| T1611 |
Escape to Host |
3 |
0 |
| T1595.001 |
Scanning IP Blocks |
1 |
0 |
| T1036.001 |
Invalid Code Signature |
1 |
0 |
| T1543.001 |
Launch Agent |
1 |
0 |
| T1078 |
Valid Accounts |
13 |
4 |
| T1070.006 |
Timestomp |
1 |
0 |
| T1072 |
Software Deployment Tools |
3 |
0 |
| T1584 |
Compromise Infrastructure |
1 |
1 |
| T1610 |
Deploy Container |
5 |
0 |
| T1213.003 |
Code Repositories |
2 |
0 |
| T1195 |
Supply Chain Compromise |
1 |
1 |
| T1570 |
Lateral Tool Transfer |
1 |
0 |
| T1219 |
Remote Access Software |
1 |
0 |
| T1069.003 |
Cloud Groups |
1 |
0 |
| T1078.001 |
Default Accounts |
2 |
0 |
| T1562 |
Impair Defenses |
4 |
5 |
| T1190 |
Exploit Public-Facing Application |
8 |
0 |
| T1136.003 |
Cloud Account |
3 |
0 |
| T1218.005 |
Mshta |
1 |
0 |
| T1562.002 |
Disable Windows Event Logging |
1 |
0 |
| T1569 |
System Services |
1 |
1 |
| T1059 |
Command and Scripting Interpreter |
2 |
3 |
| T1033 |
System Owner/User Discovery |
1 |
0 |
| T1546.006 |
LC_LOAD_DYLIB Addition |
1 |
0 |
| T1484 |
Domain Policy Modification |
2 |
0 |
| T1078.002 |
Domain Accounts |
2 |
0 |
| T1055 |
Process Injection |
1 |
1 |
| T1609 |
Container Administration Command |
2 |
0 |
| T1580 |
Cloud Infrastructure Discovery |
4 |
0 |
| T1136 |
Create Account |
3 |
3 |
| T1189 |
Drive-by Compromise |
1 |
0 |
| T1552 |
Unsecured Credentials |
5 |
4 |
| T1567.002 |
Exfiltration to Cloud Storage |
4 |
0 |
| T1550.001 |
Application Access Token |
2 |
0 |
| T1134 |
Access Token Manipulation |
1 |
1 |
| T1619 |
Cloud Storage Object Discovery |
1 |
0 |
| T1056.004 |
Credential API Hooking |
1 |
0 |
| T1552.001 |
Credentials In Files |
2 |
0 |
| T1542 |
Pre-OS Boot |
3 |
1 |
| T1564.001 |
Hidden Files and Directories |
1 |
0 |
| T1135 |
Network Share Discovery |
1 |
0 |
| T1552.007 |
Container API |
3 |
0 |
| T1041 |
Exfiltration Over C2 Channel |
3 |
0 |
| T1203 |
Exploitation for Client Execution |
3 |
0 |
| T1222 |
File and Directory Permissions Modification |
1 |
0 |
| T1057 |
Process Discovery |
1 |
0 |
| T1048 |
Exfiltration Over Alternative Protocol |
4 |
0 |
| T1566.001 |
Spearphishing Attachment |
2 |
0 |
| T1590 |
Gather Victim Network Information |
2 |
2 |
| T1204 |
User Execution |
1 |
3 |
| T1542.003 |
Bootkit |
1 |
0 |
| T1565.001 |
Stored Data Manipulation |
1 |
0 |
| T1137.001 |
Office Template Macros |
2 |
0 |
| T1602 |
Data from Configuration Repository |
1 |
0 |
| T1211 |
Exploitation for Defense Evasion |
2 |
0 |
| T1106 |
Native API |
1 |
0 |
| T1547.001 |
Registry Run Keys / Startup Folder |
1 |
0 |
| T1546.008 |
Accessibility Features |
1 |
0 |
| T1495 |
Firmware Corruption |
1 |
0 |
| T1059.007 |
JavaScript |
1 |
0 |
| T1071.004 |
DNS |
1 |
0 |
| T1137 |
Office Application Startup |
2 |
2 |
| T1052 |
Exfiltration Over Physical Medium |
1 |
1 |
| T1056.003 |
Web Portal Capture |
1 |
0 |
| T1053.007 |
Container Orchestration Job |
2 |
0 |
| T1595 |
Active Scanning |
2 |
1 |
| T1548 |
Abuse Elevation Control Mechanism |
1 |
1 |
| T1070.001 |
Clear Windows Event Logs |
1 |
0 |
| T1546.001 |
Change Default File Association |
1 |
0 |
| T1037 |
Boot or Logon Initialization Scripts |
1 |
1 |
| T1499 |
Endpoint Denial of Service |
3 |
1 |
| T1218 |
Signed Binary Proxy Execution |
1 |
3 |
| T1195.002 |
Compromise Software Supply Chain |
1 |
0 |
| T1499.003 |
Application Exhaustion Flood |
1 |
0 |
| T1574.007 |
Path Interception by PATH Environment Variable |
1 |
0 |
| T1049 |
System Network Connections Discovery |
1 |
0 |
| T1202 |
Indirect Command Execution |
1 |
0 |
| T1584.002 |
DNS Server |
1 |
0 |
| T1070 |
Indicator Removal on Host |
2 |
4 |
| T1098.001 |
Additional Cloud Credentials |
9 |
0 |
| T1557.002 |
ARP Cache Poisoning |
1 |
0 |
| T1212 |
Exploitation for Credential Access |
5 |
0 |
| T1133 |
External Remote Services |
6 |
0 |
| T1588.003 |
Code Signing Certificates |
3 |
0 |
| T1530 |
Data from Cloud Storage Object |
11 |
0 |
| T1598.003 |
Spearphishing Link |
2 |
0 |
| T1078.004 |
Cloud Accounts |
12 |
0 |
| T1574 |
Hijack Execution Flow |
1 |
1 |
| T1552.005 |
Cloud Instance Metadata API |
1 |
0 |
| T1087.004 |
Cloud Account |
6 |
0 |
| T1114 |
Email Collection |
1 |
0 |
| T1110.002 |
Password Cracking |
3 |
0 |
| T1565.002 |
Transmitted Data Manipulation |
1 |
0 |
| T1204.002 |
Malicious File |
1 |
0 |
| T1564 |
Hide Artifacts |
1 |
1 |
| T1020 |
Automated Exfiltration |
2 |
0 |
| T1213 |
Data from Information Repositories |
1 |
1 |
| T1218.003 |
CMSTP |
1 |
0 |
| T1052.001 |
Exfiltration over USB |
2 |
0 |
| T1498 |
Network Denial of Service |
3 |
0 |
| T1546 |
Event Triggered Execution |
1 |
5 |
| T1070.004 |
File Deletion |
1 |
0 |
| T1110.004 |
Credential Stuffing |
3 |
0 |
| T1003.001 |
LSASS Memory |
1 |
0 |
| T1071 |
Application Layer Protocol |
2 |
2 |
| T1565.003 |
Runtime Data Manipulation |
1 |
0 |
| T1490 |
Inhibit System Recovery |
1 |
0 |
| T1021.004 |
SSH |
2 |
0 |
| T1059.003 |
Windows Command Shell |
1 |
0 |
| T1525 |
Implant Internal Image |
7 |
0 |
| T1550 |
Use Alternate Authentication Material |
1 |
1 |
| T1505 |
Server Software Component |
1 |
2 |
| T1590.004 |
Network Topology |
1 |
0 |
| T1137.006 |
Add-ins |
1 |
0 |
| T1037.003 |
Network Logon Script |
1 |
0 |
| T1588.002 |
Tool |
1 |
0 |
| T1112 |
Modify Registry |
1 |
0 |
| T1590.005 |
IP Addresses |
1 |
0 |
| T1562.008 |
Disable Cloud Logs |
4 |
0 |
| T1589.001 |
Credentials |
1 |
0 |
| T1485 |
Data Destruction |
1 |
0 |
| T1003.003 |
NTDS |
1 |
0 |
| T1537 |
Transfer Data to Cloud Account |
1 |
0 |
| T1486 |
Data Encrypted for Impact |
2 |
0 |
| T1528 |
Steal Application Access Token |
5 |
0 |
| T1105 |
Ingress Tool Transfer |
2 |
0 |
| T1613 |
Container and Resource Discovery |
4 |
0 |
| T1204.003 |
Malicious Image |
3 |
0 |
| T1046 |
Network Service Scanning |
3 |
0 |
| T1561 |
Disk Wipe |
1 |
0 |
| T1505.001 |
SQL Stored Procedures |
1 |
0 |
| T1562.007 |
Disable or Modify Cloud Firewall |
3 |
0 |
| T1547 |
Boot or Logon Autostart Execution |
1 |
1 |
| T1056 |
Input Capture |
1 |
2 |
| T1132.001 |
Standard Encoding |
1 |
0 |
| T1572 |
Protocol Tunneling |
1 |
0 |
| T1014 |
Rootkit |
2 |
0 |
| T1566.002 |
Spearphishing Link |
2 |
0 |
| T1554 |
Compromise Client Software Binary |
1 |
0 |
| T1565 |
Data Manipulation |
2 |
3 |
| T1543 |
Create or Modify System Process |
1 |
3 |
| T1110 |
Brute Force |
7 |
4 |
| T1127 |
Trusted Developer Utilities Proxy Execution |
1 |
1 |
| T1040 |
Network Sniffing |
5 |
0 |
| T1055.002 |
Portable Executable Injection |
1 |
0 |
| T1538 |
Cloud Service Dashboard |
1 |
0 |
| T1546.007 |
Netsh Helper DLL |
1 |
0 |
| T1021 |
Remote Services |
3 |
2 |
| T1127.001 |
MSBuild |
1 |
0 |
| T1562.004 |
Disable or Modify System Firewall |
1 |
0 |
| T1011 |
Exfiltration Over Other Network Medium |
1 |
0 |
| T1136.001 |
Local Account |
2 |
0 |
| T1087 |
Account Discovery |
5 |
2 |
| T1053 |
Scheduled Task/Job |
1 |
2 |
| T1571 |
Non-Standard Port |
1 |
0 |
| T1078.003 |
Local Accounts |
1 |
0 |
| T1018 |
Remote System Discovery |
4 |
0 |
| T1110.001 |
Password Guessing |
3 |
0 |
| T1588 |
Obtain Capabilities |
3 |
3 |
| T1095 |
Non-Application Layer Protocol |
1 |
0 |
| T1543.004 |
Launch Daemon |
1 |
0 |
| T1070.002 |
Clear Linux or Mac System Logs |
1 |
0 |
| T1546.003 |
Windows Management Instrumentation Event Subscription |
1 |
0 |
| T1210 |
Exploitation of Remote Services |
3 |
0 |
| T1560 |
Archive Collected Data |
1 |
0 |
| T1598 |
Phishing for Information |
1 |
1 |
| T1134.005 |
SID-History Injection |
1 |
0 |
| T1505.003 |
Web Shell |
3 |
0 |
| T1136.002 |
Domain Account |
1 |
0 |
| T1205 |
Traffic Signaling |
1 |
0 |
| T1588.004 |
Digital Certificates |
3 |
0 |
| T1053.005 |
Scheduled Task |
1 |
0 |
| T1003 |
OS Credential Dumping |
1 |
2 |
| T1497 |
Virtualization/Sandbox Evasion |
1 |
0 |
| T1090 |
Proxy |
2 |
0 |
| T1543.003 |
Windows Service |
1 |
0 |
| T1601 |
Modify System Image |
1 |
0 |
| T1553 |
Subvert Trust Controls |
2 |
0 |
| T1082 |
System Information Discovery |
1 |
0 |
| T1566 |
Phishing |
5 |
2 |
| T1110.003 |
Password Spraying |
3 |
0 |
| T1204.001 |
Malicious Link |
1 |
0 |
| T1557 |
Adversary-in-the-Middle |
2 |
1 |
| T1548.002 |
Bypass User Account Control |
2 |
0 |
| T1132 |
Data Encoding |
1 |
1 |
| T1491 |
Defacement |
1 |
0 |
| T1027.004 |
Compile After Delivery |
1 |
0 |
| T1071.001 |
Web Protocols |
2 |
0 |
| T1027 |
Obfuscated Files or Information |
1 |
1 |
| T1199 |
Trusted Relationship |
1 |
0 |
| T1098.002 |
Exchange Email Delegate Permissions |
1 |
0 |
| T1098.004 |
SSH Authorized Keys |
1 |
0 |
| T1578 |
Modify Cloud Compute Infrastructure |
3 |
0 |
| T1069 |
Permission Groups Discovery |
1 |
1 |
| T1068 |
Exploitation for Privilege Escalation |
5 |
0 |
| T1098.003 |
Add Office 365 Global Administrator Role |
1 |
0 |
| T1569.002 |
Service Execution |
1 |
0 |
| T1059.004 |
Unix Shell |
1 |
0 |
| T1008 |
Fallback Channels |
1 |
0 |
| T1496 |
Resource Hijacking |
1 |
0 |
| T1612 |
Build Image on Host |
1 |
0 |
| T1087.002 |
Domain Account |
1 |
0 |
| T1036 |
Masquerading |
1 |
2 |
| T1187 |
Forced Authentication |
1 |
0 |
| T1104 |
Multi-Stage Channels |
1 |
0 |
| T1021.002 |
SMB/Windows Admin Shares |
1 |
0 |
| T1036.005 |
Match Legitimate Name or Location |
1 |
0 |
| T1562.001 |
Disable or Modify Tools |
1 |
0 |
| T1555 |
Credentials from Password Stores |
2 |
0 |
| T1567 |
Exfiltration Over Web Service |
4 |
1 |
| T1556 |
Modify Authentication Process |
2 |
0 |
| T1218.010 |
Regsvr32 |
1 |
0 |
| T1016 |
System Network Configuration Discovery |
1 |
0 |
| T1552.004 |
Private Keys |
2 |
0 |
| T1221 |
Template Injection |
1 |
0 |
| T1098 |
Account Manipulation |
8 |
4 |
