|
T1187
|
Forced Authentication
| 10 |
0 |
|
T1505.002
|
Transport Agent
| 23 |
0 |
|
T1195.003
|
Compromise Hardware Supply Chain
| 11 |
0 |
|
T1555.001
|
Keychain
| 3 |
0 |
|
T1547.008
|
LSASS Driver
| 7 |
0 |
|
T1562.010
|
Downgrade Attack
| 4 |
0 |
|
T1110
|
Brute Force
| 14 |
4 |
|
T1136
|
Create Account
| 15 |
3 |
|
T1574.001
|
DLL Search Order Hijacking
| 9 |
0 |
|
T1095
|
Non-Application Layer Protocol
| 11 |
0 |
|
T1129
|
Shared Modules
| 5 |
0 |
|
T1041
|
Exfiltration Over C2 Channel
| 18 |
0 |
|
T1565.001
|
Stored Data Manipulation
| 23 |
0 |
|
T1564.004
|
NTFS File Attributes
| 6 |
0 |
|
T1021.005
|
VNC
| 23 |
0 |
|
T1053.001
|
At (Linux)
| 9 |
0 |
|
T1563.001
|
SSH Hijacking
| 17 |
0 |
|
T1036.005
|
Match Legitimate Name or Location
| 12 |
0 |
|
T1204.002
|
Malicious File
| 12 |
0 |
|
T1552.003
|
Bash History
| 4 |
0 |
|
T1547.006
|
Kernel Modules and Extensions
| 18 |
0 |
|
T1491
|
Defacement
| 10 |
2 |
|
T1553.004
|
Install Root Certificate
| 6 |
0 |
|
T1564.007
|
VBA Stomping
| 4 |
0 |
|
T1580
|
Cloud Infrastructure Discovery
| 5 |
0 |
|
T1557.001
|
LLMNR/NBT-NS Poisoning and SMB Relay
| 15 |
0 |
|
T1056.003
|
Web Portal Capture
| 7 |
0 |
|
T1555.005
|
Password Managers
| 6 |
0 |
|
T1040
|
Network Sniffing
| 11 |
0 |
|
T1001.003
|
Protocol Impersonation
| 7 |
0 |
|
T1195
|
Supply Chain Compromise
| 8 |
3 |
|
T1021.002
|
SMB/Windows Admin Shares
| 16 |
0 |
|
T1578.003
|
Delete Cloud Instance
| 11 |
0 |
|
T1218.002
|
Control Panel
| 11 |
0 |
|
T1055.014
|
VDSO Hijacking
| 6 |
0 |
|
T1037.002
|
Logon Script (Mac)
| 7 |
0 |
|
T1102.001
|
Dead Drop Resolver
| 8 |
0 |
|
T1574.005
|
Executable Installer File Permissions Weakness
| 12 |
0 |
|
T1055.004
|
Asynchronous Procedure Call
| 6 |
0 |
|
T1499.004
|
Application or System Exploitation
| 9 |
0 |
|
T1548.001
|
Setuid and Setgid
| 3 |
0 |
|
T1220
|
XSL Script Processing
| 6 |
0 |
|
T1491.001
|
Internal Defacement
| 10 |
0 |
|
T1539
|
Steal Web Session Cookie
| 10 |
0 |
|
T1212
|
Exploitation for Credential Access
| 24 |
0 |
|
T1602
|
Data from Configuration Repository
| 25 |
2 |
|
T1578
|
Modify Cloud Compute Infrastructure
| 11 |
3 |
|
T1548.002
|
Bypass User Account Control
| 12 |
0 |
|
T1110.003
|
Password Spraying
| 14 |
0 |
|
T1553.006
|
Code Signing Policy Modification
| 13 |
0 |
|
T1550.001
|
Application Access Token
| 16 |
0 |
|
T1056.002
|
GUI Input Capture
| 4 |
0 |
|
T1218.003
|
CMSTP
| 11 |
0 |
|
T1543.004
|
Launch Daemon
| 8 |
0 |
|
T1132
|
Data Encoding
| 7 |
2 |
|
T1574.010
|
Services File Permissions Weakness
| 12 |
0 |
|
T1111
|
Two-Factor Authentication Interception
| 7 |
0 |
|
T1561
|
Disk Wipe
| 10 |
2 |
|
T1037.001
|
Logon Script (Windows)
| 2 |
0 |
|
T1547.011
|
Plist Modification
| 15 |
0 |
|
T1554
|
Compromise Client Software Binary
| 9 |
0 |
|
T1059.008
|
Network Device CLI
| 15 |
0 |
|
T1055.002
|
Portable Executable Injection
| 6 |
0 |
|
T1546.008
|
Accessibility Features
| 6 |
0 |
|
T1087
|
Account Discovery
| 3 |
3 |
|
T1505.001
|
SQL Stored Procedures
| 14 |
0 |
|
T1071.004
|
DNS
| 18 |
0 |
|
T1190
|
Exploit Public-Facing Application
| 29 |
0 |
|
T1489
|
Service Stop
| 13 |
0 |
|
T1218.005
|
Mshta
| 11 |
0 |
|
T1599
|
Network Boundary Bridging
| 18 |
1 |
|
T1505.004
|
IIS Components
| 24 |
0 |
|
T1550.002
|
Pass the Hash
| 8 |
0 |
|
T1609
|
Container Administration Command
| 9 |
0 |
|
T1105
|
Ingress Tool Transfer
| 8 |
0 |
|
T1036.007
|
Double File Extension
| 6 |
0 |
|
T1011
|
Exfiltration Over Other Network Medium
| 4 |
1 |
|
T1611
|
Escape to Host
| 20 |
0 |
|
T1106
|
Native API
| 7 |
0 |
|
T1574.012
|
COR_PROFILER
| 9 |
0 |
|
T1072
|
Software Deployment Tools
| 24 |
0 |
|
T1495
|
Firmware Corruption
| 16 |
0 |
|
T1087.001
|
Local Account
| 3 |
0 |
|
T1606.002
|
SAML Tokens
| 3 |
0 |
|
T1021.003
|
Distributed Component Object Model
| 19 |
0 |
|
T1003.007
|
Proc Filesystem
| 14 |
0 |
|
T1218.014
|
MMC
| 11 |
0 |
|
T1567.001
|
Exfiltration to Code Repository
| 3 |
0 |
|
T1598.003
|
Spearphishing Link
| 11 |
0 |
|
T1048.002
|
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
| 23 |
0 |
|
T1047
|
Windows Management Instrumentation
| 18 |
0 |
|
T1564.006
|
Run Virtual Instance
| 7 |
0 |
|
T1565
|
Data Manipulation
| 26 |
3 |
|
T1566.001
|
Spearphishing Attachment
| 12 |
0 |
|
T1498.002
|
Reflection Amplification
| 8 |
0 |
|
T1205.001
|
Port Knocking
| 8 |
0 |
|
T1185
|
Browser Session Hijacking
| 14 |
0 |
|
T1563.002
|
RDP Hijacking
| 18 |
0 |
|
T1213.003
|
Code Repositories
| 14 |
0 |
|
T1556
|
Modify Authentication Process
| 16 |
4 |
|
T1087.002
|
Domain Account
| 3 |
0 |
|
T1091
|
Replication Through Removable Media
| 10 |
0 |
|
T1550.004
|
Web Session Cookie
| 3 |
0 |
|
T1055.013
|
Process Doppelgänging
| 6 |
0 |
|
T1568.002
|
Domain Generation Algorithms
| 8 |
0 |
|
T1055.003
|
Thread Execution Hijacking
| 6 |
0 |
|
T1547.003
|
Time Providers
| 10 |
0 |
|
T1114
|
Email Collection
| 14 |
3 |
|
T1553.005
|
Mark-of-the-Web Bypass
| 6 |
0 |
|
T1132.002
|
Non-Standard Encoding
| 7 |
0 |
|
T1137.001
|
Office Template Macros
| 10 |
0 |
|
T1205
|
Traffic Signaling
| 9 |
1 |
|
T1036
|
Masquerading
| 12 |
4 |
|
T1216.001
|
PubPrn
| 6 |
0 |
|
T1137.004
|
Outlook Home Page
| 7 |
0 |
|
T1574.009
|
Path Interception by Unquoted Path
| 16 |
0 |
|
T1574.006
|
Dynamic Linker Hijacking
| 4 |
0 |
|
T1211
|
Exploitation for Defense Evasion
| 23 |
0 |
|
T1221
|
Template Injection
| 14 |
0 |
|
T1558.002
|
Silver Ticket
| 19 |
0 |
|
T1546.011
|
Application Shimming
| 2 |
0 |
|
T1499.002
|
Service Exhaustion Flood
| 9 |
0 |
|
T1136.002
|
Domain Account
| 15 |
0 |
|
T1104
|
Multi-Stage Channels
| 8 |
0 |
|
T1562.003
|
Impair Command History Logging
| 4 |
0 |
|
T1574.004
|
Dylib Hijacking
| 13 |
0 |
|
T1213.001
|
Confluence
| 24 |
0 |
|
T1573.002
|
Asymmetric Cryptography
| 11 |
0 |
|
T1564.002
|
Hidden Users
| 3 |
0 |
|
T1222.002
|
Linux and Mac File and Directory Permissions Modification
| 11 |
0 |
|
T1218.001
|
Compiled HTML File
| 10 |
0 |
|
T1090
|
Proxy
| 12 |
4 |
|
T1552.005
|
Cloud Instance Metadata API
| 13 |
0 |
|
T1612
|
Build Image on Host
| 11 |
0 |
|
T1546.013
|
PowerShell Profile
| 10 |
0 |
|
T1482
|
Domain Trust Discovery
| 9 |
0 |
|
T1036.001
|
Invalid Code Signature
| 5 |
0 |
|
T1070.002
|
Clear Linux or Mac System Logs
| 21 |
0 |
|
T1598.001
|
Spearphishing Service
| 7 |
0 |
|
T1566.002
|
Spearphishing Link
| 11 |
0 |
|
T1098.001
|
Additional Cloud Credentials
| 15 |
0 |
|
T1213
|
Data from Information Repositories
| 24 |
3 |
|
T1559
|
Inter-Process Communication
| 19 |
2 |
|
T1553
|
Subvert Trust Controls
| 19 |
5 |
|
T1543
|
Create or Modify System Process
| 21 |
4 |
|
T1110.002
|
Password Cracking
| 14 |
0 |
|
T1071.003
|
Mail Protocols
| 15 |
0 |
|
T1059
|
Command and Scripting Interpreter
| 24 |
8 |
|
T1112
|
Modify Registry
| 2 |
0 |
|
T1571
|
Non-Standard Port
| 8 |
0 |
|
T1601.002
|
Downgrade System Image
| 26 |
0 |
|
T1078.004
|
Cloud Accounts
| 22 |
0 |
|
T1090.001
|
Internal Proxy
| 8 |
0 |
|
T1542.001
|
System Firmware
| 18 |
0 |
|
T1134.005
|
SID-History Injection
| 12 |
0 |
|
T1564.008
|
Email Hiding Rules
| 8 |
0 |
|
T1574.007
|
Path Interception by PATH Environment Variable
| 16 |
0 |
|
T1559.002
|
Dynamic Data Exchange
| 14 |
0 |
|
T1556.003
|
Pluggable Authentication Modules
| 12 |
0 |
|
T1027.002
|
Software Packing
| 4 |
0 |
|
T1546
|
Event Triggered Execution
| 4 |
10 |
|
T1601.001
|
Patch System Image
| 26 |
0 |
|
T1570
|
Lateral Tool Transfer
| 11 |
0 |
|
T1562.009
|
Safe Mode Boot
| 13 |
0 |
|
T1552
|
Unsecured Credentials
| 33 |
7 |
|
T1574
|
Hijack Execution Flow
| 19 |
11 |
|
T1578.001
|
Create Snapshot
| 11 |
0 |
|
T1218
|
Signed Binary Proxy Execution
| 18 |
13 |
|
T1114.001
|
Local Email Collection
| 8 |
0 |
|
T1550
|
Use Alternate Authentication Material
| 7 |
4 |
|
T1569
|
System Services
| 14 |
2 |
|
T1059.006
|
Python
| 15 |
0 |
|
T1199
|
Trusted Relationship
| 8 |
0 |
|
T1003
|
OS Credential Dumping
| 22 |
8 |
|
T1218.004
|
InstallUtil
| 11 |
0 |
|
T1052
|
Exfiltration Over Physical Medium
| 19 |
1 |
|
T1499.003
|
Application Exhaustion Flood
| 9 |
0 |
|
T1136.001
|
Local Account
| 11 |
0 |
|
T1543.002
|
Systemd Service
| 16 |
0 |
|
T1553.003
|
SIP and Trust Provider Hijacking
| 10 |
0 |
|
T1556.002
|
Password Filter DLL
| 3 |
0 |
|
T1003.006
|
DCSync
| 16 |
0 |
|
T1574.011
|
Services Registry Permissions Weakness
| 2 |
0 |
|
T1562.002
|
Disable Windows Event Logging
| 13 |
0 |
|
T1195.002
|
Compromise Software Supply Chain
| 8 |
0 |
|
T1176
|
Browser Extensions
| 15 |
0 |
|
T1216
|
Signed Script Proxy Execution
| 6 |
1 |
|
T1547.004
|
Winlogon Helper DLL
| 13 |
0 |
|
T1137.005
|
Outlook Rules
| 7 |
0 |
|
T1557
|
Adversary-in-the-Middle
| 24 |
2 |
|
T1556.001
|
Domain Controller Authentication
| 14 |
0 |
|
T1561.002
|
Disk Structure Wipe
| 10 |
0 |
|
T1218.010
|
Regsvr32
| 4 |
0 |
|
T1574.002
|
DLL Side-Loading
| 9 |
0 |
|
T1189
|
Drive-by Compromise
| 18 |
0 |
|
T1602.002
|
Network Device Configuration Dump
| 25 |
0 |
|
T1087.004
|
Cloud Account
| 6 |
0 |
|
T1610
|
Deploy Container
| 9 |
0 |
|
T1102.002
|
Bidirectional Communication
| 8 |
0 |
|
T1134.003
|
Make and Impersonate Token
| 7 |
0 |
|
T1001
|
Data Obfuscation
| 7 |
3 |
|
T1204.003
|
Malicious Image
| 18 |
0 |
|
T1547.009
|
Shortcut Modification
| 8 |
0 |
|
T1484
|
Domain Policy Modification
| 13 |
0 |
|
T1499
|
Endpoint Denial of Service
| 9 |
4 |
|
T1573.001
|
Symmetric Cryptography
| 11 |
0 |
|
T1569.002
|
Service Execution
| 13 |
0 |
|
T1003.002
|
Security Account Manager
| 15 |
0 |
|
T1547.002
|
Authentication Package
| 5 |
0 |
|
T1008
|
Fallback Channels
| 8 |
0 |
|
T1059.003
|
Windows Command Shell
| 11 |
0 |
|
T1025
|
Data from Removable Media
| 15 |
0 |
|
T1119
|
Automated Collection
| 17 |
0 |
|
T1565.003
|
Runtime Data Manipulation
| 12 |
0 |
|
T1046
|
Network Service Scanning
| 11 |
0 |
|
T1053.005
|
Scheduled Task
| 14 |
0 |
|
T1092
|
Communication Through Removable Media
| 8 |
0 |
|
T1195.001
|
Compromise Software Dependencies and Development Tools
| 8 |
0 |
|
T1037.005
|
Startup Items
| 7 |
0 |
|
T1552.006
|
Group Policy Preferences
| 13 |
0 |
|
T1090.003
|
Multi-hop Proxy
| 8 |
0 |
|
T1218.011
|
Rundll32
| 4 |
0 |
|
T1548
|
Abuse Elevation Control Mechanism
| 21 |
4 |
|
T1546.014
|
Emond
| 6 |
0 |
|
T1003.003
|
NTDS
| 18 |
0 |
|
T1542.004
|
ROMMONkit
| 20 |
0 |
|
T1132.001
|
Standard Encoding
| 7 |
0 |
|
T1071
|
Application Layer Protocol
| 15 |
4 |
|
T1021.006
|
Windows Remote Management
| 16 |
0 |
|
T1059.005
|
Visual Basic
| 17 |
0 |
|
T1222.001
|
Windows File and Directory Permissions Modification
| 11 |
0 |
|
T1053
|
Scheduled Task/Job
| 15 |
6 |
|
T1555
|
Credentials from Password Stores
| 3 |
4 |
|
T1021
|
Remote Services
| 12 |
6 |
|
T1003.001
|
LSASS Memory
| 19 |
0 |
|
T1053.002
|
At (Windows)
| 14 |
0 |
|
T1552.002
|
Credentials in Registry
| 18 |
0 |
|
T1201
|
Password Policy Discovery
| 5 |
0 |
|
T1562.001
|
Disable or Modify Tools
| 13 |
0 |
|
T1098.003
|
Add Office 365 Global Administrator Role
| 11 |
0 |
|
T1070.001
|
Clear Windows Event Logs
| 21 |
0 |
|
T1558.001
|
Golden Ticket
| 9 |
0 |
|
T1558.004
|
AS-REP Roasting
| 20 |
0 |
|
T1029
|
Scheduled Transfer
| 7 |
0 |
|
T1547.013
|
XDG Autostart Entries
| 15 |
0 |
|
T1567
|
Exfiltration Over Web Service
| 17 |
2 |
|
T1133
|
External Remote Services
| 18 |
0 |
|
T1020.001
|
Traffic Duplication
| 16 |
0 |
|
T1543.001
|
Launch Agent
| 8 |
0 |
|
T1059.001
|
PowerShell
| 19 |
0 |
|
T1552.001
|
Credentials In Files
| 18 |
0 |
|
T1555.004
|
Windows Credential Manager
| 5 |
0 |
|
T1053.006
|
Systemd Timers
| 9 |
0 |
|
T1055.012
|
Process Hollowing
| 6 |
0 |
|
T1499.001
|
OS Exhaustion Flood
| 9 |
0 |
|
T1078.001
|
Default Accounts
| 14 |
0 |
|
T1542
|
Pre-OS Boot
| 19 |
4 |
|
T1005
|
Data from Local System
| 13 |
0 |
|
T1219
|
Remote Access Software
| 13 |
0 |
|
T1568
|
Dynamic Resolution
| 8 |
1 |
|
T1563
|
Remote Service Session Hijacking
| 19 |
2 |
|
T1574.008
|
Path Interception by Search Order Hijacking
| 16 |
0 |
|
T1555.002
|
Securityd Memory
| 3 |
0 |
|
T1606.001
|
Web Cookies
| 4 |
0 |
|
T1562.008
|
Disable Cloud Logs
| 6 |
0 |
|
T1598.002
|
Spearphishing Attachment
| 11 |
0 |
|
T1606
|
Forge Web Credentials
| 6 |
2 |
|
T1200
|
Hardware Additions
| 5 |
0 |
|
T1003.004
|
LSA Secrets
| 14 |
0 |
|
T1011.001
|
Exfiltration Over Bluetooth
| 8 |
0 |
|
T1538
|
Cloud Service Dashboard
| 6 |
0 |
|
T1560
|
Archive Collected Data
| 5 |
1 |
|
T1059.004
|
Unix Shell
| 11 |
0 |
|
T1543.003
|
Windows Service
| 8 |
0 |
|
T1562.004
|
Disable or Modify System Firewall
| 13 |
0 |
|
T1598
|
Phishing for Information
| 11 |
3 |
|
T1048.001
|
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
| 12 |
0 |
|
T1055.001
|
Dynamic-link Library Injection
| 6 |
0 |
|
T1547.007
|
Re-opened Applications
| 11 |
0 |
|
T1535
|
Unused/Unsupported Cloud Regions
| 1 |
0 |
|
T1505
|
Server Software Component
| 23 |
4 |
|
T1542.003
|
Bootkit
| 18 |
0 |
|
T1070.003
|
Clear Command History
| 10 |
0 |
|
T1546.004
|
Unix Shell Configuration Modification
| 8 |
0 |
|
T1619
|
Cloud Storage Object Discovery
| 7 |
0 |
|
T1556.004
|
Network Device Authentication
| 13 |
0 |
|
T1055
|
Process Injection
| 12 |
11 |
|
T1110.001
|
Password Guessing
| 14 |
0 |
|
T1566
|
Phishing
| 12 |
3 |
|
T1078
|
Valid Accounts
| 23 |
4 |
|
T1080
|
Taint Shared Content
| 10 |
0 |
|
T1558
|
Steal or Forge Kerberos Tickets
| 19 |
4 |
|
T1197
|
BITS Jobs
| 14 |
0 |
|
T1558.003
|
Kerberoasting
| 19 |
0 |
|
T1491.002
|
External Defacement
| 10 |
0 |
|
T1213.002
|
Sharepoint
| 24 |
0 |
|
T1548.004
|
Elevated Execution with Prompt
| 11 |
0 |
|
T1059.002
|
AppleScript
| 16 |
0 |
|
T1053.003
|
Cron
| 9 |
0 |
|
T1552.004
|
Private Keys
| 22 |
0 |
|
T1578.002
|
Create Cloud Instance
| 11 |
0 |
|
T1134
|
Access Token Manipulation
| 7 |
4 |
|
T1090.002
|
External Proxy
| 8 |
0 |
|
T1068
|
Exploitation for Privilege Escalation
| 25 |
0 |
|
T1486
|
Data Encrypted for Impact
| 11 |
0 |
|
T1052.001
|
Exfiltration over USB
| 19 |
0 |
|
T1569.001
|
Launchctl
| 7 |
0 |
|
T1528
|
Steal Application Access Token
| 19 |
0 |
|
T1137.006
|
Add-ins
| 6 |
0 |
|
T1222
|
File and Directory Permissions Modification
| 11 |
2 |
|
T1137.003
|
Outlook Forms
| 7 |
0 |
|
T1218.007
|
Msiexec
| 9 |
0 |
|
T1498
|
Network Denial of Service
| 8 |
2 |
|
T1203
|
Exploitation for Client Execution
| 15 |
0 |
|
T1070
|
Indicator Removal on Host
| 21 |
3 |
|
T1048
|
Exfiltration Over Alternative Protocol
| 23 |
3 |
|
T1562
|
Impair Defenses
| 16 |
9 |
|
T1210
|
Exploitation of Remote Services
| 32 |
0 |
|
T1564.009
|
Resource Forking
| 13 |
0 |
|
T1573
|
Encrypted Channel
| 11 |
2 |
|
T1036.003
|
Rename System Utilities
| 8 |
0 |
|
T1055.011
|
Extra Window Memory Injection
| 6 |
0 |
|
T1098
|
Account Manipulation
| 12 |
4 |
|
T1572
|
Protocol Tunneling
| 11 |
0 |
|
T1561.001
|
Disk Content Wipe
| 10 |
0 |
|
T1566.003
|
Spearphishing via Service
| 8 |
0 |
|
T1037.003
|
Network Logon Script
| 7 |
0 |
|
T1102
|
Web Service
| 8 |
3 |
|
T1098.004
|
SSH Authorized Keys
| 9 |
0 |
|
T1055.005
|
Thread Local Storage
| 6 |
0 |
|
T1218.013
|
Mavinject
| 11 |
0 |
|
T1498.001
|
Direct Network Flood
| 8 |
0 |
|
T1602.001
|
SNMP (MIB Dump)
| 25 |
0 |
|
T1127
|
Trusted Developer Utilities Proxy Execution
| 8 |
1 |
|
T1546.003
|
Windows Management Instrumentation Event Subscription
| 12 |
0 |
|
T1053.007
|
Container Orchestration Job
| 7 |
0 |
|
T1204.001
|
Malicious Link
| 11 |
0 |
|
T1218.009
|
Regsvcs/Regasm
| 11 |
0 |
|
T1204
|
User Execution
| 13 |
3 |
|
T1078.003
|
Local Accounts
| 19 |
0 |
|
T1071.002
|
File Transfer Protocols
| 15 |
0 |
|
T1030
|
Data Transfer Size Limits
| 7 |
0 |
|
T1553.001
|
Gatekeeper Bypass
| 6 |
0 |
|
T1552.007
|
Container API
| 14 |
0 |
|
T1537
|
Transfer Data to Cloud Account
| 20 |
0 |
|
T1485
|
Data Destruction
| 10 |
0 |
|
T1110.004
|
Credential Stuffing
| 14 |
0 |
|
T1078.002
|
Domain Accounts
| 12 |
0 |
|
T1136.003
|
Cloud Account
| 15 |
0 |
|
T1546.009
|
AppCert DLLs
| 3 |
0 |
|
T1599.001
|
Network Address Translation Traversal
| 18 |
0 |
|
T1098.002
|
Exchange Email Delegate Permissions
| 11 |
0 |
|
T1055.008
|
Ptrace System Calls
| 12 |
0 |
|
T1102.003
|
One-Way Communication
| 8 |
0 |
|
T1557.002
|
ARP Cache Poisoning
| 22 |
0 |
|
T1055.009
|
Proc Memory
| 9 |
0 |
|
T1548.003
|
Sudo and Sudo Caching
| 13 |
0 |
|
T1071.001
|
Web Protocols
| 15 |
0 |
|
T1546.002
|
Screensaver
| 9 |
0 |
|
T1114.003
|
Email Forwarding Rule
| 11 |
0 |
|
T1601
|
Modify System Image
| 26 |
2 |
|
T1562.006
|
Indicator Blocking
| 17 |
0 |
|
T1550.003
|
Pass the Ticket
| 11 |
0 |
|
T1613
|
Container and Resource Discovery
| 10 |
0 |
|
T1127.001
|
MSBuild
| 5 |
0 |
|
T1021.001
|
Remote Desktop Protocol
| 24 |
0 |
|
T1114.002
|
Remote Email Collection
| 13 |
0 |
|
T1134.001
|
Token Impersonation/Theft
| 7 |
0 |
|
T1525
|
Implant Internal Image
| 16 |
0 |
|
T1218.008
|
Odbcconf
| 11 |
0 |
|
T1037.004
|
RC Scripts
| 7 |
0 |
|
T1001.002
|
Steganography
| 7 |
0 |
|
T1562.007
|
Disable or Modify Cloud Firewall
| 6 |
0 |
|
T1059.007
|
JavaScript
| 16 |
0 |
|
T1564.003
|
Hidden Window
| 3 |
0 |
|
T1003.005
|
Cached Domain Credentials
| 17 |
0 |
|
T1048.003
|
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
| 24 |
0 |
|
T1090.004
|
Domain Fronting
| 1 |
0 |
|
T1565.002
|
Transmitted Data Manipulation
| 12 |
0 |
|
T1547.012
|
Print Processors
| 8 |
0 |
|
T1567.002
|
Exfiltration to Cloud Storage
| 3 |
0 |
|
T1218.012
|
Verclsid
| 16 |
0 |
|
T1135
|
Network Share Discovery
| 3 |
0 |
|
T1490
|
Inhibit System Recovery
| 12 |
0 |
|
T1542.005
|
TFTP Boot
| 24 |
0 |
|
T1547.005
|
Security Support Provider
| 5 |
0 |
|
T1546.006
|
LC_LOAD_DYLIB Addition
| 14 |
0 |
|
T1137
|
Office Application Startup
| 13 |
6 |
|
T1021.004
|
SSH
| 15 |
0 |
|
T1559.001
|
Component Object Model
| 13 |
0 |
|
T1134.002
|
Create Process with Token
| 7 |
0 |
|
T1560.001
|
Archive via Utility
| 5 |
0 |
|
T1530
|
Data from Cloud Storage Object
| 33 |
0 |
|
T1037
|
Boot or Logon Initialization Scripts
| 9 |
5 |
|
T1137.002
|
Office Test
| 10 |
0 |
|
T1505.003
|
Web Shell
| 8 |
0 |
|
T1001.001
|
Junk Data
| 7 |
0 |
|
T1003.008
|
/etc/passwd and /etc/shadow
| 14 |
0 |
|
T1546.010
|
AppInit DLLs
| 5 |
0 |
|
T1027
|
Obfuscated Files or Information
| 6 |
1 |
