=	Supply Chain Compromise ₍₃₎
	Compromise Software Dependencies and Development Tools Compromise Software Supply Chain Compromise Hardware Supply Chain

Trusted Relationship

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Command and Scripting Interpreter ₍₆₎
	PowerShell Windows Command Shell Visual Basic Python JavaScript AutoHotKey & AutoIT

Exploitation for Client Execution

=	Inter-Process Communication ₍₂₎
	Component Object Model Dynamic Data Exchange

Native API

=	Scheduled Task/Job ₍₂₎
	At Scheduled Task

Shared Modules

Software Deployment Tools

=	System Services ₍₁₎
	Service Execution

=	User Execution ₍₂₎
	Malicious Link Malicious File

Windows Management Instrumentation

=	Account Manipulation ₍₂₎
	Additional Email Delegate Permissions Device Registration

BITS Jobs

=	Boot or Logon Autostart Execution ₍₁₀₎
	Registry Run Keys / Startup Folder Authentication Package Time Providers Winlogon Helper DLL Security Support Provider LSASS Driver Shortcut Modification Port Monitors Print Processors Active Setup

=	Boot or Logon Initialization Scripts ₍₂₎
	Logon Script (Windows) Network Logon Script

Browser Extensions

Compromise Host Software Binary

=	Create Account ₍₂₎
	Local Account Domain Account

=	Create or Modify System Process ₍₁₎
	Windows Service

=	Event Triggered Execution ₍₁₂₎
	Change Default File Association Screensaver Windows Management Instrumentation Event Subscription Netsh Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Image File Execution Options Injection PowerShell Profile Component Object Model Hijacking Installer Packages

External Remote Services

=	Hijack Execution Flow ₍₁₁₎
	DLL Search Order Hijacking DLL Side-Loading Executable Installer File Permissions Weakness Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable AppDomainManager

=	Modify Authentication Process ₍₆₎
	Domain Controller Authentication Password Filter DLL Reversible Encryption Multi-Factor Authentication Hybrid Identity Network Provider DLL

=	Office Application Startup ₍₆₎
	Office Template Macros Office Test Outlook Forms Outlook Home Page Outlook Rules Add-ins

Power Settings

=	Pre-OS Boot ₍₃₎
	System Firmware Component Firmware Bootkit

=	Scheduled Task/Job ₍₂₎
	At Scheduled Task

=	Server Software Component ₍₅₎
	SQL Stored Procedures Transport Agent Web Shell IIS Components Terminal Services DLL

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Abuse Elevation Control Mechanism ₍₁₎
	Bypass User Account Control

=	Access Token Manipulation ₍₅₎
	Token Impersonation/Theft Create Process with Token Make and Impersonate Token Parent PID Spoofing SID-History Injection

=	Account Manipulation ₍₂₎
	Additional Email Delegate Permissions Device Registration

=	Boot or Logon Autostart Execution ₍₁₀₎
	Registry Run Keys / Startup Folder Authentication Package Time Providers Winlogon Helper DLL Security Support Provider LSASS Driver Shortcut Modification Port Monitors Print Processors Active Setup

=	Boot or Logon Initialization Scripts ₍₂₎
	Logon Script (Windows) Network Logon Script

=	Create or Modify System Process ₍₁₎
	Windows Service

=	Domain or Tenant Policy Modification ₍₂₎
	Group Policy Modification Trust Modification

Escape to Host

=	Event Triggered Execution ₍₁₂₎
	Change Default File Association Screensaver Windows Management Instrumentation Event Subscription Netsh Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Image File Execution Options Injection PowerShell Profile Component Object Model Hijacking Installer Packages

Exploitation for Privilege Escalation

=	Hijack Execution Flow ₍₁₁₎
	DLL Search Order Hijacking DLL Side-Loading Executable Installer File Permissions Weakness Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable AppDomainManager

=	Process Injection ₍₉₎
	Dynamic-link Library Injection Portable Executable Injection Thread Execution Hijacking Asynchronous Procedure Call Thread Local Storage Extra Window Memory Injection Process Hollowing Process Doppelgänging ListPlanting

=	Scheduled Task/Job ₍₂₎
	At Scheduled Task

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Abuse Elevation Control Mechanism ₍₁₎
	Bypass User Account Control

=	Access Token Manipulation ₍₅₎
	Token Impersonation/Theft Create Process with Token Make and Impersonate Token Parent PID Spoofing SID-History Injection

BITS Jobs

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

=	Domain or Tenant Policy Modification ₍₂₎
	Group Policy Modification Trust Modification

=	Execution Guardrails ₍₁₎
	Environmental Keying

Exploitation for Defense Evasion

=	File and Directory Permissions Modification ₍₁₎
	Windows File and Directory Permissions Modification

=	Hide Artifacts ₍₁₁₎
	Hidden Files and Directories Hidden Users Hidden Window NTFS File Attributes Hidden File System Run Virtual Instance VBA Stomping Email Hiding Rules Process Argument Spoofing Ignore Process Interrupts File/Path Exclusions

=	Hijack Execution Flow ₍₁₁₎
	DLL Search Order Hijacking DLL Side-Loading Executable Installer File Permissions Weakness Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable AppDomainManager

=	Impair Defenses ₍₈₎
	Disable or Modify Tools Disable Windows Event Logging Impair Command History Logging Disable or Modify System Firewall Indicator Blocking Safe Mode Boot Downgrade Attack Spoof Security Alerting

Impersonation

=	Indicator Removal ₍₈₎
	Clear Windows Event Logs Clear Command History File Deletion Network Share Connection Removal Timestomp Clear Network Connection History and Configurations Clear Mailbox Data Clear Persistence

Indirect Command Execution

=	Masquerading ₍₇₎
	Invalid Code Signature Right-to-Left Override Rename System Utilities Masquerade Task or Service Match Legitimate Name or Location Double File Extension Masquerade File Type

=	Modify Authentication Process ₍₆₎
	Domain Controller Authentication Password Filter DLL Reversible Encryption Multi-Factor Authentication Hybrid Identity Network Provider DLL

Modify Registry

=	Obfuscated Files or Information ₍₁₃₎
	Binary Padding Software Packing Steganography Compile After Delivery Indicator Removal from Tools HTML Smuggling Dynamic API Resolution Stripped Payloads Embedded Payloads Command Obfuscation Fileless Storage LNK Icon Smuggling Encrypted/Encoded File

=	Pre-OS Boot ₍₃₎
	System Firmware Component Firmware Bootkit

=	Process Injection ₍₉₎
	Dynamic-link Library Injection Portable Executable Injection Thread Execution Hijacking Asynchronous Procedure Call Thread Local Storage Extra Window Memory Injection Process Hollowing Process Doppelgänging ListPlanting

Reflective Code Loading

Rogue Domain Controller

Rootkit

=	Subvert Trust Controls ₍₅₎
	Code Signing SIP and Trust Provider Hijacking Install Root Certificate Mark-of-the-Web Bypass Code Signing Policy Modification

=	System Binary Proxy Execution ₍₁₄₎
	Compiled HTML File Control Panel CMSTP InstallUtil Mshta Msiexec Odbcconf Regsvcs/Regasm Regsvr32 Rundll32 Verclsid Mavinject MMC Electron Applications

=	System Script Proxy Execution ₍₂₎
	PubPrn SyncAppvPublishingServer

Template Injection

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Trusted Developer Utilities Proxy Execution ₍₁₎
	MSBuild

=	Use Alternate Authentication Material ₍₂₎
	Pass the Hash Pass the Ticket

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

XSL Script Processing

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay ARP Cache Poisoning DHCP Spoofing

=	Brute Force ₍₄₎
	Password Guessing Password Cracking Password Spraying Credential Stuffing

=	Credentials from Password Stores ₍₃₎
	Credentials from Web Browsers Windows Credential Manager Password Managers

Exploitation for Credential Access

Forced Authentication

=	Forge Web Credentials ₍₂₎
	Web Cookies SAML Tokens

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

=	Modify Authentication Process ₍₆₎
	Domain Controller Authentication Password Filter DLL Reversible Encryption Multi-Factor Authentication Hybrid Identity Network Provider DLL

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

=	OS Credential Dumping ₍₆₎
	LSASS Memory Security Account Manager NTDS LSA Secrets Cached Domain Credentials DCSync

Steal or Forge Authentication Certificates

=	Steal or Forge Kerberos Tickets ₍₄₎
	Golden Ticket Silver Ticket Kerberoasting AS-REP Roasting

Steal Web Session Cookie

=	Unsecured Credentials ₍₄₎
	Credentials In Files Credentials in Registry Private Keys Group Policy Preferences

=	Account Discovery ₍₃₎
	Local Account Domain Account Email Account

Application Window Discovery

Browser Information Discovery

Debugger Evasion

Device Driver Discovery

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Log Enumeration

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

=	Permission Groups Discovery ₍₂₎
	Local Groups Domain Groups

Process Discovery

Query Registry

Remote System Discovery

=	Software Discovery ₍₁₎
	Security Software Discovery

System Information Discovery

=	System Location Discovery ₍₁₎
	System Language Discovery

=	System Network Configuration Discovery ₍₂₎
	Internet Connection Discovery Wi-Fi Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

=	Remote Service Session Hijacking ₍₁₎
	RDP Hijacking

=	Remote Services ₍₅₎
	Remote Desktop Protocol SMB/Windows Admin Shares Distributed Component Object Model VNC Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

=	Use Alternate Authentication Material ₍₂₎
	Pass the Hash Pass the Ticket

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay ARP Cache Poisoning DHCP Spoofing

=	Archive Collected Data ₍₃₎
	Archive via Utility Archive via Library Archive via Custom Method

Audio Capture

Automated Collection

Browser Session Hijacking

Clipboard Data

=	Data from Information Repositories ₍₁₎
	Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

=	Data Staged ₍₂₎
	Local Data Staging Remote Data Staging

=	Email Collection ₍₃₎
	Local Email Collection Remote Email Collection Email Forwarding Rule

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

Screen Capture

Video Capture

=	Application Layer Protocol ₍₄₎
	Web Protocols File Transfer Protocols Mail Protocols DNS

Communication Through Removable Media

Content Injection

=	Data Encoding ₍₂₎
	Standard Encoding Non-Standard Encoding

=	Data Obfuscation ₍₃₎
	Junk Data Steganography Protocol Impersonation

=	Dynamic Resolution ₍₃₎
	Fast Flux DNS Domain Generation Algorithms DNS Calculation

=	Encrypted Channel ₍₂₎
	Symmetric Cryptography Asymmetric Cryptography

Fallback Channels

Hide Infrastructure

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

=	Proxy ₍₄₎
	Internal Proxy External Proxy Multi-hop Proxy Domain Fronting

Remote Access Software

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Web Service ₍₃₎
	Dead Drop Resolver Bidirectional Communication One-Way Communication

Automated Exfiltration

Data Transfer Size Limits

=	Exfiltration Over Alternative Protocol ₍₃₎
	Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

=	Exfiltration Over Other Network Medium ₍₁₎
	Exfiltration Over Bluetooth

=	Exfiltration Over Physical Medium ₍₁₎
	Exfiltration over USB

=	Exfiltration Over Web Service ₍₄₎
	Exfiltration to Code Repository Exfiltration to Cloud Storage Exfiltration to Text Storage Sites Exfiltration Over Webhook

Scheduled Transfer

Account Access Removal

Data Destruction

Data Encrypted for Impact

=	Data Manipulation ₍₃₎
	Stored Data Manipulation Transmitted Data Manipulation Runtime Data Manipulation

=	Defacement ₍₂₎
	Internal Defacement External Defacement

=	Disk Wipe ₍₂₎
	Disk Content Wipe Disk Structure Wipe

=	Endpoint Denial of Service ₍₄₎
	OS Exhaustion Flood Service Exhaustion Flood Application Exhaustion Flood Application or System Exploitation

Financial Theft

Firmware Corruption

Inhibit System Recovery

=	Network Denial of Service ₍₂₎
	Direct Network Flood Reflection Amplification

Resource Hijacking

Service Stop

System Shutdown/Reboot