Windows

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Impact
Drive-by Compromise	Command-Line Interface	Accessibility Features Image Debuggers for Accessibility Features	Exploitation for Privilege Escalation	Access Token Manipulation	Account Manipulation	Account Discovery Account Discovery via Built-In Tools Discovery and Enumeration of System Information via Rundll32	Application Deployment Software	Audio Capture Audio Capture via PowerShell Audio Capture via SoundRecorder	Automated Exfiltration	Commonly Used Port	Data Destruction
Exploit Public-Facing Application	Dynamic Data Exchange Executable Written and Executed by Microsoft Office Applications	AppCert DLLs AppCert DLLs Registry Modification	Image File Execution Options Injection Image Debuggers for Accessibility Features	BITS Jobs Suspicious Bitsadmin Job via bitsadmin.exe Suspicious Bitsadmin Job via PowerShell	Brute Force	Application Window Discovery	Distributed Component Object Model	Automated Collection	Data Compressed Command-Line Creation of a RAR file	Communication Through Removable Media	Data Encrypted for Impact
Hardware Additions	Execution through API	AppInit DLLs Persistence via AppInit DLL	SID-History Injection	Binary Padding	Credential Dumping Suspicious Process Loading Credential Vault DLL Credential Enumeration via Credential Vault CLI LSASS Memory Dumping AD Dumping via Ntdsutil.exe LSASS Memory Dumping via ProcDump.exe SAM Dumping via Reg.exe	Browser Bookmark Discovery	Exploitation of Remote Services	Clipboard Data	Data Encrypted	Connection Proxy	Defacement
Spearphishing Attachment	Execution through Module Load	Application Shimming Installing Custom Shim Databases		Bypass User Account Control Bypass UAC via CMSTP	Credentials in Files Searching for Passwords in Files	Domain Trust Discovery Domain Trust Discovery via Nltest.exe Domain Trust Discovery	Logon Scripts Modification of Logon Scripts from Registry	Data Staged WMI Execution with Command Line Redirection	Data Transfer Size Limits	Custom Command and Control Protocol	Disk Content Wipe
Spearphishing Link	Exploitation for Client Execution	Authentication Package LSA Authentication Package		CMSTP Execution via cmstp.exe Bypass UAC via CMSTP	Credentials in Registry	File and Directory Discovery	Pass the Hash	Data from Information Repositories	Exfiltration Over Alternative Protocol	Custom Cryptographic Protocol	Disk Structure Wipe
Spearphishing via Service	Graphical User Interface	Bootkit		Code Signing	Exploitation for Credential Access	Network Service Scanning Network Service Scanning via Port	Pass the Ticket	Data from Local System	Exfiltration Over Command and Control Channel	Data Encoding	Endpoint Denial of Service
Supply Chain Compromise	LSASS Driver	Browser Extensions Suspicious File Creation via Browser Extensions		Compile After Delivery	Forced Authentication	Network Share Discovery Enumeration of Local Shares Enumeration of Remote Shares	Remote Desktop Protocol Remote Desktop Protocol Hijack	Data from Network Shared Drive	Exfiltration Over Other Network Medium	Data Obfuscation	Firmware Corruption
Trusted Relationship	PowerShell	Change Default File Association Change Default File Association		Compiled HTML File HH.exe execution	Input Prompt	Password Policy Discovery	Remote Services Remote Terminal Sessions	Data from Removable Media	Exfiltration Over Physical Medium	Domain Fronting	Inhibit System Recovery Modification of Boot Configuration Volume Shadow Copy Deletion via VssAdmin Volume Shadow Copy Deletion via WMIC
	Scheduled Task Creation of Scheduled Task with schtasks.exe	Create Account User Account Creation		Component Firmware	Kerberoasting	Peripheral Device Discovery	Replication Through Removable Media	Email Collection Access of Outlook Email Archives	Scheduled Transfer	Domain Generation Algorithms	Network Denial of Service
	Service Execution Execution of Existing Service via Command	DLL Search Order Hijacking DLL Search Order Hijacking with known programs		Component Object Model Hijacking COM Hijack via Script Object	LLMNR/NBT-NS Poisoning and Relay	Permission Groups Discovery	Shared Webroot	Input Capture		Fallback Channels	Resource Hijacking
	Third-party Software	External Remote Services		Control Panel Items Control Panel Items	Network Sniffing	Process Discovery Process Discovery via Windows Tools	Taint Shared Content	Man in the Browser		Multi-Stage Channels	Runtime Data Manipulation
	User Execution Executable Written and Executed by Microsoft Office Applications	File System Permissions Weakness		DCShadow	Password Filter DLL Registration of a Password Filter DLL	Query Registry	Windows Admin Shares Mounting Hidden Shares Mounting Windows Hidden Shares with net.exe	Screen Capture		Multi-hop Proxy	Service Stop Service Stop or Disable with sc.exe Stopping Services with net.exe
	Windows Management Instrumentation WMI Execution via Microsoft Office Application Remote Execution via WMIC	Hooking		DLL Side-Loading	Private Keys	Remote System Discovery Windows Network Enumeration Remote System Discovery Commands		Video Capture		Multiband Communication	Stored Data Manipulation
	Windows Remote Management Incoming Remote PowerShell Sessions	Hypervisor		Deobfuscate/Decode Files or Information Encoding or Decoding Files via CertUtil	Two-Factor Authentication Interception	Security Software Discovery Process Discovery via Windows Tools				Multilayer Encryption	Transmitted Data Manipulation
		Modify Existing Service Service Path Modification with sc.exe		Disabling Security Tools Unload Sysmon Filter Driver with fltmc.exe		System Information Discovery Enumeration of System Information System Information Discovery				Remote Access Tools
		Netsh Helper DLL Persistence via NetSh Key		Execution Guardrails		System Network Configuration Discovery Discovery of Network Environment via Built-in Tools				Remote File Copy
		New Service		Exploitation for Defense Evasion		System Network Connections Discovery Enumeration of Mounted Shares				Standard Application Layer Protocol Non-browser processes making DNS requests to Dynamic DNS Providers
		Office Application Startup Office Application Startup via Template File Modification Office Application Startup via Template Registry Modification		Extra Window Memory Injection		System Owner/User Discovery System Owner and User Discovery Discovery and Enumeration of System Information via Rundll32				Standard Cryptographic Protocol
		Path Interception		File Deletion		System Service Discovery				Standard Non-Application Layer Protocol
		Port Monitors Installation of Port Monitor		File Permissions Modification Windows File Permissions Modification		System Time Discovery Discovery of a Remote System’s Time				Uncommonly Used Port
		Registry Run Keys / Startup Folder Startup Folder Execution via VBScript Startup Folder Persistence with Shortcut/VBScript Files Registry Persistence via Run Keys Registry Persistence via Shell Folders		File System Logical Offsets						Web Service
		Screensaver Persistence via Screensaver		Group Policy Modification
		Security Support Provider Installation of Security Support Provider		Hidden Files and Directories Adding the Hidden File Attribute with via attrib.exe
		Service Registry Permissions Weakness		Indicator Blocking
		Shortcut Modification		Indicator Removal from Tools
		System Firmware		Indicator Removal on Host Delete Volume USN Journal with fsutil Host Artifact Deletion Clearing Windows Event Logs with wevtutil
		Time Providers Installation of Time Providers		Indirect Command Execution Indirect Command Execution
		Web Shell		Install Root Certificate Root Certificate Install
		Windows Management Instrumentation Event Subscription		InstallUtil InstallUtil Execution
		Winlogon Helper DLL Registration of Winlogon Helper DLL		Masquerading Processes Running with Unusual Extensions
				Modify Registry Suspicious MS Office Registry Modifications
				Mshta Mshta Descendant of Microsoft Office Mshta Network Connections
				NTFS File Attributes Suspicious ADS File Creation
				Network Share Connection Removal Disconnecting from Network Shares with net.exe
				Obfuscated Files or Information
				Process Doppelgänging
				Process Hollowing Unusual Child Process
				Process Injection Unusual Child Process
				Redundant Access
				Regsvcs/Regasm
				Regsvr32 Suspicious Script Object Execution
				Rootkit
				Rundll32
				SIP and Trust Provider Hijacking
				Scripting
				Signed Binary Proxy Execution
				Signed Script Proxy Execution Proxied Execution via Signed Scripts
				Software Packing
				Template Injection MS Office Template Injection
				Timestomp
				Trusted Developer Utilities
				Valid Accounts
				Virtualization/Sandbox Evasion
				XSL Script Processing