ATT&CK Technique ATT&CK Sub-technique(s) CAR Analytic(s)
T1003: OS Credential Dumping
T1003.003: NTDS
T1003.001: LSASS Memory
T1003.002: Security Account Manager
T1021: Remote Services (N/A - technique only)
T1021.001: Remote Desktop Protocol
T1021.002: SMB/Windows Admin Shares
T1021.003: Distributed Component Object Model
T1021.006: Windows Remote Management
T1036: Masquerading (N/A - technique only)
T1036.003: Rename System Utilities
T1036.005: Match Legitimate Name or Location
T1037: Boot or Logon Initialization Scripts T1037.001: Logon Script (Windows)
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
T1053.002: At (Windows)
T1055: Process Injection
T1055.012: Process Hollowing
T1055.001: Dynamic-link Library Injection
T1059: Command and Scripting Interpreter (N/A - technique only)
T1059.003: Windows Command Shell
T1059.005: Visual Basic
T1059.001: PowerShell
T1069: Permission Groups Discovery
T1069.001: Local Groups
T1069.002: Domain Groups
T1070: Indicator Removal on Host
T1070.003: Clear Command History
T1070.001: Clear Windows Event Logs
T1070.005: Network Share Connection Removal
T1078: Valid Accounts
T1078.002: Domain Accounts
T1078.003: Local Accounts
T1087: Account Discovery
T1087.001: Local Account
T1087.002: Domain Account
T1127: Trusted Developer Utilities Proxy Execution T1127.001: MSBuild
T1136: Create Account T1136.001: Local Account
T1204: User Execution T1204.002: Malicious File
T1218: Signed Binary Proxy Execution
T1218.010: Regsvr32
T1218.001: Compiled HTML File
T1218.011: Rundll32
T1218.003: CMSTP
T1222: File and Directory Permissions Modification
T1222.001: Windows File and Directory Permissions Modification
T1222.002: Linux and Mac File and Directory Permissions Modification
T1505: Server Software Component T1505.003: Web Shell
T1518: Software Discovery T1518.001: Security Software Discovery
T1543: Create or Modify System Process T1543.003: Windows Service
T1546: Event Triggered Execution
T1546.008: Accessibility Features
T1546.015: Component Object Model Hijacking
T1546.001: Change Default File Association
T1546.003: Windows Management Instrumentation Event Subscription
T1546.010: AppInit DLLs
T1546.002: Screensaver
T1547: Boot or Logon Autostart Execution
T1547.001: Registry Run Keys / Startup Folder
T1547.010: Port Monitors
T1547.004: Winlogon Helper DLL
T1548: Abuse Elevation Control Mechanism T1548.002: Bypass User Account Control
T1550: Use Alternate Authentication Material T1550.002: Pass the Hash
T1552: Unsecured Credentials
T1552.001: Credentials In Files
T1552.002: Credentials in Registry
T1553: Subvert Trust Controls T1553.004: Install Root Certificate
T1559: Inter-Process Communication T1559.002: Dynamic Data Exchange
T1560: Archive Collected Data T1560.001: Archive via Utility
T1562: Impair Defenses
T1562.001: Disable or Modify Tools
T1562.006: Indicator Blocking
T1562.002: Disable Windows Event Logging
T1564: Hide Artifacts T1564.004: NTFS File Attributes
T1569: System Services
T1569.001: Launchctl
T1569.002: Service Execution
T1574: Hijack Execution Flow
T1574.010: Services File Permissions Weakness
T1574.001: DLL Search Order Hijacking
T1574.011: Services Registry Permissions Weakness
T1574.007: Path Interception by PATH Environment Variable
T1574.008: Path Interception by Search Order Hijacking
T1574.009: Path Interception by Unquoted Path
T1606: Forge Web Credentials T1606.002: SAML Tokens