NTDS
Credentials
Gather Victim Org Information
Hidden Files and Directories
Virtual Private Server
Search Open Technical Databases
Domains
Timestomp
External Proxy
Spearphishing Attachment
PowerShell
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Registry Run Keys / Startup Folder
Encrypted/Encoded File
Exploitation for Client Execution
Email Accounts
Remote Email Collection
Web Shell
Network Devices
Pass the Hash
Logon Script (Windows)
Tool
Hidden Window
Multi-hop Proxy
Exfiltration Over Web Service
Keylogging
File and Directory Discovery
Exploit Public-Facing Application
Wi-Fi Networks
Data from Network Shared Drive
Screen Capture
Password Guessing
Web Services
Process Discovery
Drive-by Compromise
Vulnerability Scanning
Component Object Model Hijacking
Trusted Relationship
Peripheral Device Discovery
Windows Command Shell
Evil Twin
Network Denial of Service
File Deletion
Archive Collected Data
Ingress Tool Transfer
Phishing for Information
Dynamic Data Exchange
Match Legitimate Resource Name or Location
Automated Collection
Cloud Accounts
Template Injection
Data from Local System
Sharepoint
Valid Accounts
Data from Removable Media
Web Protocols
Data from Information Repositories
Rundll32
Archive via Utility
Deobfuscate/Decode Files or Information
Spearphishing Link
Bootkit
Mail Protocols
Masquerading
Exploitation of Remote Services
Rootkit
Malicious File
Application Access Token
Data Transfer Size Limits
Token Impersonation/Theft
Remote Data Staging
Communication Through Removable Media
Additional Email Delegate Permissions
OS Credential Dumping
Network Sniffing
Exploitation for Privilege Escalation
Office Test
Steal Application Access Token
Password Spraying
Malicious Link
External Remote Services
Bidirectional Communication
Junk Data
Clear Windows Event Logs
Exploitation for Stealth
LSASS Memory
Symmetric Cryptography
Local Data Staging
Replication Through Removable Media
Artificial Intelligence
Brute Force
Impersonation
SMB/Windows Admin Shares