TA0001 7
Initial Access
T1078Valid Accounts
T1091Replication Through Removable Media
T1189Drive-by Compromise
T1190Exploit Public-Facing Application
T1566.001Phishing: Spearphishing Attachment
T1566.002Phishing: Spearphishing Link
T1566.003Phishing: Spearphishing Voice
TA0002 12
Execution
T1047Windows Management Instrumentation
T1047Windows Management Instrumentation
T1053.005Scheduled Task/Job: Scheduled Task
T1059Command and Scripting Interpreter
T1059.001Command and Scripting Interpreter: PowerShell
T1059.003Command and Scripting Interpreter: Windows Command Shell
T1059.005Command and Scripting Interpreter: Visual Basic
T1106Native API
T1129Shared Modules
T1203Exploitation for Client Execution
T1204.001User Execution: Malicious Link
T1204.002User Execution: Malicious File
TA0003 9
Persistence
T1078Valid Accounts
T1098Account Manipulation
T1505.004Server Software Component: IIS Components
T1542.003Pre-OS Boot: Bootkit
T1543.003Create or Modify System Process: Windows Service
T1547Boot or Logon Autostart Execution
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.009Boot or Logon Autostart Execution: Shortcut Modification
T1574.001Hijack Execution Flow: DLL Search Order Hijacking
TA0004 3
Privilege Escalation
T1078Valid Accounts
T1134.002Access Token Manipulation: Create Process with Token
T1134.004Access Token Manipulation: Parent PID Spoofing
TA0005 44
Defense Evasion
T1014Rootkit
T1027Obfuscated Files or Information
T1027.002Obfuscated Files or Information: Software Packing
T1027.005Obfuscated Files or Information: Indicator Removal from Tools
T1027.007Obfuscated Files or Information: Dynamic API Resolution
T1027.009Obfuscated Files or Information: Embedded Payloads
T1027.013Obfuscated Files or Information: Encrypted/Encoded File
T1027.016Obfuscated Files or Information: Junk Code Insertion
T1036Masquerading
T1036.003Masquerading: Rename Legitimate Utilities
T1036.004Masquerading: Masquerade Task or Service
T1036.005Masquerading: Match Legitimate Name or Location
T1036.007Masquerading: Double File Extension
T1036.008Masquerading: Masquerade File Type
T1055Process Injection
T1055.001Process Injection: DLL Injection
T1070Indicator Removal
T1070.003Indicator Removal: Clear Command History
T1070.004Indicator Removal: File Deletion
T1070.006Indicator Removal: Timestomp
T1112Modify Registry
T1140Deobfuscate/Decode Files or Information
T1218System Binary Proxy Execution
T1218.004System Binary Proxy Execution: InstallUtil
T1218.005System Binary Proxy Execution: Mshta
T1218.007System Binary Proxy Execution: Msiexec
T1218.010System Binary Proxy Execution: Regsvr32
T1218.011System Binary Proxy Execution: Rundll32
T1218.014System Binary Proxy Execution: MMC
T1220XSL Script Processing
T1221Template Injection
T1222File and Directory Permissions Modification
T1497Virtualization/Sandbox Evasion
T1497.001Virtualization/Sandbox Evasion: System Checks
T1497.003Virtualization/Sandbox Evasion: Time Based Checks
T1553.002Subvert Trust Controls: Code Signing
T1562.001Disable or Modify Tools
T1562.001Impair Defenses: Disable or Modify Tools
T1562.004Impair Defenses: Disable or Modify System Firewall
T1564.001Hidden Artifacts: Hidden Files and Directories
T1574Hijack Execution Flow
T1574.013Hijack Execution Flow: KernelCallbackTable
T1620Reflective DLL Injection
T1622Debugger Evasion
TA0006 7
Credential Access
T1003OS Credential Dumping
T1003.003OS Credential Dumping: NTDS
T1056Input Capture
T1056.001Input Capture: Keylogging
T1110.003Brute Force: Password Spraying
T1555Credentials from Password Stores
T1557.001Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning
TA0007 15
Discovery
T1010Application Window Discovery
T1012Query Registry
T1016System Network Configuration Discovery
T1033System Owner/User Discovery
T1046Network Service Discovery
T1049System Network Connections Discovery
T1057Process Discovery
T1082System Information Discovery
T1083File and Directory Discovery
T1087.002Account Discovery: Domain Account
T1119Automated Collection
T1120Peripheral Device Discovery
T1124Time Discovery
T1482Domain Trust Discovery
T1614.001System Location Discovery: System Language Discovery
TA0008 6
Lateral Movement
T1021Remote Services
T1021.001Remote Services: Remote Desktop Protocol
T1021.002Remote Services: SMB/Windows Admin Shares
T1021.004Remote Services: SSH
T1091Replication Through Removable Media
T1534Internal Spearphishing
TA0009 6
Collection
T1005Data from Local System
T1074Data Staged
T1074.001Data Staged: Local Data Staging
T1560Archive Collected Data
T1560.002Archive Collected Data: Archive via Library
T1560.003Archive Collected Data: Archive via Custom Method
TA0010 5
Exfiltration
T1041Exfiltration Over C2 Channel
T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
T1052.001Exfiltration Over Physical Medium: Exfiltration over USB
T1567.002Exfiltration Over Web Service
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
TA0011 16
Command & Control
T1001.003Data Obfuscation: Protocol or Service Impersonation
T1008Fallback Channels
T1071.001Application Layer Protocol: Web Protocols
T1090Proxy
T1090.001Proxy: Internal Proxy
T1090.002Proxy: External Proxy
T1095Non-Application Layer Protocol
T1102Web Service
T1102.002Web Service: Bidirectional Communication
T1104Multi-Stage Channels
T1105Ingress Tool Transfer
T1132.001Data Encoding: Standard Encoding
T1219.002Remote Access Software: Remote Desktop Software
T1571Non-Standard Port
T1573Encrypted Channel
T1573.001Encrypted Channel: Symmetric Cryptography
TA0040 8
Impact
T1485Data Destruction
T1486Data Encrypted for Impact
T1489Service Stop
T1490Inhibit System Recovery
T1491.001Defacement: Internal Defacement
T1529System Shutdown/Reboot
T1561.001Disk Wipe: Disk Content Wipe
T1561.002Disk Wipe: Disk Structure Wipe