Linux

Initial Access
  Drive-by Compromise
  Exploit Public-Facing Application
  Hardware Additions
  Spearphishing Attachment
  Spearphishing Link
  Spearphishing via Service
  Supply Chain Compromise
  Trusted Relationship

Execution
  Command-Line Interface
  Exploitation for Client Execution
  Graphical User Interface
  Source
  Third-party Software
  Trap
  User Execution

Persistence
  .bash_profile and .bashrc
  Bootkit
  Browser Extensions
  Create Account
  Kernel Modules and Extensions
  Local Job Scheduling
  Systemd Service
  Web Shell

Privilege Escalation
  Exploitation for Privilege Escalation
  Setuid and Setgid
  Sudo
  Sudo Caching

Defense Evasion
  Binary Padding
  Clear Command History
  Compile After Delivery
  Disabling Security Tools
  Execution Guardrails
  Exploitation for Defense Evasion
  File Deletion
  File Permissions Modification
  HISTCONTROL
  Hidden Files and Directories
  Indicator Removal from Tools
  Indicator Removal on Host
  Install Root Certificate
  Masquerading
  Obfuscated Files or Information
  Port Knocking
  Process Injection
  Redundant Access
  Rootkit
  Scripting
  Space after Filename
  Timestomp
  Valid Accounts

Credential Access
  Bash History
  Brute Force
  Credential Dumping
  Credentials in Files
  Exploitation for Credential Access
  Network Sniffing
  Private Keys
  Two-Factor Authentication Interception

Discovery
  Account Discovery
  Browser Bookmark Discovery
  File and Directory Discovery
  Network Service Scanning
  Password Policy Discovery
  Permission Groups Discovery
  Process Discovery
  Remote System Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery

Lateral Movement
  Application Deployment Software
  Exploitation of Remote Services
  Remote Services
  SSH Hijacking

Collection
  Audio Capture
  Automated Collection
  Clipboard Data
  Data Staged
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Input Capture
  Screen Capture

Exfiltration
  Automated Exfiltration
  Data Compressed
  Data Encrypted
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
  Exfiltration Over Command and Control Channel
  Exfiltration Over Other Network Medium
  Exfiltration Over Physical Medium
  Scheduled Transfer

Command and Control
  Commonly Used Port
  Communication Through Removable Media
  Connection Proxy
  Custom Command and Control Protocol
  Custom Cryptographic Protocol
  Data Encoding
  Data Obfuscation
  Domain Fronting
  Domain Generation Algorithms
  Fallback Channels
  Multi-Stage Channels
  Multi-hop Proxy
  Multiband Communication
  Multilayer Encryption
  Remote Access Tools
  Remote File Copy
  Standard Application Layer Protocol
  Standard Cryptographic Protocol
  Standard Non-Application Layer Protocol
  Uncommonly Used Port
  Web Service

Impact
  Data Destruction
  Data Encrypted for Impact
  Defacement
  Disk Content Wipe
  Disk Structure Wipe
  Endpoint Denial of Service
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service
  Resource Hijacking
  Runtime Data Manipulation
  Stored Data Manipulation
  Transmitted Data Manipulation