Windows Command Shell
Spearphishing Attachment
Indirect Command Execution
Exfiltration Over Unencrypted Non-C2 Protocol
Protocol or Service Impersonation
Server
Ingress Tool Transfer
Mshta
Application Window Discovery
Malware
Create Process with Token
SSH
Account Manipulation
Hidden Files and Directories
Data Destruction
Gather Victim Org Information
Native API
Valid Accounts
Embedded Payloads
Query Registry
External Proxy
Encrypted/Encoded File
Multi-Stage Channels
Network Service Discovery
Data from Local System
Service Stop
System Network Configuration Discovery
Digital Certificates
Symmetric Cryptography
System Information Discovery
System Owner/User Discovery
Reflective Code Loading
Exfiltration Over C2 Channel
Bidirectional Communication
Archive Collected Data
Exploitation for Client Execution
PowerShell
Spearphishing Link
Local Data Staging
Rename Legitimate Utilities
Windows Management Instrumentation
Web Protocols
Name Resolution Poisoning and SMB Relay
Process Discovery
Registry Run Keys / Startup Folder
Disable or Modify Tools
Email Addresses
Disk Content Wipe
Internal Defacement
Tool
Shortcut Modification
Visual Basic
Bootkit
Rundll32
Web Services
Keylogging
Non-Standard Port
Standard Encoding
Drive-by Compromise
Password Spraying
Malicious File
Code Signing
System Binary Proxy Execution
Archive via Library
Dynamic API Resolution
File Deletion
Internal Proxy
Fallback Channels
Deobfuscate/Decode Files or Information
Local Storage Discovery
Disk Structure Wipe
Domains
Scheduled Task
Spearphishing via Service
Match Legitimate Resource Name or Location
Indicator Removal
File and Directory Discovery
KernelCallbackTable
Dynamic-link Library Injection
Social Media Accounts
Remote Desktop Protocol
System Shutdown/Reboot
System Time Discovery
Masquerade Task or Service
Timestomp
Clear Command History
DLL
Windows Host Firewall
Windows Service
SMB/Windows Admin Shares
Email Accounts
System Network Connections Discovery
Archive via Custom Method