- Abuse Elevation Control Mechanism
- Access Token Manipulation
- Accessibility Features
- Account Discovery
- Account Manipulation
- Add-ins
- Aikido
- AP
- AppCert DLLs
- AppInit DLLs
- AppleScript
- Application Layer Protocol
- Application or System Exploitation
- Application Shimming
- Application Window Discovery
- Archive Collected Data
- Archive via Utility
- At
- Audio Capture
- Automated Collection
- Automated Exfiltration
- Backdoor
- Bash History
- Binary Padding
- BITS Jobs
- Boot or Logon Autostart Execution
- Boot or Logon Initialization Scripts
- Bootkit
- Browser Bookmark Discovery
- Brute Force
- Bypass User Account Control
- Cached Domain Credentials
- Change Default File Association
- Clear Command History
- Clear Linux or Mac System Logs
- Clear Windows Event Logs
- Clipboard Data
- CMSTP
- Code Signing
- Collection
- command
- Command and Control
- Command and Scripting Interpreter
- Command and Scripting Interpreter: PowerShell
- Command Execution
- Command-Line Interface
- Compile After Delivery
- Compiled HTML File
- Component Object Model
- Component Object Model Hijacking
- Compromise Client Software Binary
- Compromise Infrastructure
- Compromise Software Dependencies and Development Tools
- Control Panel
- COR_PROFILER
- CrackMapExec
- Create Account
- Create or Modify System Process
- Create Process with Token
- Credential Access
- Credential API Hooking
- Credential Dumping via Mimikatz
- Credentials from Password Stores
- Credentials from Web Browsers
- Credentials In Files
- Credentials in Registry
- Cron
- cve.2019.1378
- cve.2019.14287
- Data Compressed
- Data Destruction
- Data Encrypted for Impact
- Data from Local System
- Data from Network Shared Drive
- Data from Removable Media
- Data Manipulation
- Data Transfer Size Limits
- DCSync
- Default Accounts
- Defense Evasion
- Deobfuscate/Decode Files or Information
- Develop Capabilities
- Disable or Modify System Firewall
- Disable or Modify Tools
- Disable Windows Event Logging
- Discovery
- Disk Wipe
- Distributed Component Object Model
- DLL Search Order Hijacking
- DLL Side-Loading
- DNS
- Domain Account
- Domain Accounts
- Domain Groups
- Domain Policy Modification
- Domain Trust Discovery
- DoS
- Dynamic-link Library Injection
- Email Collection
- Emond
- Enumeration
- evasion
- Event Triggered Execution
- Execution
- Exfiltration
- Exfiltration Over Alternative Protocol
- Exfiltration Over C2 Channel
- Exfiltration Over Unencrypted Non-C2 Protocol
- Exfiltration Over Web Service
- Exfiltration to Cloud Storage
- Exfiltration to Code Repository
- Exploit Public-Facing Application
- Exploitation for Client Execution
- Exploitation for Credential Access
- Exploitation for Defense Evasion
- Exploitation for Privilege Escalation
- Exploitation of Remote Services
- External Remote Services
- Fallback Channels
- File and Directory Discovery
- File and Directory Permissions Modification
- File Deletion
- Forced Authentication
- Gatekeeper Bypass
- Gather Victim Identity Information
- Gather Victim Network Information
- Generic
- Golden Ticket
- Group Policy Modification
- Group Policy Preferences
- GUI Input Capture
- Hardware Additions
- Hidden Files and Directories
- Hidden Window
- Hide Artifacts
- Hijack Execution Flow
- IIS Components
- Image File Execution Options Injection
- Impact
- Impair Defenses
- Indicator Removal
- Indicator Removal from Tools
- Indicator Removal on Host
- Indirect Command Execution
- Ingress Tool Transfer
- Inhibit System Recovery
- Initial Access
- Input Capture
- Install Root Certificate
- InstallCore
- InstallUtil
- Inter-Process Communication
- JavaScript
- Kerberoasting
- Kernel Modules and Extensions
- Keychain
- Keylogger
- Keylogging
- Lateral Movement
- Lateral Tool Transfer
- LLMNR/NBT-NS Poisoning and SMB Relay
- Local Account
- Local Accounts
- Local Data Staging
- Local Email Collection
- Local Groups
- Logon Script (Windows)
- lolbas
- LSA Secrets
- LSASS Driver
- LSASS Memory
- Malicious File
- Malicious Link
- Malware
- Masquerade Task or Service
- Masquerading
- Match Legitimate Name or Location
- Mimikatz
- miner
- Modify Authentication Process
- Modify Registry
- MSBuild
- Mshta
- Msiexec
- Multi-Stage Channels
- Native API
- Netsh Helper DLL
- Network Address Translation Traversal
- Network Denial of Service
- Network Service Discovery
- Network Share Connection Removal
- Network Share Discovery
- Network Sniffing
- Non-Application Layer Protocol
- Non-Standard Port
- NTDS
- NTFS File Attributes
- Obfuscated Files or Information
- Odbcconf
- Office Application Startup
- Office Test
- OS Credential Dumping
- Outlook Forms
- Pass the Hash
- Pass the Ticket
- Password Filter DLL
- Password Guessing
- Password Policy Discovery
- Password Spraying
- Path Interception by Search Order Hijacking
- Peripheral Device Discovery
- Permission Groups Discovery
- Persistance
- Persistence
- Phishing
- Port Monitors
- Portable Executable Injection
- PowerShell
- PowerShell Profile
- Private Keys
- Privilege Escalation
- Proc Filesystem
- Process
- Process Discovery
- Process Hollowing
- Process Injection
- Program Download
- Protocol Impersonation
- Protocol Tunneling
- Proxy
- PsExec
- Python
- Query Registry
- ransomware
- RAT
- RDP
- RDP Connection Detection
- RDP Hijacking
- Reconnaissance
- Reflective Code Loading
- Registry Run Keys
- Registry Run Keys / Startup Folder
- Regsvcs/Regasm
- Regsvr32
- Remote Access Software
- Remote Desktop Protocol
- Remote Service Session Hijacking
- Remote Services
- Remote System Discovery
- Rename System Utilities
- Resource Hijacking
- Rogue Domain Controller
- Rootkit
- Run Virtual Instance
- Rundll32
- Scheduled Task
- Scheduled Task/Job
- Scheduled Transfer
- Screen Capture
- Screensaver
- script
- Scripting
- Security Account Manager
- Security Software Discovery
- Security Support Provider
- Service Execution
- Service Registry Permissions Weakness
- Service Stop
- Services File Permissions Weakness
- Services Registry Permissions Weakness
- Shortcut Modification
- SMB/Windows Admin Shares
- smtp
- Software Discovery
- Software Packing
- Spearphishing Attachment
- SQL Stored Procedures
- SSH
- Stage Capabilities
- Standard Encoding
- Standard Enconding
- Startup Folder
- Startup Items
- Steal or Forge Kerberos Tickets
- Stealer
- Steganography
- Stored Data Manipulation
- Subvert Trust Controls
- Sudo and Sudo Caching
- Supply Chain Compromise
- sysmon
- SYSTEM
- System Binary Proxy Execution
- System Checks
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery
- System Script Proxy Execution
- System Service Discovery
- System Services
- System Shutdown/Reboot
- System Time Discovery
- Thread Execution Hijacking
- Timestomp
- Token Impersonation/Theft
- Tool
- Traffic Signaling
- Transport Agent
- Trojan
- Trusted Developer Utilities Proxy Execution
- Unix Shell
- User Account Creation
- User Execution
- Valid Accounts
- Video Capture
- Visual Basic
- Web Protocols
- Web Service
- Web Services
- Web Shell
- Windows Admin Shares
- Windows Command Shell
- Windows Credential Editor
- Windows Credential Manager
- Windows File and Directory Permissions Modification
- Windows Management Instrumentation
- Windows Management Instrumentation Event Subscription
- Windows Remote Management
- Windows Service
- Winlogon Helper DLL
- wireless
- XSL Script Processing