MITRE ATT&CK Enterprise v19.1

T1595 Active Scanning 3 subtechniques 2 covered

• T1595.001 Scanning IP Blocks
• T1595.002 Vulnerability Scanning
• T1595.003 Wordlist Scanning

T1592 Gather Victim Host Information 4 subtechniques

• T1592.001 Hardware
• T1592.002 Software
• T1592.003 Firmware
• T1592.004 Client Configurations

T1589 Gather Victim Identity Information 3 subtechniques

• T1589.001 Credentials
• T1589.002 Email Addresses
• T1589.003 Employee Names

T1590 Gather Victim Network Information 6 subtechniques

• T1590.001 Domain Properties
• T1590.002 DNS
• T1590.003 Network Trust Dependencies
• T1590.004 Network Topology
• T1590.005 IP Addresses
• T1590.006 Network Security Appliances

T1591 Gather Victim Org Information 4 subtechniques

• T1591.001 Determine Physical Locations
• T1591.002 Business Relationships
• T1591.003 Identify Business Tempo
• T1591.004 Identify Roles

T1598 Phishing for Information 4 subtechniques

• T1598.001 Spearphishing Service
• T1598.002 Spearphishing Attachment
• T1598.003 Spearphishing Link
• T1598.004 Spearphishing Voice

T1682 Query Public AI Services

T1597 Search Closed Sources 2 subtechniques

• T1597.001 Threat Intel Vendors
• T1597.002 Purchase Technical Data

T1596 Search Open Technical Databases 5 subtechniques

• T1596.001 DNS/Passive DNS
• T1596.002 WHOIS
• T1596.003 Digital Certificates
• T1596.004 CDNs
• T1596.005 Scan Databases

T1593 Search Open Websites/Domains 3 subtechniques

• T1593.001 Social Media
• T1593.002 Search Engines
• T1593.003 Code Repositories

T1681 Search Threat Vendor Data

T1594 Search Victim-Owned Websites

T1650 Acquire Access

T1583 Acquire Infrastructure 8 subtechniques

• T1583.001 Domains
• T1583.002 DNS Server
• T1583.003 Virtual Private Server
• T1583.004 Server
• T1583.005 Botnet
• T1583.006 Web Services
• T1583.007 Serverless
• T1583.008 Malvertising

T1586 Compromise Accounts 3 subtechniques

• T1586.001 Social Media Accounts
• T1586.002 Email Accounts
• T1586.003 Cloud Accounts

T1584 Compromise Infrastructure 8 subtechniques

• T1584.001 Domains
• T1584.002 DNS Server
• T1584.003 Virtual Private Server
• T1584.004 Server
• T1584.005 Botnet
• T1584.006 Web Services
• T1584.007 Serverless
• T1584.008 Network Devices

T1587 Develop Capabilities 4 subtechniques

• T1587.001 Malware
• T1587.002 Code Signing Certificates
• T1587.003 Digital Certificates
• T1587.004 Exploits

T1585 Establish Accounts 3 subtechniques

• T1585.001 Social Media Accounts
• T1585.002 Email Accounts
• T1585.003 Cloud Accounts

T1683 Generate Content 2 subtechniques

• T1683.001 Written Content
• T1683.002 Audio-Visual Content

T1588 Obtain Capabilities 7 subtechniques

• T1588.001 Malware
• T1588.002 Tool
• T1588.003 Code Signing Certificates
• T1588.004 Digital Certificates
• T1588.005 Exploits
• T1588.006 Vulnerabilities
• T1588.007 Artificial Intelligence

T1608 Stage Capabilities 6 subtechniques

• T1608.001 Upload Malware
• T1608.002 Upload Tool
• T1608.003 Install Digital Certificate
• T1608.004 Drive-by Target
• T1608.005 Link Target
• T1608.006 SEO Poisoning

T1659 Content Injection

T1189 Drive-by Compromise

T1190 Exploit Public-Facing Application

T1133 External Remote Services

T1200 Hardware Additions

T1566 Phishing 4 subtechniques

• T1566.001 Spearphishing Attachment
• T1566.002 Spearphishing Link
• T1566.003 Spearphishing via Service
• T1566.004 Spearphishing Voice

T1091 Replication Through Removable Media

T1195 Supply Chain Compromise 3 subtechniques

• T1195.001 Compromise Software Dependencies and Development Tools
• T1195.002 Compromise Software Supply Chain
• T1195.003 Compromise Hardware Supply Chain

T1199 Trusted Relationship

T1078 Valid Accounts 4 subtechniques

• T1078.001 Default Accounts
• T1078.002 Domain Accounts
• T1078.003 Local Accounts
• T1078.004 Cloud Accounts

T1669 Wi-Fi Networks

T1197 BITS Jobs

T1651 Cloud Administration Command

T1059 Command and Scripting Interpreter 13 subtechniques

• T1059.001 PowerShell
• T1059.002 AppleScript
• T1059.003 Windows Command Shell
• T1059.004 Unix Shell
• T1059.005 Visual Basic
• T1059.006 Python
• T1059.007 JavaScript
• T1059.008 Network Device CLI
• T1059.009 Cloud API
• T1059.010 AutoHotKey & AutoIT
• T1059.011 Lua
• T1059.012 Hypervisor CLI
• T1059.013 Container CLI/API

T1609 Container Administration Command

T1610 Deploy Container

T1675 ESXi Administration Command

T1203 Exploitation for Client Execution

T1574 Hijack Execution Flow 12 subtechniques

• T1574.001 DLL
• T1574.004 Dylib Hijacking
• T1574.005 Executable Installer File Permissions Weakness
• T1574.006 Dynamic Linker Hijacking
• T1574.007 Path Interception by PATH Environment Variable
• T1574.008 Path Interception by Search Order Hijacking
• T1574.009 Path Interception by Unquoted Path
• T1574.010 Services File Permissions Weakness
• T1574.011 Services Registry Permissions Weakness
• T1574.012 COR_PROFILER
• T1574.013 KernelCallbackTable
• T1574.014 AppDomainManager

T1674 Input Injection

T1559 Inter-Process Communication 3 subtechniques

• T1559.001 Component Object Model
• T1559.002 Dynamic Data Exchange
• T1559.003 XPC Services

T1106 Native API

T1677 Poisoned Pipeline Execution

T1053 Scheduled Task/Job 5 subtechniques

• T1053.002 At
• T1053.003 Cron
• T1053.005 Scheduled Task
• T1053.006 Systemd Timers
• T1053.007 Container Orchestration Job

T1648 Serverless Execution

T1129 Shared Modules

T1072 Software Deployment Tools

T1569 System Services 3 subtechniques

• T1569.001 Launchctl
• T1569.002 Service Execution
• T1569.003 Systemctl

T1127 Trusted Developer Utilities Proxy Execution 3 subtechniques

• T1127.001 MSBuild
• T1127.002 ClickOnce
• T1127.003 JamPlus

T1204 User Execution 5 subtechniques

• T1204.001 Malicious Link
• T1204.002 Malicious File
• T1204.003 Malicious Image
• T1204.004 Malicious Copy and Paste
• T1204.005 Malicious Library

T1047 Windows Management Instrumentation

T1098 Account Manipulation 7 subtechniques

• T1098.001 Additional Cloud Credentials
• T1098.002 Additional Email Delegate Permissions
• T1098.003 Additional Cloud Roles
• T1098.004 SSH Authorized Keys
• T1098.005 Device Registration
• T1098.006 Additional Container Cluster Roles
• T1098.007 Additional Local or Domain Groups

T1197 BITS Jobs

T1547 Boot or Logon Autostart Execution 14 subtechniques

• T1547.001 Registry Run Keys / Startup Folder
• T1547.002 Authentication Package
• T1547.003 Time Providers
• T1547.004 Winlogon Helper DLL
• T1547.005 Security Support Provider
• T1547.006 Kernel Modules and Extensions
• T1547.007 Re-opened Applications
• T1547.008 LSASS Driver
• T1547.009 Shortcut Modification
• T1547.010 Port Monitors
• T1547.012 Print Processors
• T1547.013 XDG Autostart Entries
• T1547.014 Active Setup
• T1547.015 Login Items

T1037 Boot or Logon Initialization Scripts 5 subtechniques

• T1037.001 Logon Script (Windows)
• T1037.002 Login Hook
• T1037.003 Network Logon Script
• T1037.004 RC Scripts
• T1037.005 Startup Items

T1671 Cloud Application Integration

T1554 Compromise Host Software Binary

T1136 Create Account 3 subtechniques

• T1136.001 Local Account
• T1136.002 Domain Account
• T1136.003 Cloud Account

T1543 Create or Modify System Process 5 subtechniques

• T1543.001 Launch Agent
• T1543.002 Systemd Service
• T1543.003 Windows Service
• T1543.004 Launch Daemon
• T1543.005 Container Service

T1546 Event Triggered Execution 18 subtechniques

• T1546.001 Change Default File Association
• T1546.002 Screensaver
• T1546.003 Windows Management Instrumentation Event Subscription
• T1546.004 Unix Shell Configuration Modification
• T1546.005 Trap
• T1546.006 LC_LOAD_DYLIB Addition
• T1546.007 Netsh Helper DLL
• T1546.008 Accessibility Features
• T1546.009 AppCert DLLs
• T1546.010 AppInit DLLs
• T1546.011 Application Shimming
• T1546.012 Image File Execution Options Injection
• T1546.013 PowerShell Profile
• T1546.014 Emond
• T1546.015 Component Object Model Hijacking
• T1546.016 Installer Packages
• T1546.017 Udev Rules
• T1546.018 Python Startup Hooks

T1668 Exclusive Control

T1133 External Remote Services

T1525 Implant Internal Image

T1556 Modify Authentication Process 9 subtechniques

• T1556.001 Domain Controller Authentication
• T1556.002 Password Filter DLL
• T1556.003 Pluggable Authentication Modules
• T1556.004 Network Device Authentication
• T1556.005 Reversible Encryption
• T1556.006 Multi-Factor Authentication
• T1556.007 Hybrid Identity
• T1556.008 Network Provider DLL
• T1556.009 Conditional Access Policies

T1112 Modify Registry

T1137 Office Application Startup 6 subtechniques

• T1137.001 Office Template Macros
• T1137.002 Office Test
• T1137.003 Outlook Forms
• T1137.004 Outlook Home Page
• T1137.005 Outlook Rules
• T1137.006 Add-ins

T1653 Power Settings

T1542 Pre-OS Boot 5 subtechniques

• T1542.001 System Firmware
• T1542.002 Component Firmware
• T1542.003 Bootkit
• T1542.004 ROMMONkit
• T1542.005 TFTP Boot

T1053 Scheduled Task/Job 5 subtechniques

• T1053.002 At
• T1053.003 Cron
• T1053.005 Scheduled Task
• T1053.006 Systemd Timers
• T1053.007 Container Orchestration Job

T1505 Server Software Component 6 subtechniques

• T1505.001 SQL Stored Procedures
• T1505.002 Transport Agent
• T1505.003 Web Shell
• T1505.004 IIS Components
• T1505.005 Terminal Services DLL
• T1505.006 vSphere Installation Bundles

T1176 Software Extensions 2 subtechniques

• T1176.001 Browser Extensions
• T1176.002 IDE Extensions

T1205 Traffic Signaling 2 subtechniques

• T1205.001 Port Knocking
• T1205.002 Socket Filters

T1078 Valid Accounts 4 subtechniques

• T1078.001 Default Accounts
• T1078.002 Domain Accounts
• T1078.003 Local Accounts
• T1078.004 Cloud Accounts

T1548 Abuse Elevation Control Mechanism 6 subtechniques

• T1548.001 Setuid and Setgid
• T1548.002 Bypass User Account Control
• T1548.003 Sudo and Sudo Caching
• T1548.004 Elevated Execution with Prompt
• T1548.005 Temporary Elevated Cloud Access
• T1548.006 TCC Manipulation

T1134 Access Token Manipulation 5 subtechniques

• T1134.001 Token Impersonation/Theft
• T1134.002 Create Process with Token
• T1134.003 Make and Impersonate Token
• T1134.004 Parent PID Spoofing
• T1134.005 SID-History Injection

T1098 Account Manipulation 7 subtechniques

• T1098.001 Additional Cloud Credentials
• T1098.002 Additional Email Delegate Permissions
• T1098.003 Additional Cloud Roles
• T1098.004 SSH Authorized Keys
• T1098.005 Device Registration
• T1098.006 Additional Container Cluster Roles
• T1098.007 Additional Local or Domain Groups

T1547 Boot or Logon Autostart Execution 14 subtechniques

• T1547.001 Registry Run Keys / Startup Folder
• T1547.002 Authentication Package
• T1547.003 Time Providers
• T1547.004 Winlogon Helper DLL
• T1547.005 Security Support Provider
• T1547.006 Kernel Modules and Extensions
• T1547.007 Re-opened Applications
• T1547.008 LSASS Driver
• T1547.009 Shortcut Modification
• T1547.010 Port Monitors
• T1547.012 Print Processors
• T1547.013 XDG Autostart Entries
• T1547.014 Active Setup
• T1547.015 Login Items

T1037 Boot or Logon Initialization Scripts 5 subtechniques

• T1037.001 Logon Script (Windows)
• T1037.002 Login Hook
• T1037.003 Network Logon Script
• T1037.004 RC Scripts
• T1037.005 Startup Items

T1543 Create or Modify System Process 5 subtechniques

• T1543.001 Launch Agent
• T1543.002 Systemd Service
• T1543.003 Windows Service
• T1543.004 Launch Daemon
• T1543.005 Container Service

T1484 Domain or Tenant Policy Modification 2 subtechniques

• T1484.001 Group Policy Modification
• T1484.002 Trust Modification

T1611 Escape to Host

T1546 Event Triggered Execution 18 subtechniques

• T1546.001 Change Default File Association
• T1546.002 Screensaver
• T1546.003 Windows Management Instrumentation Event Subscription
• T1546.004 Unix Shell Configuration Modification
• T1546.005 Trap
• T1546.006 LC_LOAD_DYLIB Addition
• T1546.007 Netsh Helper DLL
• T1546.008 Accessibility Features
• T1546.009 AppCert DLLs
• T1546.010 AppInit DLLs
• T1546.011 Application Shimming
• T1546.012 Image File Execution Options Injection
• T1546.013 PowerShell Profile
• T1546.014 Emond
• T1546.015 Component Object Model Hijacking
• T1546.016 Installer Packages
• T1546.017 Udev Rules
• T1546.018 Python Startup Hooks

T1068 Exploitation for Privilege Escalation

T1055 Process Injection 12 subtechniques

• T1055.001 Dynamic-link Library Injection
• T1055.002 Portable Executable Injection
• T1055.003 Thread Execution Hijacking
• T1055.004 Asynchronous Procedure Call
• T1055.005 Thread Local Storage
• T1055.008 Ptrace System Calls
• T1055.009 Proc Memory
• T1055.011 Extra Window Memory Injection
• T1055.012 Process Hollowing
• T1055.013 Process Doppelgänging
• T1055.014 VDSO Hijacking
• T1055.015 ListPlanting

T1053 Scheduled Task/Job 5 subtechniques

• T1053.002 At
• T1053.003 Cron
• T1053.005 Scheduled Task
• T1053.006 Systemd Timers
• T1053.007 Container Orchestration Job

T1078 Valid Accounts 4 subtechniques

• T1078.001 Default Accounts
• T1078.002 Domain Accounts
• T1078.003 Local Accounts
• T1078.004 Cloud Accounts

T1134 Access Token Manipulation 5 subtechniques

• T1134.001 Token Impersonation/Theft
• T1134.002 Create Process with Token
• T1134.003 Make and Impersonate Token
• T1134.004 Parent PID Spoofing
• T1134.005 SID-History Injection

T1197 BITS Jobs

T1612 Build Image on Host

T1622 Debugger Evasion

T1678 Delay Execution

T1140 Deobfuscate/Decode Files or Information

T1006 Direct Volume Access

T1480 Execution Guardrails 2 subtechniques

• T1480.001 Environmental Keying
• T1480.002 Mutual Exclusion

T1211 Exploitation for Stealth

T1564 Hide Artifacts 14 subtechniques

• T1564.001 Hidden Files and Directories
• T1564.002 Hidden Users
• T1564.003 Hidden Window
• T1564.004 NTFS File Attributes
• T1564.005 Hidden File System
• T1564.006 Run Virtual Instance
• T1564.007 VBA Stomping
• T1564.008 Email Hiding Rules
• T1564.009 Resource Forking
• T1564.010 Process Argument Spoofing
• T1564.011 Ignore Process Interrupts
• T1564.012 File/Path Exclusions
• T1564.013 Bind Mounts
• T1564.014 Extended Attributes

T1574 Hijack Execution Flow 12 subtechniques

• T1574.001 DLL
• T1574.004 Dylib Hijacking
• T1574.005 Executable Installer File Permissions Weakness
• T1574.006 Dynamic Linker Hijacking
• T1574.007 Path Interception by PATH Environment Variable
• T1574.008 Path Interception by Search Order Hijacking
• T1574.009 Path Interception by Unquoted Path
• T1574.010 Services File Permissions Weakness
• T1574.011 Services Registry Permissions Weakness
• T1574.012 COR_PROFILER
• T1574.013 KernelCallbackTable
• T1574.014 AppDomainManager

T1070 Indicator Removal 8 subtechniques

• T1070.003 Clear Command History
• T1070.004 File Deletion
• T1070.005 Network Share Connection Removal
• T1070.006 Timestomp
• T1070.007 Clear Network Connection History and Configurations
• T1070.008 Clear Mailbox Data
• T1070.009 Clear Persistence
• T1070.010 Relocate Malware

T1202 Indirect Command Execution

T1036 Masquerading 12 subtechniques

• T1036.001 Invalid Code Signature
• T1036.002 Right-to-Left Override
• T1036.003 Rename Legitimate Utilities
• T1036.004 Masquerade Task or Service
• T1036.005 Match Legitimate Resource Name or Location
• T1036.006 Space after Filename
• T1036.007 Double File Extension
• T1036.008 Masquerade File Type
• T1036.009 Break Process Trees
• T1036.010 Masquerade Account Name
• T1036.011 Overwrite Process Arguments
• T1036.012 Browser Fingerprint

T1027 Obfuscated Files or Information 18 subtechniques

• T1027.001 Binary Padding
• T1027.002 Software Packing
• T1027.003 Steganography
• T1027.004 Compile After Delivery
• T1027.005 Indicator Removal from Tools
• T1027.006 HTML Smuggling
• T1027.007 Dynamic API Resolution
• T1027.008 Stripped Payloads
• T1027.009 Embedded Payloads
• T1027.010 Command Obfuscation
• T1027.011 Fileless Storage
• T1027.012 LNK Icon Smuggling
• T1027.013 Encrypted/Encoded File
• T1027.014 Polymorphic Code
• T1027.015 Compression
• T1027.016 Junk Code Insertion
• T1027.017 SVG Smuggling
• T1027.018 Invisible Unicode

T1542 Pre-OS Boot 5 subtechniques

• T1542.001 System Firmware
• T1542.002 Component Firmware
• T1542.003 Bootkit
• T1542.004 ROMMONkit
• T1542.005 TFTP Boot

T1055 Process Injection 12 subtechniques

• T1055.001 Dynamic-link Library Injection
• T1055.002 Portable Executable Injection
• T1055.003 Thread Execution Hijacking
• T1055.004 Asynchronous Procedure Call
• T1055.005 Thread Local Storage
• T1055.008 Ptrace System Calls
• T1055.009 Proc Memory
• T1055.011 Extra Window Memory Injection
• T1055.012 Process Hollowing
• T1055.013 Process Doppelgänging
• T1055.014 VDSO Hijacking
• T1055.015 ListPlanting

T1620 Reflective Code Loading

T1014 Rootkit

T1679 Selective Exclusion

T1684 Social Engineering 2 subtechniques

• T1684.001 Impersonation
• T1684.002 Email Spoofing

T1218 System Binary Proxy Execution 14 subtechniques

• T1218.001 Compiled HTML File
• T1218.002 Control Panel
• T1218.003 CMSTP
• T1218.004 InstallUtil
• T1218.005 Mshta
• T1218.007 Msiexec
• T1218.008 Odbcconf
• T1218.009 Regsvcs/Regasm
• T1218.010 Regsvr32
• T1218.011 Rundll32
• T1218.012 Verclsid
• T1218.013 Mavinject
• T1218.014 MMC
• T1218.015 Electron Applications

T1216 System Script Proxy Execution 2 subtechniques

• T1216.001 PubPrn
• T1216.002 SyncAppvPublishingServer

T1221 Template Injection

T1205 Traffic Signaling 2 subtechniques

• T1205.001 Port Knocking
• T1205.002 Socket Filters

T1127 Trusted Developer Utilities Proxy Execution 3 subtechniques

• T1127.001 MSBuild
• T1127.002 ClickOnce
• T1127.003 JamPlus

T1535 Unused/Unsupported Cloud Regions

T1078 Valid Accounts 4 subtechniques

• T1078.001 Default Accounts
• T1078.002 Domain Accounts
• T1078.003 Local Accounts
• T1078.004 Cloud Accounts

T1497 Virtualization/Sandbox Evasion 3 subtechniques

• T1497.001 System Checks
• T1497.002 User Activity Based Checks
• T1497.003 Time Based Checks

T1220 XSL Script Processing

T1686 Disable or Modify System Firewall 3 subtechniques

• T1686.001 Cloud Firewall
• T1686.002 Network Device Firewall
• T1686.003 Windows Host Firewall

T1685 Disable or Modify Tools 6 subtechniques

• T1685.001 Disable or Modify Windows Event Log
• T1685.002 Disable or Modify Cloud Log
• T1685.003 Modify or Spoof Tool UI
• T1685.004 Disable or Modify Linux Audit System Log
• T1685.005 Clear Windows Event Logs
• T1685.006 Clear Linux or Mac System Logs

T1484 Domain or Tenant Policy Modification 2 subtechniques

• T1484.001 Group Policy Modification
• T1484.002 Trust Modification

T1689 Downgrade Attack

T1687 Exploitation for Defense Impairment

T1222 File and Directory Permissions Modification 2 subtechniques

• T1222.001 Windows Permissions
• T1222.002 Linux and Mac Permissions

T1556 Modify Authentication Process 9 subtechniques

• T1556.001 Domain Controller Authentication
• T1556.002 Password Filter DLL
• T1556.003 Pluggable Authentication Modules
• T1556.004 Network Device Authentication
• T1556.005 Reversible Encryption
• T1556.006 Multi-Factor Authentication
• T1556.007 Hybrid Identity
• T1556.008 Network Provider DLL
• T1556.009 Conditional Access Policies

T1578 Modify Cloud Compute Infrastructure 5 subtechniques

• T1578.001 Create Snapshot
• T1578.002 Create Cloud Instance
• T1578.003 Delete Cloud Instance
• T1578.004 Revert Cloud Instance
• T1578.005 Modify Cloud Compute Configurations

T1666 Modify Cloud Resource Hierarchy

T1112 Modify Registry

T1601 Modify System Image 2 subtechniques

• T1601.001 Patch System Image
• T1601.002 Downgrade System Image

T1599 Network Boundary Bridging 1 subtechniques

• T1599.001 Network Address Translation Traversal

T1647 Plist File Modification

T1690 Prevent Command History Logging

T1207 Rogue Domain Controller

T1688 Safe Mode Boot

T1553 Subvert Trust Controls 6 subtechniques

• T1553.001 Gatekeeper Bypass
• T1553.002 Code Signing
• T1553.003 SIP and Trust Provider Hijacking
• T1553.004 Install Root Certificate
• T1553.005 Mark-of-the-Web Bypass
• T1553.006 Code Signing Policy Modification

T1600 Weaken Encryption 2 subtechniques

• T1600.001 Reduce Key Space
• T1600.002 Disable Crypto Hardware

T1557 Adversary-in-the-Middle 4 subtechniques

• T1557.001 Name Resolution Poisoning and SMB Relay
• T1557.002 ARP Cache Poisoning
• T1557.003 DHCP Spoofing
• T1557.004 Evil Twin

T1110 Brute Force 4 subtechniques

• T1110.001 Password Guessing
• T1110.002 Password Cracking
• T1110.003 Password Spraying
• T1110.004 Credential Stuffing

T1555 Credentials from Password Stores 6 subtechniques

• T1555.001 Keychain
• T1555.002 Securityd Memory
• T1555.003 Credentials from Web Browsers
• T1555.004 Windows Credential Manager
• T1555.005 Password Managers
• T1555.006 Cloud Secrets Management Stores

T1212 Exploitation for Credential Access

T1187 Forced Authentication

T1606 Forge Web Credentials 2 subtechniques

• T1606.001 Web Cookies
• T1606.002 SAML Tokens

T1056 Input Capture 4 subtechniques

• T1056.001 Keylogging
• T1056.002 GUI Input Capture
• T1056.003 Web Portal Capture
• T1056.004 Credential API Hooking

T1556 Modify Authentication Process 9 subtechniques

• T1556.001 Domain Controller Authentication
• T1556.002 Password Filter DLL
• T1556.003 Pluggable Authentication Modules
• T1556.004 Network Device Authentication
• T1556.005 Reversible Encryption
• T1556.006 Multi-Factor Authentication
• T1556.007 Hybrid Identity
• T1556.008 Network Provider DLL
• T1556.009 Conditional Access Policies

T1111 Multi-Factor Authentication Interception

T1621 Multi-Factor Authentication Request Generation

T1040 Network Sniffing

T1003 OS Credential Dumping 8 subtechniques

• T1003.001 LSASS Memory
• T1003.002 Security Account Manager
• T1003.003 NTDS
• T1003.004 LSA Secrets
• T1003.005 Cached Domain Credentials
• T1003.006 DCSync
• T1003.007 Proc Filesystem
• T1003.008 /etc/passwd and /etc/shadow

T1528 Steal Application Access Token

T1649 Steal or Forge Authentication Certificates

T1558 Steal or Forge Kerberos Tickets 5 subtechniques

• T1558.001 Golden Ticket
• T1558.002 Silver Ticket
• T1558.003 Kerberoasting
• T1558.004 AS-REP Roasting
• T1558.005 Ccache Files

T1539 Steal Web Session Cookie

T1552 Unsecured Credentials 8 subtechniques

• T1552.001 Credentials In Files
• T1552.002 Credentials in Registry
• T1552.003 Shell History
• T1552.004 Private Keys
• T1552.005 Cloud Instance Metadata API
• T1552.006 Group Policy Preferences
• T1552.007 Container API
• T1552.008 Chat Messages

T1087 Account Discovery 4 subtechniques

• T1087.001 Local Account
• T1087.002 Domain Account
• T1087.003 Email Account
• T1087.004 Cloud Account

T1010 Application Window Discovery

T1217 Browser Information Discovery

T1580 Cloud Infrastructure Discovery

T1538 Cloud Service Dashboard

T1526 Cloud Service Discovery

T1619 Cloud Storage Object Discovery

T1613 Container and Resource Discovery

T1622 Debugger Evasion

T1652 Device Driver Discovery

T1482 Domain Trust Discovery

T1083 File and Directory Discovery

T1615 Group Policy Discovery

T1680 Local Storage Discovery

T1654 Log Enumeration

T1046 Network Service Discovery

T1135 Network Share Discovery

T1040 Network Sniffing

T1201 Password Policy Discovery

T1120 Peripheral Device Discovery

T1069 Permission Groups Discovery 3 subtechniques

• T1069.001 Local Groups
• T1069.002 Domain Groups
• T1069.003 Cloud Groups

T1057 Process Discovery

T1012 Query Registry

T1018 Remote System Discovery

T1518 Software Discovery 2 subtechniques

• T1518.001 Security Software Discovery
• T1518.002 Backup Software Discovery

T1082 System Information Discovery

T1614 System Location Discovery 1 subtechniques

• T1614.001 System Language Discovery

T1016 System Network Configuration Discovery 2 subtechniques

• T1016.001 Internet Connection Discovery
• T1016.002 Wi-Fi Discovery

T1049 System Network Connections Discovery

T1033 System Owner/User Discovery

T1007 System Service Discovery

T1124 System Time Discovery

T1673 Virtual Machine Discovery

T1497 Virtualization/Sandbox Evasion 3 subtechniques

• T1497.001 System Checks
• T1497.002 User Activity Based Checks
• T1497.003 Time Based Checks

T1210 Exploitation of Remote Services

T1534 Internal Spearphishing

T1570 Lateral Tool Transfer

T1563 Remote Service Session Hijacking 2 subtechniques

• T1563.001 SSH Hijacking
• T1563.002 RDP Hijacking

T1021 Remote Services 8 subtechniques

• T1021.001 Remote Desktop Protocol
• T1021.002 SMB/Windows Admin Shares
• T1021.003 Distributed Component Object Model
• T1021.004 SSH
• T1021.005 VNC
• T1021.006 Windows Remote Management
• T1021.007 Cloud Services
• T1021.008 Direct Cloud VM Connections

T1091 Replication Through Removable Media

T1072 Software Deployment Tools

T1080 Taint Shared Content

T1550 Use Alternate Authentication Material 4 subtechniques

• T1550.001 Application Access Token
• T1550.002 Pass the Hash
• T1550.003 Pass the Ticket
• T1550.004 Web Session Cookie

T1557 Adversary-in-the-Middle 4 subtechniques

• T1557.001 Name Resolution Poisoning and SMB Relay
• T1557.002 ARP Cache Poisoning
• T1557.003 DHCP Spoofing
• T1557.004 Evil Twin

T1560 Archive Collected Data 3 subtechniques

• T1560.001 Archive via Utility
• T1560.002 Archive via Library
• T1560.003 Archive via Custom Method

T1123 Audio Capture

T1119 Automated Collection

T1185 Browser Session Hijacking

T1115 Clipboard Data

T1530 Data from Cloud Storage

T1602 Data from Configuration Repository 2 subtechniques

• T1602.001 SNMP (MIB Dump)
• T1602.002 Network Device Configuration Dump

T1213 Data from Information Repositories 6 subtechniques

• T1213.001 Confluence
• T1213.002 Sharepoint
• T1213.003 Code Repositories
• T1213.004 Customer Relationship Management Software
• T1213.005 Messaging Applications
• T1213.006 Databases

T1005 Data from Local System

T1039 Data from Network Shared Drive

T1025 Data from Removable Media

T1074 Data Staged 2 subtechniques

• T1074.001 Local Data Staging
• T1074.002 Remote Data Staging

T1114 Email Collection 3 subtechniques

• T1114.001 Local Email Collection
• T1114.002 Remote Email Collection
• T1114.003 Email Forwarding Rule

T1056 Input Capture 4 subtechniques

• T1056.001 Keylogging
• T1056.002 GUI Input Capture
• T1056.003 Web Portal Capture
• T1056.004 Credential API Hooking

T1113 Screen Capture

T1125 Video Capture

T1071 Application Layer Protocol 5 subtechniques

• T1071.001 Web Protocols
• T1071.002 File Transfer Protocols
• T1071.003 Mail Protocols
• T1071.004 DNS
• T1071.005 Publish/Subscribe Protocols

T1092 Communication Through Removable Media

T1659 Content Injection

T1132 Data Encoding 2 subtechniques

• T1132.001 Standard Encoding
• T1132.002 Non-Standard Encoding

T1001 Data Obfuscation 3 subtechniques

• T1001.001 Junk Data
• T1001.002 Steganography
• T1001.003 Protocol or Service Impersonation

T1568 Dynamic Resolution 3 subtechniques

• T1568.001 Fast Flux DNS
• T1568.002 Domain Generation Algorithms
• T1568.003 DNS Calculation

T1573 Encrypted Channel 2 subtechniques

• T1573.001 Symmetric Cryptography
• T1573.002 Asymmetric Cryptography

T1008 Fallback Channels

T1665 Hide Infrastructure

T1105 Ingress Tool Transfer

T1104 Multi-Stage Channels

T1095 Non-Application Layer Protocol

T1571 Non-Standard Port

T1572 Protocol Tunneling

T1090 Proxy 4 subtechniques

• T1090.001 Internal Proxy
• T1090.002 External Proxy
• T1090.003 Multi-hop Proxy
• T1090.004 Domain Fronting

T1219 Remote Access Tools 3 subtechniques

• T1219.001 IDE Tunneling
• T1219.002 Remote Desktop Software
• T1219.003 Remote Access Hardware

T1205 Traffic Signaling 2 subtechniques

• T1205.001 Port Knocking
• T1205.002 Socket Filters

T1102 Web Service 3 subtechniques

• T1102.001 Dead Drop Resolver
• T1102.002 Bidirectional Communication
• T1102.003 One-Way Communication

T1020 Automated Exfiltration 1 subtechniques

• T1020.001 Traffic Duplication

T1030 Data Transfer Size Limits

T1048 Exfiltration Over Alternative Protocol 3 subtechniques

• T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol

T1041 Exfiltration Over C2 Channel

T1011 Exfiltration Over Other Network Medium 1 subtechniques

• T1011.001 Exfiltration Over Bluetooth

T1052 Exfiltration Over Physical Medium 1 subtechniques

• T1052.001 Exfiltration over USB

T1567 Exfiltration Over Web Service 4 subtechniques

• T1567.001 Exfiltration to Code Repository
• T1567.002 Exfiltration to Cloud Storage
• T1567.003 Exfiltration to Text Storage Sites
• T1567.004 Exfiltration Over Webhook

T1029 Scheduled Transfer

T1537 Transfer Data to Cloud Account

T1531 Account Access Removal

T1485 Data Destruction 1 subtechniques

• T1485.001 Lifecycle-Triggered Deletion

T1486 Data Encrypted for Impact

T1565 Data Manipulation 3 subtechniques

• T1565.001 Stored Data Manipulation
• T1565.002 Transmitted Data Manipulation
• T1565.003 Runtime Data Manipulation

T1491 Defacement 2 subtechniques

• T1491.001 Internal Defacement
• T1491.002 External Defacement

T1561 Disk Wipe 2 subtechniques

• T1561.001 Disk Content Wipe
• T1561.002 Disk Structure Wipe

T1667 Email Bombing

T1499 Endpoint Denial of Service 4 subtechniques

• T1499.001 OS Exhaustion Flood
• T1499.002 Service Exhaustion Flood
• T1499.003 Application Exhaustion Flood
• T1499.004 Application or System Exploitation

T1657 Financial Theft

T1495 Firmware Corruption

T1490 Inhibit System Recovery

T1498 Network Denial of Service 2 subtechniques

• T1498.001 Direct Network Flood
• T1498.002 Reflection Amplification

T1496 Resource Hijacking 4 subtechniques

• T1496.001 Compute Hijacking
• T1496.002 Bandwidth Hijacking
• T1496.003 SMS Pumping
• T1496.004 Cloud Service Hijacking

T1489 Service Stop

T1529 System Shutdown/Reboot