MITRE ATT&CK Techniques

• T1001 — Data Obfuscation
• T1001.001 — Junk Data
• T1001.002 — Steganography
• T1001.003 — Protocol or Service Impersonation
• T1002 — Data Compressed
• T1003 — OS Credential Dumping
• T1003.001 — LSASS Memory
• T1003.002 — Security Account Manager
• T1003.003 — NTDS
• T1003.004 — LSA Secrets
• T1003.005 — Cached Domain Credentials
• T1003.006 — DCSync
• T1003.007 — Proc Filesystem
• T1003.008 — /etc/passwd and /etc/shadow
• T1004 — Winlogon Helper DLL
• T1005 — Data from Local System
• T1006 — Direct Volume Access
• T1007 — System Service Discovery
• T1008 — Fallback Channels
• T1009 — Binary Padding
• T1010 — Application Window Discovery
• T1011 — Exfiltration Over Other Network Medium
• T1011.001 — Exfiltration Over Bluetooth
• T1012 — Query Registry
• T1013 — Port Monitors
• T1014 — Rootkit
• T1015 — Accessibility Features
• T1016 — System Network Configuration Discovery
• T1016.001 — Internet Connection Discovery
• T1016.002 — Wi-Fi Discovery
• T1017 — Application Deployment Software
• T1018 — Remote System Discovery
• T1019 — System Firmware
• T1020 — Automated Exfiltration
• T1020.001 — Traffic Duplication
• T1021 — Remote Services
• T1021.001 — Remote Desktop Protocol
• T1021.002 — SMB/Windows Admin Shares
• T1021.003 — Distributed Component Object Model
• T1021.004 — SSH
• T1021.005 — VNC
• T1021.006 — Windows Remote Management
• T1021.007 — Cloud Services
• T1021.008 — Direct Cloud VM Connections
• T1022 — Data Encrypted
• T1023 — Shortcut Modification
• T1024 — Custom Cryptographic Protocol
• T1025 — Data from Removable Media
• T1026 — Multiband Communication
• T1027 — Obfuscated Files or Information
• T1027.001 — Binary Padding
• T1027.002 — Software Packing
• T1027.003 — Steganography
• T1027.004 — Compile After Delivery
• T1027.005 — Indicator Removal from Tools
• T1027.006 — HTML Smuggling
• T1027.007 — Dynamic API Resolution
• T1027.008 — Stripped Payloads
• T1027.009 — Embedded Payloads
• T1027.010 — Command Obfuscation
• T1027.011 — Fileless Storage
• T1027.012 — LNK Icon Smuggling
• T1027.013 — Encrypted/Encoded File
• T1027.014 — Polymorphic Code
• T1027.015 — Compression
• T1027.016 — Junk Code Insertion
• T1027.017 — SVG Smuggling
• T1028 — Windows Remote Management
• T1029 — Scheduled Transfer
• T1030 — Data Transfer Size Limits
• T1031 — Modify Existing Service
• T1032 — Standard Cryptographic Protocol
• T1033 — System Owner/User Discovery
• T1034 — Path Interception
• T1035 — Service Execution
• T1036 — Masquerading
• T1036.001 — Invalid Code Signature
• T1036.002 — Right-to-Left Override
• T1036.003 — Rename Legitimate Utilities
• T1036.004 — Masquerade Task or Service
• T1036.005 — Match Legitimate Resource Name or Location
• T1036.006 — Space after Filename
• T1036.007 — Double File Extension
• T1036.008 — Masquerade File Type
• T1036.009 — Break Process Trees
• T1036.010 — Masquerade Account Name
• T1036.011 — Overwrite Process Arguments
• T1037 — Boot or Logon Initialization Scripts
• T1037.001 — Logon Script (Windows)
• T1037.002 — Login Hook
• T1037.003 — Network Logon Script
• T1037.004 — RC Scripts
• T1037.005 — Startup Items
• T1038 — DLL Search Order Hijacking
• T1039 — Data from Network Shared Drive
• T1040 — Network Sniffing
• T1041 — Exfiltration Over C2 Channel
• T1042 — Change Default File Association
• T1043 — Commonly Used Port
• T1044 — File System Permissions Weakness
• T1045 — Software Packing
• T1046 — Network Service Discovery
• T1047 — Windows Management Instrumentation
• T1048 — Exfiltration Over Alternative Protocol
• T1048.001 — Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol
• T1049 — System Network Connections Discovery
• T1050 — New Service
• T1051 — Shared Webroot
• T1052 — Exfiltration Over Physical Medium
• T1052.001 — Exfiltration over USB
• T1053 — Scheduled Task/Job
• T1053.001 — At (Linux)
• T1053.002 — At
• T1053.003 — Cron
• T1053.004 — Launchd
• T1053.005 — Scheduled Task
• T1053.006 — Systemd Timers
• T1053.007 — Container Orchestration Job
• T1054 — Indicator Blocking
• T1055 — Process Injection
• T1055.001 — Dynamic-link Library Injection
• T1055.002 — Portable Executable Injection
• T1055.003 — Thread Execution Hijacking
• T1055.004 — Asynchronous Procedure Call
• T1055.005 — Thread Local Storage
• T1055.008 — Ptrace System Calls
• T1055.009 — Proc Memory
• T1055.011 — Extra Window Memory Injection
• T1055.012 — Process Hollowing
• T1055.013 — Process Doppelgänging
• T1055.014 — VDSO Hijacking
• T1055.015 — ListPlanting
• T1056 — Input Capture
• T1056.001 — Keylogging
• T1056.002 — GUI Input Capture
• T1056.003 — Web Portal Capture
• T1056.004 — Credential API Hooking
• T1057 — Process Discovery
• T1058 — Service Registry Permissions Weakness
• T1059 — Command and Scripting Interpreter
• T1059.001 — PowerShell
• T1059.002 — AppleScript
• T1059.003 — Windows Command Shell
• T1059.004 — Unix Shell
• T1059.005 — Visual Basic
• T1059.006 — Python
• T1059.007 — JavaScript
• T1059.008 — Network Device CLI
• T1059.009 — Cloud API
• T1059.010 — AutoHotKey & AutoIT
• T1059.011 — Lua
• T1059.012 — Hypervisor CLI
• T1060 — Registry Run Keys / Startup Folder
• T1061 — Graphical User Interface
• T1062 — Hypervisor
• T1063 — Security Software Discovery
• T1064 — Scripting
• T1065 — Uncommonly Used Port
• T1066 — Indicator Removal from Tools
• T1067 — Bootkit
• T1068 — Exploitation for Privilege Escalation
• T1069 — Permission Groups Discovery
• T1069.001 — Local Groups
• T1069.002 — Domain Groups
• T1069.003 — Cloud Groups
• T1070 — Indicator Removal
• T1070.001 — Clear Windows Event Logs
• T1070.002 — Clear Linux or Mac System Logs
• T1070.003 — Clear Command History
• T1070.004 — File Deletion
• T1070.005 — Network Share Connection Removal
• T1070.006 — Timestomp
• T1070.007 — Clear Network Connection History and Configurations
• T1070.008 — Clear Mailbox Data
• T1070.009 — Clear Persistence
• T1070.010 — Relocate Malware
• T1071 — Application Layer Protocol
• T1071.001 — Web Protocols
• T1071.002 — File Transfer Protocols
• T1071.003 — Mail Protocols
• T1071.004 — DNS
• T1071.005 — Publish/Subscribe Protocols
• T1072 — Software Deployment Tools
• T1073 — DLL Side-Loading
• T1074 — Data Staged
• T1074.001 — Local Data Staging
• T1074.002 — Remote Data Staging
• T1075 — Pass the Hash
• T1076 — Remote Desktop Protocol
• T1077 — Windows Admin Shares
• T1078 — Valid Accounts
• T1078.001 — Default Accounts
• T1078.002 — Domain Accounts
• T1078.003 — Local Accounts
• T1078.004 — Cloud Accounts
• T1079 — Multilayer Encryption
• T1080 — Taint Shared Content
• T1081 — Credentials in Files
• T1082 — System Information Discovery
• T1083 — File and Directory Discovery
• T1084 — Windows Management Instrumentation Event Subscription
• T1085 — Rundll32
• T1086 — PowerShell
• T1087 — Account Discovery
• T1087.001 — Local Account
• T1087.002 — Domain Account
• T1087.003 — Email Account
• T1087.004 — Cloud Account
• T1088 — Bypass User Account Control
• T1089 — Disabling Security Tools
• T1090 — Proxy
• T1090.001 — Internal Proxy
• T1090.002 — External Proxy
• T1090.003 — Multi-hop Proxy
• T1090.004 — Domain Fronting
• T1091 — Replication Through Removable Media
• T1092 — Communication Through Removable Media
• T1093 — Process Hollowing
• T1094 — Custom Command and Control Protocol
• T1095 — Non-Application Layer Protocol
• T1096 — NTFS File Attributes
• T1097 — Pass the Ticket
• T1098 — Account Manipulation
• T1098.001 — Additional Cloud Credentials
• T1098.002 — Additional Email Delegate Permissions
• T1098.003 — Additional Cloud Roles
• T1098.004 — SSH Authorized Keys
• T1098.005 — Device Registration
• T1098.006 — Additional Container Cluster Roles
• T1098.007 — Additional Local or Domain Groups
• T1099 — Timestomp
• T1100 — Web Shell
• T1101 — Security Support Provider
• T1102 — Web Service
• T1102.001 — Dead Drop Resolver
• T1102.002 — Bidirectional Communication
• T1102.003 — One-Way Communication
• T1103 — AppInit DLLs
• T1104 — Multi-Stage Channels
• T1105 — Ingress Tool Transfer
• T1106 — Native API
• T1107 — File Deletion
• T1108 — Redundant Access
• T1109 — Component Firmware
• T1110 — Brute Force
• T1110.001 — Password Guessing
• T1110.002 — Password Cracking
• T1110.003 — Password Spraying
• T1110.004 — Credential Stuffing
• T1111 — Multi-Factor Authentication Interception
• T1112 — Modify Registry
• T1113 — Screen Capture
• T1114 — Email Collection
• T1114.001 — Local Email Collection
• T1114.002 — Remote Email Collection
• T1114.003 — Email Forwarding Rule
• T1115 — Clipboard Data
• T1116 — Code Signing
• T1117 — Regsvr32
• T1118 — InstallUtil
• T1119 — Automated Collection
• T1120 — Peripheral Device Discovery
• T1121 — Regsvcs/Regasm
• T1122 — Component Object Model Hijacking
• T1123 — Audio Capture
• T1124 — System Time Discovery
• T1125 — Video Capture
• T1126 — Network Share Connection Removal
• T1127 — Trusted Developer Utilities Proxy Execution
• T1127.001 — MSBuild
• T1127.002 — ClickOnce
• T1127.003 — JamPlus
• T1128 — Netsh Helper DLL
• T1129 — Shared Modules
• T1130 — Install Root Certificate
• T1131 — Authentication Package
• T1132 — Data Encoding
• T1132.001 — Standard Encoding
• T1132.002 — Non-Standard Encoding
• T1133 — External Remote Services
• T1134 — Access Token Manipulation
• T1134.001 — Token Impersonation/Theft
• T1134.002 — Create Process with Token
• T1134.003 — Make and Impersonate Token
• T1134.004 — Parent PID Spoofing
• T1134.005 — SID-History Injection
• T1135 — Network Share Discovery
• T1136 — Create Account
• T1136.001 — Local Account
• T1136.002 — Domain Account
• T1136.003 — Cloud Account
• T1137 — Office Application Startup
• T1137.001 — Office Template Macros
• T1137.002 — Office Test
• T1137.003 — Outlook Forms
• T1137.004 — Outlook Home Page
• T1137.005 — Outlook Rules
• T1137.006 — Add-ins
• T1138 — Application Shimming
• T1139 — Bash History
• T1140 — Deobfuscate/Decode Files or Information
• T1141 — Input Prompt
• T1142 — Keychain
• T1143 — Hidden Window
• T1144 — Gatekeeper Bypass
• T1145 — Private Keys
• T1146 — Clear Command History
• T1147 — Hidden Users
• T1148 — HISTCONTROL
• T1149 — LC_MAIN Hijacking
• T1150 — Plist Modification
• T1151 — Space after Filename
• T1152 — Launchctl
• T1153 — Source
• T1154 — Trap
• T1155 — AppleScript
• T1156 — Malicious Shell Modification
• T1157 — Dylib Hijacking
• T1158 — Hidden Files and Directories
• T1159 — Launch Agent
• T1160 — Launch Daemon
• T1161 — LC_LOAD_DYLIB Addition
• T1162 — Login Item
• T1163 — Rc.common
• T1164 — Re-opened Applications
• T1165 — Startup Items
• T1166 — Setuid and Setgid
• T1167 — Securityd Memory
• T1168 — Local Job Scheduling
• T1169 — Sudo
• T1170 — Mshta
• T1171 — LLMNR/NBT-NS Poisoning and Relay
• T1172 — Domain Fronting
• T1173 — Dynamic Data Exchange
• T1174 — Password Filter DLL
• T1175 — Component Object Model and Distributed COM
• T1176 — Software Extensions
• T1176.001 — Browser Extensions
• T1176.002 — IDE Extensions
• T1177 — LSASS Driver
• T1178 — SID-History Injection
• T1179 — Hooking
• T1180 — Screensaver
• T1181 — Extra Window Memory Injection
• T1182 — AppCert DLLs
• T1183 — Image File Execution Options Injection
• T1184 — SSH Hijacking
• T1185 — Browser Session Hijacking
• T1186 — Process Doppelgänging
• T1187 — Forced Authentication
• T1188 — Multi-hop Proxy
• T1189 — Drive-by Compromise
• T1190 — Exploit Public-Facing Application
• T1191 — CMSTP
• T1192 — Spearphishing Link
• T1193 — Spearphishing Attachment
• T1194 — Spearphishing via Service
• T1195 — Supply Chain Compromise
• T1195.001 — Compromise Software Dependencies and Development Tools
• T1195.002 — Compromise Software Supply Chain
• T1195.003 — Compromise Hardware Supply Chain
• T1196 — Control Panel Items
• T1197 — BITS Jobs
• T1198 — SIP and Trust Provider Hijacking
• T1199 — Trusted Relationship
• T1200 — Hardware Additions
• T1201 — Password Policy Discovery
• T1202 — Indirect Command Execution
• T1203 — Exploitation for Client Execution
• T1204 — User Execution
• T1204.001 — Malicious Link
• T1204.002 — Malicious File
• T1204.003 — Malicious Image
• T1204.004 — Malicious Copy and Paste
• T1205 — Traffic Signaling
• T1205.001 — Port Knocking
• T1205.002 — Socket Filters
• T1206 — Sudo Caching
• T1207 — Rogue Domain Controller
• T1208 — Kerberoasting
• T1209 — Time Providers
• T1210 — Exploitation of Remote Services
• T1211 — Exploitation for Defense Evasion
• T1212 — Exploitation for Credential Access
• T1213 — Data from Information Repositories
• T1213.001 — Confluence
• T1213.002 — Sharepoint
• T1213.003 — Code Repositories
• T1213.004 — Customer Relationship Management Software
• T1213.005 — Messaging Applications
• T1214 — Credentials in Registry
• T1215 — Kernel Modules and Extensions
• T1216 — System Script Proxy Execution
• T1216.001 — PubPrn
• T1216.002 — SyncAppvPublishingServer
• T1217 — Browser Information Discovery
• T1218 — System Binary Proxy Execution
• T1218.001 — Compiled HTML File
• T1218.002 — Control Panel
• T1218.003 — CMSTP
• T1218.004 — InstallUtil
• T1218.005 — Mshta
• T1218.007 — Msiexec
• T1218.008 — Odbcconf
• T1218.009 — Regsvcs/Regasm
• T1218.010 — Regsvr32
• T1218.011 — Rundll32
• T1218.012 — Verclsid
• T1218.013 — Mavinject
• T1218.014 — MMC
• T1218.015 — Electron Applications
• T1219 — Remote Access Tools
• T1219.001 — IDE Tunneling
• T1219.002 — Remote Desktop Software
• T1219.003 — Remote Access Hardware
• T1220 — XSL Script Processing
• T1221 — Template Injection
• T1222 — File and Directory Permissions Modification
• T1222.001 — Windows File and Directory Permissions Modification
• T1222.002 — Linux and Mac File and Directory Permissions Modification
• T1223 — Compiled HTML File
• T1480 — Execution Guardrails
• T1480.001 — Environmental Keying
• T1480.002 — Mutual Exclusion
• T1482 — Domain Trust Discovery
• T1483 — Domain Generation Algorithms
• T1484 — Domain or Tenant Policy Modification
• T1484.001 — Group Policy Modification
• T1484.002 — Trust Modification
• T1485 — Data Destruction
• T1485.001 — Lifecycle-Triggered Deletion
• T1486 — Data Encrypted for Impact
• T1487 — Disk Structure Wipe
• T1488 — Disk Content Wipe
• T1489 — Service Stop
• T1490 — Inhibit System Recovery
• T1491 — Defacement
• T1491.001 — Internal Defacement
• T1491.002 — External Defacement
• T1492 — Stored Data Manipulation
• T1493 — Transmitted Data Manipulation
• T1494 — Runtime Data Manipulation
• T1495 — Firmware Corruption
• T1496 — Resource Hijacking
• T1496.001 — Compute Hijacking
• T1496.002 — Bandwidth Hijacking
• T1496.003 — SMS Pumping
• T1496.004 — Cloud Service Hijacking
• T1497 — Virtualization/Sandbox Evasion
• T1497.001 — System Checks
• T1497.002 — User Activity Based Checks
• T1497.003 — Time Based Evasion
• T1498 — Network Denial of Service
• T1498.001 — Direct Network Flood
• T1498.002 — Reflection Amplification
• T1499 — Endpoint Denial of Service
• T1499.001 — OS Exhaustion Flood
• T1499.002 — Service Exhaustion Flood
• T1499.003 — Application Exhaustion Flood
• T1499.004 — Application or System Exploitation
• T1500 — Compile After Delivery
• T1501 — Systemd Service
• T1502 — Parent PID Spoofing
• T1503 — Credentials from Web Browsers
• T1504 — PowerShell Profile
• T1505 — Server Software Component
• T1505.001 — SQL Stored Procedures
• T1505.002 — Transport Agent
• T1505.003 — Web Shell
• T1505.004 — IIS Components
• T1505.005 — Terminal Services DLL
• T1505.006 — vSphere Installation Bundles
• T1506 — Web Session Cookie
• T1514 — Elevated Execution with Prompt
• T1518 — Software Discovery
• T1518.001 — Security Software Discovery
• T1519 — Emond
• T1522 — Cloud Instance Metadata API
• T1525 — Implant Internal Image
• T1526 — Cloud Service Discovery
• T1527 — Application Access Token
• T1528 — Steal Application Access Token
• T1529 — System Shutdown/Reboot
• T1530 — Data from Cloud Storage
• T1531 — Account Access Removal
• T1534 — Internal Spearphishing
• T1535 — Unused/Unsupported Cloud Regions
• T1536 — Revert Cloud Instance
• T1537 — Transfer Data to Cloud Account
• T1538 — Cloud Service Dashboard
• T1539 — Steal Web Session Cookie
• T1542 — Pre-OS Boot
• T1542.001 — System Firmware
• T1542.002 — Component Firmware
• T1542.003 — Bootkit
• T1542.004 — ROMMONkit
• T1542.005 — TFTP Boot
• T1543 — Create or Modify System Process
• T1543.001 — Launch Agent
• T1543.002 — Systemd Service
• T1543.003 — Windows Service
• T1543.004 — Launch Daemon
• T1543.005 — Container Service
• T1546 — Event Triggered Execution
• T1546.001 — Change Default File Association
• T1546.002 — Screensaver
• T1546.003 — Windows Management Instrumentation Event Subscription
• T1546.004 — Unix Shell Configuration Modification
• T1546.005 — Trap
• T1546.006 — LC_LOAD_DYLIB Addition
• T1546.007 — Netsh Helper DLL
• T1546.008 — Accessibility Features
• T1546.009 — AppCert DLLs
• T1546.010 — AppInit DLLs
• T1546.011 — Application Shimming
• T1546.012 — Image File Execution Options Injection
• T1546.013 — PowerShell Profile
• T1546.014 — Emond
• T1546.015 — Component Object Model Hijacking
• T1546.016 — Installer Packages
• T1546.017 — Udev Rules
• T1547 — Boot or Logon Autostart Execution
• T1547.001 — Registry Run Keys / Startup Folder
• T1547.002 — Authentication Package
• T1547.003 — Time Providers
• T1547.004 — Winlogon Helper DLL
• T1547.005 — Security Support Provider
• T1547.006 — Kernel Modules and Extensions
• T1547.007 — Re-opened Applications
• T1547.008 — LSASS Driver
• T1547.009 — Shortcut Modification
• T1547.010 — Port Monitors
• T1547.011 — Plist Modification
• T1547.012 — Print Processors
• T1547.013 — XDG Autostart Entries
• T1547.014 — Active Setup
• T1547.015 — Login Items
• T1548 — Abuse Elevation Control Mechanism
• T1548.001 — Setuid and Setgid
• T1548.002 — Bypass User Account Control
• T1548.003 — Sudo and Sudo Caching
• T1548.004 — Elevated Execution with Prompt
• T1548.005 — Temporary Elevated Cloud Access
• T1548.006 — TCC Manipulation
• T1550 — Use Alternate Authentication Material
• T1550.001 — Application Access Token
• T1550.002 — Pass the Hash
• T1550.003 — Pass the Ticket
• T1550.004 — Web Session Cookie
• T1552 — Unsecured Credentials
• T1552.001 — Credentials In Files
• T1552.002 — Credentials in Registry
• T1552.003 — Bash History
• T1552.004 — Private Keys
• T1552.005 — Cloud Instance Metadata API
• T1552.006 — Group Policy Preferences
• T1552.007 — Container API
• T1552.008 — Chat Messages
• T1553 — Subvert Trust Controls
• T1553.001 — Gatekeeper Bypass
• T1553.002 — Code Signing
• T1553.003 — SIP and Trust Provider Hijacking
• T1553.004 — Install Root Certificate
• T1553.005 — Mark-of-the-Web Bypass
• T1553.006 — Code Signing Policy Modification
• T1554 — Compromise Host Software Binary
• T1555 — Credentials from Password Stores
• T1555.001 — Keychain
• T1555.002 — Securityd Memory
• T1555.003 — Credentials from Web Browsers
• T1555.004 — Windows Credential Manager
• T1555.005 — Password Managers
• T1555.006 — Cloud Secrets Management Stores
• T1556 — Modify Authentication Process
• T1556.001 — Domain Controller Authentication
• T1556.002 — Password Filter DLL
• T1556.003 — Pluggable Authentication Modules
• T1556.004 — Network Device Authentication
• T1556.005 — Reversible Encryption
• T1556.006 — Multi-Factor Authentication
• T1556.007 — Hybrid Identity
• T1556.008 — Network Provider DLL
• T1556.009 — Conditional Access Policies
• T1557 — Adversary-in-the-Middle
• T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay
• T1557.002 — ARP Cache Poisoning
• T1557.003 — DHCP Spoofing
• T1557.004 — Evil Twin
• T1558 — Steal or Forge Kerberos Tickets
• T1558.001 — Golden Ticket
• T1558.002 — Silver Ticket
• T1558.003 — Kerberoasting
• T1558.004 — AS-REP Roasting
• T1558.005 — Ccache Files
• T1559 — Inter-Process Communication
• T1559.001 — Component Object Model
• T1559.002 — Dynamic Data Exchange
• T1559.003 — XPC Services
• T1560 — Archive Collected Data
• T1560.001 — Archive via Utility
• T1560.002 — Archive via Library
• T1560.003 — Archive via Custom Method
• T1561 — Disk Wipe
• T1561.001 — Disk Content Wipe
• T1561.002 — Disk Structure Wipe
• T1562 — Impair Defenses
• T1562.001 — Disable or Modify Tools
• T1562.002 — Disable Windows Event Logging
• T1562.003 — Impair Command History Logging
• T1562.004 — Disable or Modify System Firewall
• T1562.006 — Indicator Blocking
• T1562.007 — Disable or Modify Cloud Firewall
• T1562.008 — Disable or Modify Cloud Logs
• T1562.009 — Safe Mode Boot
• T1562.010 — Downgrade Attack
• T1562.011 — Spoof Security Alerting
• T1562.012 — Disable or Modify Linux Audit System
• T1563 — Remote Service Session Hijacking
• T1563.001 — SSH Hijacking
• T1563.002 — RDP Hijacking
• T1564 — Hide Artifacts
• T1564.001 — Hidden Files and Directories
• T1564.002 — Hidden Users
• T1564.003 — Hidden Window
• T1564.004 — NTFS File Attributes
• T1564.005 — Hidden File System
• T1564.006 — Run Virtual Instance
• T1564.007 — VBA Stomping
• T1564.008 — Email Hiding Rules
• T1564.009 — Resource Forking
• T1564.010 — Process Argument Spoofing
• T1564.011 — Ignore Process Interrupts
• T1564.012 — File/Path Exclusions
• T1564.013 — Bind Mounts
• T1564.014 — Extended Attributes
• T1565 — Data Manipulation
• T1565.001 — Stored Data Manipulation
• T1565.002 — Transmitted Data Manipulation
• T1565.003 — Runtime Data Manipulation
• T1566 — Phishing
• T1566.001 — Spearphishing Attachment
• T1566.002 — Spearphishing Link
• T1566.003 — Spearphishing via Service
• T1566.004 — Spearphishing Voice
• T1567 — Exfiltration Over Web Service
• T1567.001 — Exfiltration to Code Repository
• T1567.002 — Exfiltration to Cloud Storage
• T1567.003 — Exfiltration to Text Storage Sites
• T1567.004 — Exfiltration Over Webhook
• T1568 — Dynamic Resolution
• T1568.001 — Fast Flux DNS
• T1568.002 — Domain Generation Algorithms
• T1568.003 — DNS Calculation
• T1569 — System Services
• T1569.001 — Launchctl
• T1569.002 — Service Execution
• T1569.003 — Systemctl
• T1570 — Lateral Tool Transfer
• T1571 — Non-Standard Port
• T1572 — Protocol Tunneling
• T1573 — Encrypted Channel
• T1573.001 — Symmetric Cryptography
• T1573.002 — Asymmetric Cryptography
• T1574 — Hijack Execution Flow
• T1574.001 — DLL
• T1574.002 — DLL Side-Loading
• T1574.004 — Dylib Hijacking
• T1574.005 — Executable Installer File Permissions Weakness
• T1574.006 — Dynamic Linker Hijacking
• T1574.007 — Path Interception by PATH Environment Variable
• T1574.008 — Path Interception by Search Order Hijacking
• T1574.009 — Path Interception by Unquoted Path
• T1574.010 — Services File Permissions Weakness
• T1574.011 — Services Registry Permissions Weakness
• T1574.012 — COR_PROFILER
• T1574.013 — KernelCallbackTable
• T1574.014 — AppDomainManager
• T1578 — Modify Cloud Compute Infrastructure
• T1578.001 — Create Snapshot
• T1578.002 — Create Cloud Instance
• T1578.003 — Delete Cloud Instance
• T1578.004 — Revert Cloud Instance
• T1578.005 — Modify Cloud Compute Configurations
• T1580 — Cloud Infrastructure Discovery
• T1583 — Acquire Infrastructure
• T1583.001 — Domains
• T1583.002 — DNS Server
• T1583.003 — Virtual Private Server
• T1583.004 — Server
• T1583.005 — Botnet
• T1583.006 — Web Services
• T1583.007 — Serverless
• T1583.008 — Malvertising
• T1584 — Compromise Infrastructure
• T1584.001 — Domains
• T1584.002 — DNS Server
• T1584.003 — Virtual Private Server
• T1584.004 — Server
• T1584.005 — Botnet
• T1584.006 — Web Services
• T1584.007 — Serverless
• T1584.008 — Network Devices
• T1585 — Establish Accounts
• T1585.001 — Social Media Accounts
• T1585.002 — Email Accounts
• T1585.003 — Cloud Accounts
• T1586 — Compromise Accounts
• T1586.001 — Social Media Accounts
• T1586.002 — Email Accounts
• T1586.003 — Cloud Accounts
• T1587 — Develop Capabilities
• T1587.001 — Malware
• T1587.002 — Code Signing Certificates
• T1587.003 — Digital Certificates
• T1587.004 — Exploits
• T1588 — Obtain Capabilities
• T1588.001 — Malware
• T1588.002 — Tool
• T1588.003 — Code Signing Certificates
• T1588.004 — Digital Certificates
• T1588.005 — Exploits
• T1588.006 — Vulnerabilities
• T1588.007 — Artificial Intelligence
• T1589 — Gather Victim Identity Information
• T1589.001 — Credentials
• T1589.002 — Email Addresses
• T1589.003 — Employee Names
• T1590 — Gather Victim Network Information
• T1590.001 — Domain Properties
• T1590.002 — DNS
• T1590.003 — Network Trust Dependencies
• T1590.004 — Network Topology
• T1590.005 — IP Addresses
• T1590.006 — Network Security Appliances
• T1591 — Gather Victim Org Information
• T1591.001 — Determine Physical Locations
• T1591.002 — Business Relationships
• T1591.003 — Identify Business Tempo
• T1591.004 — Identify Roles
• T1592 — Gather Victim Host Information
• T1592.001 — Hardware
• T1592.002 — Software
• T1592.003 — Firmware
• T1592.004 — Client Configurations
• T1593 — Search Open Websites/Domains
• T1593.001 — Social Media
• T1593.002 — Search Engines
• T1593.003 — Code Repositories
• T1594 — Search Victim-Owned Websites
• T1595 — Active Scanning
• T1595.001 — Scanning IP Blocks
• T1595.002 — Vulnerability Scanning
• T1595.003 — Wordlist Scanning
• T1596 — Search Open Technical Databases
• T1596.001 — DNS/Passive DNS
• T1596.002 — WHOIS
• T1596.003 — Digital Certificates
• T1596.004 — CDNs
• T1596.005 — Scan Databases
• T1597 — Search Closed Sources
• T1597.001 — Threat Intel Vendors
• T1597.002 — Purchase Technical Data
• T1598 — Phishing for Information
• T1598.001 — Spearphishing Service
• T1598.002 — Spearphishing Attachment
• T1598.003 — Spearphishing Link
• T1598.004 — Spearphishing Voice
• T1599 — Network Boundary Bridging
• T1599.001 — Network Address Translation Traversal
• T1600 — Weaken Encryption
• T1600.001 — Reduce Key Space
• T1600.002 — Disable Crypto Hardware
• T1601 — Modify System Image
• T1601.001 — Patch System Image
• T1601.002 — Downgrade System Image
• T1602 — Data from Configuration Repository
• T1602.001 — SNMP (MIB Dump)
• T1602.002 — Network Device Configuration Dump
• T1606 — Forge Web Credentials
• T1606.001 — Web Cookies
• T1606.002 — SAML Tokens
• T1608 — Stage Capabilities
• T1608.001 — Upload Malware
• T1608.002 — Upload Tool
• T1608.003 — Install Digital Certificate
• T1608.004 — Drive-by Target
• T1608.005 — Link Target
• T1608.006 — SEO Poisoning
• T1609 — Container Administration Command
• T1610 — Deploy Container
• T1611 — Escape to Host
• T1612 — Build Image on Host
• T1613 — Container and Resource Discovery
• T1614 — System Location Discovery
• T1614.001 — System Language Discovery
• T1615 — Group Policy Discovery
• T1619 — Cloud Storage Object Discovery
• T1620 — Reflective Code Loading
• T1621 — Multi-Factor Authentication Request Generation
• T1622 — Debugger Evasion
• T1647 — Plist File Modification
• T1648 — Serverless Execution
• T1649 — Steal or Forge Authentication Certificates
• T1650 — Acquire Access
• T1651 — Cloud Administration Command
• T1652 — Device Driver Discovery
• T1653 — Power Settings
• T1654 — Log Enumeration
• T1656 — Impersonation
• T1657 — Financial Theft
• T1659 — Content Injection
• T1665 — Hide Infrastructure
• T1666 — Modify Cloud Resource Hierarchy
• T1667 — Email Bombing
• T1668 — Exclusive Control
• T1669 — Wi-Fi Networks
• T1671 — Cloud Application Integration
• T1672 — Email Spoofing
• T1673 — Virtual Machine Discovery
• T1674 — Input Injection
• T1675 — ESXi Administration Command