Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Impact
Drive-by Compromise Command-Line Interface

.bash_profile and .bashrc

Exploitation for Privilege Escalation Binary Padding Bash History

Account Discovery

Application Deployment Software Audio Capture Automated Exfiltration Commonly Used Port Data Destruction
Exploit Public-Facing Application Exploitation for Client Execution Bootkit Setuid and Setgid Clear Command History Brute Force Browser Bookmark Discovery Exploitation of Remote Services Automated Collection Data Compressed Communication Through Removable Media Data Encrypted for Impact
Hardware Additions Graphical User Interface Browser Extensions Sudo Compile After Delivery Credential Dumping File and Directory Discovery

Remote Services

Clipboard Data Data Encrypted Connection Proxy Defacement
Spearphishing Attachment Source Create Account Sudo Caching Disabling Security Tools

Credentials in Files

Network Service Scanning

SSH Hijacking

Data Staged

Data Transfer Size Limits Custom Command and Control Protocol Disk Content Wipe
Spearphishing Link Third-party Software

Kernel Modules and Extensions

  Execution Guardrails Exploitation for Credential Access

Password Policy Discovery

  Data from Information Repositories Exfiltration Over Alternative Protocol Custom Cryptographic Protocol Disk Structure Wipe
Spearphishing via Service


Local Job Scheduling

  Exploitation for Defense Evasion Network Sniffing

Permission Groups Discovery

  Data from Local System Exfiltration Over Command and Control Channel Data Encoding Endpoint Denial of Service
Supply Chain Compromise User Execution

Systemd Service

  File Deletion Private Keys

Process Discovery

  Data from Network Shared Drive Exfiltration Over Other Network Medium Data Obfuscation Firmware Corruption
Trusted Relationship   Web Shell   File Permissions Modification Two-Factor Authentication Interception Remote System Discovery   Data from Removable Media Exfiltration Over Physical Medium Domain Fronting Inhibit System Recovery

System Information Discovery

  Input Capture Scheduled Transfer Domain Generation Algorithms Network Denial of Service
        Hidden Files and Directories  

System Network Configuration Discovery

  Screen Capture   Fallback Channels Resource Hijacking
        Indicator Removal from Tools  

System Network Connections Discovery

      Multi-Stage Channels Runtime Data Manipulation
        Indicator Removal on Host   System Owner/User Discovery       Multi-hop Proxy Stored Data Manipulation
        Install Root Certificate           Multiband Communication Transmitted Data Manipulation
        Masquerading           Multilayer Encryption  
        Obfuscated Files or Information           Remote Access Tools  
        Port Knocking           Remote File Copy  

Process Injection

          Standard Application Layer Protocol  
        Redundant Access           Standard Cryptographic Protocol  
        Rootkit           Standard Non-Application Layer Protocol  
        Scripting           Uncommonly Used Port  

Space after Filename

          Web Service  
        Valid Accounts