Internal Defacement
Virtual Private Server
Data Obfuscation
Internal Spearphishing
Windows Management Instrumentation
Non-Application Layer Protocol
File and Directory Discovery
Replication Through Removable Media
Automated Collection
Match Legitimate Resource Name or Location
Compile After Delivery
Ingress Tool Transfer
VNC
Junk Code Insertion
Rundll32
Spearphishing Attachment
System Information Discovery
Visual Basic
Screen Capture
Security Software Discovery
Data from Local System
Data from Network Shared Drive
Upload Malware
Compression
One-Way Communication
Modify Registry
Internet Connection Discovery
Reflective Code Loading
Component Object Model
Query Registry
Data from Removable Media
Template Injection
Disable or Modify Tools
Deobfuscate/Decode Files or Information
Malicious Link
Taint Shared Content
Native API
Web Services
Disk Content Wipe
System Owner/User Discovery
Digital Certificates
Hidden Window
LNK Icon Smuggling
File Deletion
PowerShell
Non-Standard Port
Tool
Automated Exfiltration
Web Protocols
Domains
Fast Flux DNS
Process Injection
Peripheral Device Discovery
Exfiltration Over C2 Channel
Multi-hop Proxy
Scheduled Task
Obfuscated Files or Information
Process Discovery
Command Obfuscation
Malicious File
Dynamic Resolution
Proxy
Registry Run Keys / Startup Folder
Execution Guardrails
Bidirectional Communication
Windows Command Shell
Mshta
Office Application Startup
Web Service
System Checks