Windows

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Impact
Drive-by Compromise Command-Line Interface

Accessibility Features

Exploitation for Privilege Escalation Access Token Manipulation Account Manipulation

Account Discovery

Application Deployment Software

Audio Capture

Automated Exfiltration Commonly Used Port Data Destruction
Exploit Public-Facing Application Dynamic Data Exchange

AppCert DLLs

Image File Execution Options Injection

BITS Jobs

Brute Force Application Window Discovery Distributed Component Object Model Automated Collection

Data Compressed

Communication Through Removable Media Data Encrypted for Impact
Hardware Additions Execution through API

AppInit DLLs

SID-History Injection Binary Padding

Credential Dumping

Browser Bookmark Discovery Exploitation of Remote Services Clipboard Data Data Encrypted Connection Proxy Defacement
Spearphishing Attachment Execution through Module Load

Application Shimming

 

Bypass User Account Control

Credentials in Files

Domain Trust Discovery

Logon Scripts

Data Staged Data Transfer Size Limits Custom Command and Control Protocol Disk Content Wipe
Spearphishing Link Exploitation for Client Execution

Authentication Package

 

CMSTP

Credentials in Registry File and Directory Discovery Pass the Hash Data from Information Repositories Exfiltration Over Alternative Protocol Custom Cryptographic Protocol Disk Structure Wipe
Spearphishing via Service Graphical User Interface Bootkit   Code Signing Exploitation for Credential Access

Network Service Scanning

Pass the Ticket Data from Local System Exfiltration Over Command and Control Channel Data Encoding Endpoint Denial of Service
Supply Chain Compromise LSASS Driver

Browser Extensions

  Compile After Delivery Forced Authentication

Network Share Discovery

Remote Desktop Protocol

Data from Network Shared Drive Exfiltration Over Other Network Medium Data Obfuscation Firmware Corruption
Trusted Relationship PowerShell

Change Default File Association

  Compiled HTML File Input Prompt Password Policy Discovery

Remote Services

Data from Removable Media Exfiltration Over Physical Medium Domain Fronting

Inhibit System Recovery

 

Scheduled Task

Create Account

  Component Firmware Kerberoasting Peripheral Device Discovery Replication Through Removable Media

Email Collection

Scheduled Transfer Domain Generation Algorithms Network Denial of Service
 

Service Execution

DLL Search Order Hijacking

 

Component Object Model Hijacking

LLMNR/NBT-NS Poisoning and Relay Permission Groups Discovery Shared Webroot Input Capture   Fallback Channels Resource Hijacking
  Third-party Software External Remote Services  

Control Panel Items

Network Sniffing

Process Discovery

Taint Shared Content Man in the Browser   Multi-Stage Channels Runtime Data Manipulation
  User Execution File System Permissions Weakness   DCShadow

Password Filter DLL

Query Registry

Windows Admin Shares

Screen Capture   Multi-hop Proxy

Service Stop

 

Windows Management Instrumentation

Hooking   DLL Side-Loading Private Keys

Remote System Discovery

  Video Capture   Multiband Communication Stored Data Manipulation
 

Windows Remote Management

Hypervisor  

Deobfuscate/Decode Files or Information

Two-Factor Authentication Interception

Security Software Discovery

      Multilayer Encryption Transmitted Data Manipulation
   

Modify Existing Service

 

Disabling Security Tools

 

System Information Discovery

      Remote Access Tools  
   

Netsh Helper DLL

  Execution Guardrails  

System Network Configuration Discovery

      Remote File Copy  
    New Service   Exploitation for Defense Evasion  

System Network Connections Discovery

      Standard Application Layer Protocol  
   

Office Application Startup

  Extra Window Memory Injection  

System Owner/User Discovery

      Standard Cryptographic Protocol  
    Path Interception  

File Deletion

  System Service Discovery       Standard Non-Application Layer Protocol  
   

Port Monitors

 

File Permissions Modification

 

System Time Discovery

      Uncommonly Used Port  
   

Registry Run Keys / Startup Folder

  File System Logical Offsets           Web Service  
   

Screensaver

  Group Policy Modification              
   

Security Support Provider

 

Hidden Files and Directories

             
    Service Registry Permissions Weakness   Indicator Blocking              
    Shortcut Modification   Indicator Removal from Tools              
    System Firmware  

Indicator Removal on Host

             
   

Time Providers

 

Indirect Command Execution

             
    Web Shell  

Install Root Certificate

             
    Windows Management Instrumentation Event Subscription  

InstallUtil

             
   

Winlogon Helper DLL

 

Masquerading

             
        Modify Registry              
       

Mshta

             
       

NTFS File Attributes

             
       

Network Share Connection Removal

             
        Obfuscated Files or Information              
        Process Doppelgänging              
       

Process Hollowing

             
       

Process Injection

             
        Redundant Access              
        Regsvcs/Regasm              
       

Regsvr32

             
        Rootkit              
        Rundll32              
        SIP and Trust Provider Hijacking              
        Scripting              
        Signed Binary Proxy Execution              
       

Signed Script Proxy Execution

             
        Software Packing              
        Template Injection              
        Timestomp              
        Trusted Developer Utilities              
        Valid Accounts              
        Virtualization/Sandbox Evasion              
        XSL Script Processing