From 1343b1cbb2e175cf070d374199fa58085c8067b3 Mon Sep 17 00:00:00 2001
From: Lex <86126040+alexiacrumpton@users.noreply.github.com>
Date: Mon, 8 Jan 2024 19:33:52 -0500
Subject: [PATCH] Update index.md spacing issue fixed
---
 docs/coverage/index.md | 11827 ++++++++++++++++++++-------------------
 1 file changed, 5914 insertions(+), 5913 deletions(-)

diff --git a/docs/coverage/index.md b/docs/coverage/index.md
index 14c1f792..eda33a1f 100644
--- a/docs/coverage/index.md
+++ b/docs/coverage/index.md
@@ -1,5921 +1,5922 @@ --- - title: Analytic Coverage Comparison - --- +title: Analytic Coverage Comparison +--- - Generated on: January 08, 2024 +Generated on: January 08, 2024 - A cross-walk of CAR, [Sigma](https://github.com/SigmaHQ/sigma), [Elastic Detection](https://github.com/elastic/detection-rules), and [Splunk Security Content](https://github.com/splunk/security_content/tree/develop/detections) rules in terms of their coverage of ATT&CK Techniques and Sub-techniques. Note that some analytics may have coverage for multiple techniques, so there is not necessarily a 1:1 correlation between the number of hits in this table for a technique/sub-technique and the number of analytics in each repository. The below table is current as of the Generated On date at the top of this page. +A cross-walk of CAR, [Sigma](https://github.com/SigmaHQ/sigma), [Elastic Detection](https://github.com/elastic/detection-rules), and [Splunk Security Content](https://github.com/splunk/security_content/tree/develop/detections) rules in terms of their coverage of ATT&CK Techniques and Sub-techniques. Note that some analytics may have coverage for multiple techniques, so there is not necessarily a 1:1 correlation between the number of hits in this table for a technique/sub-technique and the number of analytics in each repository. The below table is current as of the Generated On date at the top of this page. - * \# CAR: the number of CAR analytics that contain coverage for the technique/sub-technique. - * \# Sigma: the number of Sigma rules that contain coverage for the technique/sub-technique. - * \# ES: the number of ES detection rules that contain coverage for the technique/sub-technique. - * \# Splunk: the number of Splunk detections rules that contain coverage for the technique/sub-technique. - * \# Total: the total number of analytics between CAR/Sigma/ES/Splunk that contain coverage for the technique-sub-technique. 
+* \# CAR: the number of CAR analytics that contain coverage for the technique/sub-technique. +* \# Sigma: the number of Sigma rules that contain coverage for the technique/sub-technique. +* \# ES: the number of ES detection rules that contain coverage for the technique/sub-technique. +* \# Splunk: the number of Splunk detections rules that contain coverage for the technique/sub-technique. +* \# Total: the total number of analytics between CAR/Sigma/ES/Splunk that contain coverage for the technique-sub-technique. - This table is sortable, so feel free to click on any column to sort by its values. Clicking on each of the CAR/Sigma/ES/Splunk results will search the corresponding repository for the analytics that contain coverage for the technique/sub-technique. +This table is sortable, so feel free to click on any column to sort by its values. Clicking on each of the CAR/Sigma/ES/Splunk results will search the corresponding repository for the analytics that contain coverage for the technique/sub-technique. - This data is also available as: +This data is also available as: - * A [CSV file](/coverage/analytic_coverage_01_08_2024.csv). - * Separate ATT&CK Navigator Layers: - * [CAR Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_01_08_2024.json). - * [Sigma Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_01_08_2024.json). - * [ES Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_01_08_2024.json). - * [Splunk Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/splunk_analytic_coverage_01_08_2024.json). 
- - Technique ID - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +* A [CSV file](/coverage/analytic_coverage_01_08_2024.csv). 
+* Separate ATT&CK Navigator Layers: +* [CAR Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_01_08_2024.json). +* [Sigma Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_01_08_2024.json). +* [ES Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_01_08_2024.json). +* [Splunk Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/splunk_analytic_coverage_01_08_2024.json). + + +
Technique NameSub-technique Name# CAR# Sigma# ES# Splunk# Total
T1001Data Obfuscationn/a00000
T1001.001Data ObfuscationJunk Data00000
T1001.002Data ObfuscationSteganography00000
T1001.003Data ObfuscationProtocol Impersonation03014
T1003OS Credential Dumpingn/a023343693
T1003.001OS Credential DumpingLSASS Memory5751014104
T1003.002OS Credential DumpingSecurity Account Manager1285943
T1003.003OS Credential DumpingNTDS2191830
T1003.004OS Credential DumpingLSA Secrets0121013
T1003.005OS Credential DumpingCached Domain Credentials08019
T1003.006OS Credential DumpingDCSync08008
T1003.007OS Credential DumpingProc Filesystem00000
T1003.008OS Credential Dumping/etc/passwd and /etc/shadow00112
T1005Data from Local Systemn/a072110
T1006Direct Volume Accessn/a01102
T1007System Service Discoveryn/a23005
T1008Fallback Channelsn/a02002
T1010Application Window Discoveryn/a11002
T1011Exfiltration Over Other Network Mediumn/a00000
T1011.001Exfiltration Over Other Network MediumExfiltration Over Bluetooth00000
T1012Query Registryn/a3101216
T1014Rootkitn/a01034
T1016System Network Configuration Discoveryn/a283417
T1016.001System Network Configuration DiscoveryInternet Connection Discovery00011
T1018Remote System Discoveryn/a11541838
T1020Automated Exfiltrationn/a051612
T1020.001Automated ExfiltrationTraffic Duplication00011
T1021Remote Servicesn/a13342462
T1021.001Remote ServicesRemote Desktop Protocol3141927
T1021.002Remote ServicesSMB/Windows Admin Shares5336549
T1021.003Remote ServicesDistributed Component Object Model190515
T1021.004Remote ServicesSSH01124
T1021.005Remote ServicesVNC01001
T1021.006Remote ServicesWindows Remote Management390618
T1025Data from Removable Median/a00000
T1026Multiband Communicationn/a00000
T1027Obfuscated Files or Informationn/a0837898
T1027.001Obfuscated Files or InformationBinary Padding03003
T1027.002Obfuscated Files or InformationSoftware Packing01001
T1027.003Obfuscated Files or InformationSteganography05005
T1027.004Obfuscated Files or InformationCompile After Delivery05218
T1027.005Obfuscated Files or InformationIndicator Removal from Tools04026
T1027.006Obfuscated Files or InformationHTML Smuggling00101
T1029Scheduled Transfern/a10001
T1030Data Transfer Size Limitsn/a02002
T1033System Owner/User Discoveryn/a22541041
T1034Path Interceptionn/a00000
T1036Masqueradingn/a127162771
T1036.001MasqueradingInvalid Code Signature00000
T1036.002MasqueradingRight-to-Left Override00000
T1036.003MasqueradingRename System Utilities12122246
T1036.004MasqueradingMasquerade Task or Service02013
T1036.005MasqueradingMatch Legitimate Name or Location191112
T1036.006MasqueradingSpace after Filename01102
T1036.007MasqueradingDouble File Extension02103
T1037Boot or Logon Initialization Scriptsn/a00527
T1037.001Boot or Logon Initialization ScriptsLogon Script (Windows)22015
T1037.002Boot or Logon Initialization ScriptsLogin Hook00000
T1037.003Boot or Logon Initialization ScriptsNetwork Logon Script00000
T1037.004Boot or Logon Initialization ScriptsRC Scripts00213
T1037.005Boot or Logon Initialization ScriptsStartup Items01001
T1039Data from Network Shared Driven/a12014
T1040Network Sniffingn/a182112
T1041Exfiltration Over C2 Channeln/a03014
T1043Commonly Used Portn/a00000
T1046Network Service Discoveryn/a2111014
T1047Windows Management Instrumentationn/a34051462
T1048Exfiltration Over Alternative Protocoln/a076922
T1048.001Exfiltration Over Alternative ProtocolExfiltration Over Symmetric Encrypted Non-C2 Protocol01001
T1048.002Exfiltration Over Alternative ProtocolExfiltration Over Asymmetric Encrypted Non-C2 Protocol00000
T1048.003Exfiltration Over Alternative ProtocolExfiltration Over Unencrypted Non-C2 Protocol0140923
T1049System Network Connections Discoveryn/a181616
T1051Shared Webrootn/a00000
T1052Exfiltration Over Physical Mediumn/a00000
T1052.001Exfiltration Over Physical MediumExfiltration over USB00000
T1053Scheduled Task/Jobn/a011192858
T1053.002Scheduled Task/JobAt380314
T1053.003Scheduled Task/JobCron065617
T1053.004Scheduled Task/JobLaunchd00000
T1053.005Scheduled Task/JobScheduled Task63891568
T1053.006Scheduled Task/JobSystemd Timers00033
T1053.007Scheduled Task/JobContainer Orchestration Job00000
T1055Process Injectionn/a023132662
T1055.001Process InjectionDynamic-link Library Injection280414
T1055.002Process InjectionPortable Executable Injection00022
T1055.003Process InjectionThread Execution Hijacking02002
T1055.004Process InjectionAsynchronous Procedure Call00000
T1055.005Process InjectionThread Local Storage00000
T1055.008Process InjectionPtrace System Calls00000
T1055.009Process InjectionProc Memory00000
T1055.011Process InjectionExtra Window Memory Injection00000
T1055.012Process InjectionProcess Hollowing12205
T1055.013Process InjectionProcess Doppelgänging00000
T1055.014Process InjectionVDSO Hijacking00000
T1055.015Process InjectionListPlanting00000
T1056Input Capturen/a00213
T1056.001Input CaptureKeylogging02002
T1056.002Input CaptureGUI Input Capture03115
T1056.003Input CaptureWeb Portal Capture00000
T1056.004Input CaptureCredential API Hooking00000
T1057Process Discoveryn/a25209
T1059Command and Scripting Interpretern/a1516457173
T1059.001Command and Scripting InterpreterPowerShell3181732223
T1059.002Command and Scripting InterpreterAppleScript02204
T1059.003Command and Scripting InterpreterWindows Command Shell2210932
T1059.004Command and Scripting InterpreterUnix Shell0818329
T1059.005Command and Scripting InterpreterVisual Basic1180423
T1059.006Command and Scripting InterpreterPython02204
T1059.007Command and Scripting InterpreterJavaScript0133420
T1059.008Command and Scripting InterpreterNetwork Device CLI00000
T1061Graphical User Interfacen/a00000
T1062Hypervisorn/a00000
T1064Scriptingn/a00000
T1068Exploitation for Privilege Escalationn/a125181054
T1069Permission Groups Discoveryn/a0152531
T1069.001Permission Groups DiscoveryLocal Groups31411129
T1069.002Permission Groups DiscoveryDomain Groups31021833
T1069.003Permission Groups DiscoveryCloud Groups00011
T1070Indicator Removal on Hostn/a013142350
T1070.001Indicator Removal on HostClear Windows Event Logs283619
T1070.002Indicator Removal on HostClear Linux or Mac System Logs03104
T1070.003Indicator Removal on HostClear Command History172010
T1070.004Indicator Removal on HostFile Deletion01241228
T1070.005Indicator Removal on HostNetwork Share Connection Removal13015
T1070.006Indicator Removal on HostTimestomp05106
T1071Application Layer Protocoln/a06111027
T1071.001Application Layer ProtocolWeb Protocols0293234
T1071.002Application Layer ProtocolFile Transfer Protocols00011
T1071.003Application Layer ProtocolMail Protocols00033
T1071.004Application Layer ProtocolDNS0170421
T1072Software Deployment Toolsn/a03025
T1074Data Stagedn/a02215
T1074.001Data StagedLocal Data Staging04004
T1074.002Data StagedRemote Data Staging00101
T1078Valid Accountsn/a0424051133
T1078.001Valid AccountsDefault Accounts012811
T1078.002Valid AccountsDomain Accounts512614
T1078.003Valid AccountsLocal Accounts515213
T1078.004Valid AccountsCloud Accounts0312832
T1080Taint Shared Contentn/a00202
T1082System Information Discoveryn/a2147528
T1083File and Directory Discoveryn/a0122115
T1087Account Discoveryn/a01242743
T1087.001Account DiscoveryLocal Account21101124
T1087.002Account DiscoveryDomain Account21511937
T1087.003Account DiscoveryEmail Account00000
T1087.004Account DiscoveryCloud Account01001
T1090Proxyn/a0111315
T1090.001ProxyInternal Proxy03003
T1090.002ProxyExternal Proxy01001
T1090.003ProxyMulti-hop Proxy02103
T1090.004ProxyDomain Fronting00000
T1091Replication Through Removable Median/a01001
T1092Communication Through Removable Median/a00000
T1095Non-Application Layer Protocoln/a04127
T1098Account Manipulationn/a122351068
T1098.001Account ManipulationAdditional Cloud Credentials00011
T1098.002Account ManipulationAdditional Email Delegate Permissions00202
T1098.003Account ManipulationAdditional Cloud Roles01326
T1098.004Account ManipulationSSH Authorized Keys00134
T1098.005Account ManipulationDevice Registration00000
T1102Web Servicen/a03126
T1102.001Web ServiceDead Drop Resolver03003
T1102.002Web ServiceBidirectional Communication02002
T1102.003Web ServiceOne-Way Communication02002
T1104Multi-Stage Channelsn/a01001
T1105Ingress Tool Transfern/a44792383
T1106Native APIn/a0126018
T1108Redundant Accessn/a00000
T1110Brute Forcen/a010192554
T1110.001Brute ForcePassword Guessing036312
T1110.002Brute ForcePassword Cracking01001
T1110.003Brute ForcePassword Spraying0861529
T1110.004Brute ForceCredential Stuffing00055
T1111Multi-Factor Authentication Interceptionn/a00101
T1112Modify Registryn/a862525100
T1113Screen Capturen/a061310
T1114Email Collectionn/a043815
T1114.001Email CollectionLocal Email Collection01023
T1114.002Email CollectionRemote Email Collection00134
T1114.003Email CollectionEmail Forwarding Rule00123
T1115Clipboard Datan/a06028
T1119Automated Collectionn/a05005
T1120Peripheral Device Discoveryn/a02103
T1123Audio Capturen/a06107
T1124System Time Discoveryn/a03014
T1125Video Capturen/a01001
T1127Trusted Developer Utilities Proxy Executionn/a0178934
T1127.001Trusted Developer Utilities Proxy ExecutionMSBuild113611
T1129Shared Modulesn/a00101
T1132Data Encodingn/a00000
T1132.001Data EncodingStandard Encoding01001
T1132.002Data EncodingNon-Standard Encoding00000
T1133External Remote Servicesn/a075012
T1134Access Token Manipulationn/a0012517
T1134.001Access Token ManipulationToken Impersonation/Theft071311
T1134.002Access Token ManipulationCreate Process with Token05319
T1134.003Access Token ManipulationMake and Impersonate Token01102
T1134.004Access Token ManipulationParent PID Spoofing01214
T1134.005Access Token ManipulationSID-History Injection01001
T1135Network Share Discoveryn/a073010
T1136Create Accountn/a0171422
T1136.001Create AccountLocal Account1122520
T1136.002Create AccountDomain Account02002
T1136.003Create AccountCloud Account0221014
T1137Office Application Startupn/a06208
T1137.001Office Application StartupOffice Template Macros00000
T1137.002Office Application StartupOffice Test01001
T1137.003Office Application StartupOutlook Forms01001
T1137.004Office Application StartupOutlook Home Page00000
T1137.005Office Application StartupOutlook Rules00000
T1137.006Office Application StartupAdd-ins03003
T1140Deobfuscate/Decode Files or Informationn/a1136222
T1149LC_MAIN Hijackingn/a00000
T1153Sourcen/a00000
T1175Component Object Model and Distributed COMn/a00000
T1176Browser Extensionsn/a01001
T1185Browser Session Hijackingn/a01001
T1187Forced Authenticationn/a13015
T1189Drive-by Compromisen/a02158
T1190Exploit Public-Facing Applicationn/a0741531120
T1195Supply Chain Compromisen/a01438
T1195.001Supply Chain CompromiseCompromise Software Dependencies and Development Tools01023
T1195.002Supply Chain CompromiseCompromise Software Supply Chain00415
T1195.003Supply Chain CompromiseCompromise Hardware Supply Chain00000
T1197BITS Jobsn/a2161625
T1199Trusted Relationshipn/a01023
T1200Hardware Additionsn/a02057
T1201Password Policy Discoveryn/a040711
T1202Indirect Command Executionn/a0280432
T1203Exploitation for Client Executionn/a0212427
T1204User Executionn/a0871530
T1204.001User ExecutionMalicious Link02013
T1204.002User ExecutionMalicious File1263434
T1204.003User ExecutionMalicious Image00077
T1205Traffic Signalingn/a00000
T1205.001Traffic SignalingPort Knocking00000
T1207Rogue Domain Controllern/a01001
T1210Exploitation of Remote Servicesn/a081312
T1211Exploitation for Defense Evasionn/a03104
T1212Exploitation for Credential Accessn/a081211
T1213Data from Information Repositoriesn/a00011
T1213.001Data from Information RepositoriesConfluence00000
T1213.002Data from Information RepositoriesSharepoint00000
T1213.003Data from Information RepositoriesCode Repositories00000
T1216System Script Proxy Executionn/a0170118
T1216.001System Script Proxy ExecutionPubPrn02002
T1217Browser Bookmark Discoveryn/a03003
T1218System Binary Proxy Executionn/a0941870182
T1218.001System Binary Proxy ExecutionCompiled HTML File151815
T1218.002System Binary Proxy ExecutionControl Panel01113
T1218.003System Binary Proxy ExecutionCMSTP170311
T1218.004System Binary Proxy ExecutionInstallUtil001910
T1218.005System Binary Proxy ExecutionMshta0841224
T1218.007System Binary Proxy ExecutionMsiexec090918
T1218.008System Binary Proxy ExecutionOdbcconf01045
T1218.009System Binary Proxy ExecutionRegsvcs/Regasm01168
T1218.010System Binary Proxy ExecutionRegsvr322162626
T1218.011System Binary Proxy ExecutionRundll3213231652
T1218.012System Binary Proxy ExecutionVerclsid00011
T1218.013System Binary Proxy ExecutionMavinject02013
T1218.014System Binary Proxy ExecutionMMC00033
T1219Remote Access Softwaren/a0283334
T1220XSL Script Processingn/a03328
T1221Template Injectionn/a01001
T1222File and Directory Permissions Modificationn/a0041115
T1222.001File and Directory Permissions ModificationWindows File and Directory Permissions Modification14027
T1222.002File and Directory Permissions ModificationLinux and Mac File and Directory Permissions Modification14117
T1480Execution Guardrailsn/a00000
T1480.001Execution GuardrailsEnvironmental Keying00000
T1482Domain Trust Discoveryn/a01321126
T1484Domain Policy Modificationn/a02428
T1484.001Domain Policy ModificationGroup Policy Modification02002
T1484.002Domain Policy ModificationDomain Trust Modification00123
T1485Data Destructionn/a01081937
T1486Data Encrypted for Impactn/a0101718
T1489Service Stopn/a0761427
T1490Inhibit System Recoveryn/a21861238
T1491Defacementn/a00022
T1491.001DefacementInternal Defacement02002
T1491.002DefacementExternal Defacement00000
T1495Firmware Corruptionn/a01001
T1496Resource Hijackingn/a04105
T1497Virtualization/Sandbox Evasionn/a00112
T1497.001Virtualization/Sandbox EvasionSystem Checks01001
T1497.002Virtualization/Sandbox EvasionUser Activity Based Checks00000
T1497.003Virtualization/Sandbox EvasionTime Based Evasion00011
T1498Network Denial of Servicen/a00178
T1498.001Network Denial of ServiceDirect Network Flood00000
T1498.002Network Denial of ServiceReflection Amplification00011
T1499Endpoint Denial of Servicen/a01113
T1499.001Endpoint Denial of ServiceOS Exhaustion Flood01001
T1499.002Endpoint Denial of ServiceService Exhaustion Flood00000
T1499.003Endpoint Denial of ServiceApplication Exhaustion Flood00000
T1499.004Endpoint Denial of ServiceApplication or System Exploitation03003
T1505Server Software Componentn/a012710
T1505.001Server Software ComponentSQL Stored Procedures00000
T1505.002Server Software ComponentTransport Agent03003
T1505.003Server Software ComponentWeb Shell1272737
T1505.004Server Software ComponentIIS Components00000
T1505.005Server Software ComponentTerminal Services DLL01001
T1518Software Discoveryn/a02305
T1518.001Software DiscoverySecurity Software Discovery14207
T1525Implant Internal Imagen/a01001
T1526Cloud Service Discoveryn/a021710
T1528Steal Application Access Tokenn/a0103013
T1529System Shutdown/Rebootn/a06039
T1530Data from Cloud Storage Objectn/a005611
T1531Account Access Removaln/a039416
T1534Internal Spearphishingn/a00000
T1535Unused/Unsupported Cloud Regionsn/a00088
T1537Transfer Data to Cloud Accountn/a046212
T1538Cloud Service Dashboardn/a00000
T1539Steal Web Session Cookien/a02305
T1542Pre-OS Bootn/a00011
T1542.001Pre-OS BootSystem Firmware02002
T1542.002Pre-OS BootComponent Firmware00000
T1542.003Pre-OS BootBootkit01001
T1542.004Pre-OS BootROMMONkit00000
T1542.005Pre-OS BootTFTP Boot00011
T1543Create or Modify System Processn/a09281653
T1543.001Create or Modify System ProcessLaunch Agent00325
T1543.002Create or Modify System ProcessSystemd Service02103
T1543.003Create or Modify System ProcessWindows Service640101470
T1543.004Create or Modify System ProcessLaunch Daemon00000
T1546Event Triggered Executionn/a09151539
T1546.001Event Triggered ExecutionChange Default File Association13037
T1546.002Event Triggered ExecutionScreensaver14117
T1546.003Event Triggered ExecutionWindows Management Instrumentation Event Subscription1121317
T1546.004Event Triggered ExecutionUnix Shell Configuration Modification01124
T1546.005Event Triggered ExecutionTrap00000
T1546.006Event Triggered ExecutionLC_LOAD_DYLIB Addition00000
T1546.007Event Triggered ExecutionNetsh Helper DLL02002
T1546.008Event Triggered ExecutionAccessibility Features371112
T1546.009Event Triggered ExecutionAppCert DLLs02103
T1546.010Event Triggered ExecutionAppInit DLLs21104
T1546.011Event Triggered ExecutionApplication Shimming02237
T1546.012Event Triggered ExecutionImage File Execution Options Injection02125
T1546.013Event Triggered ExecutionPowerShell Profile03104
T1546.014Event Triggered ExecutionEmond01203
T1546.015Event Triggered ExecutionComponent Object Model Hijacking191415
T1547Boot or Logon Autostart Executionn/a06241646
T1547.001Boot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder4319246
T1547.002Boot or Logon Autostart ExecutionAuthentication Package01203
T1547.003Boot or Logon Autostart ExecutionTime Providers01113
T1547.004Boot or Logon Autostart ExecutionWinlogon Helper DLL23005
T1547.005Boot or Logon Autostart ExecutionSecurity Support Provider01113
T1547.006Boot or Logon Autostart ExecutionKernel Modules and Extensions01438
T1547.007Boot or Logon Autostart ExecutionRe-opened Applications00000
T1547.008Boot or Logon Autostart ExecutionLSASS Driver01012
T1547.009Boot or Logon Autostart ExecutionShortcut Modification04004
T1547.010Boot or Logon Autostart ExecutionPort Monitors14117
T1547.012Boot or Logon Autostart ExecutionPrint Processors00077
T1547.013Boot or Logon Autostart ExecutionXDG Autostart Entries00000
T1547.014Boot or Logon Autostart ExecutionActive Setup01012
T1547.015Boot or Logon Autostart ExecutionLogin Items00000
T1548Abuse Elevation Control Mechanismn/a117235192
T1548.001Abuse Elevation Control MechanismSetuid and Setgid01236
T1548.002Abuse Elevation Control MechanismBypass User Account Control348111375
T1548.003Abuse Elevation Control MechanismSudo and Sudo Caching0243238
T1548.004Abuse Elevation Control MechanismElevated Execution with Prompt00101
T1550Use Alternate Authentication Materialn/a036918
T1550.001Use Alternate Authentication MaterialApplication Access Token03508
T1550.002Use Alternate Authentication MaterialPass the Hash15039
T1550.003Use Alternate Authentication MaterialPass the Ticket03137
T1550.004Use Alternate Authentication MaterialWeb Session Cookie00000
T1552Unsecured Credentialsn/a057517
T1552.001Unsecured CredentialsCredentials In Files1142118
T1552.002Unsecured CredentialsCredentials in Registry13037
T1552.003Unsecured CredentialsBash History03003
T1552.004Unsecured CredentialsPrivate Keys05117
T1552.005Unsecured CredentialsCloud Instance Metadata API00000
T1552.006Unsecured CredentialsGroup Policy Preferences04004
T1552.007Unsecured CredentialsContainer API02002
T1553Subvert Trust Controlsn/a02529
T1553.001Subvert Trust ControlsGatekeeper Bypass01001
T1553.002Subvert Trust ControlsCode Signing01102
T1553.003Subvert Trust ControlsSIP and Trust Provider Hijacking01102
T1553.004Subvert Trust ControlsInstall Root Certificate152210
T1553.005Subvert Trust ControlsMark-of-the-Web Bypass03003
T1553.006Subvert Trust ControlsCode Signing Policy Modification00000
T1554Compromise Client Software Binaryn/a03227
T1555Credentials from Password Storesn/a049417
T1555.001Credentials from Password StoresKeychain01405
T1555.002Credentials from Password StoresSecurityd Memory00000
T1555.003Credentials from Password StoresCredentials from Web Browsers02237
T1555.004Credentials from Password StoresWindows Credential Manager04206
T1555.005Credentials from Password StoresPassword Managers01012
T1556Modify Authentication Processn/a029516
T1556.001Modify Authentication ProcessDomain Controller Authentication00000
T1556.002Modify Authentication ProcessPassword Filter DLL03003
T1556.003Modify Authentication ProcessPluggable Authentication Modules00000
T1556.004Modify Authentication ProcessNetwork Device Authentication00000
T1556.005Modify Authentication ProcessReversible Encryption00000
T1557Adversary-in-the-Middlen/a01045
T1557.001Adversary-in-the-MiddleLLMNR/NBT-NS Poisoning and SMB Relay07007
T1557.002Adversary-in-the-MiddleARP Cache Poisoning00033
T1557.003Adversary-in-the-MiddleDHCP Spoofing00000
T1558Steal or Forge Kerberos Ticketsn/a0391830
T1558.001Steal or Forge Kerberos TicketsGolden Ticket00011
T1558.002Steal or Forge Kerberos TicketsSilver Ticket00000
T1558.003Steal or Forge Kerberos TicketsKerberoasting0111820
T1558.004Steal or Forge Kerberos TicketsAS-REP Roasting00077
T1559Inter-Process Communicationn/a01203
T1559.001Inter-Process CommunicationComponent Object Model04116
T1559.002Inter-Process CommunicationDynamic Data Exchange11002
T1559.003Inter-Process CommunicationXPC Services00000
T1560Archive Collected Datan/a022610
T1560.001Archive Collected DataArchive via Utility1122621
T1560.002Archive Collected DataArchive via Library00000
T1560.003Archive Collected DataArchive via Custom Method00000
T1561Disk Wipen/a00022
T1561.001Disk WipeDisk Content Wipe01001
T1561.002Disk WipeDisk Structure Wipe01023
T1562Impair Defensesn/a0177762156
T1562.001Impair DefensesDisable or Modify Tools3743945161
T1562.002Impair DefensesDisable Windows Event Logging1122015
T1562.003Impair DefensesImpair Command History Logging00000
T1562.004Impair DefensesDisable or Modify System Firewall0134522
T1562.006Impair DefensesIndicator Blocking243110
T1562.007Impair DefensesDisable or Modify Cloud Firewall00369
T1562.008Impair DefensesDisable Cloud Logs00066
T1562.009Impair DefensesSafe Mode Boot00000
T1562.010Impair DefensesDowngrade Attack01001
T1563Remote Service Session Hijackingn/a00000
T1563.001Remote Service Session HijackingSSH Hijacking00000
T1563.002Remote Service Session HijackingRDP Hijacking02002
T1564Hide Artifactsn/a067114
T1564.001Hide ArtifactsHidden Files and Directories085215
T1564.002Hide ArtifactsHidden Users04004
T1564.003Hide ArtifactsHidden Window02002
T1564.004Hide ArtifactsNTFS File Attributes2192023
T1564.005Hide ArtifactsHidden File System00000
T1564.006Hide ArtifactsRun Virtual Instance02002
T1564.007Hide ArtifactsVBA Stomping00000
T1564.008Hide ArtifactsEmail Hiding Rules00000
T1564.009Hide ArtifactsResource Forking00000
T1564.010Hide ArtifactsProcess Argument Spoofing00000
T1565Data Manipulationn/a03306
T1565.001Data ManipulationStored Data Manipulation03306
T1565.002Data ManipulationTransmitted Data Manipulation01001
T1565.003Data ManipulationRuntime Data Manipulation00000
T1566Phishingn/a09173359
T1566.001PhishingSpearphishing Attachment015112955
T1566.002PhishingSpearphishing Link018110
T1566.003PhishingSpearphishing via Service00011
T1567Exfiltration Over Web Servicen/a071210
T1567.001Exfiltration Over Web ServiceExfiltration to Code Repository03003
T1567.002Exfiltration Over Web ServiceExfiltration to Cloud Storage07018
T1568Dynamic Resolutionn/a01304
T1568.001Dynamic ResolutionFast Flux DNS00000
T1568.002Dynamic ResolutionDomain Generation Algorithms02316
T1568.003Dynamic ResolutionDNS Calculation00000
T1569System Servicesn/a043512
T1569.001System ServicesLaunchctl10001
T1569.002System ServicesService Execution4403552
T1570Lateral Tool Transfern/a32106
T1571Non-Standard Portn/a03104
T1572Protocol Tunnelingn/a0125320
T1573Encrypted Channeln/a04127
T1573.001Encrypted ChannelSymmetric Cryptography00000
T1573.002Encrypted ChannelAsymmetric Cryptography00000
T1574Hijack Execution Flown/a0891128
T1574.001Hijack Execution FlowDLL Search Order Hijacking1221428
T1574.002Hijack Execution FlowDLL Side-Loading0422549
T1574.004Hijack Execution FlowDylib Hijacking00000
T1574.005Hijack Execution FlowExecutable Installer File Permissions Weakness01001
T1574.006Hijack Execution FlowDynamic Linker Hijacking02316
T1574.007Hijack Execution FlowPath Interception by PATH Environment Variable11305
T1574.008Hijack Execution FlowPath Interception by Search Order Hijacking11002
T1574.009Hijack Execution FlowPath Interception by Unquoted Path20013
T1574.010Hijack Execution FlowServices File Permissions Weakness20103
T1574.011Hijack Execution FlowServices Registry Permissions Weakness490215
T1574.012Hijack Execution FlowCOR_PROFILER02002
T1574.013Hijack Execution FlowKernelCallbackTable00000
T1578Modify Cloud Compute Infrastructuren/a01203
T1578.001Modify Cloud Compute InfrastructureCreate Snapshot00000
T1578.002Modify Cloud Compute InfrastructureCreate Cloud Instance00000
T1578.003Modify Cloud Compute InfrastructureDelete Cloud Instance01001
T1578.004Modify Cloud Compute InfrastructureRevert Cloud Instance00101
T1580Cloud Infrastructure Discoveryn/a00022
T1583Acquire Infrastructuren/a00000
T1583.001Acquire InfrastructureDomains00000
T1583.002Acquire InfrastructureDNS Server00000
T1583.003Acquire InfrastructureVirtual Private Server00000
T1583.004Acquire InfrastructureServer00000
T1583.005Acquire InfrastructureBotnet00000
T1583.006Acquire InfrastructureWeb Services00000
T1584Compromise Infrastructuren/a02002
T1584.001Compromise InfrastructureDomains00000
T1584.002Compromise InfrastructureDNS Server00000
T1584.003Compromise InfrastructureVirtual Private Server00000
T1584.004Compromise InfrastructureServer00000
T1584.005Compromise InfrastructureBotnet00000
T1584.006Compromise InfrastructureWeb Services00000
T1585Establish Accountsn/a00000
T1585.001Establish AccountsSocial Media Accounts00000
T1585.002Establish AccountsEmail Accounts00000
T1586Compromise Accountsn/a0002626
T1586.001Compromise AccountsSocial Media Accounts00000
T1586.002Compromise AccountsEmail Accounts00000
T1587Develop Capabilitiesn/a05005
T1587.001Develop CapabilitiesMalware0100010
T1587.002Develop CapabilitiesCode Signing Certificates00000
T1587.003Develop CapabilitiesDigital Certificates00022
T1587.004Develop CapabilitiesExploits00000
T1588Obtain Capabilitiesn/a02103
T1588.001Obtain CapabilitiesMalware01001
T1588.002Obtain CapabilitiesTool07029
T1588.003Obtain CapabilitiesCode Signing Certificates00000
T1588.004Obtain CapabilitiesDigital Certificates00022
T1588.005Obtain CapabilitiesExploits00000
T1588.006Obtain CapabilitiesVulnerabilities00000
T1589Gather Victim Identity Informationn/a01023
T1589.001Gather Victim Identity InformationCredentials00011
T1589.002Gather Victim Identity InformationEmail Addresses00011
T1589.003Gather Victim Identity InformationEmployee Names00000
T1590Gather Victim Network Informationn/a02024
T1590.001Gather Victim Network InformationDomain Properties00000
T1590.002Gather Victim Network InformationDNS00000
T1590.003Gather Victim Network InformationNetwork Trust Dependencies00000
T1590.004Gather Victim Network InformationNetwork Topology00000
T1590.005Gather Victim Network InformationIP Addresses00022
T1590.006Gather Victim Network InformationNetwork Security Appliances00000
T1591Gather Victim Org Informationn/a00000
T1591.001Gather Victim Org InformationDetermine Physical Locations00000
T1591.002Gather Victim Org InformationBusiness Relationships00000
T1591.003Gather Victim Org InformationIdentify Business Tempo00000
T1591.004Gather Victim Org InformationIdentify Roles00000
T1592Gather Victim Host Informationn/a01056
T1592.001Gather Victim Host InformationHardware00011
T1592.002Gather Victim Host InformationSoftware00000
T1592.003Gather Victim Host InformationFirmware00000
T1592.004Gather Victim Host InformationClient Configurations03003
T1593Search Open Websites/Domainsn/a00000
T1593.001Search Open Websites/DomainsSocial Media00000
T1593.002Search Open Websites/DomainsSearch Engines00000
T1594Search Victim-Owned Websitesn/a00000
T1595Active Scanningn/a00011
T1595.001Active ScanningScanning IP Blocks00000
T1595.002Active ScanningVulnerability Scanning01001
T1595.003Active ScanningWordlist Scanning00000
T1596Search Open Technical Databasesn/a00000
T1596.001Search Open Technical DatabasesDNS/Passive DNS00000
T1596.002Search Open Technical DatabasesWHOIS00000
T1596.003Search Open Technical DatabasesDigital Certificates00000
T1596.004Search Open Technical DatabasesCDNs00000
T1596.005Search Open Technical DatabasesScan Databases00000
T1597Search Closed Sourcesn/a00000
T1597.001Search Closed SourcesThreat Intel Vendors00000
T1597.002Search Closed SourcesPurchase Technical Data00000
T1598Phishing for Informationn/a00000
T1598.001Phishing for InformationSpearphishing Service00000
T1598.002Phishing for InformationSpearphishing Attachment00000
T1598.003Phishing for InformationSpearphishing Link00000
T1599Network Boundary Bridgingn/a00000
T1599.001Network Boundary BridgingNetwork Address Translation Traversal01001
T1600Weaken Encryptionn/a00000
T1600.001Weaken EncryptionReduce Key Space00000
T1600.002Weaken EncryptionDisable Crypto Hardware00000
T1601Modify System Imagen/a00000
T1601.001Modify System ImagePatch System Image00000
T1601.002Modify System ImageDowngrade System Image00000
T1602Data from Configuration Repositoryn/a00000
T1602.001Data from Configuration RepositorySNMP (MIB Dump)00000
T1602.002Data from Configuration RepositoryNetwork Device Configuration Dump00000
T1606Forge Web Credentialsn/a00000
T1606.001Forge Web CredentialsWeb Cookies00000
T1606.002Forge Web CredentialsSAML Tokens10001
T1608Stage Capabilitiesn/a01001
T1608.001Stage CapabilitiesUpload Malware00000
T1608.002Stage CapabilitiesUpload Tool00000
T1608.003Stage CapabilitiesInstall Digital Certificate00000
T1608.004Stage CapabilitiesDrive-by Target00000
T1608.005Stage CapabilitiesLink Target00000
T1609Container Administration Commandn/a00101
T1610Deploy Containern/a00606
T1611Escape to Hostn/a00606
T1612Build Image on Hostn/a00000
T1613Container and Resource Discoveryn/a00202
T1614System Location Discoveryn/a00101
T1614.001System Location DiscoverySystem Language Discovery01001
T1615Group Policy Discoveryn/a04004
T1619Cloud Storage Object Discoveryn/a00000
T1620Reflective Code Loadingn/a01001
T1621Multi-Factor Authentication Request Generationn/a00077
T1622Debugger Evasionn/a00000
T1647Plist File Modificationn/a00213
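Review bot: the technique list in this table stops at T1647 (Plist File Modification) and the T1070 row is still named "Indicator Removal on Host", which matches an older ATT&CK release than the January 08, 2024 generation date suggests. Later IDs such as T1648 (Serverless Execution) are absent, and deprecated entries such as T1064 (Scripting) and T1043 (Commonly Used Port) are still listed with all-zero counts. Since every row is being rewritten anyway, regenerate the page against the current ATT&CK release, or state the ATT&CK version next to the "Generated on" line so readers do not take a missing row for zero coverage.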
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Technique IDTechnique NameSub-technique Name# CAR# Sigma# ES# Splunk# Total
T1001Data Obfuscationn/a00000
T1001.001Data ObfuscationJunk Data00000
T1001.002Data ObfuscationSteganography00000
T1001.003Data ObfuscationProtocol Impersonation03014
T1003OS Credential Dumpingn/a023343693
T1003.001OS Credential DumpingLSASS Memory5751014104
T1003.002OS Credential DumpingSecurity Account Manager1285943
T1003.003OS Credential DumpingNTDS2191830
T1003.004OS Credential DumpingLSA Secrets0121013
T1003.005OS Credential DumpingCached Domain Credentials08019
T1003.006OS Credential DumpingDCSync08008
T1003.007OS Credential DumpingProc Filesystem00000
T1003.008OS Credential Dumping/etc/passwd and /etc/shadow00112
T1005Data from Local Systemn/a072110
T1006Direct Volume Accessn/a01102
T1007System Service Discoveryn/a23005
T1008Fallback Channelsn/a02002
T1010Application Window Discoveryn/a11002
T1011Exfiltration Over Other Network Mediumn/a00000
T1011.001Exfiltration Over Other Network MediumExfiltration Over Bluetooth00000
T1012Query Registryn/a3101216
T1014Rootkitn/a01034
T1016System Network Configuration Discoveryn/a283417
T1016.001System Network Configuration DiscoveryInternet Connection Discovery00011
T1018Remote System Discoveryn/a11541838
T1020Automated Exfiltrationn/a051612
T1020.001Automated ExfiltrationTraffic Duplication00011
T1021Remote Servicesn/a13342462
T1021.001Remote ServicesRemote Desktop Protocol3141927
T1021.002Remote ServicesSMB/Windows Admin Shares5336549
T1021.003Remote ServicesDistributed Component Object Model190515
T1021.004Remote ServicesSSH01124
T1021.005Remote ServicesVNC01001
T1021.006Remote ServicesWindows Remote Management390618
T1025Data from Removable Median/a00000
T1026Multiband Communicationn/a00000
T1027Obfuscated Files or Informationn/a0837898
T1027.001Obfuscated Files or InformationBinary Padding03003
T1027.002Obfuscated Files or InformationSoftware Packing01001
T1027.003Obfuscated Files or InformationSteganography05005
T1027.004Obfuscated Files or InformationCompile After Delivery05218
T1027.005Obfuscated Files or InformationIndicator Removal from Tools04026
T1027.006Obfuscated Files or InformationHTML Smuggling00101
T1029Scheduled Transfern/a10001
T1030Data Transfer Size Limitsn/a02002
T1033System Owner/User Discoveryn/a22541041
T1034Path Interceptionn/a00000
T1036Masqueradingn/a127162771
T1036.001MasqueradingInvalid Code Signature00000
T1036.002MasqueradingRight-to-Left Override00000
T1036.003MasqueradingRename System Utilities12122246
T1036.004MasqueradingMasquerade Task or Service02013
T1036.005MasqueradingMatch Legitimate Name or Location191112
T1036.006MasqueradingSpace after Filename01102
T1036.007MasqueradingDouble File Extension02103
T1037Boot or Logon Initialization Scriptsn/a00527
T1037.001Boot or Logon Initialization ScriptsLogon Script (Windows)22015
T1037.002Boot or Logon Initialization ScriptsLogin Hook00000
T1037.003Boot or Logon Initialization ScriptsNetwork Logon Script00000
T1037.004Boot or Logon Initialization ScriptsRC Scripts00213
T1037.005Boot or Logon Initialization ScriptsStartup Items01001
T1039Data from Network Shared Driven/a12014
T1040Network Sniffingn/a182112
T1041Exfiltration Over C2 Channeln/a03014
T1043Commonly Used Portn/a00000
T1046Network Service Discoveryn/a2111014
T1047Windows Management Instrumentationn/a34051462
T1048Exfiltration Over Alternative Protocoln/a076922
T1048.001Exfiltration Over Alternative ProtocolExfiltration Over Symmetric Encrypted Non-C2 Protocol01001
T1048.002Exfiltration Over Alternative ProtocolExfiltration Over Asymmetric Encrypted Non-C2 Protocol00000
T1048.003Exfiltration Over Alternative ProtocolExfiltration Over Unencrypted Non-C2 Protocol0140923
T1049System Network Connections Discoveryn/a181616
T1051Shared Webrootn/a00000
T1052Exfiltration Over Physical Mediumn/a00000
T1052.001Exfiltration Over Physical MediumExfiltration over USB00000
T1053Scheduled Task/Jobn/a011192858
T1053.002Scheduled Task/JobAt380314
T1053.003Scheduled Task/JobCron065617
T1053.004Scheduled Task/JobLaunchd00000
T1053.005Scheduled Task/JobScheduled Task63891568
T1053.006Scheduled Task/JobSystemd Timers00033
T1053.007Scheduled Task/JobContainer Orchestration Job00000
T1055Process Injectionn/a023132662
T1055.001Process InjectionDynamic-link Library Injection280414
T1055.002Process InjectionPortable Executable Injection00022
T1055.003Process InjectionThread Execution Hijacking02002
T1055.004Process InjectionAsynchronous Procedure Call00000
T1055.005Process InjectionThread Local Storage00000
T1055.008Process InjectionPtrace System Calls00000
T1055.009Process InjectionProc Memory00000
T1055.011Process InjectionExtra Window Memory Injection00000
T1055.012Process InjectionProcess Hollowing12205
T1055.013Process InjectionProcess Doppelgänging00000
T1055.014Process InjectionVDSO Hijacking00000
T1055.015Process InjectionListPlanting00000
T1056Input Capturen/a00213
T1056.001Input CaptureKeylogging02002
T1056.002Input CaptureGUI Input Capture03115
T1056.003Input CaptureWeb Portal Capture00000
T1056.004Input CaptureCredential API Hooking00000
T1057Process Discoveryn/a25209
T1059Command and Scripting Interpretern/a1516457173
T1059.001Command and Scripting InterpreterPowerShell3181732223
T1059.002Command and Scripting InterpreterAppleScript02204
T1059.003Command and Scripting InterpreterWindows Command Shell2210932
T1059.004Command and Scripting InterpreterUnix Shell0818329
T1059.005Command and Scripting InterpreterVisual Basic1180423
T1059.006Command and Scripting InterpreterPython02204
T1059.007Command and Scripting InterpreterJavaScript0133420
T1059.008Command and Scripting InterpreterNetwork Device CLI00000
T1061Graphical User Interfacen/a00000
T1062Hypervisorn/a00000
T1064Scriptingn/a00000
T1068Exploitation for Privilege Escalationn/a125181054
T1069Permission Groups Discoveryn/a0152531
T1069.001Permission Groups DiscoveryLocal Groups31411129
T1069.002Permission Groups DiscoveryDomain Groups31021833
T1069.003Permission Groups DiscoveryCloud Groups00011
T1070Indicator Removal on Hostn/a013142350
T1070.001Indicator Removal on HostClear Windows Event Logs283619
T1070.002Indicator Removal on HostClear Linux or Mac System Logs03104
T1070.003Indicator Removal on HostClear Command History172010
T1070.004Indicator Removal on HostFile Deletion01241228
T1070.005Indicator Removal on HostNetwork Share Connection Removal13015
T1070.006Indicator Removal on HostTimestomp05106
T1071Application Layer Protocoln/a06111027
T1071.001Application Layer ProtocolWeb Protocols0293234
T1071.002Application Layer ProtocolFile Transfer Protocols00011
T1071.003Application Layer ProtocolMail Protocols00033
T1071.004Application Layer ProtocolDNS0170421
T1072Software Deployment Toolsn/a03025
T1074Data Stagedn/a02215
T1074.001Data StagedLocal Data Staging04004
T1074.002Data StagedRemote Data Staging00101
T1078Valid Accountsn/a0424051133
T1078.001Valid AccountsDefault Accounts012811
T1078.002Valid AccountsDomain Accounts512614
T1078.003Valid AccountsLocal Accounts515213
T1078.004Valid AccountsCloud Accounts0312832
T1080Taint Shared Contentn/a00202
T1082System Information Discoveryn/a2147528
T1083File and Directory Discoveryn/a0122115
T1087Account Discoveryn/a01242743
T1087.001Account DiscoveryLocal Account21101124
T1087.002Account DiscoveryDomain Account21511937
T1087.003Account DiscoveryEmail Account00000
T1087.004Account DiscoveryCloud Account01001
T1090Proxyn/a0111315
T1090.001ProxyInternal Proxy03003
T1090.002ProxyExternal Proxy01001
T1090.003ProxyMulti-hop Proxy02103
T1090.004ProxyDomain Fronting00000
T1091Replication Through Removable Median/a01001
T1092Communication Through Removable Median/a00000
T1095Non-Application Layer Protocoln/a04127
T1098Account Manipulationn/a122351068
T1098.001Account ManipulationAdditional Cloud Credentials00011
T1098.002Account ManipulationAdditional Email Delegate Permissions00202
T1098.003Account ManipulationAdditional Cloud Roles01326
T1098.004Account ManipulationSSH Authorized Keys00134
T1098.005Account ManipulationDevice Registration00000
T1102Web Servicen/a03126
T1102.001Web ServiceDead Drop Resolver03003
T1102.002Web ServiceBidirectional Communication02002
T1102.003Web ServiceOne-Way Communication02002
T1104Multi-Stage Channelsn/a01001
T1105Ingress Tool Transfern/a44792383
T1106Native APIn/a0126018
T1108Redundant Accessn/a00000
T1110Brute Forcen/a010192554
T1110.001Brute ForcePassword Guessing036312
T1110.002Brute ForcePassword Cracking01001
T1110.003Brute ForcePassword Spraying0861529
T1110.004Brute ForceCredential Stuffing00055
T1111Multi-Factor Authentication Interceptionn/a00101
T1112Modify Registryn/a862525100
T1113Screen Capturen/a061310
T1114Email Collectionn/a043815
T1114.001Email CollectionLocal Email Collection01023
T1114.002Email CollectionRemote Email Collection00134
T1114.003Email CollectionEmail Forwarding Rule00123
T1115Clipboard Datan/a06028
T1119Automated Collectionn/a05005
T1120Peripheral Device Discoveryn/a02103
T1123Audio Capturen/a06107
T1124System Time Discoveryn/a03014
T1125Video Capturen/a01001
T1127Trusted Developer Utilities Proxy Executionn/a0178934
T1127.001Trusted Developer Utilities Proxy ExecutionMSBuild113611
T1129Shared Modulesn/a00101
T1132Data Encodingn/a00000
T1132.001Data EncodingStandard Encoding01001
T1132.002Data EncodingNon-Standard Encoding00000
T1133External Remote Servicesn/a075012
T1134Access Token Manipulationn/a0012517
T1134.001Access Token ManipulationToken Impersonation/Theft071311
T1134.002Access Token ManipulationCreate Process with Token05319
T1134.003Access Token ManipulationMake and Impersonate Token01102
T1134.004Access Token ManipulationParent PID Spoofing01214
T1134.005Access Token ManipulationSID-History Injection01001
T1135Network Share Discoveryn/a073010
T1136Create Accountn/a0171422
T1136.001Create AccountLocal Account1122520
T1136.002Create AccountDomain Account02002
T1136.003Create AccountCloud Account0221014
T1137Office Application Startupn/a06208
T1137.001Office Application StartupOffice Template Macros00000
T1137.002Office Application StartupOffice Test01001
T1137.003Office Application StartupOutlook Forms01001
T1137.004Office Application StartupOutlook Home Page00000
T1137.005Office Application StartupOutlook Rules00000
T1137.006Office Application StartupAdd-ins03003
T1140Deobfuscate/Decode Files or Informationn/a1136222
T1149LC_MAIN Hijackingn/a00000
T1153Sourcen/a00000
T1175Component Object Model and Distributed COMn/a00000
T1176Browser Extensionsn/a01001
T1185Browser Session Hijackingn/a01001
T1187Forced Authenticationn/a13015
T1189Drive-by Compromisen/a02158
T1190Exploit Public-Facing Applicationn/a0741531120
T1195Supply Chain Compromisen/a01438
T1195.001Supply Chain CompromiseCompromise Software Dependencies and Development Tools01023
T1195.002Supply Chain CompromiseCompromise Software Supply Chain00415
T1195.003Supply Chain CompromiseCompromise Hardware Supply Chain00000
T1197BITS Jobsn/a2161625
T1199Trusted Relationshipn/a01023
T1200Hardware Additionsn/a02057
T1201Password Policy Discoveryn/a040711
T1202Indirect Command Executionn/a0280432
T1203Exploitation for Client Executionn/a0212427
T1204User Executionn/a0871530
T1204.001User ExecutionMalicious Link02013
T1204.002User ExecutionMalicious File1263434
T1204.003User ExecutionMalicious Image00077
T1205Traffic Signalingn/a00000
T1205.001Traffic SignalingPort Knocking00000
T1207Rogue Domain Controllern/a01001
T1210Exploitation of Remote Servicesn/a081312
T1211Exploitation for Defense Evasionn/a03104
T1212Exploitation for Credential Accessn/a081211
T1213Data from Information Repositoriesn/a00011
T1213.001Data from Information RepositoriesConfluence00000
T1213.002Data from Information RepositoriesSharepoint00000
T1213.003Data from Information RepositoriesCode Repositories00000
T1216System Script Proxy Executionn/a0170118
T1216.001System Script Proxy ExecutionPubPrn02002
T1217Browser Bookmark Discoveryn/a03003
T1218System Binary Proxy Executionn/a0941870182
T1218.001System Binary Proxy ExecutionCompiled HTML File151815
T1218.002System Binary Proxy ExecutionControl Panel01113
T1218.003System Binary Proxy ExecutionCMSTP170311
T1218.004System Binary Proxy ExecutionInstallUtil001910
T1218.005System Binary Proxy ExecutionMshta0841224
T1218.007System Binary Proxy ExecutionMsiexec090918
T1218.008System Binary Proxy ExecutionOdbcconf01045
T1218.009System Binary Proxy ExecutionRegsvcs/Regasm01168
T1218.010System Binary Proxy ExecutionRegsvr322162626
T1218.011System Binary Proxy ExecutionRundll3213231652
T1218.012System Binary Proxy ExecutionVerclsid00011
T1218.013System Binary Proxy ExecutionMavinject02013
T1218.014System Binary Proxy ExecutionMMC00033
T1219Remote Access Softwaren/a0283334
T1220XSL Script Processingn/a03328
T1221Template Injectionn/a01001
T1222File and Directory Permissions Modificationn/a0041115
T1222.001File and Directory Permissions ModificationWindows File and Directory Permissions Modification14027
T1222.002File and Directory Permissions ModificationLinux and Mac File and Directory Permissions Modification14117
T1480Execution Guardrailsn/a00000
T1480.001Execution GuardrailsEnvironmental Keying00000
T1482Domain Trust Discoveryn/a01321126
T1484Domain Policy Modificationn/a02428
T1484.001Domain Policy ModificationGroup Policy Modification02002
T1484.002Domain Policy ModificationDomain Trust Modification00123
T1485Data Destructionn/a01081937
T1486Data Encrypted for Impactn/a0101718
T1489Service Stopn/a0761427
T1490Inhibit System Recoveryn/a21861238
T1491Defacementn/a00022
T1491.001DefacementInternal Defacement02002
T1491.002DefacementExternal Defacement00000
T1495Firmware Corruptionn/a01001
T1496Resource Hijackingn/a04105
T1497Virtualization/Sandbox Evasionn/a00112
T1497.001Virtualization/Sandbox EvasionSystem Checks01001
T1497.002Virtualization/Sandbox EvasionUser Activity Based Checks00000
T1497.003Virtualization/Sandbox EvasionTime Based Evasion00011
T1498Network Denial of Servicen/a00178
T1498.001Network Denial of ServiceDirect Network Flood00000
T1498.002Network Denial of ServiceReflection Amplification00011
T1499Endpoint Denial of Servicen/a01113
T1499.001Endpoint Denial of ServiceOS Exhaustion Flood01001
T1499.002Endpoint Denial of ServiceService Exhaustion Flood00000
T1499.003Endpoint Denial of ServiceApplication Exhaustion Flood00000
T1499.004Endpoint Denial of ServiceApplication or System Exploitation03003
T1505Server Software Componentn/a012710
T1505.001Server Software ComponentSQL Stored Procedures00000
T1505.002Server Software ComponentTransport Agent03003
T1505.003Server Software ComponentWeb Shell1272737
T1505.004Server Software ComponentIIS Components00000
T1505.005Server Software ComponentTerminal Services DLL01001
T1518Software Discoveryn/a02305
T1518.001Software DiscoverySecurity Software Discovery14207
T1525Implant Internal Imagen/a01001
T1526Cloud Service Discoveryn/a021710
T1528Steal Application Access Tokenn/a0103013
T1529System Shutdown/Rebootn/a06039
T1530Data from Cloud Storage Objectn/a005611
T1531Account Access Removaln/a039416
T1534Internal Spearphishingn/a00000
T1535Unused/Unsupported Cloud Regionsn/a00088
T1537Transfer Data to Cloud Accountn/a046212
T1538Cloud Service Dashboardn/a00000
T1539Steal Web Session Cookien/a02305
T1542Pre-OS Bootn/a00011
T1542.001Pre-OS BootSystem Firmware02002
T1542.002Pre-OS BootComponent Firmware00000
T1542.003Pre-OS BootBootkit01001
T1542.004Pre-OS BootROMMONkit00000
T1542.005Pre-OS BootTFTP Boot00011
T1543Create or Modify System Processn/a09281653
T1543.001Create or Modify System ProcessLaunch Agent00325
T1543.002Create or Modify System ProcessSystemd Service02103
T1543.003Create or Modify System ProcessWindows Service640101470
T1543.004Create or Modify System ProcessLaunch Daemon00000
T1546Event Triggered Executionn/a09151539
T1546.001Event Triggered ExecutionChange Default File Association13037
T1546.002Event Triggered ExecutionScreensaver14117
T1546.003Event Triggered ExecutionWindows Management Instrumentation Event Subscription1121317
T1546.004Event Triggered ExecutionUnix Shell Configuration Modification01124
T1546.005Event Triggered ExecutionTrap00000
T1546.006Event Triggered ExecutionLC_LOAD_DYLIB Addition00000
T1546.007Event Triggered ExecutionNetsh Helper DLL02002
T1546.008Event Triggered ExecutionAccessibility Features371112
T1546.009Event Triggered ExecutionAppCert DLLs02103
T1546.010Event Triggered ExecutionAppInit DLLs21104
T1546.011Event Triggered ExecutionApplication Shimming02237
T1546.012Event Triggered ExecutionImage File Execution Options Injection02125
T1546.013Event Triggered ExecutionPowerShell Profile03104
T1546.014Event Triggered ExecutionEmond01203
T1546.015Event Triggered ExecutionComponent Object Model Hijacking191415
T1547Boot or Logon Autostart Executionn/a06241646
T1547.001Boot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder4319246
T1547.002Boot or Logon Autostart ExecutionAuthentication Package01203
T1547.003Boot or Logon Autostart ExecutionTime Providers01113
T1547.004Boot or Logon Autostart ExecutionWinlogon Helper DLL23005
T1547.005Boot or Logon Autostart ExecutionSecurity Support Provider01113
T1547.006Boot or Logon Autostart ExecutionKernel Modules and Extensions01438
T1547.007Boot or Logon Autostart ExecutionRe-opened Applications00000
T1547.008Boot or Logon Autostart ExecutionLSASS Driver01012
T1547.009Boot or Logon Autostart ExecutionShortcut Modification04004
T1547.010Boot or Logon Autostart ExecutionPort Monitors14117
T1547.012Boot or Logon Autostart ExecutionPrint Processors00077
T1547.013Boot or Logon Autostart ExecutionXDG Autostart Entries00000
T1547.014Boot or Logon Autostart ExecutionActive Setup01012
T1547.015Boot or Logon Autostart ExecutionLogin Items00000
T1548Abuse Elevation Control Mechanismn/a117235192
T1548.001Abuse Elevation Control MechanismSetuid and Setgid01236
T1548.002Abuse Elevation Control MechanismBypass User Account Control348111375
T1548.003Abuse Elevation Control MechanismSudo and Sudo Caching0243238
T1548.004Abuse Elevation Control MechanismElevated Execution with Prompt00101
T1550Use Alternate Authentication Materialn/a036918
T1550.001Use Alternate Authentication MaterialApplication Access Token03508
T1550.002Use Alternate Authentication MaterialPass the Hash15039
T1550.003Use Alternate Authentication MaterialPass the Ticket03137
T1550.004Use Alternate Authentication MaterialWeb Session Cookie00000
T1552Unsecured Credentialsn/a057517
T1552.001Unsecured CredentialsCredentials In Files1142118
T1552.002Unsecured CredentialsCredentials in Registry13037
T1552.003Unsecured CredentialsBash History03003
T1552.004Unsecured CredentialsPrivate Keys05117
T1552.005Unsecured CredentialsCloud Instance Metadata API00000
T1552.006Unsecured CredentialsGroup Policy Preferences04004
T1552.007Unsecured CredentialsContainer API02002
T1553Subvert Trust Controlsn/a02529
T1553.001Subvert Trust ControlsGatekeeper Bypass01001
T1553.002Subvert Trust ControlsCode Signing01102
T1553.003Subvert Trust ControlsSIP and Trust Provider Hijacking01102
T1553.004Subvert Trust ControlsInstall Root Certificate152210
T1553.005Subvert Trust ControlsMark-of-the-Web Bypass03003
T1553.006Subvert Trust ControlsCode Signing Policy Modification00000
T1554Compromise Client Software Binaryn/a03227
T1555Credentials from Password Storesn/a049417
T1555.001Credentials from Password StoresKeychain01405
T1555.002Credentials from Password StoresSecurityd Memory00000
T1555.003Credentials from Password StoresCredentials from Web Browsers02237
T1555.004Credentials from Password StoresWindows Credential Manager04206
T1555.005Credentials from Password StoresPassword Managers01012
T1556Modify Authentication Processn/a029516
T1556.001Modify Authentication ProcessDomain Controller Authentication00000
T1556.002Modify Authentication ProcessPassword Filter DLL03003
T1556.003Modify Authentication ProcessPluggable Authentication Modules00000
T1556.004Modify Authentication ProcessNetwork Device Authentication00000
T1556.005Modify Authentication ProcessReversible Encryption00000
T1557Adversary-in-the-Middlen/a01045
T1557.001Adversary-in-the-MiddleLLMNR/NBT-NS Poisoning and SMB Relay07007
T1557.002Adversary-in-the-MiddleARP Cache Poisoning00033
T1557.003Adversary-in-the-MiddleDHCP Spoofing00000
T1558Steal or Forge Kerberos Ticketsn/a0391830
T1558.001Steal or Forge Kerberos TicketsGolden Ticket00011
T1558.002Steal or Forge Kerberos TicketsSilver Ticket00000
T1558.003Steal or Forge Kerberos TicketsKerberoasting0111820
T1558.004Steal or Forge Kerberos TicketsAS-REP Roasting00077
T1559Inter-Process Communicationn/a01203
T1559.001Inter-Process CommunicationComponent Object Model04116
T1559.002Inter-Process CommunicationDynamic Data Exchange11002
T1559.003Inter-Process CommunicationXPC Services00000
T1560Archive Collected Datan/a022610
T1560.001Archive Collected DataArchive via Utility1122621
T1560.002Archive Collected DataArchive via Library00000
T1560.003Archive Collected DataArchive via Custom Method00000
T1561Disk Wipen/a00022
T1561.001Disk WipeDisk Content Wipe01001
T1561.002Disk WipeDisk Structure Wipe01023
T1562Impair Defensesn/a0177762156
T1562.001Impair DefensesDisable or Modify Tools3743945161
T1562.002Impair DefensesDisable Windows Event Logging1122015
T1562.003Impair DefensesImpair Command History Logging00000
T1562.004Impair DefensesDisable or Modify System Firewall0134522
T1562.006Impair DefensesIndicator Blocking243110
T1562.007Impair DefensesDisable or Modify Cloud Firewall00369
T1562.008Impair DefensesDisable Cloud Logs00066
T1562.009Impair DefensesSafe Mode Boot00000
T1562.010Impair DefensesDowngrade Attack01001
T1563Remote Service Session Hijackingn/a00000
T1563.001Remote Service Session HijackingSSH Hijacking00000
T1563.002Remote Service Session HijackingRDP Hijacking02002
T1564Hide Artifactsn/a067114
T1564.001Hide ArtifactsHidden Files and Directories085215
T1564.002Hide ArtifactsHidden Users04004
T1564.003Hide ArtifactsHidden Window02002
T1564.004Hide ArtifactsNTFS File Attributes2192023
T1564.005Hide ArtifactsHidden File System00000
T1564.006Hide ArtifactsRun Virtual Instance02002
T1564.007Hide ArtifactsVBA Stomping00000
T1564.008Hide ArtifactsEmail Hiding Rules00000
T1564.009Hide ArtifactsResource Forking00000
T1564.010Hide ArtifactsProcess Argument Spoofing00000
T1565Data Manipulationn/a03306
T1565.001Data ManipulationStored Data Manipulation03306
T1565.002Data ManipulationTransmitted Data Manipulation01001
T1565.003Data ManipulationRuntime Data Manipulation00000
T1566Phishingn/a09173359
T1566.001PhishingSpearphishing Attachment015112955
T1566.002PhishingSpearphishing Link018110
T1566.003PhishingSpearphishing via Service00011
T1567Exfiltration Over Web Servicen/a071210
T1567.001Exfiltration Over Web ServiceExfiltration to Code Repository03003
T1567.002Exfiltration Over Web ServiceExfiltration to Cloud Storage07018
T1568Dynamic Resolutionn/a01304
T1568.001Dynamic ResolutionFast Flux DNS00000
T1568.002Dynamic ResolutionDomain Generation Algorithms02316
T1568.003Dynamic ResolutionDNS Calculation00000
T1569System Servicesn/a043512
T1569.001System ServicesLaunchctl10001
T1569.002System ServicesService Execution4403552
T1570Lateral Tool Transfern/a32106
T1571Non-Standard Portn/a03104
T1572Protocol Tunnelingn/a0125320
T1573Encrypted Channeln/a04127
T1573.001Encrypted ChannelSymmetric Cryptography00000
T1573.002Encrypted ChannelAsymmetric Cryptography00000
T1574Hijack Execution Flown/a0891128
T1574.001Hijack Execution FlowDLL Search Order Hijacking1221428
T1574.002Hijack Execution FlowDLL Side-Loading0422549
T1574.004Hijack Execution FlowDylib Hijacking00000
T1574.005Hijack Execution FlowExecutable Installer File Permissions Weakness01001
T1574.006Hijack Execution FlowDynamic Linker Hijacking02316
T1574.007Hijack Execution FlowPath Interception by PATH Environment Variable11305
T1574.008Hijack Execution FlowPath Interception by Search Order Hijacking11002
T1574.009Hijack Execution FlowPath Interception by Unquoted Path20013
T1574.010Hijack Execution FlowServices File Permissions Weakness20103
T1574.011Hijack Execution FlowServices Registry Permissions Weakness490215
T1574.012Hijack Execution FlowCOR_PROFILER02002
T1574.013Hijack Execution FlowKernelCallbackTable00000
T1578Modify Cloud Compute Infrastructuren/a01203
T1578.001Modify Cloud Compute InfrastructureCreate Snapshot00000
T1578.002Modify Cloud Compute InfrastructureCreate Cloud Instance00000
T1578.003Modify Cloud Compute InfrastructureDelete Cloud Instance01001
T1578.004Modify Cloud Compute InfrastructureRevert Cloud Instance00101
T1580Cloud Infrastructure Discoveryn/a00022
T1583Acquire Infrastructuren/a00000
T1583.001Acquire InfrastructureDomains00000
T1583.002Acquire InfrastructureDNS Server00000
T1583.003Acquire InfrastructureVirtual Private Server00000
T1583.004Acquire InfrastructureServer00000
T1583.005Acquire InfrastructureBotnet00000
T1583.006Acquire InfrastructureWeb Services00000
T1584Compromise Infrastructuren/a02002
T1584.001Compromise InfrastructureDomains00000
T1584.002Compromise InfrastructureDNS Server00000
T1584.003Compromise InfrastructureVirtual Private Server00000
T1584.004Compromise InfrastructureServer00000
T1584.005Compromise InfrastructureBotnet00000
T1584.006Compromise InfrastructureWeb Services00000
T1585Establish Accountsn/a00000
T1585.001Establish AccountsSocial Media Accounts00000
T1585.002Establish AccountsEmail Accounts00000
T1586Compromise Accountsn/a0002626
T1586.001Compromise AccountsSocial Media Accounts00000
T1586.002Compromise AccountsEmail Accounts00000
T1587Develop Capabilitiesn/a05005
T1587.001Develop CapabilitiesMalware0100010
T1587.002Develop CapabilitiesCode Signing Certificates00000
T1587.003Develop CapabilitiesDigital Certificates00022
T1587.004Develop CapabilitiesExploits00000
T1588Obtain Capabilitiesn/a02103
T1588.001Obtain CapabilitiesMalware01001
T1588.002Obtain CapabilitiesTool07029
T1588.003Obtain CapabilitiesCode Signing Certificates00000
T1588.004Obtain CapabilitiesDigital Certificates00022
T1588.005Obtain CapabilitiesExploits00000
T1588.006Obtain CapabilitiesVulnerabilities00000
T1589Gather Victim Identity Informationn/a01023
T1589.001Gather Victim Identity InformationCredentials00011
T1589.002Gather Victim Identity InformationEmail Addresses00011
T1589.003Gather Victim Identity InformationEmployee Names00000
T1590Gather Victim Network Informationn/a02024
T1590.001Gather Victim Network InformationDomain Properties00000
T1590.002Gather Victim Network InformationDNS00000
T1590.003Gather Victim Network InformationNetwork Trust Dependencies00000
T1590.004Gather Victim Network InformationNetwork Topology00000
T1590.005Gather Victim Network InformationIP Addresses00022
T1590.006Gather Victim Network InformationNetwork Security Appliances00000
T1591Gather Victim Org Informationn/a00000
T1591.001Gather Victim Org InformationDetermine Physical Locations00000
T1591.002Gather Victim Org InformationBusiness Relationships00000
T1591.003Gather Victim Org InformationIdentify Business Tempo00000
T1591.004Gather Victim Org InformationIdentify Roles00000
T1592Gather Victim Host Informationn/a01056
T1592.001Gather Victim Host InformationHardware00011
T1592.002Gather Victim Host InformationSoftware00000
T1592.003Gather Victim Host InformationFirmware00000
T1592.004Gather Victim Host InformationClient Configurations03003
T1593Search Open Websites/Domainsn/a00000
T1593.001Search Open Websites/DomainsSocial Media00000
T1593.002Search Open Websites/DomainsSearch Engines00000
T1594Search Victim-Owned Websitesn/a00000
T1595Active Scanningn/a00011
T1595.001Active ScanningScanning IP Blocks00000
T1595.002Active ScanningVulnerability Scanning01001
T1595.003Active ScanningWordlist Scanning00000
T1596Search Open Technical Databasesn/a00000
T1596.001Search Open Technical DatabasesDNS/Passive DNS00000
T1596.002Search Open Technical DatabasesWHOIS00000
T1596.003Search Open Technical DatabasesDigital Certificates00000
T1596.004Search Open Technical DatabasesCDNs00000
T1596.005Search Open Technical DatabasesScan Databases00000
T1597Search Closed Sourcesn/a00000
T1597.001Search Closed SourcesThreat Intel Vendors00000
T1597.002Search Closed SourcesPurchase Technical Data00000
T1598Phishing for Informationn/a00000
T1598.001Phishing for InformationSpearphishing Service00000
T1598.002Phishing for InformationSpearphishing Attachment00000
T1598.003Phishing for InformationSpearphishing Link00000
T1599Network Boundary Bridgingn/a00000
T1599.001Network Boundary BridgingNetwork Address Translation Traversal01001
T1600Weaken Encryptionn/a00000
T1600.001Weaken EncryptionReduce Key Space00000
T1600.002Weaken EncryptionDisable Crypto Hardware00000
T1601Modify System Imagen/a00000
T1601.001Modify System ImagePatch System Image00000
T1601.002Modify System ImageDowngrade System Image00000
T1602Data from Configuration Repositoryn/a00000
T1602.001Data from Configuration RepositorySNMP (MIB Dump)00000
T1602.002Data from Configuration RepositoryNetwork Device Configuration Dump00000
T1606Forge Web Credentialsn/a00000
T1606.001Forge Web CredentialsWeb Cookies00000
T1606.002Forge Web CredentialsSAML Tokens10001
T1608Stage Capabilitiesn/a01001
T1608.001Stage CapabilitiesUpload Malware00000
T1608.002Stage CapabilitiesUpload Tool00000
T1608.003Stage CapabilitiesInstall Digital Certificate00000
T1608.004Stage CapabilitiesDrive-by Target00000
T1608.005Stage CapabilitiesLink Target00000
T1609Container Administration Commandn/a00101
T1610Deploy Containern/a00606
T1611Escape to Hostn/a00606
T1612Build Image on Hostn/a00000
T1613Container and Resource Discoveryn/a00202
T1614System Location Discoveryn/a00101
T1614.001System Location DiscoverySystem Language Discovery01001
T1615Group Policy Discoveryn/a04004
T1619Cloud Storage Object Discoveryn/a00000
T1620Reflective Code Loadingn/a01001
T1621Multi-Factor Authentication Request Generationn/a00077
T1622Debugger Evasionn/a00000
T1647Plist File Modificationn/a00213
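Review bot: The single hunk `@@ -1,5921 +1,5922 @@` rewrites every line of the coverage table, including all the rows above, so a reviewer cannot confirm by eye that none of the CAR/Sigma/ES/Splunk counts changed along with the indentation. The hunk header and the diffstat (5914 insertions, 5913 deletions) also show that the new file is one line longer than the old one, which the commit message "spacing issue fixed" does not account for. Please confirm with `git show -w` on this commit that the counts are untouched and that the extra line is the only non-whitespace difference, and name that line in the commit message. Since the page is labelled "Generated on: January 08, 2024", the leading-space fix should also go into whatever produces index.md, otherwise the next regeneration will bring the indentation back.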