| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | Audio Capture | Commonly Used Port | Automated Exfiltration | Data Destruction |
| Exploit Public-Facing Application | CMSTP | Accessibility Features | Accessibility Features | Binary Padding | Bash History | Application Window Discovery | Application Deployment Software | Automated Collection | Communication Through Removable Media | Data Compressed | Data Encrypted for Impact |
| External Remote Services | Command-Line Interface | Account Manipulation | AppCert DLLs | BITS Jobs | Brute Force | Browser Bookmark Discovery | Distributed Component Object Model | Clipboard Data | Connection Proxy | Data Encrypted | Defacement |
| Hardware Additions | Compiled HTML File | AppCert DLLs | AppInit DLLs | Bypass User Account Control | Credential Dumping | Domain Trust Discovery | Exploitation of Remote Services | Data from Information Repositories | Custom Command and Control Protocol | Data Transfer Size Limits | Disk Content Wipe |
| Replication Through Removable Media | Control Panel Items | AppInit DLLs | Application Shimming | Clear Command History | Credentials in Files | File and Directory Discovery | Logon Scripts | Data from Local System | Custom Cryptographic Protocol | Exfiltration Over Alternative Protocol | Disk Structure Wipe |
| Spearphishing Attachment | Dynamic Data Exchange | Application Shimming | Bypass User Account Control | CMSTP | Credentials in Registry | Network Service Scanning | Pass the Hash | Data from Network Shared Drive | Data Encoding | Exfiltration Over Command and Control Channel | Endpoint Denial of Service |
| Spearphishing Link | Execution through API | Authentication Package | DLL Search Order Hijacking | Code Signing | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket | Data from Removable Media | Data Obfuscation | Exfiltration Over Other Network Medium | Firmware Corruption |
| Spearphishing via Service | Execution through Module Load | BITS Jobs | Dylib Hijacking | Compile After Delivery | Forced Authentication | Network Sniffing | Remote Desktop Protocol | Data Staged | Domain Fronting | Exfiltration Over Physical Medium | Inhibit System Recovery |
| Supply Chain Compromise | Exploitation for Client Execution | Bootkit | Exploitation for Privilege Escalation | Compiled HTML File | Hooking | Password Policy Discovery | Remote File Copy | Email Collection | Domain Generation Algorithms | Scheduled Transfer | Network Denial of Service |
| Trusted Relationship | Graphical User Interface | Browser Extensions | Extra Window Memory Injection | Component Firmware | Input Capture | Peripheral Device Discovery | Remote Services | Input Capture | Fallback Channels | | Resource Hijacking |
| Valid Accounts | InstallUtil | Change Default File Association | File System Permissions Weakness | Component Object Model Hijacking | Input Prompt | Permission Groups Discovery | Replication Through Removable Media | Man in the Browser | Multi-hop Proxy | | Runtime Data Manipulation |
| | Launchctl | Component Firmware | Hooking | Control Panel Items | Kerberoasting | Process Discovery | Shared Webroot | Screen Capture | Multi-Stage Channels | | Service Stop |
| | Local Job Scheduling | Component Object Model Hijacking | Image File Execution Options Injection | DCShadow | Keychain | Query Registry | SSH Hijacking | Video Capture | Multiband Communication | | Stored Data Manipulation |
| | LSASS Driver | Create Account | Launch Daemon | Deobfuscate/Decode Files or Information | LLMNR/NBT-NS Poisoning and Relay | Remote System Discovery | Taint Shared Content | | Multilayer Encryption | | Transmitted Data Manipulation |
| | Mshta | DLL Search Order Hijacking | New Service | Disabling Security Tools | Network Sniffing | Security Software Discovery | Third-party Software | | Port Knocking | | |
| | PowerShell | Dylib Hijacking | Path Interception | DLL Search Order Hijacking | Password Filter DLL | System Information Discovery | Windows Admin Shares | | Remote Access Tools | | |
| | Regsvcs/Regasm | External Remote Services | Plist Modification | DLL Side-Loading | Private Keys | System Network Configuration Discovery | Windows Remote Management | | Remote File Copy | | |
| | Regsvr32 | File System Permissions Weakness | Port Monitors | Execution Guardrails | Securityd Memory | System Network Connections Discovery | | | Standard Application Layer Protocol | | |
| | Rundll32 | Hidden Files and Directories | Process Injection | Exploitation for Defense Evasion | Two-Factor Authentication Interception | System Owner/User Discovery | | | Standard Cryptographic Protocol | | |
| | Scheduled Task | Hooking | Scheduled Task | Extra Window Memory Injection | | System Service Discovery | | | Standard Non-Application Layer Protocol | | |
| | Scripting | Hypervisor | Service Registry Permissions Weakness | File Deletion | | System Time Discovery | | | Uncommonly Used Port | | |
| | Service Execution | Image File Execution Options Injection | Setuid and Setgid | File Permissions Modification | | Virtualization/Sandbox Evasion | | | Web Service | | |
| | Signed Binary Proxy Execution | Kernel Modules and Extensions | SID-History Injection | File System Logical Offsets | | | | | | | |
| | Signed Script Proxy Execution | Launch Agent | Startup Items | Gatekeeper Bypass | | | | | | | |
| | Source | Launch Daemon | Sudo | Group Policy Modification | | | | | | | |
| | Space after Filename | Launchctl | Sudo Caching | Hidden Files and Directories | | | | | | | |
| | Third-party Software | LC_LOAD_DYLIB Addition | Valid Accounts | Hidden Users | | | | | | | |
| | Trap | Local Job Scheduling | | | | | | | | | |