Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact
Drive-by Compromise | Command-Line Interface

Accessibility Features

Exploitation for Privilege Escalation | Access Token Manipulation | Account Manipulation

Account Discovery

Application Deployment Software

Audio Capture

Automated Exfiltration | Commonly Used Port | Data Destruction
Exploit Public-Facing Application

Dynamic Data Exchange

AppCert DLLs

Image File Execution Options Injection


Brute Force | Application Window Discovery | Distributed Component Object Model | Automated Collection

Data Compressed

Communication Through Removable Media | Data Encrypted for Impact
Hardware Additions | Execution through API

AppInit DLLs

SID-History Injection | Binary Padding

Credential Dumping

Browser Bookmark Discovery | Exploitation of Remote Services | Clipboard Data | Data Encrypted | Connection Proxy | Defacement
Spearphishing Attachment | Execution through Module Load

Application Shimming


Bypass User Account Control

Credentials in Files

Domain Trust Discovery

Logon Scripts

Data Staged

Data Transfer Size Limits | Custom Command and Control Protocol | Disk Content Wipe
Spearphishing Link | Exploitation for Client Execution

Authentication Package



Credentials in Registry | File and Directory Discovery | Pass the Hash | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | Disk Structure Wipe
Spearphishing via Service | Graphical User Interface | Bootkit | Code Signing | Exploitation for Credential Access

Network Service Scanning

Pass the Ticket | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | Endpoint Denial of Service
Supply Chain Compromise | LSASS Driver

Browser Extensions

Compile After Delivery | Forced Authentication

Network Share Discovery

Remote Desktop Protocol

Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | Firmware Corruption
Trusted Relationship | PowerShell

Change Default File Association


Compiled HTML File

Input Prompt | Password Policy Discovery

Remote Services

Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting

Inhibit System Recovery


Scheduled Task

Create Account

Component Firmware | Kerberoasting | Peripheral Device Discovery | Replication Through Removable Media

Email Collection

Scheduled Transfer | Domain Generation Algorithms | Network Denial of Service

Service Execution

DLL Search Order Hijacking


Component Object Model Hijacking

LLMNR/NBT-NS Poisoning and Relay | Permission Groups Discovery | Shared Webroot | Input Capture | Fallback Channels | Resource Hijacking
Third-party Software | External Remote Services

Control Panel Items

Network Sniffing

Process Discovery

Taint Shared Content | Man in the Browser | Multi-Stage Channels | Runtime Data Manipulation

User Execution

File System Permissions Weakness | DCShadow

Password Filter DLL

Query Registry

Windows Admin Shares

Screen Capture | Multi-hop Proxy

Service Stop


Windows Management Instrumentation

Hooking | DLL Side-Loading | Private Keys

Remote System Discovery

Video Capture | Multiband Communication | Stored Data Manipulation

Windows Remote Management


Deobfuscate/Decode Files or Information

Two-Factor Authentication Interception

Security Software Discovery

Multilayer Encryption | Transmitted Data Manipulation

Modify Existing Service


Disabling Security Tools


System Information Discovery

      Remote Access Tools  

Netsh Helper DLL

  Execution Guardrails  

System Network Configuration Discovery

      Remote File Copy  
New Service | Exploitation for Defense Evasion

System Network Connections Discovery


Standard Application Layer Protocol


Office Application Startup

  Extra Window Memory Injection  

System Owner/User Discovery

      Standard Cryptographic Protocol  
Path Interception | File Deletion | System Service Discovery | Standard Non-Application Layer Protocol

Port Monitors


File Permissions Modification


System Time Discovery

      Uncommonly Used Port  

Registry Run Keys / Startup Folder

File System Logical Offsets | Web Service


  Group Policy Modification              

Security Support Provider


Hidden Files and Directories

Service Registry Permissions Weakness | Indicator Blocking
Shortcut Modification | Indicator Removal from Tools
    System Firmware  

Indicator Removal on Host


Time Providers


Indirect Command Execution

    Web Shell  

Install Root Certificate

    Windows Management Instrumentation Event Subscription  



Winlogon Helper DLL




Modify Registry




NTFS File Attributes


Network Share Connection Removal

        Obfuscated Files or Information              
        Process Doppelgänging              

Process Hollowing


Process Injection

        Redundant Access              


        SIP and Trust Provider Hijacking              
        Signed Binary Proxy Execution              

Signed Script Proxy Execution

        Software Packing              

Template Injection

        Trusted Developer Utilities              
        Valid Accounts              
        Virtualization/Sandbox Evasion              
        XSL Script Processing