Accessibility Features |
Access Token Manipulation |
Access Token Manipulation |
Account Manipulation |
Account Discovery |
Application Deployment Software |
Application Shimming |
Audio Capture |
Automated Exfiltration |
Commonly Used Port |
AppInit DLLs |
Accessibility Features |
Binary Padding |
Brute Force |
Application Window Discovery |
Exploitation of Vulnerability |
Command-Line Interface |
Automated Collection |
Data Compressed |
Communication Through Removable Media |
Application Shimming |
AppInit DLLs |
Bypass User Account Control |
Create Account |
File and Directory Discovery |
Logon Scripts |
Execution through API |
Clipboard Data |
Data Encrypted |
Connection Proxy |
Authentication Package |
Application Shimming |
Code Signing |
Credential Dumping |
Network Service Scanning |
Pass the Hash |
Execution through Module Load |
Data Staged |
Data Transfer Size Limits |
Custom Command and Control Protocol |
Bootkit |
Bypass User Account Control |
Component Firmware |
Credentials in Files |
Network Share Discovery |
Pass the Ticket |
Graphical User Interface |
Data from Local System |
Exfiltration Over Alternative Protocol |
Custom Cryptographic Protocol |
Change Default File Association |
DLL Injection |
Component Object Model Hijacking |
Exploitation of Vulnerability |
Peripheral Device Discovery |
Remote Desktop Protocol |
InstallUtil |
Data from Network Shared Drive |
Exfiltration Over Command and Control Channel |
Data Encoding |
Component Firmware |
DLL Search Order Hijacking |
DLL Injection |
Input Capture |
Permission Groups Discovery |
Remote File Copy |
PowerShell |
Data from Removable Media |
Exfiltration Over Other Network Medium |
Data Obfuscation |
Component Object Model Hijacking |
Exploitation of Vulnerability |
DLL Search Order Hijacking |
Network Sniffing |
Process Discovery |
Remote Services |
Process Hollowing |
Email Collection |
Exfiltration Over Physical Medium |
Fallback Channels |
DLL Search Order Hijacking |
File System Permissions Weakness |
DLL Side-Loading |
Private Keys |
Query Registry |
Replication Through Removable Media |
Regsvcs/Regasm |
Input Capture |
Scheduled Transfer |
Multi-Stage Channels |
External Remote Services |
Local Port Monitor |
[Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) |
Two-Factor Authentication Interception |
Remote System Discovery |
Shared Webroot |
Regsvr32 |
Screen Capture |
|
Multiband Communication |
File System Permissions Weakness |
New Service |
Disabling Security Tools |
|
Security Software Discovery |
Taint Shared Content |
Rundll32 |
Video Capture |
|
Multilayer Encryption |
Hidden Files and Directories |
Path Interception |
Exploitation of Vulnerability |
|
System Information Discovery |
Third-party Software |
Scheduled Task |
|
|
Remote File Copy |
Hypervisor |
Scheduled Task |
File Deletion |
|
System Network Configuration Discovery |
Windows Admin Shares |
Scripting |
|
|
Standard Application Layer Protocol |
Local Port Monitor |
Service Registry Permissions Weakness |
File System Logical Offsets |
|
System Network Connections Discovery |
Windows Remote Management |
Service Execution |
|
|
Standard Cryptographic Protocol |
Logon Scripts |
Valid Accounts |
Hidden Files and Directories |
|
System Owner/User Discovery |
|
Third-party Software |
|
|
Standard Non-Application Layer Protocol |
Modify Existing Service |
Web Shell |
Indicator Blocking |
|
System Service Discovery |
|
Trusted Developer Utilities |
|
|
Uncommonly Used Port |
Netsh Helper DLL |
|
Indicator Removal from Tools |
|
System Time Discovery |
|
Windows Management Instrumentation |
|
|
Web Service |
New Service |
|
Indicator Removal on Host |
|
|
|
Windows Remote Management |
|
|
|
Office Application Startup |
|
Install Root Certificate |
|
|
|
Bitsadmin |
|
|
|
Path Interception |
|
InstallUtil |
|
|
|
|
|
|
|
Redundant Access |
|
Masquerading |
|
|
|
|
|
|
|
Registry Run Keys / Start Folder |
|
Modify Registry |
|
|
|
|
|
|
|
Scheduled Task |
|
NTFS Extended Attributes |
|
|
|
|
|
|
|
Security Support Provider |
|
Network Share Connection Removal |
|
|
|
|
|
|
|
Service Registry Permissions Weakness |
|
Obfuscated Files or Information |
|
|
|
|
|
|
|
Shortcut Modification |
|
Process Hollowing |
|
|
|
|
|
|
|
System Firmware |
|
Redundant Access |
|
|
|
|
|
|
|
Valid Accounts |
|
Regsvcs/Regasm |
|
|
|
|
|
|
|
Web Shell |
|
Regsvr32 |
|
|
|
|
|
|
|
Windows Management Instrumentation Event Subscription |
|
Rootkit |
|
|
|
|
|
|
|
Winlogon Helper DLL |
|
Rundll32 |
|
|
|
|
|
|
|
|
|
Scripting |
|
|
|
|
|
|
|
|
|
Software Packing |
|
|
|
|
|
|
|
|
|
Timestomp |
|
|
|
|
|
|
|
|
|
Trusted Developer Utilities |
|
|
|
|
|
|
|
|
|
Valid Accounts |
|
|
|
|
|
|
|