Tactics & Techniques
Resource Development
Obtain Capabilities
Obtain Capabilities: Tool
Stage Capabilities
Stage Capabilities: Upload Malware
Stage Capabilities: Upload Tool
Initial Access
Exploit Public-Facing Application
Supply Chain Compromise
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Supply Chain Compromise: Compromise Software Supply Chain
Phishing
Phishing: Spearphishing Attachment
Defense Evasion
Query Registry
Obfuscated Files or Information
Obfuscated Files or Information: Steganography
Obfuscated Files or Information: Compile After Delivery
Process Injection
Process Injection: Portable Executable Injection
Indicator Removal on Host
Modify Registry
Deobfuscate/Decode Files or Information
Signed Binary Proxy Execution
Signed Binary Proxy Execution: Mshta
File and Directory Permissions Modification
Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism: Bypass User Account Control
Subvert Trust Controls
Subvert Trust Controls: Mark-of-the-Web Bypass
Impair Defenses
Impair Defenses: Disable or Modify Tools
Disable Windows Event Logging
Hijack Execution Flow
Hijack Execution Flow: DLL Side-Loading
Command and Control
Application Layer Protocol
Application Layer Protocol: Web Protocols
Web Service
Web Service: Bidirectional Communication
Multi-Stage Channels
Ingress Tool Transfer
Traffic Signaling
Traffic Signaling: Port Knocking
Remote Access Software
Discovery
System Service Discovery
Query Registry
System Network Configuration Discovery
Remote System Discovery
System Owner/User Discovery
Network Service Scanning
Windows Management Instrumentation
System Network Connections Discovery
Process Discovery
Permission Groups Discovery
Data Staged
Data Staged: Local Data Staging
System Information Discovery
File and Directory Discovery
Account Discovery
Account Discovery: Domain Account
Modify Registry
Network Share Discovery
Domain Trust Discovery
Software Discovery
Impair Defenses
Impair Defenses: Disable or Modify Tools
Cloud Infrastructure Discovery
Container and Resource Discovery
System Location Discovery
Collection
Data from Local System
Input Capture
Input Capture: Keylogging
Data Staged
Data Staged: Local Data Staging
Screen Capture
Email Collection
Email Collection: Local Email Collection
Video Capture
Archive via Custom Method
Persistence
Scheduled Task/Job
Scheduled Task/Job: Cron
Create Account
Create Account: Local Account
Create or Modify System Process
Create or Modify System Process: Launch Agent
Event Triggered Execution
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Event Triggered Execution: Unix Shell Configuration Modification
Event Triggered Execution: Netsh Helper DLL
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution: Security Support Provider
Boot or Logon Autostart Execution: Shortcut Modification
Compromise Client Software Binary
Credential Access
CISA-AA22-216A
OS Credential Dumping: DCSync
Unsecured Credentials
Unsecured Credentials: Private Keys
Unsecured Credentials: Group Policy Preferences
Credentials from Password Stores
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos Tickets: Kerberoasting
Steal or Forge Kerberos Tickets: AS-REP Roasting
Privilege Escalation
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Abuse Elevation Control Mechanism: Setuid and Setgid
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Escape to Host
Lateral Movement
Remote Services
Remote Services: SMB/Windows Admin Shares
Remote Services: SSH
Exploitation of Remote Services
Use Alternate Authentication Material
Lateral Tool Transfer
Execution
Windows Management Instrumentation
Scheduled Task/Job
Scheduled Task/Job: Cron
Command and Scripting Interpreter
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Unix Shell
Command and Scripting Interpreter: Python
Command and Scripting Interpreter: JavaScript
Native API
User Execution
User Execution: Malicious File
Execution Guardrails
Hijack Execution Flow
Hijack Execution Flow: Dylib Hijacking
Exfiltration
Transfer Data to Cloud Account
Archive Collected Data
Exfiltration Over Web Service
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact
Audio Capture
Data Destruction
Data Encrypted for Impact
Service Stop
Inhibit System Recovery
Defacement
Defacement: Internal Defacement
Resource Hijacking
System Shutdown/Reboot
Disk Wipe
Disk Wipe: Disk Structure Wipe