Drive-by Compromise |
AppleScript |
.bash_profile and .bashrc
|
Exploitation for Privilege Escalation |
Access Token Manipulation |
Account Manipulation |
Account Discovery
|
Application Deployment Software |
Audio Capture
|
Automated Exfiltration |
Commonly Used Port |
Data Destruction |
Exploit Public-Facing Application |
Command-Line Interface |
Accessibility Features
|
Image File Execution Options Injection
|
BITS Jobs
|
Bash History |
Application Window Discovery |
Distributed Component Object Model |
Automated Collection |
Data Compressed
|
Communication Through Removable Media |
Data Encrypted for Impact |
Hardware Additions |
Dynamic Data Exchange
|
AppCert DLLs
|
SID-History Injection |
Binary Padding |
Brute Force |
Browser Bookmark Discovery |
Exploitation of Remote Services |
Clipboard Data
|
Data Encrypted |
Connection Proxy |
Defacement |
Spearphishing Attachment |
Execution through API |
AppInit DLLs
|
Setuid and Setgid |
Bypass User Account Control
|
Credential Dumping
|
Domain Trust Discovery
|
Logon Scripts
|
Data Staged
|
Data Transfer Size Limits |
Custom Command and Control Protocol |
Disk Content Wipe |
Spearphishing Link |
Execution through Module Load |
Application Shimming
|
Sudo |
CMSTP
|
Credentials in Files
|
File and Directory Discovery |
Pass the Hash |
Data from Information Repositories |
Exfiltration Over Alternative Protocol |
Custom Cryptographic Protocol |
Disk Structure Wipe |
Spearphishing via Service |
Exploitation for Client Execution |
Authentication Package
|
Sudo Caching |
Clear Command History |
Credentials in Registry |
Network Service Scanning
|
Pass the Ticket |
Data from Local System |
Exfiltration Over Command and Control Channel |
Data Encoding |
Endpoint Denial of Service |
Supply Chain Compromise |
Graphical User Interface |
Bootkit |
|
Code Signing |
Exploitation for Credential Access |
Network Share Discovery
|
Remote Desktop Protocol
|
Data from Network Shared Drive |
Exfiltration Over Other Network Medium |
Data Obfuscation |
Firmware Corruption |
Trusted Relationship |
LSASS Driver |
Browser Extensions
|
|
Compile After Delivery |
Forced Authentication |
Password Policy Discovery
|
Remote Services
|
Data from Removable Media |
Exfiltration Over Physical Medium |
Domain Fronting |
Inhibit System Recovery
|
|
PowerShell |
Change Default File Association
|
|
Compiled HTML File
|
Input Prompt |
Peripheral Device Discovery |
Replication Through Removable Media |
Email Collection
|
Scheduled Transfer |
Domain Generation Algorithms |
Network Denial of Service |
|
Scheduled Task
|
Create Account
|
|
Component Firmware |
Kerberoasting |
Permission Groups Discovery
|
SSH Hijacking |
Input Capture |
|
Fallback Channels |
Resource Hijacking |
|
Service Execution
|
DLL Search Order Hijacking
|
|
Component Object Model Hijacking
|
Keychain |
Process Discovery
|
Shared Webroot |
Man in the Browser |
|
Multi-Stage Channels |
Runtime Data Manipulation |
|
Source |
Dylib Hijacking |
|
Control Panel Items
|
LLMNR/NBT-NS Poisoning and Relay |
Query Registry |
Taint Shared Content |
Screen Capture |
|
Multi-hop Proxy |
Service Stop
|
|
Third-party Software |
External Remote Services |
|
DCShadow |
Network Sniffing |
Remote System Discovery
|
Windows Admin Shares
|
Video Capture |
|
Multiband Communication |
Stored Data Manipulation |
|
Trap
|
File System Permissions Weakness |
|
DLL Side-Loading |
Password Filter DLL
|
Security Software Discovery
|
|
|
|
Multilayer Encryption |
Transmitted Data Manipulation |
|
User Execution
|
Hooking |
|
Deobfuscate/Decode Files or Information
|
Private Keys |
System Information Discovery
|
|
|
|
Remote Access Tools |
|
|
Windows Management Instrumentation
|
Hypervisor |
|
Disabling Security Tools
|
Securityd Memory |
System Network Configuration Discovery
|
|
|
|
Remote File Copy |
|
|
Windows Remote Management
|
Kernel Modules and Extensions
|
|
Execution Guardrails |
Two-Factor Authentication Interception |
System Network Connections Discovery
|
|
|
|
Standard Application Layer Protocol
|
|
|
|
LC_LOAD_DYLIB Addition |
|
Exploitation for Defense Evasion |
|
System Owner/User Discovery
|
|
|
|
Standard Cryptographic Protocol |
|
|
|
Launch Agent
|
|
Extra Window Memory Injection |
|
System Service Discovery |
|
|
|
Standard Non-Application Layer Protocol |
|
|
|
Launch Daemon
|
|
File Deletion |
|
System Time Discovery
|
|
|
|
Uncommonly Used Port |
|
|
|
Local Job Scheduling
|
|
File Permissions Modification
|
|
|
|
|
|
Web Service |
|
|
|
Login Item |
|
File System Logical Offsets |
|
|
|
|
|
|
|
|
|
Modify Existing Service
|
|
Gatekeeper Bypass
|
|
|
|
|
|
|
|
|
|
Netsh Helper DLL
|
|
Group Policy Modification |
|
|
|
|
|
|
|
|
|
New Service |
|
HISTCONTROL |
|
|
|
|
|
|
|
|
|
Office Application Startup
|
|
Hidden Files and Directories
|
|
|
|
|
|
|
|
|
|
Path Interception |
|
Hidden Users |
|
|
|
|
|
|
|
|
|
Port Monitors
|
|
Hidden Window |
|
|
|
|
|
|
|
|
|
Rc.common
|
|
Indicator Blocking |
|
|
|
|
|
|
|
|
|
Re-opened Applications
|
|
Indicator Removal from Tools |
|
|
|
|
|
|
|
|
|
Registry Run Keys / Startup Folder
|
|
Indicator Removal on Host
|
|
|
|
|
|
|
|
|
|
Screensaver
|
|
Indirect Command Execution
|
|
|
|
|
|
|
|
|
|
Security Support Provider
|
|
Install Root Certificate
|
|
|
|
|
|
|
|
|
|
Service Registry Permissions Weakness |
|
InstallUtil
|
|
|
|
|
|
|
|
|
|
Shortcut Modification |
|
LC_MAIN Hijacking |
|
|
|
|
|
|
|
|
|
Startup Items |
|
Launchctl |
|
|
|
|
|
|
|
|
|
System Firmware |
|
Masquerading
|
|
|
|
|
|
|
|
|
|
Systemd Service
|
|
Modify Registry
|
|
|
|
|
|
|
|
|
|
Time Providers
|
|
Mshta
|
|
|
|
|
|
|
|
|
|
Web Shell |
|
NTFS File Attributes
|
|
|
|
|
|
|
|
|
|
Windows Management Instrumentation Event Subscription |
|
Network Share Connection Removal
|
|
|
|
|
|
|
|
|
|
Winlogon Helper DLL
|
|
Obfuscated Files or Information |
|
|
|
|
|
|
|
|
|
|
|
Plist Modification
|
|
|
|
|
|
|
|
|
|
|
|
Port Knocking |
|
|
|
|
|
|
|
|
|
|
|
Process Doppelgänging |
|
|
|
|
|
|
|
|
|
|
|
Process Hollowing
|
|
|
|
|
|
|
|
|
|
|
|
Process Injection
|
|
|
|
|
|
|
|
|
|
|
|
Redundant Access |
|
|
|
|
|
|
|
|
|
|
|
Regsvcs/Regasm |
|
|
|
|
|
|
|
|
|
|
|
Regsvr32
|
|
|
|
|
|
|
|
|
|
|
|
Rootkit |
|
|
|
|
|
|
|
|
|
|
|
Rundll32 |
|
|
|
|
|
|
|
|
|
|
|
SIP and Trust Provider Hijacking |
|
|
|
|
|
|
|
|
|
|
|
Scripting |
|
|
|
|
|
|
|
|
|
|
|
Signed Binary Proxy Execution |
|
|
|
|
|
|
|
|
|
|
|
Signed Script Proxy Execution
|
|
|
|
|
|
|
|
|
|
|
|
Software Packing |
|
|
|
|
|
|
|
|
|
|
|
Space after Filename
|
|
|
|
|
|
|
|
|
|
|
|
Template Injection
|
|
|
|
|
|
|
|
|
|
|
|
Timestomp |
|
|
|
|
|
|
|
|
|
|
|
Trusted Developer Utilities |
|
|
|
|
|
|
|
|
|
|
|
Valid Accounts |
|
|
|
|
|
|
|
|
|
|
|
Virtualization/Sandbox Evasion |
|
|
|
|
|
|
|
|
|
|
|
XSL Script Processing |
|
|
|
|
|
|
|