threatengine.sh
All ATT&CK techniques
697 results
technique
Data Obfuscation
T1001
technique
Junk Data
T1001.001
technique
Steganography
T1001.002
technique
Protocol or Service Impersonation
T1001.003
technique
OS Credential Dumping
T1003
technique
LSASS Memory
T1003.001
technique
Security Account Manager
T1003.002
technique
NTDS
T1003.003
technique
LSA Secrets
T1003.004
technique
Cached Domain Credentials
T1003.005
technique
DCSync
T1003.006
technique
Proc Filesystem
T1003.007
technique
/etc/passwd and /etc/shadow
T1003.008
technique
Data from Local System
T1005
technique
Direct Volume Access
T1006
technique
System Service Discovery
T1007
technique
Fallback Channels
T1008
technique
Application Window Discovery
T1010
technique
Exfiltration Over Other Network Medium
T1011
technique
Exfiltration Over Bluetooth
T1011.001
technique
Query Registry
T1012
technique
Rootkit
T1014
technique
System Network Configuration Discovery
T1016
technique
Internet Connection Discovery
T1016.001
technique
Wi-Fi Discovery
T1016.002
technique
Remote System Discovery
T1018
technique
Automated Exfiltration
T1020
technique
Traffic Duplication
T1020.001
technique
Remote Services
T1021
technique
Remote Desktop Protocol
T1021.001
technique
SMB/Windows Admin Shares
T1021.002
technique
Distributed Component Object Model
T1021.003
technique
SSH
T1021.004
technique
VNC
T1021.005
technique
Windows Remote Management
T1021.006
technique
Cloud Services
T1021.007
technique
Direct Cloud VM Connections
T1021.008
technique
Data from Removable Media
T1025
technique
Obfuscated Files or Information
T1027
technique
Binary Padding
T1027.001
technique
Software Packing
T1027.002
technique
Steganography
T1027.003
technique
Compile After Delivery
T1027.004
technique
Indicator Removal from Tools
T1027.005
technique
HTML Smuggling
T1027.006
technique
Dynamic API Resolution
T1027.007
technique
Stripped Payloads
T1027.008
technique
Embedded Payloads
T1027.009
technique
Command Obfuscation
T1027.010
technique
Fileless Storage
T1027.011
technique
LNK Icon Smuggling
T1027.012
technique
Encrypted/Encoded File
T1027.013
technique
Polymorphic Code
T1027.014
technique
Compression
T1027.015
technique
Junk Code Insertion
T1027.016
technique
SVG Smuggling
T1027.017
technique
Invisible Unicode
T1027.018
technique
Scheduled Transfer
T1029
technique
Data Transfer Size Limits
T1030
technique
System Owner/User Discovery
T1033
technique
Masquerading
T1036
technique
Invalid Code Signature
T1036.001
technique
Right-to-Left Override
T1036.002
technique
Rename Legitimate Utilities
T1036.003
technique
Masquerade Task or Service
T1036.004
technique
Match Legitimate Resource Name or Location
T1036.005
technique
Space after Filename
T1036.006
technique
Double File Extension
T1036.007
technique
Masquerade File Type
T1036.008
technique
Break Process Trees
T1036.009
technique
Masquerade Account Name
T1036.010
technique
Overwrite Process Arguments
T1036.011
technique
Browser Fingerprint
T1036.012
technique
Boot or Logon Initialization Scripts
T1037
technique
Logon Script (Windows)
T1037.001
technique
Login Hook
T1037.002
technique
Network Logon Script
T1037.003
technique
RC Scripts
T1037.004
technique
Startup Items
T1037.005
technique
Data from Network Shared Drive
T1039
technique
Network Sniffing
T1040
technique
Exfiltration Over C2 Channel
T1041
technique
Network Service Discovery
T1046
technique
Windows Management Instrumentation
T1047
technique
Exfiltration Over Alternative Protocol
T1048
technique
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1048.001
technique
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.002
technique
Exfiltration Over Unencrypted Non-C2 Protocol
T1048.003
technique
System Network Connections Discovery
T1049
technique
Exfiltration Over Physical Medium
T1052
technique
Exfiltration over USB
T1052.001
technique
Scheduled Task/Job
T1053
technique
At
T1053.002
technique
Cron
T1053.003
technique
Scheduled Task
T1053.005
technique
Systemd Timers
T1053.006
technique
Container Orchestration Job
T1053.007
technique
Process Injection
T1055
technique
Dynamic-link Library Injection
T1055.001
technique
Portable Executable Injection
T1055.002
technique
Thread Execution Hijacking
T1055.003
technique
Asynchronous Procedure Call
T1055.004
technique
Thread Local Storage
T1055.005
technique
Ptrace System Calls
T1055.008
technique
Proc Memory
T1055.009
technique
Extra Window Memory Injection
T1055.011
technique
Process Hollowing
T1055.012
technique
Process Doppelgänging
T1055.013
technique
VDSO Hijacking
T1055.014
technique
ListPlanting
T1055.015
technique
Input Capture
T1056
technique
Keylogging
T1056.001
technique
GUI Input Capture
T1056.002
technique
Web Portal Capture
T1056.003
technique
Credential API Hooking
T1056.004
technique
Process Discovery
T1057
technique
Command and Scripting Interpreter
T1059
technique
PowerShell
T1059.001
technique
AppleScript
T1059.002
technique
Windows Command Shell
T1059.003
technique
Unix Shell
T1059.004
technique
Visual Basic
T1059.005
technique
Python
T1059.006
technique
JavaScript
T1059.007
technique
Network Device CLI
T1059.008
technique
Cloud API
T1059.009
technique
AutoHotKey & AutoIT
T1059.010
technique
Lua
T1059.011
technique
Hypervisor CLI
T1059.012
technique
Container CLI/API
T1059.013
technique
Exploitation for Privilege Escalation
T1068
technique
Permission Groups Discovery
T1069
technique
Local Groups
T1069.001
technique
Domain Groups
T1069.002
technique
Cloud Groups
T1069.003
technique
Indicator Removal
T1070
technique
Clear Command History
T1070.003
technique
File Deletion
T1070.004
technique
Network Share Connection Removal
T1070.005
technique
Timestomp
T1070.006
technique
Clear Network Connection History and Configurations
T1070.007
technique
Clear Mailbox Data
T1070.008
technique
Clear Persistence
T1070.009
technique
Relocate Malware
T1070.010
technique
Application Layer Protocol
T1071
technique
Web Protocols
T1071.001
technique
File Transfer Protocols
T1071.002
technique
Mail Protocols
T1071.003
technique
DNS
T1071.004
technique
Publish/Subscribe Protocols
T1071.005
technique
Software Deployment Tools
T1072
technique
Data Staged
T1074
technique
Local Data Staging
T1074.001
technique
Remote Data Staging
T1074.002
technique
Valid Accounts
T1078
technique
Default Accounts
T1078.001
technique
Domain Accounts
T1078.002
technique
Local Accounts
T1078.003
technique
Cloud Accounts
T1078.004
technique
Taint Shared Content
T1080
technique
System Information Discovery
T1082
technique
File and Directory Discovery
T1083
technique
Account Discovery
T1087
technique
Local Account
T1087.001
technique
Domain Account
T1087.002
technique
Email Account
T1087.003
technique
Cloud Account
T1087.004
technique
Proxy
T1090
technique
Internal Proxy
T1090.001
technique
External Proxy
T1090.002
technique
Multi-hop Proxy
T1090.003
technique
Domain Fronting
T1090.004
technique
Replication Through Removable Media
T1091
technique
Communication Through Removable Media
T1092
technique
Non-Application Layer Protocol
T1095
technique
Account Manipulation
T1098
technique
Additional Cloud Credentials
T1098.001
technique
Additional Email Delegate Permissions
T1098.002
technique
Additional Cloud Roles
T1098.003
technique
SSH Authorized Keys
T1098.004
technique
Device Registration
T1098.005
technique
Additional Container Cluster Roles
T1098.006
technique
Additional Local or Domain Groups
T1098.007
technique
Web Service
T1102
technique
Dead Drop Resolver
T1102.001
technique
Bidirectional Communication
T1102.002
technique
One-Way Communication
T1102.003
technique
Multi-Stage Channels
T1104
technique
Ingress Tool Transfer
T1105
technique
Native API
T1106
technique
Brute Force
T1110
technique
Password Guessing
T1110.001
technique
Password Cracking
T1110.002
technique
Password Spraying
T1110.003
technique
Credential Stuffing
T1110.004
technique
Multi-Factor Authentication Interception
T1111
technique
Modify Registry
T1112
technique
Screen Capture
T1113
technique
Email Collection
T1114
technique
Local Email Collection
T1114.001
technique
Remote Email Collection
T1114.002
technique
Email Forwarding Rule
T1114.003
technique
Clipboard Data
T1115
technique
Automated Collection
T1119
technique
Peripheral Device Discovery
T1120
technique
Audio Capture
T1123
technique
System Time Discovery
T1124
technique
Video Capture
T1125
technique
Trusted Developer Utilities Proxy Execution
T1127
technique
MSBuild
T1127.001
technique
ClickOnce
T1127.002
technique
JamPlus
T1127.003
technique
Shared Modules
T1129
technique
Data Encoding
T1132
technique
Standard Encoding
T1132.001
technique
Non-Standard Encoding
T1132.002
technique
External Remote Services
T1133
technique
Access Token Manipulation
T1134
technique
Token Impersonation/Theft
T1134.001
technique
Create Process with Token
T1134.002
technique
Make and Impersonate Token
T1134.003
technique
Parent PID Spoofing
T1134.004
technique
SID-History Injection
T1134.005
technique
Network Share Discovery
T1135
technique
Create Account
T1136
technique
Local Account
T1136.001
technique
Domain Account
T1136.002
technique
Cloud Account
T1136.003
technique
Office Application Startup
T1137
technique
Office Template Macros
T1137.001
technique
Office Test
T1137.002
technique
Outlook Forms
T1137.003
technique
Outlook Home Page
T1137.004
technique
Outlook Rules
T1137.005
technique
Add-ins
T1137.006
technique
Deobfuscate/Decode Files or Information
T1140
technique
Software Extensions
T1176
technique
Browser Extensions
T1176.001
technique
IDE Extensions
T1176.002
technique
Browser Session Hijacking
T1185
technique
Forced Authentication
T1187
technique
Drive-by Compromise
T1189
technique
Exploit Public-Facing Application
T1190
technique
Supply Chain Compromise
T1195
technique
Compromise Software Dependencies and Development Tools
T1195.001
technique
Compromise Software Supply Chain
T1195.002
technique
Compromise Hardware Supply Chain
T1195.003
technique
BITS Jobs
T1197
technique
Trusted Relationship
T1199
technique
Hardware Additions
T1200
technique
Password Policy Discovery
T1201
technique
Indirect Command Execution
T1202
technique
Exploitation for Client Execution
T1203
technique
User Execution
T1204
technique
Malicious Link
T1204.001
technique
Malicious File
T1204.002
technique
Malicious Image
T1204.003
technique
Malicious Copy and Paste
T1204.004
technique
Malicious Library
T1204.005
technique
Traffic Signaling
T1205
technique
Port Knocking
T1205.001
technique
Socket Filters
T1205.002
technique
Rogue Domain Controller
T1207
technique
Exploitation of Remote Services
T1210
technique
Exploitation for Stealth
T1211
technique
Exploitation for Credential Access
T1212
technique
Data from Information Repositories
T1213
technique
Confluence
T1213.001
technique
Sharepoint
T1213.002
technique
Code Repositories
T1213.003
technique
Customer Relationship Management Software
T1213.004
technique
Messaging Applications
T1213.005
technique
Databases
T1213.006
technique
System Script Proxy Execution
T1216
technique
PubPrn
T1216.001
technique
SyncAppvPublishingServer
T1216.002
technique
Browser Information Discovery
T1217
technique
System Binary Proxy Execution
T1218
technique
Compiled HTML File
T1218.001
technique
Control Panel
T1218.002
technique
CMSTP
T1218.003
technique
InstallUtil
T1218.004
technique
Mshta
T1218.005
technique
Msiexec
T1218.007
technique
Odbcconf
T1218.008
technique
Regsvcs/Regasm
T1218.009
technique
Regsvr32
T1218.010
technique
Rundll32
T1218.011
technique
Verclsid
T1218.012
technique
Mavinject
T1218.013
technique
MMC
T1218.014
technique
Electron Applications
T1218.015
technique
Remote Access Tools
T1219
technique
IDE Tunneling
T1219.001
technique
Remote Desktop Software
T1219.002
technique
Remote Access Hardware
T1219.003
technique
XSL Script Processing
T1220
technique
Template Injection
T1221
technique
File and Directory Permissions Modification
T1222
technique
Windows Permissions
T1222.001
technique
Linux and Mac Permissions
T1222.002
technique
Execution Guardrails
T1480
technique
Environmental Keying
T1480.001
technique
Mutual Exclusion
T1480.002
technique
Domain Trust Discovery
T1482
technique
Domain or Tenant Policy Modification
T1484
technique
Group Policy Modification
T1484.001
technique
Trust Modification
T1484.002
technique
Data Destruction
T1485
technique
Lifecycle-Triggered Deletion
T1485.001
technique
Data Encrypted for Impact
T1486
technique
Service Stop
T1489
technique
Inhibit System Recovery
T1490
technique
Defacement
T1491
technique
Internal Defacement
T1491.001
technique
External Defacement
T1491.002
technique
Firmware Corruption
T1495
technique
Resource Hijacking
T1496
technique
Compute Hijacking
T1496.001
technique
Bandwidth Hijacking
T1496.002
technique
SMS Pumping
T1496.003
technique
Cloud Service Hijacking
T1496.004
technique
Virtualization/Sandbox Evasion
T1497
technique
System Checks
T1497.001
technique
User Activity Based Checks
T1497.002
technique
Time Based Checks
T1497.003
technique
Network Denial of Service
T1498
technique
Direct Network Flood
T1498.001
technique
Reflection Amplification
T1498.002
technique
Endpoint Denial of Service
T1499
technique
OS Exhaustion Flood
T1499.001
technique
Service Exhaustion Flood
T1499.002
technique
Application Exhaustion Flood
T1499.003
technique
Application or System Exploitation
T1499.004
technique
Server Software Component
T1505
technique
SQL Stored Procedures
T1505.001
technique
Transport Agent
T1505.002
technique
Web Shell
T1505.003
technique
IIS Components
T1505.004
technique
Terminal Services DLL
T1505.005
technique
vSphere Installation Bundles
T1505.006
technique
Software Discovery
T1518
technique
Security Software Discovery
T1518.001
technique
Backup Software Discovery
T1518.002
technique
Implant Internal Image
T1525
technique
Cloud Service Discovery
T1526
technique
Steal Application Access Token
T1528
technique
System Shutdown/Reboot
T1529
technique
Data from Cloud Storage
T1530
technique
Account Access Removal
T1531
technique
Internal Spearphishing
T1534
technique
Unused/Unsupported Cloud Regions
T1535
technique
Transfer Data to Cloud Account
T1537
technique
Cloud Service Dashboard
T1538
technique
Steal Web Session Cookie
T1539
technique
Pre-OS Boot
T1542
technique
System Firmware
T1542.001
technique
Component Firmware
T1542.002
technique
Bootkit
T1542.003
technique
ROMMONkit
T1542.004
technique
TFTP Boot
T1542.005
technique
Create or Modify System Process
T1543
technique
Launch Agent
T1543.001
technique
Systemd Service
T1543.002
technique
Windows Service
T1543.003
technique
Launch Daemon
T1543.004
technique
Container Service
T1543.005
technique
Event Triggered Execution
T1546
technique
Change Default File Association
T1546.001
technique
Screensaver
T1546.002
technique
Windows Management Instrumentation Event Subscription
T1546.003
technique
Unix Shell Configuration Modification
T1546.004
technique
Trap
T1546.005
technique
LC_LOAD_DYLIB Addition
T1546.006
technique
Netsh Helper DLL
T1546.007
technique
Accessibility Features
T1546.008
technique
AppCert DLLs
T1546.009
technique
AppInit DLLs
T1546.010
technique
Application Shimming
T1546.011
technique
Image File Execution Options Injection
T1546.012
technique
PowerShell Profile
T1546.013
technique
Emond
T1546.014
technique
Component Object Model Hijacking
T1546.015
technique
Installer Packages
T1546.016
technique
Udev Rules
T1546.017
technique
Python Startup Hooks
T1546.018
technique
Boot or Logon Autostart Execution
T1547
technique
Registry Run Keys / Startup Folder
T1547.001
technique
Authentication Package
T1547.002
technique
Time Providers
T1547.003
technique
Winlogon Helper DLL
T1547.004
technique
Security Support Provider
T1547.005
technique
Kernel Modules and Extensions
T1547.006
technique
Re-opened Applications
T1547.007
technique
LSASS Driver
T1547.008
technique
Shortcut Modification
T1547.009
technique
Port Monitors
T1547.010
technique
Print Processors
T1547.012
technique
XDG Autostart Entries
T1547.013
technique
Active Setup
T1547.014
technique
Login Items
T1547.015
technique
Abuse Elevation Control Mechanism
T1548
technique
Setuid and Setgid
T1548.001
technique
Bypass User Account Control
T1548.002
technique
Sudo and Sudo Caching
T1548.003
technique
Elevated Execution with Prompt
T1548.004
technique
Temporary Elevated Cloud Access
T1548.005
technique
TCC Manipulation
T1548.006
technique
Use Alternate Authentication Material
T1550
technique
Application Access Token
T1550.001
technique
Pass the Hash
T1550.002
technique
Pass the Ticket
T1550.003
technique
Web Session Cookie
T1550.004
technique
Unsecured Credentials
T1552
technique
Credentials In Files
T1552.001
technique
Credentials in Registry
T1552.002
technique
Shell History
T1552.003
technique
Private Keys
T1552.004
technique
Cloud Instance Metadata API
T1552.005
technique
Group Policy Preferences
T1552.006
technique
Container API
T1552.007
technique
Chat Messages
T1552.008
technique
Subvert Trust Controls
T1553
technique
Gatekeeper Bypass
T1553.001
technique
Code Signing
T1553.002
technique
SIP and Trust Provider Hijacking
T1553.003
technique
Install Root Certificate
T1553.004
technique
Mark-of-the-Web Bypass
T1553.005
technique
Code Signing Policy Modification
T1553.006
technique
Compromise Host Software Binary
T1554
technique
Credentials from Password Stores
T1555
technique
Keychain
T1555.001
technique
Securityd Memory
T1555.002
technique
Credentials from Web Browsers
T1555.003
technique
Windows Credential Manager
T1555.004
technique
Password Managers
T1555.005
technique
Cloud Secrets Management Stores
T1555.006
technique
Modify Authentication Process
T1556
technique
Domain Controller Authentication
T1556.001
technique
Password Filter DLL
T1556.002
technique
Pluggable Authentication Modules
T1556.003
technique
Network Device Authentication
T1556.004
technique
Reversible Encryption
T1556.005
technique
Multi-Factor Authentication
T1556.006
technique
Hybrid Identity
T1556.007
technique
Network Provider DLL
T1556.008
technique
Conditional Access Policies
T1556.009
technique
Adversary-in-the-Middle
T1557
technique
Name Resolution Poisoning and SMB Relay
T1557.001
technique
ARP Cache Poisoning
T1557.002
technique
DHCP Spoofing
T1557.003
technique
Evil Twin
T1557.004
technique
Steal or Forge Kerberos Tickets
T1558
technique
Golden Ticket
T1558.001
technique
Silver Ticket
T1558.002
technique
Kerberoasting
T1558.003
technique
AS-REP Roasting
T1558.004
technique
Ccache Files
T1558.005
technique
Inter-Process Communication
T1559
technique
Component Object Model
T1559.001
technique
Dynamic Data Exchange
T1559.002
technique
XPC Services
T1559.003
technique
Archive Collected Data
T1560
technique
Archive via Utility
T1560.001
technique
Archive via Library
T1560.002
technique
Archive via Custom Method
T1560.003
technique
Disk Wipe
T1561
technique
Disk Content Wipe
T1561.001
technique
Disk Structure Wipe
T1561.002
technique
Remote Service Session Hijacking
T1563
technique
SSH Hijacking
T1563.001
technique
RDP Hijacking
T1563.002
technique
Hide Artifacts
T1564
technique
Hidden Files and Directories
T1564.001
technique
Hidden Users
T1564.002
technique
Hidden Window
T1564.003
technique
NTFS File Attributes
T1564.004
technique
Hidden File System
T1564.005
technique
Run Virtual Instance
T1564.006
technique
VBA Stomping
T1564.007
technique
Email Hiding Rules
T1564.008
technique
Resource Forking
T1564.009
technique
Process Argument Spoofing
T1564.010
technique
Ignore Process Interrupts
T1564.011
technique
File/Path Exclusions
T1564.012
technique
Bind Mounts
T1564.013
technique
Extended Attributes
T1564.014
technique
Data Manipulation
T1565
technique
Stored Data Manipulation
T1565.001
technique
Transmitted Data Manipulation
T1565.002
technique
Runtime Data Manipulation
T1565.003
technique
Phishing
T1566
technique
Spearphishing Attachment
T1566.001
technique
Spearphishing Link
T1566.002
technique
Spearphishing via Service
T1566.003
technique
Spearphishing Voice
T1566.004
technique
Exfiltration Over Web Service
T1567
technique
Exfiltration to Code Repository
T1567.001
technique
Exfiltration to Cloud Storage
T1567.002
technique
Exfiltration to Text Storage Sites
T1567.003
technique
Exfiltration Over Webhook
T1567.004
technique
Dynamic Resolution
T1568
technique
Fast Flux DNS
T1568.001
technique
Domain Generation Algorithms
T1568.002
technique
DNS Calculation
T1568.003
technique
System Services
T1569
technique
Launchctl
T1569.001
technique
Service Execution
T1569.002
technique
Systemctl
T1569.003
technique
Lateral Tool Transfer
T1570
technique
Non-Standard Port
T1571
technique
Protocol Tunneling
T1572
technique
Encrypted Channel
T1573
technique
Symmetric Cryptography
T1573.001
technique
Asymmetric Cryptography
T1573.002
technique
Hijack Execution Flow
T1574
technique
DLL
T1574.001
technique
Dylib Hijacking
T1574.004
technique
Executable Installer File Permissions Weakness
T1574.005
technique
Dynamic Linker Hijacking
T1574.006
technique
Path Interception by PATH Environment Variable
T1574.007
technique
Path Interception by Search Order Hijacking
T1574.008
technique
Path Interception by Unquoted Path
T1574.009
technique
Services File Permissions Weakness
T1574.010
technique
Services Registry Permissions Weakness
T1574.011
technique
COR_PROFILER
T1574.012
technique
KernelCallbackTable
T1574.013
technique
AppDomainManager
T1574.014
technique
Modify Cloud Compute Infrastructure
T1578
technique
Create Snapshot
T1578.001
technique
Create Cloud Instance
T1578.002
technique
Delete Cloud Instance
T1578.003
technique
Revert Cloud Instance
T1578.004
technique
Modify Cloud Compute Configurations
T1578.005
technique
Cloud Infrastructure Discovery
T1580
technique
Acquire Infrastructure
T1583
technique
Domains
T1583.001
technique
DNS Server
T1583.002
technique
Virtual Private Server
T1583.003
technique
Server
T1583.004
technique
Botnet
T1583.005
technique
Web Services
T1583.006
technique
Serverless
T1583.007
technique
Malvertising
T1583.008
technique
Compromise Infrastructure
T1584
technique
Domains
T1584.001
technique
DNS Server
T1584.002
technique
Virtual Private Server
T1584.003
technique
Server
T1584.004
technique
Botnet
T1584.005
technique
Web Services
T1584.006
technique
Serverless
T1584.007
technique
Network Devices
T1584.008
technique
Establish Accounts
T1585
technique
Social Media Accounts
T1585.001
technique
Email Accounts
T1585.002
technique
Cloud Accounts
T1585.003
technique
Compromise Accounts
T1586
technique
Social Media Accounts
T1586.001
technique
Email Accounts
T1586.002
technique
Cloud Accounts
T1586.003
technique
Develop Capabilities
T1587
technique
Malware
T1587.001
technique
Code Signing Certificates
T1587.002
technique
Digital Certificates
T1587.003
technique
Exploits
T1587.004
technique
Obtain Capabilities
T1588
technique
Malware
T1588.001
technique
Tool
T1588.002
technique
Code Signing Certificates
T1588.003
technique
Digital Certificates
T1588.004
technique
Exploits
T1588.005
technique
Vulnerabilities
T1588.006
technique
Artificial Intelligence
T1588.007
technique
Gather Victim Identity Information
T1589
technique
Credentials
T1589.001
technique
Email Addresses
T1589.002
technique
Employee Names
T1589.003
technique
Gather Victim Network Information
T1590
technique
Domain Properties
T1590.001
technique
DNS
T1590.002
technique
Network Trust Dependencies
T1590.003
technique
Network Topology
T1590.004
technique
IP Addresses
T1590.005
technique
Network Security Appliances
T1590.006
technique
Gather Victim Org Information
T1591
technique
Determine Physical Locations
T1591.001
technique
Business Relationships
T1591.002
technique
Identify Business Tempo
T1591.003
technique
Identify Roles
T1591.004
technique
Gather Victim Host Information
T1592
technique
Hardware
T1592.001
technique
Software
T1592.002
technique
Firmware
T1592.003
technique
Client Configurations
T1592.004
technique
Search Open Websites/Domains
T1593
technique
Social Media
T1593.001
technique
Search Engines
T1593.002
technique
Code Repositories
T1593.003
technique
Search Victim-Owned Websites
T1594
technique
Active Scanning
T1595
technique
Scanning IP Blocks
T1595.001
technique
Vulnerability Scanning
T1595.002
technique
Wordlist Scanning
T1595.003
technique
Search Open Technical Databases
T1596
technique
DNS/Passive DNS
T1596.001
technique
WHOIS
T1596.002
technique
Digital Certificates
T1596.003
technique
CDNs
T1596.004
technique
Scan Databases
T1596.005
technique
Search Closed Sources
T1597
technique
Threat Intel Vendors
T1597.001
technique
Purchase Technical Data
T1597.002
technique
Phishing for Information
T1598
technique
Spearphishing Service
T1598.001
technique
Spearphishing Attachment
T1598.002
technique
Spearphishing Link
T1598.003
technique
Spearphishing Voice
T1598.004
technique
Network Boundary Bridging
T1599
technique
Network Address Translation Traversal
T1599.001
technique
Weaken Encryption
T1600
technique
Reduce Key Space
T1600.001
technique
Disable Crypto Hardware
T1600.002
technique
Modify System Image
T1601
technique
Patch System Image
T1601.001
technique
Downgrade System Image
T1601.002
technique
Data from Configuration Repository
T1602
technique
SNMP (MIB Dump)
T1602.001
technique
Network Device Configuration Dump
T1602.002
technique
Forge Web Credentials
T1606
technique
Web Cookies
T1606.001
technique
SAML Tokens
T1606.002
technique
Stage Capabilities
T1608
technique
Upload Malware
T1608.001
technique
Upload Tool
T1608.002
technique
Install Digital Certificate
T1608.003
technique
Drive-by Target
T1608.004
technique
Link Target
T1608.005
technique
SEO Poisoning
T1608.006
technique
Container Administration Command
T1609
technique
Deploy Container
T1610
technique
Escape to Host
T1611
technique
Build Image on Host
T1612
technique
Container and Resource Discovery
T1613
technique
System Location Discovery
T1614
technique
System Language Discovery
T1614.001
technique
Group Policy Discovery
T1615
technique
Cloud Storage Object Discovery
T1619
technique
Reflective Code Loading
T1620
technique
Multi-Factor Authentication Request Generation
T1621
technique
Debugger Evasion
T1622
technique
Plist File Modification
T1647
technique
Serverless Execution
T1648
technique
Steal or Forge Authentication Certificates
T1649
technique
Acquire Access
T1650
technique
Cloud Administration Command
T1651
technique
Device Driver Discovery
T1652
technique
Power Settings
T1653
technique
Log Enumeration
T1654
technique
Financial Theft
T1657
technique
Content Injection
T1659
technique
Hide Infrastructure
T1665
technique
Modify Cloud Resource Hierarchy
T1666
technique
Email Bombing
T1667
technique
Exclusive Control
T1668
technique
Wi-Fi Networks
T1669
technique
Cloud Application Integration
T1671
technique
Virtual Machine Discovery
T1673
technique
Input Injection
T1674
technique
ESXi Administration Command
T1675
technique
Poisoned Pipeline Execution
T1677
technique
Delay Execution
T1678
technique
Selective Exclusion
T1679
technique
Local Storage Discovery
T1680
technique
Search Threat Vendor Data
T1681
technique
Query Public AI Services
T1682
technique
Generate Content
T1683
technique
Written Content
T1683.001
technique
Audio-Visual Content
T1683.002
technique
Social Engineering
T1684
technique
Impersonation
T1684.001
technique
Email Spoofing
T1684.002
technique
Disable or Modify Tools
T1685
technique
Disable or Modify Windows Event Log
T1685.001
technique
Disable or Modify Cloud Log
T1685.002
technique
Modify or Spoof Tool UI
T1685.003
technique
Disable or Modify Linux Audit System Log
T1685.004
technique
Clear Windows Event Logs
T1685.005
technique
Clear Linux or Mac System Logs
T1685.006
technique
Disable or Modify System Firewall
T1686
technique
Cloud Firewall
T1686.001
technique
Network Device Firewall
T1686.002
technique
Windows Host Firewall
T1686.003
technique
Exploitation for Defense Impairment
T1687
technique
Safe Mode Boot
T1688
technique
Downgrade Attack
T1689
technique
Prevent Command History Logging
T1690
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin