TA0001 3
Initial Access
T1078.002Valid Accounts: Domain Accounts
T1190Exploit Public-Facing Application
T1566.001Phishing: Spearphishing Attachment
TA0002 2
Execution
T1047Windows Management Instrumentation
T1059.001Command and Scripting Interpreter: PowerShell
TA0003 2
Persistence
T1136.002Create Account: Domain Account
T1547.001Boot or Logon Autostart Execution: Registry Run Keys
TA0004 1
Privilege Escalation
T1068Exploitation for Privilege Escalation
TA0005 2
Defense Evasion
T1218.011Signed Binary Proxy Execution: Rundll32
T1562.001Disable or Modify Tools
TA0006 2
Credential Access
T1003.001OS Credential Dumping: LSASS Memory
T1003.003OS Credential Dumping: NTDS
TA0007 2
Discovery
T1046Network Service Discovery
T1482Domain Trust Discovery
TA0008 2
Lateral Movement
T1021.001Remote Services: Remote Desktop Protocol
T1021.002Remote Services: SMB/Windows Admin Shares
TA0009 2
Collection
T1005Data from Local System
T1560.001Archive Collected Data: Archive via Utility
TA0010 1
Exfiltration
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
TA0011 2
Command & Control
T1071.001Application Layer Protocol: Web Protocols
T1219Remote Access Software
TA0040 2
Impact
T1486Data Encrypted for Impact
T1490Inhibit System Recovery