| T1602.001 |
SNMP (MIB Dump) |
1 |
0 |
| T1595.001 |
Scanning IP Blocks |
5 |
0 |
| T1611 |
Escape to Host |
1 |
0 |
| T1021.003 |
Distributed Component Object Model |
1 |
0 |
| T1059.009 |
Cloud API |
1 |
0 |
| T1561.001 |
Disk Content Wipe |
2 |
0 |
| T1592.001 |
Hardware |
1 |
0 |
| T1078 |
Valid Accounts |
10 |
3 |
| T1070.006 |
Timestomp |
1 |
0 |
| T1595.003 |
Wordlist Scanning |
1 |
0 |
| T1072 |
Software Deployment Tools |
1 |
0 |
| T1610 |
Deploy Container |
2 |
0 |
| T1053.001 |
|
1 |
0 |
| T1003.008 |
/etc/passwd and /etc/shadow |
1 |
0 |
| T1555.006 |
Cloud Secrets Management Stores |
1 |
0 |
| T1071.002 |
File Transfer Protocols |
2 |
0 |
| T1219 |
Remote Access Software |
2 |
0 |
| T1570 |
Lateral Tool Transfer |
1 |
0 |
| T1591.003 |
Identify Business Tempo |
1 |
0 |
| T1568 |
Dynamic Resolution |
1 |
1 |
| T1548.003 |
Sudo and Sudo Caching |
1 |
0 |
| T1021.001 |
Remote Desktop Protocol |
2 |
0 |
| T1078.001 |
Default Accounts |
1 |
0 |
| T1552.004 |
Private Keys |
4 |
0 |
| T1562 |
Impair Defenses |
6 |
6 |
| T1190 |
Exploit Public-Facing Application |
8 |
0 |
| T1020.001 |
Traffic Duplication |
2 |
0 |
| T1591.002 |
Business Relationships |
1 |
0 |
| T1136.003 |
Cloud Account |
1 |
0 |
| T1557.003 |
DHCP Spoofing |
1 |
0 |
| T1059 |
Command and Scripting Interpreter |
1 |
4 |
| T1048.003 |
Exfiltration Over Unencrypted Non-C2 Protocol |
4 |
0 |
| T1526 |
Cloud Service Discovery |
1 |
0 |
| T1589.002 |
Email Addresses |
2 |
0 |
| T1491.001 |
Internal Defacement |
3 |
0 |
| T1078.002 |
Domain Accounts |
1 |
0 |
| T1609 |
Container Administration Command |
1 |
0 |
| T1568.002 |
Domain Generation Algorithms |
1 |
0 |
| T1580 |
Cloud Infrastructure Discovery |
3 |
0 |
| T1021.007 |
Cloud Services |
2 |
0 |
| T1590.006 |
Network Security Appliances |
3 |
0 |
| T1189 |
Drive-by Compromise |
3 |
0 |
| T1529 |
System Shutdown/Reboot |
2 |
0 |
| T1552 |
Unsecured Credentials |
6 |
5 |
| T1567.002 |
Exfiltration to Cloud Storage |
1 |
0 |
| T1136 |
Create Account |
1 |
1 |
| T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
3 |
0 |
| T1602.002 |
Network Device Configuration Dump |
1 |
0 |
| T1619 |
Cloud Storage Object Discovery |
1 |
0 |
| T1098.005 |
Device Registration |
2 |
0 |
| T1550.001 |
Application Access Token |
1 |
0 |
| T1552.001 |
Credentials In Files |
5 |
0 |
| T1542 |
Pre-OS Boot |
2 |
1 |
| T1552.007 |
Container API |
1 |
0 |
| T1041 |
Exfiltration Over C2 Channel |
3 |
0 |
| T1203 |
Exploitation for Client Execution |
4 |
0 |
| T1222 |
File and Directory Permissions Modification |
1 |
1 |
| T1222.002 |
Linux and Mac File and Directory Permissions Modification |
1 |
0 |
| T1048 |
Exfiltration Over Alternative Protocol |
4 |
3 |
| T1566.001 |
Spearphishing Attachment |
1 |
0 |
| T1590 |
Gather Victim Network Information |
3 |
6 |
| T1567.003 |
Exfiltration to Text Storage Sites |
1 |
0 |
| T1204 |
User Execution |
1 |
1 |
| T1565.001 |
Stored Data Manipulation |
4 |
0 |
| T1561.002 |
Disk Structure Wipe |
2 |
0 |
| T1602 |
Data from Configuration Repository |
1 |
2 |
| T1489 |
Service Stop |
2 |
0 |
| T1211 |
Exploitation for Defense Evasion |
3 |
0 |
| T1059.007 |
JavaScript |
1 |
0 |
| T1071.004 |
DNS |
2 |
0 |
| T1021.005 |
VNC |
2 |
0 |
| T1090.003 |
Multi-hop Proxy |
4 |
0 |
| T1599 |
Network Boundary Bridging |
1 |
1 |
| T1552.002 |
Credentials in Registry |
1 |
0 |
| T1595 |
Active Scanning |
5 |
3 |
| T1070.008 |
Clear Mailbox Data |
1 |
0 |
| T1053.007 |
Container Orchestration Job |
1 |
0 |
| T1578.005 |
Modify Cloud Compute Configurations |
1 |
0 |
| T1498.001 |
Direct Network Flood |
4 |
0 |
| T1548.005 |
Temporary Elevated Cloud Access |
1 |
0 |
| T1590.001 |
Domain Properties |
3 |
0 |
| T1548 |
Abuse Elevation Control Mechanism |
1 |
2 |
| T1562.003 |
Impair Command History Logging |
1 |
0 |
| T1037 |
Boot or Logon Initialization Scripts |
1 |
1 |
| T1499 |
Endpoint Denial of Service |
4 |
4 |
| T1499.003 |
Application Exhaustion Flood |
4 |
0 |
| T1071.003 |
Mail Protocols |
2 |
0 |
| T1621 |
Multi-Factor Authentication Request Generation |
1 |
0 |
| T1592.004 |
Client Configurations |
1 |
0 |
| T1070 |
Indicator Removal |
1 |
8 |
| T1098.001 |
Additional Cloud Credentials |
4 |
0 |
| T1557.002 |
ARP Cache Poisoning |
1 |
0 |
| T1212 |
Exploitation for Credential Access |
4 |
0 |
| T1133 |
External Remote Services |
4 |
0 |
| T1588.003 |
Code Signing Certificates |
2 |
0 |
| T1530 |
Data from Cloud Storage |
7 |
0 |
| T1078.004 |
Cloud Accounts |
10 |
0 |
| T1590.003 |
Network Trust Dependencies |
1 |
0 |
| T1119 |
Automated Collection |
1 |
0 |
| T1542.005 |
TFTP Boot |
2 |
0 |
| T1552.005 |
Cloud Instance Metadata API |
2 |
0 |
| T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
3 |
0 |
| T1087.004 |
Cloud Account |
1 |
0 |
| T1021.008 |
Direct Cloud VM Connections |
1 |
0 |
| T1110.002 |
Password Cracking |
3 |
0 |
| T1565.002 |
Transmitted Data Manipulation |
3 |
0 |
| T1567.001 |
Exfiltration to Code Repository |
1 |
0 |
| T1566.003 |
Spearphishing via Service |
1 |
0 |
| T1020 |
Automated Exfiltration |
3 |
1 |
| T1543.005 |
Container Service |
1 |
0 |
| T1498 |
Network Denial of Service |
5 |
2 |
| T1070.004 |
File Deletion |
1 |
0 |
| T1070.007 |
Clear Network Connection History and Configurations |
1 |
0 |
| T1053.006 |
Systemd Timers |
1 |
0 |
| T1651 |
Cloud Administration Command |
3 |
0 |
| T1059.001 |
PowerShell |
1 |
0 |
| T1110.004 |
Credential Stuffing |
7 |
0 |
| T1599.001 |
Network Address Translation Traversal |
1 |
0 |
| T1071 |
Application Layer Protocol |
4 |
4 |
| T1021.004 |
SSH |
3 |
0 |
| T1490 |
Inhibit System Recovery |
3 |
0 |
| T1525 |
Implant Internal Image |
1 |
0 |
| T1029 |
Scheduled Transfer |
1 |
0 |
| T1550 |
Use Alternate Authentication Material |
1 |
1 |
| T1592.003 |
Firmware |
1 |
0 |
| T1590.004 |
Network Topology |
3 |
0 |
| T1590.005 |
IP Addresses |
3 |
0 |
| T1562.008 |
Disable or Modify Cloud Logs |
5 |
0 |
| T1553.002 |
Code Signing |
1 |
0 |
| T1589.001 |
Credentials |
2 |
0 |
| T1485 |
Data Destruction |
8 |
0 |
| T1090.002 |
External Proxy |
4 |
0 |
| T1499.002 |
Service Exhaustion Flood |
4 |
0 |
| T1486 |
Data Encrypted for Impact |
4 |
0 |
| T1589.003 |
Employee Names |
2 |
0 |
| T1528 |
Steal Application Access Token |
2 |
0 |
| T1204.003 |
Malicious Image |
1 |
0 |
| T1613 |
Container and Resource Discovery |
1 |
0 |
| T1046 |
Network Service Discovery |
6 |
0 |
| T1561 |
Disk Wipe |
2 |
2 |
| T1562.007 |
Disable or Modify Cloud Firewall |
2 |
0 |
| T1572 |
Protocol Tunneling |
1 |
0 |
| T1566.002 |
Spearphishing Link |
1 |
0 |
| T1592 |
Gather Victim Host Information |
1 |
4 |
| T1565 |
Data Manipulation |
5 |
2 |
| T1543 |
Create or Modify System Process |
1 |
2 |
| T1110 |
Brute Force |
7 |
4 |
| T1040 |
Network Sniffing |
5 |
0 |
| T1538 |
Cloud Service Dashboard |
2 |
0 |
| T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
1 |
0 |
| T1567.004 |
Exfiltration Over Webhook |
1 |
0 |
| T1531 |
Account Access Removal |
2 |
0 |
| T1021 |
Remote Services |
3 |
8 |
| T1562.004 |
Disable or Modify System Firewall |
1 |
0 |
| T1070.009 |
Clear Persistence |
1 |
0 |
| T1087 |
Account Discovery |
1 |
1 |
| T1571 |
Non-Standard Port |
3 |
0 |
| T1053 |
Scheduled Task/Job |
2 |
3 |
| T1018 |
Remote System Discovery |
2 |
0 |
| T1110.001 |
Password Guessing |
7 |
0 |
| T1588 |
Obtain Capabilities |
2 |
2 |
| T1021.006 |
Windows Remote Management |
2 |
0 |
| T1095 |
Non-Application Layer Protocol |
3 |
0 |
| T1070.002 |
Clear Linux or Mac System Logs |
1 |
0 |
| T1590.002 |
DNS |
1 |
0 |
| T1210 |
Exploitation of Remote Services |
6 |
0 |
| T1037.004 |
RC Scripts |
1 |
0 |
| T1562.006 |
Indicator Blocking |
2 |
0 |
| T1205 |
Traffic Signaling |
2 |
2 |
| T1498.002 |
Reflection Amplification |
4 |
0 |
| T1003 |
OS Credential Dumping |
1 |
2 |
| T1588.004 |
Digital Certificates |
2 |
0 |
| T1090 |
Proxy |
4 |
3 |
| T1205.001 |
Port Knocking |
2 |
0 |
| T1553 |
Subvert Trust Controls |
1 |
2 |
| T1110.003 |
Password Spraying |
7 |
0 |
| T1566 |
Phishing |
1 |
3 |
| T1557 |
Adversary-in-the-Middle |
4 |
3 |
| T1205.002 |
Socket Filters |
1 |
0 |
| T1553.004 |
Install Root Certificate |
1 |
0 |
| T1491 |
Defacement |
3 |
2 |
| T1648 |
Serverless Execution |
1 |
0 |
| T1589 |
Gather Victim Identity Information |
2 |
3 |
| T1071.001 |
Web Protocols |
3 |
0 |
| T1649 |
Steal or Forge Authentication Certificates |
2 |
0 |
| T1199 |
Trusted Relationship |
1 |
0 |
| T1003.007 |
Proc Filesystem |
1 |
0 |
| T1098.004 |
SSH Authorized Keys |
1 |
0 |
| T1068 |
Exploitation for Privilege Escalation |
3 |
0 |
| T1499.004 |
Application or System Exploitation |
1 |
0 |
| T1070.003 |
Clear Command History |
1 |
0 |
| T1591.004 |
Identify Roles |
1 |
0 |
| T1059.004 |
Unix Shell |
1 |
0 |
| T1008 |
Fallback Channels |
2 |
0 |
| T1496 |
Resource Hijacking |
4 |
0 |
| T1622 |
Debugger Evasion |
1 |
0 |
| T1591.001 |
Determine Physical Locations |
1 |
0 |
| T1654 |
Log Enumeration |
1 |
0 |
| T1591 |
Gather Victim Org Information |
1 |
4 |
| T1070.005 |
Network Share Connection Removal |
1 |
0 |
| T1592.002 |
Software |
1 |
0 |
| T1053.003 |
Cron |
1 |
0 |
| T1482 |
Domain Trust Discovery |
1 |
0 |
| T1187 |
Forced Authentication |
1 |
0 |
| T1104 |
Multi-Stage Channels |
1 |
0 |
| T1021.002 |
SMB/Windows Admin Shares |
2 |
0 |
| T1562.001 |
Disable or Modify Tools |
4 |
0 |
| T1555 |
Credentials from Password Stores |
1 |
1 |
| T1090.001 |
Internal Proxy |
2 |
0 |
| T1567 |
Exfiltration Over Web Service |
1 |
4 |
| T1543.002 |
Systemd Service |
1 |
0 |
| T1499.001 |
OS Exhaustion Flood |
4 |
0 |
| T1491.002 |
External Defacement |
3 |
0 |
| T1098 |
Account Manipulation |
4 |
3 |
| T1595.002 |
Vulnerability Scanning |
5 |
0 |
