| T1195.002 | Compromise Software Supply Chain | 3 | 0 |
| T1195.003 | Compromise Hardware Supply Chain | 2 | 0 |
| T1552.004 | Private Keys | 1 | 0 |
| T1047 | Windows Management Instrumentation | 3 | 0 |
| T1564.006 | Run Virtual Instance | 1 | 0 |
| T1547.008 | LSASS Driver | 5 | 0 |
| T1566.001 | Spearphishing Attachment | 6 | 0 |
| T1547.004 | Winlogon Helper DLL | 1 | 0 |
| T1556 | Modify Authentication Process | 4 | 3 |
| T1110 | Brute Force | 7 | 4 |
| T1496 | Resource Hijacking | 19 | 0 |
| T1136 | Create Account | 11 | 3 |
| T1134 | Access Token Manipulation | 1 | 2 |
| T1095 | Non-Application Layer Protocol | 1 | 0 |
| T1087.002 | Domain Account | 7 | 0 |
| T1068 | Exploitation for Privilege Escalation | 37 | 0 |
| T1486 | Data Encrypted for Impact | 17 | 0 |
| T1556.006 | Multi-Factor Authentication | 1 | 0 |
| T1041 | Exfiltration Over C2 Channel | 8 | 0 |
| T1222 | File and Directory Permissions Modification | 2 | 0 |
| T1565.001 | Stored Data Manipulation | 2 | 0 |
| T1564.004 | NTFS File Attributes | 2 | 0 |
| T1007 | System Service Discovery | 2 | 0 |
| T1189 | Drive-by Compromise | 19 | 0 |
| T1564 | Hide Artifacts | 2 | 2 |
| T1203 | Exploitation for Client Execution | 25 | 0 |
| T1055.003 | Thread Execution Hijacking | 2 | 0 |
| T1204.002 | Malicious File | 36 | 0 |
| T1070 | Indicator Removal | 4 | 2 |
| T1012 | Query Registry | 1 | 0 |
| T1210 | Exploitation of Remote Services | 5 | 0 |
| T1114 | Email Collection | 2 | 1 |
| T1056.003 | Web Portal Capture | 1 | 0 |
| T1573 | Encrypted Channel | 1 | 1 |
| T1555.005 | Password Managers | 1 | 0 |
| T1070.004 | File Deletion | 5 | 0 |
| T1057 | Process Discovery | 1 | 0 |
| T1055.011 | Extra Window Memory Injection | 2 | 0 |
| T1098 | Account Manipulation | 2 | 2 |
| T1621 | Multi-Factor Authentication Request Generation | 1 | 0 |
| T1036 | Masquerading | 5 | 3 |
| T1003.002 | Security Account Manager | 1 | 0 |
| T1547.002 | Authentication Package | 1 | 0 |
| T1140 | Deobfuscate/Decode Files or Information | 6 | 0 |
| T1059.003 | Windows Command Shell | 5 | 0 |
| T1027.008 | Stripped Payloads | 2 | 0 |
| T1211 | Exploitation for Defense Evasion | 3 | 0 |
| T1025 | Data from Removable Media | 2 | 0 |
| T1102 | Web Service | 1 | 0 |
| T1119 | Automated Collection | 2 | 0 |
| T1195 | Supply Chain Compromise | 2 | 2 |
| T1069 | Permission Groups Discovery | 3 | 0 |
| T1021.002 | SMB/Windows Admin Shares | 1 | 0 |
| T1027.004 | Compile After Delivery | 3 | 0 |
| T1056.004 | Credential API Hooking | 1 | 0 |
| T1056.001 | Keylogging | 1 | 0 |
| T1136.002 | Domain Account | 1 | 0 |
| T1542.002 | Component Firmware | 2 | 0 |
| T1074.001 | Local Data Staging | 1 | 0 |
| T1212 | Exploitation for Credential Access | 4 | 0 |
| T1548 | Abuse Elevation Control Mechanism | 4 | 1 |
| T1027.010 | Command Obfuscation | 2 | 0 |
| T1018 | Remote System Discovery | 2 | 0 |
| T1110.003 | Password Spraying | 2 | 0 |
| T1548.002 | Bypass User Account Control | 2 | 0 |
| T1014 | Rootkit | 5 | 0 |
| T1553.006 | Code Signing Policy Modification | 3 | 0 |
| T1071 | Application Layer Protocol | 2 | 2 |
| T1082 | System Information Discovery | 8 | 0 |
| T1132 | Data Encoding | 3 | 0 |
| T1021.006 | Windows Remote Management | 1 | 0 |
| T1059.005 | Visual Basic | 1 | 0 |
| T1036.001 | Invalid Code Signature | 2 | 0 |
| T1204 | User Execution | 3 | 2 |
| T1078.003 | Local Accounts | 2 | 0 |
| T1074 | Data Staged | 1 | 1 |
| T1027.005 | Indicator Removal from Tools | 2 | 0 |
| T1021 | Remote Services | 4 | 3 |
| T1110.004 | Credential Stuffing | 1 | 0 |
| T1078.002 | Domain Accounts | 1 | 0 |
| T1027.003 | Steganography | 2 | 0 |
| T1552.002 | Credentials in Registry | 1 | 0 |
| T1136.003 | Cloud Account | 1 | 0 |
| T1098.002 | Additional Email Delegate Permissions | 1 | 0 |
| T1016 | System Network Configuration Discovery | 2 | 0 |
| T1553 | Subvert Trust Controls | 3 | 3 |
| T1543 | Create or Modify System Process | 4 | 1 |
| T1055.002 | Portable Executable Injection | 2 | 0 |
| T1110.002 | Password Cracking | 1 | 0 |
| T1087 | Account Discovery | 4 | 2 |
| T1059 | Command and Scripting Interpreter | 108 | 5 |
| T1567 | Exfiltration Over Web Service | 2 | 0 |
| T1112 | Modify Registry | 3 | 0 |
| T1190 | Exploit Public-Facing Application | 128 | 0 |
| T1571 | Non-Standard Port | 2 | 0 |
| T1489 | Service Stop | 2 | 0 |
| T1033 | System Owner/User Discovery | 2 | 0 |
| T1115 | Clipboard Data | 1 | 0 |
| T1550.003 | Pass the Ticket | 2 | 0 |
| T1542.001 | System Firmware | 2 | 0 |
| T1556.008 | Network Provider DLL | 1 | 0 |
| T1550.002 | Pass the Hash | 2 | 0 |
| T1059.001 | PowerShell | 4 | 0 |
| T1027.009 | Embedded Payloads | 2 | 0 |
| T1027.001 | Binary Padding | 2 | 0 |
| T1027.002 | Software Packing | 3 | 0 |
| T1021.001 | Remote Desktop Protocol | 2 | 0 |
| T1547.001 | Registry Run Keys / Startup Folder | 2 | 0 |
| T1552.001 | Credentials In Files | 5 | 0 |
| T1105 | Ingress Tool Transfer | 33 | 0 |
| T1555.004 | Windows Credential Manager | 1 | 0 |
| T1055.012 | Process Hollowing | 1 | 0 |
| T1546 | Event Triggered Execution | 1 | 0 |
| T1027.011 | Fileless Storage | 2 | 0 |
| T1078.001 | Default Accounts | 1 | 0 |
| T1542 | Pre-OS Boot | 2 | 4 |
| T1601.001 | Patch System Image | 1 | 0 |
| T1005 | Data from Local System | 32 | 0 |
| T1570 | Lateral Tool Transfer | 1 | 0 |
| T1611 | Escape to Host | 1 | 0 |
| T1049 | System Network Connections Discovery | 2 | 0 |
| T1574 | Hijack Execution Flow | 17 | 0 |
| T1552 | Unsecured Credentials | 5 | 3 |
| T1113 | Screen Capture | 1 | 0 |
| T1106 | Native API | 5 | 0 |
| T1036.002 | Right-to-Left Override | 1 | 0 |
| T1547.010 | Port Monitors | 1 | 0 |
| T1083 | File and Directory Discovery | 4 | 0 |
| T1218 | System Binary Proxy Execution | 3 | 0 |
| T1056 | Input Capture | 3 | 3 |
| T1550 | Use Alternate Authentication Material | 2 | 2 |
| T1569 | System Services | 1 | 1 |
| T1560 | Archive Collected Data | 1 | 1 |
| T1495 | Firmware Corruption | 2 | 0 |
| T1543.003 | Windows Service | 3 | 0 |
| T1003 | OS Credential Dumping | 11 | 4 |
| T1534 | Internal Spearphishing | 1 | 0 |
| T1055.001 | Dynamic-link Library Injection | 3 | 0 |
| T1589.001 | Credentials | 1 | 0 |
| T1547.005 | Security Support Provider | 1 | 0 |
| T1027.007 | Dynamic API Resolution | 2 | 0 |
| T1542.003 | Bootkit | 2 | 0 |
| T1136.001 | Local Account | 3 | 0 |
| T1553.003 | SIP and Trust Provider Hijacking | 1 | 0 |
| T1134.002 | Create Process with Token | 1 | 0 |
| T1556.002 | Password Filter DLL | 1 | 0 |
| T1555.003 | Credentials from Web Browsers | 1 | 0 |
| T1560.001 | Archive via Utility | 3 | 0 |
| T1547 | Boot or Logon Autostart Execution | 7 | 6 |
| T1055 | Process Injection | 4 | 5 |
| T1110.001 | Password Guessing | 1 | 0 |
| T1027.013 | Encrypted/Encoded File | 2 | 0 |
| T1566 | Phishing | 5 | 2 |
| T1078 | Valid Accounts | 41 | 3 |
| T1027 | Obfuscated Files or Information | 9 | 11 |
| T1518 | Software Discovery | 1 | 0 |
| T1558 | Steal or Forge Kerberos Tickets | 1 | 0 |
| T1589 | Gather Victim Identity Information | 1 | 1 |
| T1565 | Data Manipulation | 1 | 1 |
| T1185 | Browser Session Hijacking | 2 | 0 |
| T1557 | Adversary-in-the-Middle | 2 | 1 |
| T1622 | Debugger Evasion | 2 | 0 |
| T1498 | Network Denial of Service | 7 | 0 |
| T1036.005 | Match Legitimate Name or Location | 1 | 0 |
| T1048 | Exfiltration Over Alternative Protocol | 4 | 1 |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | 1 | 0 |
| T1553.005 | Mark-of-the-Web Bypass | 1 | 0 |
| T1499 | Endpoint Denial of Service | 5 | 2 |
| T1573.001 | Symmetric Cryptography | 3 | 0 |
| T1569.002 | Service Execution | 1 | 0 |
| T1497 | Virtualization/Sandbox Evasion | 2 | 0 |
| T1040 | Network Sniffing | 1 | 0 |
| T1653 | Power Settings | 1 | 0 |
| T1046 | Network Service Discovery | 5 | 0 |
| T1221 | Template Injection | 3 | 0 |
| T1053.005 | Scheduled Task | 2 | 0 |
| T1499.002 | Service Exhaustion Flood | 2 | 0 |
| T1499.004 | Application or System Exploitation | 1 | 0 |
| T1098.004 | SSH Authorized Keys | 1 | 0 |
| T1003.003 | NTDS | 3 | 0 |
| T1531 | Account Access Removal | 1 | 0 |
| T1090 | Proxy | 3 | 1 |
| T1204.001 | Malicious Link | 11 | 0 |
| T1482 | Domain Trust Discovery | 2 | 0 |
| T1555 | Credentials from Password Stores | 3 | 3 |
| T1053 | Scheduled Task/Job | 1 | 1 |
| T1071.002 | File Transfer Protocols | 1 | 0 |
| T1566.002 | Spearphishing Link | 1 | 0 |
| T1202 | Indirect Command Execution | 9 | 0 |
| T1003.001 | LSASS Memory | 1 | 0 |
| T1485 | Data Destruction | 3 | 0 |
| T1562.001 | Disable or Modify Tools | 2 | 0 |
| T1213 | Data from Information Repositories | 2 | 0 |
| T1070.001 | Clear Windows Event Logs | 1 | 0 |
| T1588.001 | Malware | 1 | 0 |
| T1071.001 | Web Protocols | 9 | 0 |
| T1133 | External Remote Services | 21 | 0 |
| T1601 | Modify System Image | 1 | 1 |
| T1090.001 | Internal Proxy | 1 | 0 |
| T1217 | Browser Information Discovery | 1 | 0 |
| T1114.002 | Remote Email Collection | 1 | 0 |
| T1134.001 | Token Impersonation/Theft | 1 | 0 |
| T1219 | Remote Access Software | 1 | 0 |
| T1059.007 | JavaScript | 13 | 0 |
| T1598.002 | Spearphishing Attachment | 1 | 0 |
| T1592 | Gather Victim Host Information | 1 | 0 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 1 | 0 |
| T1608.001 | Upload Malware | 5 | 0 |
| T1059.004 | Unix Shell | 9 | 0 |
| T1490 | Inhibit System Recovery | 1 | 0 |
| T1542.005 | TFTP Boot | 1 | 0 |
| T1087.001 | Local Account | 1 | 0 |
| T1505 | Server Software Component | 1 | 1 |
| T1484.001 | Group Policy Modification | 1 | 0 |
| T1584.005 | Botnet | 2 | 0 |
| T1530 | Data from Cloud Storage | 1 | 0 |
| T1037 | Boot or Logon Initialization Scripts | 1 | 0 |
| T1505.003 | Web Shell | 20 | 0 |
| T1003.008 | /etc/passwd and /etc/shadow | 1 | 0 |
| T1491.002 | External Defacement | 1 | 0 |