial of Service
  Financial Theft
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot