Analytic Coverage Comparison
Generated on: January 08, 2024
A cross-walk of CAR, Sigma, Elastic Detection, and Splunk Security Content rules in terms of their coverage of ATT&CK Techniques and Sub-techniques. Note that some analytics may have coverage for multiple techniques, so there is not necessarily a 1:1 correlation between the number of hits in this table for a technique/sub-technique and the number of analytics in each repository. The table below is current as of the "Generated on" date at the top of this page.
- # CAR: the number of CAR analytics that contain coverage for the technique/sub-technique.
- # Sigma: the number of Sigma rules that contain coverage for the technique/sub-technique.
- # ES: the number of ES detection rules that contain coverage for the technique/sub-technique.
- # Splunk: the number of Splunk detection rules that contain coverage for the technique/sub-technique.
- # Total: the total number of analytics between CAR/Sigma/ES/Splunk that contain coverage for the technique/sub-technique.
This table is sortable, so feel free to click on any column to sort by its values. Clicking on each of the CAR/Sigma/ES/Splunk results will search the corresponding repository for the analytics that contain coverage for the technique/sub-technique.
This data is also available as:
- A CSV file.
- Separate ATT&CK Navigator Layers:
  - CAR Analytic Coverage.
  - Sigma Analytic Coverage.
  - ES Analytic Coverage.
  - Splunk Analytic Coverage.
Technique ID | Technique Name | Sub-technique Name | # CAR | # Sigma | # ES | # Splunk | # Total |
---|---|---|---|---|---|---|---|
T1001 | Data Obfuscation | n/a | 0 | 0 | 0 | 0 | 0 |
T1001.001 | Data Obfuscation | Junk Data | 0 | 0 | 0 | 0 | 0 |
T1001.002 | Data Obfuscation | Steganography | 0 | 0 | 0 | 0 | 0 |
T1001.003 | Data Obfuscation | Protocol Impersonation | 0 | 3 | 0 | 1 | 4 |
T1003 | OS Credential Dumping | n/a | 0 | 23 | 34 | 36 | 93 |
T1003.001 | OS Credential Dumping | LSASS Memory | 5 | 75 | 10 | 14 | 104 |
T1003.002 | OS Credential Dumping | Security Account Manager | 1 | 28 | 5 | 9 | 43 |
T1003.003 | OS Credential Dumping | NTDS | 2 | 19 | 1 | 8 | 30 |
T1003.004 | OS Credential Dumping | LSA Secrets | 0 | 12 | 1 | 0 | 13 |
T1003.005 | OS Credential Dumping | Cached Domain Credentials | 0 | 8 | 0 | 1 | 9 |
T1003.006 | OS Credential Dumping | DCSync | 0 | 8 | 0 | 0 | 8 |
T1003.007 | OS Credential Dumping | Proc Filesystem | 0 | 0 | 0 | 0 | 0 |
T1003.008 | OS Credential Dumping | /etc/passwd and /etc/shadow | 0 | 0 | 1 | 1 | 2 |
T1005 | Data from Local System | n/a | 0 | 7 | 2 | 1 | 10 |
T1006 | Direct Volume Access | n/a | 0 | 1 | 1 | 0 | 2 |
T1007 | System Service Discovery | n/a | 2 | 3 | 0 | 0 | 5 |
T1008 | Fallback Channels | n/a | 0 | 2 | 0 | 0 | 2 |
T1010 | Application Window Discovery | n/a | 1 | 1 | 0 | 0 | 2 |
T1011 | Exfiltration Over Other Network Medium | n/a | 0 | 0 | 0 | 0 | 0 |
T1011.001 | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | 0 | 0 | 0 | 0 | 0 |
T1012 | Query Registry | n/a | 3 | 10 | 1 | 2 | 16 |
T1014 | Rootkit | n/a | 0 | 1 | 0 | 3 | 4 |
T1016 | System Network Configuration Discovery | n/a | 2 | 8 | 3 | 4 | 17 |
T1016.001 | System Network Configuration Discovery | Internet Connection Discovery | 0 | 0 | 0 | 1 | 1 |
T1018 | Remote System Discovery | n/a | 1 | 15 | 4 | 18 | 38 |
T1020 | Automated Exfiltration | n/a | 0 | 5 | 1 | 6 | 12 |
T1020.001 | Automated Exfiltration | Traffic Duplication | 0 | 0 | 0 | 1 | 1 |
T1021 | Remote Services | n/a | 1 | 3 | 34 | 24 | 62 |
T1021.001 | Remote Services | Remote Desktop Protocol | 3 | 14 | 1 | 9 | 27 |
T1021.002 | Remote Services | SMB/Windows Admin Shares | 5 | 33 | 6 | 5 | 49 |
T1021.003 | Remote Services | Distributed Component Object Model | 1 | 9 | 0 | 5 | 15 |
T1021.004 | Remote Services | SSH | 0 | 1 | 1 | 2 | 4 |
T1021.005 | Remote Services | VNC | 0 | 1 | 0 | 0 | 1 |
T1021.006 | Remote Services | Windows Remote Management | 3 | 9 | 0 | 6 | 18 |
T1025 | Data from Removable Media | n/a | 0 | 0 | 0 | 0 | 0 |
T1026 | Multiband Communication | n/a | 0 | 0 | 0 | 0 | 0 |
T1027 | Obfuscated Files or Information | n/a | 0 | 83 | 7 | 8 | 98 |
T1027.001 | Obfuscated Files or Information | Binary Padding | 0 | 3 | 0 | 0 | 3 |
T1027.002 | Obfuscated Files or Information | Software Packing | 0 | 1 | 0 | 0 | 1 |
T1027.003 | Obfuscated Files or Information | Steganography | 0 | 5 | 0 | 0 | 5 |
T1027.004 | Obfuscated Files or Information | Compile After Delivery | 0 | 5 | 2 | 1 | 8 |
T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools | 0 | 4 | 0 | 2 | 6 |
T1027.006 | Obfuscated Files or Information | HTML Smuggling | 0 | 0 | 1 | 0 | 1 |
T1029 | Scheduled Transfer | n/a | 1 | 0 | 0 | 0 | 1 |
T1030 | Data Transfer Size Limits | n/a | 0 | 2 | 0 | 0 | 2 |
T1033 | System Owner/User Discovery | n/a | 2 | 25 | 4 | 10 | 41 |
T1034 | Path Interception | n/a | 0 | 0 | 0 | 0 | 0 |
T1036 | Masquerading | n/a | 1 | 27 | 16 | 27 | 71 |
T1036.001 | Masquerading | Invalid Code Signature | 0 | 0 | 0 | 0 | 0 |
T1036.002 | Masquerading | Right-to-Left Override | 0 | 0 | 0 | 0 | 0 |
T1036.003 | Masquerading | Rename System Utilities | 1 | 21 | 2 | 22 | 46 |
T1036.004 | Masquerading | Masquerade Task or Service | 0 | 2 | 0 | 1 | 3 |
T1036.005 | Masquerading | Match Legitimate Name or Location | 1 | 9 | 1 | 1 | 12 |
T1036.006 | Masquerading | Space after Filename | 0 | 1 | 1 | 0 | 2 |
T1036.007 | Masquerading | Double File Extension | 0 | 2 | 1 | 0 | 3 |
T1037 | Boot or Logon Initialization Scripts | n/a | 0 | 0 | 5 | 2 | 7 |
T1037.001 | Boot or Logon Initialization Scripts | Logon Script (Windows) | 2 | 2 | 0 | 1 | 5 |
T1037.002 | Boot or Logon Initialization Scripts | Login Hook | 0 | 0 | 0 | 0 | 0 |
T1037.003 | Boot or Logon Initialization Scripts | Network Logon Script | 0 | 0 | 0 | 0 | 0 |
T1037.004 | Boot or Logon Initialization Scripts | RC Scripts | 0 | 0 | 2 | 1 | 3 |
T1037.005 | Boot or Logon Initialization Scripts | Startup Items | 0 | 1 | 0 | 0 | 1 |
T1039 | Data from Network Shared Drive | n/a | 1 | 2 | 0 | 1 | 4 |
T1040 | Network Sniffing | n/a | 1 | 8 | 2 | 1 | 12 |
T1041 | Exfiltration Over C2 Channel | n/a | 0 | 3 | 0 | 1 | 4 |
T1043 | Commonly Used Port | n/a | 0 | 0 | 0 | 0 | 0 |
T1046 | Network Service Discovery | n/a | 2 | 11 | 1 | 0 | 14 |
T1047 | Windows Management Instrumentation | n/a | 3 | 40 | 5 | 14 | 62 |
T1048 | Exfiltration Over Alternative Protocol | n/a | 0 | 7 | 6 | 9 | 22 |
T1048.001 | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | 0 | 1 | 0 | 0 | 1 |
T1048.002 | Exfiltration Over Alternative Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 0 | 0 | 0 | 0 | 0 |
T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol | 0 | 14 | 0 | 9 | 23 |
T1049 | System Network Connections Discovery | n/a | 1 | 8 | 1 | 6 | 16 |
T1051 | Shared Webroot | n/a | 0 | 0 | 0 | 0 | 0 |
T1052 | Exfiltration Over Physical Medium | n/a | 0 | 0 | 0 | 0 | 0 |
T1052.001 | Exfiltration Over Physical Medium | Exfiltration over USB | 0 | 0 | 0 | 0 | 0 |
T1053 | Scheduled Task/Job | n/a | 0 | 11 | 19 | 28 | 58 |
T1053.002 | Scheduled Task/Job | At | 3 | 8 | 0 | 3 | 14 |
T1053.003 | Scheduled Task/Job | Cron | 0 | 6 | 5 | 6 | 17 |
T1053.004 | Scheduled Task/Job | Launchd | 0 | 0 | 0 | 0 | 0 |
T1053.005 | Scheduled Task/Job | Scheduled Task | 6 | 38 | 9 | 15 | 68 |
T1053.006 | Scheduled Task/Job | Systemd Timers | 0 | 0 | 0 | 3 | 3 |
T1053.007 | Scheduled Task/Job | Container Orchestration Job | 0 | 0 | 0 | 0 | 0 |
T1055 | Process Injection | n/a | 0 | 23 | 13 | 26 | 62 |
T1055.001 | Process Injection | Dynamic-link Library Injection | 2 | 8 | 0 | 4 | 14 |
T1055.002 | Process Injection | Portable Executable Injection | 0 | 0 | 0 | 2 | 2 |
T1055.003 | Process Injection | Thread Execution Hijacking | 0 | 2 | 0 | 0 | 2 |
T1055.004 | Process Injection | Asynchronous Procedure Call | 0 | 0 | 0 | 0 | 0 |
T1055.005 | Process Injection | Thread Local Storage | 0 | 0 | 0 | 0 | 0 |
T1055.008 | Process Injection | Ptrace System Calls | 0 | 0 | 0 | 0 | 0 |
T1055.009 | Process Injection | Proc Memory | 0 | 0 | 0 | 0 | 0 |
T1055.011 | Process Injection | Extra Window Memory Injection | 0 | 0 | 0 | 0 | 0 |
T1055.012 | Process Injection | Process Hollowing | 1 | 2 | 2 | 0 | 5 |
T1055.013 | Process Injection | Process Doppelgänging | 0 | 0 | 0 | 0 | 0 |
T1055.014 | Process Injection | VDSO Hijacking | 0 | 0 | 0 | 0 | 0 |
T1055.015 | Process Injection | ListPlanting | 0 | 0 | 0 | 0 | 0 |
T1056 | Input Capture | n/a | 0 | 0 | 2 | 1 | 3 |
T1056.001 | Input Capture | Keylogging | 0 | 2 | 0 | 0 | 2 |
T1056.002 | Input Capture | GUI Input Capture | 0 | 3 | 1 | 1 | 5 |
T1056.003 | Input Capture | Web Portal Capture | 0 | 0 | 0 | 0 | 0 |
T1056.004 | Input Capture | Credential API Hooking | 0 | 0 | 0 | 0 | 0 |
T1057 | Process Discovery | n/a | 2 | 5 | 2 | 0 | 9 |
T1059 | Command and Scripting Interpreter | n/a | 1 | 51 | 64 | 57 | 173 |
T1059.001 | Command and Scripting Interpreter | PowerShell | 3 | 181 | 7 | 32 | 223 |
T1059.002 | Command and Scripting Interpreter | AppleScript | 0 | 2 | 2 | 0 | 4 |
T1059.003 | Command and Scripting Interpreter | Windows Command Shell | 2 | 21 | 0 | 9 | 32 |
T1059.004 | Command and Scripting Interpreter | Unix Shell | 0 | 8 | 18 | 3 | 29 |
T1059.005 | Command and Scripting Interpreter | Visual Basic | 1 | 18 | 0 | 4 | 23 |
T1059.006 | Command and Scripting Interpreter | Python | 0 | 2 | 2 | 0 | 4 |
T1059.007 | Command and Scripting Interpreter | JavaScript | 0 | 13 | 3 | 4 | 20 |
T1059.008 | Command and Scripting Interpreter | Network Device CLI | 0 | 0 | 0 | 0 | 0 |
T1061 | Graphical User Interface | n/a | 0 | 0 | 0 | 0 | 0 |
T1062 | Hypervisor | n/a | 0 | 0 | 0 | 0 | 0 |
T1064 | Scripting | n/a | 0 | 0 | 0 | 0 | 0 |
T1068 | Exploitation for Privilege Escalation | n/a | 1 | 25 | 18 | 10 | 54 |
T1069 | Permission Groups Discovery | n/a | 0 | 1 | 5 | 25 | 31 |
T1069.001 | Permission Groups Discovery | Local Groups | 3 | 14 | 1 | 11 | 29 |
T1069.002 | Permission Groups Discovery | Domain Groups | 3 | 10 | 2 | 18 | 33 |
T1069.003 | Permission Groups Discovery | Cloud Groups | 0 | 0 | 0 | 1 | 1 |
T1070 | Indicator Removal on Host | n/a | 0 | 13 | 14 | 23 | 50 |
T1070.001 | Indicator Removal on Host | Clear Windows Event Logs | 2 | 8 | 3 | 6 | 19 |
T1070.002 | Indicator Removal on Host | Clear Linux or Mac System Logs | 0 | 3 | 1 | 0 | 4 |
T1070.003 | Indicator Removal on Host | Clear Command History | 1 | 7 | 2 | 0 | 10 |
T1070.004 | Indicator Removal on Host | File Deletion | 0 | 12 | 4 | 12 | 28 |
T1070.005 | Indicator Removal on Host | Network Share Connection Removal | 1 | 3 | 0 | 1 | 5 |
T1070.006 | Indicator Removal on Host | Timestomp | 0 | 5 | 1 | 0 | 6 |
T1071 | Application Layer Protocol | n/a | 0 | 6 | 11 | 10 | 27 |
T1071.001 | Application Layer Protocol | Web Protocols | 0 | 29 | 3 | 2 | 34 |
T1071.002 | Application Layer Protocol | File Transfer Protocols | 0 | 0 | 0 | 1 | 1 |
T1071.003 | Application Layer Protocol | Mail Protocols | 0 | 0 | 0 | 3 | 3 |
T1071.004 | Application Layer Protocol | DNS | 0 | 17 | 0 | 4 | 21 |
T1072 | Software Deployment Tools | n/a | 0 | 3 | 0 | 2 | 5 |
T1074 | Data Staged | n/a | 0 | 2 | 2 | 1 | 5 |
T1074.001 | Data Staged | Local Data Staging | 0 | 4 | 0 | 0 | 4 |
T1074.002 | Data Staged | Remote Data Staging | 0 | 0 | 1 | 0 | 1 |
T1078 | Valid Accounts | n/a | 0 | 42 | 40 | 51 | 133 |
T1078.001 | Valid Accounts | Default Accounts | 0 | 1 | 2 | 8 | 11 |
T1078.002 | Valid Accounts | Domain Accounts | 5 | 1 | 2 | 6 | 14 |
T1078.003 | Valid Accounts | Local Accounts | 5 | 1 | 5 | 2 | 13 |
T1078.004 | Valid Accounts | Cloud Accounts | 0 | 3 | 1 | 28 | 32 |
T1080 | Taint Shared Content | n/a | 0 | 0 | 2 | 0 | 2 |
T1082 | System Information Discovery | n/a | 2 | 14 | 7 | 5 | 28 |
T1083 | File and Directory Discovery | n/a | 0 | 12 | 2 | 1 | 15 |
T1087 | Account Discovery | n/a | 0 | 12 | 4 | 27 | 43 |
T1087.001 | Account Discovery | Local Account | 2 | 11 | 0 | 11 | 24 |
T1087.002 | Account Discovery | Domain Account | 2 | 15 | 1 | 19 | 37 |
T1087.003 | Account Discovery | Email Account | 0 | 0 | 0 | 0 | 0 |
T1087.004 | Account Discovery | Cloud Account | 0 | 1 | 0 | 0 | 1 |
T1090 | Proxy | n/a | 0 | 11 | 1 | 3 | 15 |
T1090.001 | Proxy | Internal Proxy | 0 | 3 | 0 | 0 | 3 |
T1090.002 | Proxy | External Proxy | 0 | 1 | 0 | 0 | 1 |
T1090.003 | Proxy | Multi-hop Proxy | 0 | 2 | 1 | 0 | 3 |
T1090.004 | Proxy | Domain Fronting | 0 | 0 | 0 | 0 | 0 |
T1091 | Replication Through Removable Media | n/a | 0 | 1 | 0 | 0 | 1 |
T1092 | Communication Through Removable Media | n/a | 0 | 0 | 0 | 0 | 0 |
T1095 | Non-Application Layer Protocol | n/a | 0 | 4 | 1 | 2 | 7 |
T1098 | Account Manipulation | n/a | 1 | 22 | 35 | 10 | 68 |
T1098.001 | Account Manipulation | Additional Cloud Credentials | 0 | 0 | 0 | 1 | 1 |
T1098.002 | Account Manipulation | Additional Email Delegate Permissions | 0 | 0 | 2 | 0 | 2 |
T1098.003 | Account Manipulation | Additional Cloud Roles | 0 | 1 | 3 | 2 | 6 |
T1098.004 | Account Manipulation | SSH Authorized Keys | 0 | 0 | 1 | 3 | 4 |
T1098.005 | Account Manipulation | Device Registration | 0 | 0 | 0 | 0 | 0 |
T1102 | Web Service | n/a | 0 | 3 | 1 | 2 | 6 |
T1102.001 | Web Service | Dead Drop Resolver | 0 | 3 | 0 | 0 | 3 |
T1102.002 | Web Service | Bidirectional Communication | 0 | 2 | 0 | 0 | 2 |
T1102.003 | Web Service | One-Way Communication | 0 | 2 | 0 | 0 | 2 |
T1104 | Multi-Stage Channels | n/a | 0 | 1 | 0 | 0 | 1 |
T1105 | Ingress Tool Transfer | n/a | 4 | 47 | 9 | 23 | 83 |
T1106 | Native API | n/a | 0 | 12 | 6 | 0 | 18 |
T1108 | Redundant Access | n/a | 0 | 0 | 0 | 0 | 0 |
T1110 | Brute Force | n/a | 0 | 10 | 19 | 25 | 54 |
T1110.001 | Brute Force | Password Guessing | 0 | 3 | 6 | 3 | 12 |
T1110.002 | Brute Force | Password Cracking | 0 | 1 | 0 | 0 | 1 |
T1110.003 | Brute Force | Password Spraying | 0 | 8 | 6 | 15 | 29 |
T1110.004 | Brute Force | Credential Stuffing | 0 | 0 | 0 | 5 | 5 |
T1111 | Multi-Factor Authentication Interception | n/a | 0 | 0 | 1 | 0 | 1 |
T1112 | Modify Registry | n/a | 8 | 62 | 5 | 25 | 100 |
T1113 | Screen Capture | n/a | 0 | 6 | 1 | 3 | 10 |
T1114 | Email Collection | n/a | 0 | 4 | 3 | 8 | 15 |
T1114.001 | Email Collection | Local Email Collection | 0 | 1 | 0 | 2 | 3 |
T1114.002 | Email Collection | Remote Email Collection | 0 | 0 | 1 | 3 | 4 |
T1114.003 | Email Collection | Email Forwarding Rule | 0 | 0 | 1 | 2 | 3 |
T1115 | Clipboard Data | n/a | 0 | 6 | 0 | 2 | 8 |
T1119 | Automated Collection | n/a | 0 | 5 | 0 | 0 | 5 |
T1120 | Peripheral Device Discovery | n/a | 0 | 2 | 1 | 0 | 3 |
T1123 | Audio Capture | n/a | 0 | 6 | 1 | 0 | 7 |
T1124 | System Time Discovery | n/a | 0 | 3 | 0 | 1 | 4 |
T1125 | Video Capture | n/a | 0 | 1 | 0 | 0 | 1 |
T1127 | Trusted Developer Utilities Proxy Execution | n/a | 0 | 17 | 8 | 9 | 34 |
T1127.001 | Trusted Developer Utilities Proxy Execution | MSBuild | 1 | 1 | 3 | 6 | 11 |
T1129 | Shared Modules | n/a | 0 | 0 | 1 | 0 | 1 |
T1132 | Data Encoding | n/a | 0 | 0 | 0 | 0 | 0 |
T1132.001 | Data Encoding | Standard Encoding | 0 | 1 | 0 | 0 | 1 |
T1132.002 | Data Encoding | Non-Standard Encoding | 0 | 0 | 0 | 0 | 0 |
T1133 | External Remote Services | n/a | 0 | 7 | 5 | 0 | 12 |
T1134 | Access Token Manipulation | n/a | 0 | 0 | 12 | 5 | 17 |
T1134.001 | Access Token Manipulation | Token Impersonation/Theft | 0 | 7 | 1 | 3 | 11 |
T1134.002 | Access Token Manipulation | Create Process with Token | 0 | 5 | 3 | 1 | 9 |
T1134.003 | Access Token Manipulation | Make and Impersonate Token | 0 | 1 | 1 | 0 | 2 |
T1134.004 | Access Token Manipulation | Parent PID Spoofing | 0 | 1 | 2 | 1 | 4 |
T1134.005 | Access Token Manipulation | SID-History Injection | 0 | 1 | 0 | 0 | 1 |
T1135 | Network Share Discovery | n/a | 0 | 7 | 3 | 0 | 10 |
T1136 | Create Account | n/a | 0 | 1 | 7 | 14 | 22 |
T1136.001 | Create Account | Local Account | 1 | 12 | 2 | 5 | 20 |
T1136.002 | Create Account | Domain Account | 0 | 2 | 0 | 0 | 2 |
T1136.003 | Create Account | Cloud Account | 0 | 2 | 2 | 10 | 14 |
T1137 | Office Application Startup | n/a | 0 | 6 | 2 | 0 | 8 |
T1137.001 | Office Application Startup | Office Template Macros | 0 | 0 | 0 | 0 | 0 |
T1137.002 | Office Application Startup | Office Test | 0 | 1 | 0 | 0 | 1 |
T1137.003 | Office Application Startup | Outlook Forms | 0 | 1 | 0 | 0 | 1 |
T1137.004 | Office Application Startup | Outlook Home Page | 0 | 0 | 0 | 0 | 0 |
T1137.005 | Office Application Startup | Outlook Rules | 0 | 0 | 0 | 0 | 0 |
T1137.006 | Office Application Startup | Add-ins | 0 | 3 | 0 | 0 | 3 |
T1140 | Deobfuscate/Decode Files or Information | n/a | 1 | 13 | 6 | 2 | 22 |
T1149 | LC_MAIN Hijacking | n/a | 0 | 0 | 0 | 0 | 0 |
T1153 | Source | n/a | 0 | 0 | 0 | 0 | 0 |
T1175 | Component Object Model and Distributed COM | n/a | 0 | 0 | 0 | 0 | 0 |
T1176 | Browser Extensions | n/a | 0 | 1 | 0 | 0 | 1 |
T1185 | Browser Session Hijacking | n/a | 0 | 1 | 0 | 0 | 1 |
T1187 | Forced Authentication | n/a | 1 | 3 | 0 | 1 | 5 |
T1189 | Drive-by Compromise | n/a | 0 | 2 | 1 | 5 | 8 |
T1190 | Exploit Public-Facing Application | n/a | 0 | 74 | 15 | 31 | 120 |
T1195 | Supply Chain Compromise | n/a | 0 | 1 | 4 | 3 | 8 |
T1195.001 | Supply Chain Compromise | Compromise Software Dependencies and Development Tools | 0 | 1 | 0 | 2 | 3 |
T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain | 0 | 0 | 4 | 1 | 5 |
T1195.003 | Supply Chain Compromise | Compromise Hardware Supply Chain | 0 | 0 | 0 | 0 | 0 |
T1197 | BITS Jobs | n/a | 2 | 16 | 1 | 6 | 25 |
T1199 | Trusted Relationship | n/a | 0 | 1 | 0 | 2 | 3 |
T1200 | Hardware Additions | n/a | 0 | 2 | 0 | 5 | 7 |
T1201 | Password Policy Discovery | n/a | 0 | 4 | 0 | 7 | 11 |
T1202 | Indirect Command Execution | n/a | 0 | 28 | 0 | 4 | 32 |
T1203 | Exploitation for Client Execution | n/a | 0 | 21 | 2 | 4 | 27 |
T1204 | User Execution | n/a | 0 | 8 | 7 | 15 | 30 |
T1204.001 | User Execution | Malicious Link | 0 | 2 | 0 | 1 | 3 |
T1204.002 | User Execution | Malicious File | 1 | 26 | 3 | 4 | 34 |
T1204.003 | User Execution | Malicious Image | 0 | 0 | 0 | 7 | 7 |
T1205 | Traffic Signaling | n/a | 0 | 0 | 0 | 0 | 0 |
T1205.001 | Traffic Signaling | Port Knocking | 0 | 0 | 0 | 0 | 0 |
T1207 | Rogue Domain Controller | n/a | 0 | 1 | 0 | 0 | 1 |
T1210 | Exploitation of Remote Services | n/a | 0 | 8 | 1 | 3 | 12 |
T1211 | Exploitation for Defense Evasion | n/a | 0 | 3 | 1 | 0 | 4 |
T1212 | Exploitation for Credential Access | n/a | 0 | 8 | 1 | 2 | 11 |
T1213 | Data from Information Repositories | n/a | 0 | 0 | 0 | 1 | 1 |
T1213.001 | Data from Information Repositories | Confluence | 0 | 0 | 0 | 0 | 0 |
T1213.002 | Data from Information Repositories | Sharepoint | 0 | 0 | 0 | 0 | 0 |
T1213.003 | Data from Information Repositories | Code Repositories | 0 | 0 | 0 | 0 | 0 |
T1216 | System Script Proxy Execution | n/a | 0 | 17 | 0 | 1 | 18 |
T1216.001 | System Script Proxy Execution | PubPrn | 0 | 2 | 0 | 0 | 2 |
T1217 | Browser Bookmark Discovery | n/a | 0 | 3 | 0 | 0 | 3 |
T1218 | System Binary Proxy Execution | n/a | 0 | 94 | 18 | 70 | 182 |
T1218.001 | System Binary Proxy Execution | Compiled HTML File | 1 | 5 | 1 | 8 | 15 |
T1218.002 | System Binary Proxy Execution | Control Panel | 0 | 1 | 1 | 1 | 3 |
T1218.003 | System Binary Proxy Execution | CMSTP | 1 | 7 | 0 | 3 | 11 |
T1218.004 | System Binary Proxy Execution | InstallUtil | 0 | 0 | 1 | 9 | 10 |
T1218.005 | System Binary Proxy Execution | Mshta | 0 | 8 | 4 | 12 | 24 |
T1218.007 | System Binary Proxy Execution | Msiexec | 0 | 9 | 0 | 9 | 18 |
T1218.008 | System Binary Proxy Execution | Odbcconf | 0 | 1 | 0 | 4 | 5 |
T1218.009 | System Binary Proxy Execution | Regsvcs/Regasm | 0 | 1 | 1 | 6 | 8 |
T1218.010 | System Binary Proxy Execution | Regsvr32 | 2 | 16 | 2 | 6 | 26 |
T1218.011 | System Binary Proxy Execution | Rundll32 | 1 | 32 | 3 | 16 | 52 |
T1218.012 | System Binary Proxy Execution | Verclsid | 0 | 0 | 0 | 1 | 1 |
T1218.013 | System Binary Proxy Execution | Mavinject | 0 | 2 | 0 | 1 | 3 |
T1218.014 | System Binary Proxy Execution | MMC | 0 | 0 | 0 | 3 | 3 |
T1219 | Remote Access Software | n/a | 0 | 28 | 3 | 3 | 34 |
T1220 | XSL Script Processing | n/a | 0 | 3 | 3 | 2 | 8 |
T1221 | Template Injection | n/a | 0 | 1 | 0 | 0 | 1 |
T1222 | File and Directory Permissions Modification | n/a | 0 | 0 | 4 | 11 | 15 |
T1222.001 | File and Directory Permissions Modification | Windows File and Directory Permissions Modification | 1 | 4 | 0 | 2 | 7 |
T1222.002 | File and Directory Permissions Modification | Linux and Mac File and Directory Permissions Modification | 1 | 4 | 1 | 1 | 7 |
T1480 | Execution Guardrails | n/a | 0 | 0 | 0 | 0 | 0 |
T1480.001 | Execution Guardrails | Environmental Keying | 0 | 0 | 0 | 0 | 0 |
T1482 | Domain Trust Discovery | n/a | 0 | 13 | 2 | 11 | 26 |
T1484 | Domain Policy Modification | n/a | 0 | 2 | 4 | 2 | 8 |
T1484.001 | Domain Policy Modification | Group Policy Modification | 0 | 2 | 0 | 0 | 2 |
T1484.002 | Domain Policy Modification | Domain Trust Modification | 0 | 0 | 1 | 2 | 3 |
T1485 | Data Destruction | n/a | 0 | 10 | 8 | 19 | 37 |
T1486 | Data Encrypted for Impact | n/a | 0 | 10 | 1 | 7 | 18 |
T1489 | Service Stop | n/a | 0 | 7 | 6 | 14 | 27 |
T1490 | Inhibit System Recovery | n/a | 2 | 18 | 6 | 12 | 38 |
T1491 | Defacement | n/a | 0 | 0 | 0 | 2 | 2 |
T1491.001 | Defacement | Internal Defacement | 0 | 2 | 0 | 0 | 2 |
T1491.002 | Defacement | External Defacement | 0 | 0 | 0 | 0 | 0 |
T1495 | Firmware Corruption | n/a | 0 | 1 | 0 | 0 | 1 |
T1496 | Resource Hijacking | n/a | 0 | 4 | 1 | 0 | 5 |
T1497 | Virtualization/Sandbox Evasion | n/a | 0 | 0 | 1 | 1 | 2 |
T1497.001 | Virtualization/Sandbox Evasion | System Checks | 0 | 1 | 0 | 0 | 1 |
T1497.002 | Virtualization/Sandbox Evasion | User Activity Based Checks | 0 | 0 | 0 | 0 | 0 |
T1497.003 | Virtualization/Sandbox Evasion | Time Based Evasion | 0 | 0 | 0 | 1 | 1 |
T1498 | Network Denial of Service | n/a | 0 | 0 | 1 | 7 | 8 |
T1498.001 | Network Denial of Service | Direct Network Flood | 0 | 0 | 0 | 0 | 0 |
T1498.002 | Network Denial of Service | Reflection Amplification | 0 | 0 | 0 | 1 | 1 |
T1499 | Endpoint Denial of Service | n/a | 0 | 1 | 1 | 1 | 3 |
T1499.001 | Endpoint Denial of Service | OS Exhaustion Flood | 0 | 1 | 0 | 0 | 1 |
T1499.002 | Endpoint Denial of Service | Service Exhaustion Flood | 0 | 0 | 0 | 0 | 0 |
T1499.003 | Endpoint Denial of Service | Application Exhaustion Flood | 0 | 0 | 0 | 0 | 0 |
T1499.004 | Endpoint Denial of Service | Application or System Exploitation | 0 | 3 | 0 | 0 | 3 |
T1505 | Server Software Component | n/a | 0 | 1 | 2 | 7 | 10 |
T1505.001 | Server Software Component | SQL Stored Procedures | 0 | 0 | 0 | 0 | 0 |
T1505.002 | Server Software Component | Transport Agent | 0 | 3 | 0 | 0 | 3 |
T1505.003 | Server Software Component | Web Shell | 1 | 27 | 2 | 7 | 37 |
T1505.004 | Server Software Component | IIS Components | 0 | 0 | 0 | 0 | 0 |
T1505.005 | Server Software Component | Terminal Services DLL | 0 | 1 | 0 | 0 | 1 |
T1518 | Software Discovery | n/a | 0 | 2 | 3 | 0 | 5 |
T1518.001 | Software Discovery | Security Software Discovery | 1 | 4 | 2 | 0 | 7 |
T1525 | Implant Internal Image | n/a | 0 | 1 | 0 | 0 | 1 |
T1526 | Cloud Service Discovery | n/a | 0 | 2 | 1 | 7 | 10 |
T1528 | Steal Application Access Token | n/a | 0 | 10 | 3 | 0 | 13 |
T1529 | System Shutdown/Reboot | n/a | 0 | 6 | 0 | 3 | 9 |
T1530 | Data from Cloud Storage Object | n/a | 0 | 0 | 5 | 6 | 11 |
T1531 | Account Access Removal | n/a | 0 | 3 | 9 | 4 | 16 |
T1534 | Internal Spearphishing | n/a | 0 | 0 | 0 | 0 | 0 |
T1535 | Unused/Unsupported Cloud Regions | n/a | 0 | 0 | 0 | 8 | 8 |
T1537 | Transfer Data to Cloud Account | n/a | 0 | 4 | 6 | 2 | 12 |
T1538 | Cloud Service Dashboard | n/a | 0 | 0 | 0 | 0 | 0 |
T1539 | Steal Web Session Cookie | n/a | 0 | 2 | 3 | 0 | 5 |
T1542 | Pre-OS Boot | n/a | 0 | 0 | 0 | 1 | 1 |
T1542.001 | Pre-OS Boot | System Firmware | 0 | 2 | 0 | 0 | 2 |
T1542.002 | Pre-OS Boot | Component Firmware | 0 | 0 | 0 | 0 | 0 |
T1542.003 | Pre-OS Boot | Bootkit | 0 | 1 | 0 | 0 | 1 |
T1542.004 | Pre-OS Boot | ROMMONkit | 0 | 0 | 0 | 0 | 0 |
T1542.005 | Pre-OS Boot | TFTP Boot | 0 | 0 | 0 | 1 | 1 |
T1543 | Create or Modify System Process | n/a | 0 | 9 | 28 | 16 | 53 |
T1543.001 | Create or Modify System Process | Launch Agent | 0 | 0 | 3 | 2 | 5 |
T1543.002 | Create or Modify System Process | Systemd Service | 0 | 2 | 1 | 0 | 3 |
T1543.003 | Create or Modify System Process | Windows Service | 6 | 40 | 10 | 14 | 70 |
T1543.004 | Create or Modify System Process | Launch Daemon | 0 | 0 | 0 | 0 | 0 |
T1546 | Event Triggered Execution | n/a | 0 | 9 | 15 | 15 | 39 |
T1546.001 | Event Triggered Execution | Change Default File Association | 1 | 3 | 0 | 3 | 7 |
T1546.002 | Event Triggered Execution | Screensaver | 1 | 4 | 1 | 1 | 7 |
T1546.003 | Event Triggered Execution | Windows Management Instrumentation Event Subscription | 1 | 12 | 1 | 3 | 17 |
T1546.004 | Event Triggered Execution | Unix Shell Configuration Modification | 0 | 1 | 1 | 2 | 4 |
T1546.005 | Event Triggered Execution | Trap | 0 | 0 | 0 | 0 | 0 |
T1546.006 | Event Triggered Execution | LC_LOAD_DYLIB Addition | 0 | 0 | 0 | 0 | 0 |
T1546.007 | Event Triggered Execution | Netsh Helper DLL | 0 | 2 | 0 | 0 | 2 |
T1546.008 | Event Triggered Execution | Accessibility Features | 3 | 7 | 1 | 1 | 12 |
T1546.009 | Event Triggered Execution | AppCert DLLs | 0 | 2 | 1 | 0 | 3 |
T1546.010 | Event Triggered Execution | AppInit DLLs | 2 | 1 | 1 | 0 | 4 |
T1546.011 | Event Triggered Execution | Application Shimming | 0 | 2 | 2 | 3 | 7 |
T1546.012 | Event Triggered Execution | Image File Execution Options Injection | 0 | 2 | 1 | 2 | 5 |
T1546.013 | Event Triggered Execution | PowerShell Profile | 0 | 3 | 1 | 0 | 4 |
T1546.014 | Event Triggered Execution | Emond | 0 | 1 | 2 | 0 | 3 |
T1546.015 | Event Triggered Execution | Component Object Model Hijacking | 1 | 9 | 1 | 4 | 15 |
T1547 | Boot or Logon Autostart Execution | n/a | 0 | 6 | 24 | 16 | 46 |
T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | 4 | 31 | 9 | 2 | 46 |
T1547.002 | Boot or Logon Autostart Execution | Authentication Package | 0 | 1 | 2 | 0 | 3 |
T1547.003 | Boot or Logon Autostart Execution | Time Providers | 0 | 1 | 1 | 1 | 3 |
T1547.004 | Boot or Logon Autostart Execution | Winlogon Helper DLL | 2 | 3 | 0 | 0 | 5 |
T1547.005 | Boot or Logon Autostart Execution | Security Support Provider | 0 | 1 | 1 | 1 | 3 |
T1547.006 | Boot or Logon Autostart Execution | Kernel Modules and Extensions | 0 | 1 | 4 | 3 | 8 |
T1547.007 | Boot or Logon Autostart Execution | Re-opened Applications | 0 | 0 | 0 | 0 | 0 |
T1547.008 | Boot or Logon Autostart Execution | LSASS Driver | 0 | 1 | 0 | 1 | 2 |
T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification | 0 | 4 | 0 | 0 | 4 |
T1547.010 | Boot or Logon Autostart Execution | Port Monitors | 1 | 4 | 1 | 1 | 7 |
T1547.012 | Boot or Logon Autostart Execution | Print Processors | 0 | 0 | 0 | 7 | 7 |
T1547.013 | Boot or Logon Autostart Execution | XDG Autostart Entries | 0 | 0 | 0 | 0 | 0 |
T1547.014 | Boot or Logon Autostart Execution | Active Setup | 0 | 1 | 0 | 1 | 2 |
T1547.015 | Boot or Logon Autostart Execution | Login Items | 0 | 0 | 0 | 0 | 0 |
T1548 | Abuse Elevation Control Mechanism | n/a | 1 | 17 | 23 | 51 | 92 |
T1548.001 | Abuse Elevation Control Mechanism | Setuid and Setgid | 0 | 1 | 2 | 3 | 6 |
T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control | 3 | 48 | 11 | 13 | 75 |
T1548.003 | Abuse Elevation Control Mechanism | Sudo and Sudo Caching | 0 | 2 | 4 | 32 | 38 |
T1548.004 | Abuse Elevation Control Mechanism | Elevated Execution with Prompt | 0 | 0 | 1 | 0 | 1 |
T1550 | Use Alternate Authentication Material | n/a | 0 | 3 | 6 | 9 | 18 |
T1550.001 | Use Alternate Authentication Material | Application Access Token | 0 | 3 | 5 | 0 | 8 |
T1550.002 | Use Alternate Authentication Material | Pass the Hash | 1 | 5 | 0 | 3 | 9 |
T1550.003 | Use Alternate Authentication Material | Pass the Ticket | 0 | 3 | 1 | 3 | 7 |
T1550.004 | Use Alternate Authentication Material | Web Session Cookie | 0 | 0 | 0 | 0 | 0 |
T1552 | Unsecured Credentials | n/a | 0 | 5 | 7 | 5 | 17 |
T1552.001 | Unsecured Credentials | Credentials In Files | 1 | 14 | 2 | 1 | 18 |
T1552.002 | Unsecured Credentials | Credentials in Registry | 1 | 3 | 0 | 3 | 7 |
T1552.003 | Unsecured Credentials | Bash History | 0 | 3 | 0 | 0 | 3 |
T1552.004 | Unsecured Credentials | Private Keys | 0 | 5 | 1 | 1 | 7 |
T1552.005 | Unsecured Credentials | Cloud Instance Metadata API | 0 | 0 | 0 | 0 | 0 |
T1552.006 | Unsecured Credentials | Group Policy Preferences | 0 | 4 | 0 | 0 | 4 |
T1552.007 | Unsecured Credentials | Container API | 0 | 2 | 0 | 0 | 2 |
T1553 | Subvert Trust Controls | n/a | 0 | 2 | 5 | 2 | 9 |
T1553.001 | Subvert Trust Controls | Gatekeeper Bypass | 0 | 1 | 0 | 0 | 1 |
T1553.002 | Subvert Trust Controls | Code Signing | 0 | 1 | 1 | 0 | 2 |
T1553.003 | Subvert Trust Controls | SIP and Trust Provider Hijacking | 0 | 1 | 1 | 0 | 2 |
T1553.004 | Subvert Trust Controls | Install Root Certificate | 1 | 5 | 2 | 2 | 10 |
T1553.005 | Subvert Trust Controls | Mark-of-the-Web Bypass | 0 | 3 | 0 | 0 | 3 |
T1553.006 | Subvert Trust Controls | Code Signing Policy Modification | 0 | 0 | 0 | 0 | 0 |
T1554 | Compromise Client Software Binary | n/a | 0 | 3 | 2 | 2 | 7 |
T1555 | Credentials from Password Stores | n/a | 0 | 4 | 9 | 4 | 17 |
T1555.001 | Credentials from Password Stores | Keychain | 0 | 1 | 4 | 0 | 5 |
T1555.002 | Credentials from Password Stores | Securityd Memory | 0 | 0 | 0 | 0 | 0 |
T1555.003 | Credentials from Password Stores | Credentials from Web Browsers | 0 | 2 | 2 | 3 | 7 |
T1555.004 | Credentials from Password Stores | Windows Credential Manager | 0 | 4 | 2 | 0 | 6 |
T1555.005 | Credentials from Password Stores | Password Managers | 0 | 1 | 0 | 1 | 2 |
T1556 | Modify Authentication Process | n/a | 0 | 2 | 9 | 5 | 16 |
T1556.001 | Modify Authentication Process | Domain Controller Authentication | 0 | 0 | 0 | 0 | 0 |
T1556.002 | Modify Authentication Process | Password Filter DLL | 0 | 3 | 0 | 0 | 3 |
T1556.003 | Modify Authentication Process | Pluggable Authentication Modules | 0 | 0 | 0 | 0 | 0 |
T1556.004 | Modify Authentication Process | Network Device Authentication | 0 | 0 | 0 | 0 | 0 |
T1556.005 | Modify Authentication Process | Reversible Encryption | 0 | 0 | 0 | 0 | 0 |
T1557 | Adversary-in-the-Middle | n/a | 0 | 1 | 0 | 4 | 5 |
T1557.001 | Adversary-in-the-Middle | LLMNR/NBT-NS Poisoning and SMB Relay | 0 | 7 | 0 | 0 | 7 |
T1557.002 | Adversary-in-the-Middle | ARP Cache Poisoning | 0 | 0 | 0 | 3 | 3 |
T1557.003 | Adversary-in-the-Middle | DHCP Spoofing | 0 | 0 | 0 | 0 | 0 |
T1558 | Steal or Forge Kerberos Tickets | n/a | 0 | 3 | 9 | 18 | 30 |
T1558.001 | Steal or Forge Kerberos Tickets | Golden Ticket | 0 | 0 | 0 | 1 | 1 |
T1558.002 | Steal or Forge Kerberos Tickets | Silver Ticket | 0 | 0 | 0 | 0 | 0 |
T1558.003 | Steal or Forge Kerberos Tickets | Kerberoasting | 0 | 11 | 1 | 8 | 20 |
T1558.004 | Steal or Forge Kerberos Tickets | AS-REP Roasting | 0 | 0 | 0 | 7 | 7 |
T1559 | Inter-Process Communication | n/a | 0 | 1 | 2 | 0 | 3 |
T1559.001 | Inter-Process Communication | Component Object Model | 0 | 4 | 1 | 1 | 6 |
T1559.002 | Inter-Process Communication | Dynamic Data Exchange | 1 | 1 | 0 | 0 | 2 |
T1559.003 | Inter-Process Communication | XPC Services | 0 | 0 | 0 | 0 | 0 |
T1560 | Archive Collected Data | n/a | 0 | 2 | 2 | 6 | 10 |
T1560.001 | Archive Collected Data | Archive via Utility | 1 | 12 | 2 | 6 | 21 |
T1560.002 | Archive Collected Data | Archive via Library | 0 | 0 | 0 | 0 | 0 |
T1560.003 | Archive Collected Data | Archive via Custom Method | 0 | 0 | 0 | 0 | 0 |
T1561 | Disk Wipe | n/a | 0 | 0 | 0 | 2 | 2 |
T1561.001 | Disk Wipe | Disk Content Wipe | 0 | 1 | 0 | 0 | 1 |
T1561.002 | Disk Wipe | Disk Structure Wipe | 0 | 1 | 0 | 2 | 3 |
T1562 | Impair Defenses | n/a | 0 | 17 | 77 | 62 | 156 |
T1562.001 | Impair Defenses | Disable or Modify Tools | 3 | 74 | 39 | 45 | 161 |
T1562.002 | Impair Defenses | Disable Windows Event Logging | 1 | 12 | 2 | 0 | 15 |
T1562.003 | Impair Defenses | Impair Command History Logging | 0 | 0 | 0 | 0 | 0 |
T1562.004 | Impair Defenses | Disable or Modify System Firewall | 0 | 13 | 4 | 5 | 22 |
T1562.006 | Impair Defenses | Indicator Blocking | 2 | 4 | 3 | 1 | 10 |
T1562.007 | Impair Defenses | Disable or Modify Cloud Firewall | 0 | 0 | 3 | 6 | 9 |
T1562.008 | Impair Defenses | Disable Cloud Logs | 0 | 0 | 0 | 6 | 6 |
T1562.009 | Impair Defenses | Safe Mode Boot | 0 | 0 | 0 | 0 | 0 |
T1562.010 | Impair Defenses | Downgrade Attack | 0 | 1 | 0 | 0 | 1 |
T1563 | Remote Service Session Hijacking | n/a | 0 | 0 | 0 | 0 | 0 |
T1563.001 | Remote Service Session Hijacking | SSH Hijacking | 0 | 0 | 0 | 0 | 0 |
T1563.002 | Remote Service Session Hijacking | RDP Hijacking | 0 | 2 | 0 | 0 | 2 |
T1564 | Hide Artifacts | n/a | 0 | 6 | 7 | 1 | 14 |
T1564.001 | Hide Artifacts | Hidden Files and Directories | 0 | 8 | 5 | 2 | 15 |
T1564.002 | Hide Artifacts | Hidden Users | 0 | 4 | 0 | 0 | 4 |
T1564.003 | Hide Artifacts | Hidden Window | 0 | 2 | 0 | 0 | 2 |
T1564.004 | Hide Artifacts | NTFS File Attributes | 2 | 19 | 2 | 0 | 23 |
T1564.005 | Hide Artifacts | Hidden File System | 0 | 0 | 0 | 0 | 0 |
T1564.006 | Hide Artifacts | Run Virtual Instance | 0 | 2 | 0 | 0 | 2 |
T1564.007 | Hide Artifacts | VBA Stomping | 0 | 0 | 0 | 0 | 0 |
T1564.008 | Hide Artifacts | Email Hiding Rules | 0 | 0 | 0 | 0 | 0 |
T1564.009 | Hide Artifacts | Resource Forking | 0 | 0 | 0 | 0 | 0 |
T1564.010 | Hide Artifacts | Process Argument Spoofing | 0 | 0 | 0 | 0 | 0 |
T1565 | Data Manipulation | n/a | 0 | 3 | 3 | 0 | 6 |
T1565.001 | Data Manipulation | Stored Data Manipulation | 0 | 3 | 3 | 0 | 6 |
T1565.002 | Data Manipulation | Transmitted Data Manipulation | 0 | 1 | 0 | 0 | 1 |
T1565.003 | Data Manipulation | Runtime Data Manipulation | 0 | 0 | 0 | 0 | 0 |
T1566 | Phishing | n/a | 0 | 9 | 17 | 33 | 59 |
T1566.001 | Phishing | Spearphishing Attachment | 0 | 15 | 11 | 29 | 55 |
T1566.002 | Phishing | Spearphishing Link | 0 | 1 | 8 | 1 | 10 |
T1566.003 | Phishing | Spearphishing via Service | 0 | 0 | 0 | 1 | 1 |
T1567 | Exfiltration Over Web Service | n/a | 0 | 7 | 1 | 2 | 10 |
T1567.001 | Exfiltration Over Web Service | Exfiltration to Code Repository | 0 | 3 | 0 | 0 | 3 |
T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage | 0 | 7 | 0 | 1 | 8 |
T1568 | Dynamic Resolution | n/a | 0 | 1 | 3 | 0 | 4 |
T1568.001 | Dynamic Resolution | Fast Flux DNS | 0 | 0 | 0 | 0 | 0 |
T1568.002 | Dynamic Resolution | Domain Generation Algorithms | 0 | 2 | 3 | 1 | 6 |
T1568.003 | Dynamic Resolution | DNS Calculation | 0 | 0 | 0 | 0 | 0 |
T1569 | System Services | n/a | 0 | 4 | 3 | 5 | 12 |
T1569.001 | System Services | Launchctl | 1 | 0 | 0 | 0 | 1 |
T1569.002 | System Services | Service Execution | 4 | 40 | 3 | 5 | 52 |
T1570 | Lateral Tool Transfer | n/a | 3 | 2 | 1 | 0 | 6 |
T1571 | Non-Standard Port | n/a | 0 | 3 | 1 | 0 | 4 |
T1572 | Protocol Tunneling | n/a | 0 | 12 | 5 | 3 | 20 |
T1573 | Encrypted Channel | n/a | 0 | 4 | 1 | 2 | 7 |
T1573.001 | Encrypted Channel | Symmetric Cryptography | 0 | 0 | 0 | 0 | 0 |
T1573.002 | Encrypted Channel | Asymmetric Cryptography | 0 | 0 | 0 | 0 | 0 |
T1574 | Hijack Execution Flow | n/a | 0 | 8 | 9 | 11 | 28 |
T1574.001 | Hijack Execution Flow | DLL Search Order Hijacking | 1 | 22 | 1 | 4 | 28 |
T1574.002 | Hijack Execution Flow | DLL Side-Loading | 0 | 42 | 2 | 5 | 49 |
T1574.004 | Hijack Execution Flow | Dylib Hijacking | 0 | 0 | 0 | 0 | 0 |
T1574.005 | Hijack Execution Flow | Executable Installer File Permissions Weakness | 0 | 1 | 0 | 0 | 1 |
T1574.006 | Hijack Execution Flow | Dynamic Linker Hijacking | 0 | 2 | 3 | 1 | 6 |
T1574.007 | Hijack Execution Flow | Path Interception by PATH Environment Variable | 1 | 1 | 3 | 0 | 5 |
T1574.008 | Hijack Execution Flow | Path Interception by Search Order Hijacking | 1 | 1 | 0 | 0 | 2 |
T1574.009 | Hijack Execution Flow | Path Interception by Unquoted Path | 2 | 0 | 0 | 1 | 3 |
T1574.010 | Hijack Execution Flow | Services File Permissions Weakness | 2 | 0 | 1 | 0 | 3 |
T1574.011 | Hijack Execution Flow | Services Registry Permissions Weakness | 4 | 9 | 0 | 2 | 15 |
T1574.012 | Hijack Execution Flow | COR_PROFILER | 0 | 2 | 0 | 0 | 2 |
T1574.013 | Hijack Execution Flow | KernelCallbackTable | 0 | 0 | 0 | 0 | 0 |
T1578 | Modify Cloud Compute Infrastructure | n/a | 0 | 1 | 2 | 0 | 3 |
T1578.001 | Modify Cloud Compute Infrastructure | Create Snapshot | 0 | 0 | 0 | 0 | 0 |
T1578.002 | Modify Cloud Compute Infrastructure | Create Cloud Instance | 0 | 0 | 0 | 0 | 0 |
T1578.003 | Modify Cloud Compute Infrastructure | Delete Cloud Instance | 0 | 1 | 0 | 0 | 1 |
T1578.004 | Modify Cloud Compute Infrastructure | Revert Cloud Instance | 0 | 0 | 1 | 0 | 1 |
T1580 | Cloud Infrastructure Discovery | n/a | 0 | 0 | 0 | 2 | 2 |
T1583 | Acquire Infrastructure | n/a | 0 | 0 | 0 | 0 | 0 |
T1583.001 | Acquire Infrastructure | Domains | 0 | 0 | 0 | 0 | 0 |
T1583.002 | Acquire Infrastructure | DNS Server | 0 | 0 | 0 | 0 | 0 |
T1583.003 | Acquire Infrastructure | Virtual Private Server | 0 | 0 | 0 | 0 | 0 |
T1583.004 | Acquire Infrastructure | Server | 0 | 0 | 0 | 0 | 0 |
T1583.005 | Acquire Infrastructure | Botnet | 0 | 0 | 0 | 0 | 0 |
T1583.006 | Acquire Infrastructure | Web Services | 0 | 0 | 0 | 0 | 0 |
T1584 | Compromise Infrastructure | n/a | 0 | 2 | 0 | 0 | 2 |
T1584.001 | Compromise Infrastructure | Domains | 0 | 0 | 0 | 0 | 0 |
T1584.002 | Compromise Infrastructure | DNS Server | 0 | 0 | 0 | 0 | 0 |
T1584.003 | Compromise Infrastructure | Virtual Private Server | 0 | 0 | 0 | 0 | 0 |
T1584.004 | Compromise Infrastructure | Server | 0 | 0 | 0 | 0 | 0 |
T1584.005 | Compromise Infrastructure | Botnet | 0 | 0 | 0 | 0 | 0 |
T1584.006 | Compromise Infrastructure | Web Services | 0 | 0 | 0 | 0 | 0 |
T1585 | Establish Accounts | n/a | 0 | 0 | 0 | 0 | 0 |
T1585.001 | Establish Accounts | Social Media Accounts | 0 | 0 | 0 | 0 | 0 |
T1585.002 | Establish Accounts | Email Accounts | 0 | 0 | 0 | 0 | 0 |
T1586 | Compromise Accounts | n/a | 0 | 0 | 0 | 26 | 26 |
T1586.001 | Compromise Accounts | Social Media Accounts | 0 | 0 | 0 | 0 | 0 |
T1586.002 | Compromise Accounts | Email Accounts | 0 | 0 | 0 | 0 | 0 |
T1587 | Develop Capabilities | n/a | 0 | 5 | 0 | 0 | 5 |
T1587.001 | Develop Capabilities | Malware | 0 | 10 | 0 | 0 | 10 |
T1587.002 | Develop Capabilities | Code Signing Certificates | 0 | 0 | 0 | 0 | 0 |
T1587.003 | Develop Capabilities | Digital Certificates | 0 | 0 | 0 | 2 | 2 |
T1587.004 | Develop Capabilities | Exploits | 0 | 0 | 0 | 0 | 0 |
T1588 | Obtain Capabilities | n/a | 0 | 2 | 1 | 0 | 3 |
T1588.001 | Obtain Capabilities | Malware | 0 | 1 | 0 | 0 | 1 |
T1588.002 | Obtain Capabilities | Tool | 0 | 7 | 0 | 2 | 9 |
T1588.003 | Obtain Capabilities | Code Signing Certificates | 0 | 0 | 0 | 0 | 0 |
T1588.004 | Obtain Capabilities | Digital Certificates | 0 | 0 | 0 | 2 | 2 |
T1588.005 | Obtain Capabilities | Exploits | 0 | 0 | 0 | 0 | 0 |
T1588.006 | Obtain Capabilities | Vulnerabilities | 0 | 0 | 0 | 0 | 0 |
T1589 | Gather Victim Identity Information | n/a | 0 | 1 | 0 | 2 | 3 |
T1589.001 | Gather Victim Identity Information | Credentials | 0 | 0 | 0 | 1 | 1 |
T1589.002 | Gather Victim Identity Information | Email Addresses | 0 | 0 | 0 | 1 | 1 |
T1589.003 | Gather Victim Identity Information | Employee Names | 0 | 0 | 0 | 0 | 0 |
T1590 | Gather Victim Network Information | n/a | 0 | 2 | 0 | 2 | 4 |
T1590.001 | Gather Victim Network Information | Domain Properties | 0 | 0 | 0 | 0 | 0 |
T1590.002 | Gather Victim Network Information | DNS | 0 | 0 | 0 | 0 | 0 |
T1590.003 | Gather Victim Network Information | Network Trust Dependencies | 0 | 0 | 0 | 0 | 0 |
T1590.004 | Gather Victim Network Information | Network Topology | 0 | 0 | 0 | 0 | 0 |
T1590.005 | Gather Victim Network Information | IP Addresses | 0 | 0 | 0 | 2 | 2 |
T1590.006 | Gather Victim Network Information | Network Security Appliances | 0 | 0 | 0 | 0 | 0 |
T1591 | Gather Victim Org Information | n/a | 0 | 0 | 0 | 0 | 0 |
T1591.001 | Gather Victim Org Information | Determine Physical Locations | 0 | 0 | 0 | 0 | 0 |
T1591.002 | Gather Victim Org Information | Business Relationships | 0 | 0 | 0 | 0 | 0 |
T1591.003 | Gather Victim Org Information | Identify Business Tempo | 0 | 0 | 0 | 0 | 0 |
T1591.004 | Gather Victim Org Information | Identify Roles | 0 | 0 | 0 | 0 | 0 |
T1592 | Gather Victim Host Information | n/a | 0 | 1 | 0 | 5 | 6 |
T1592.001 | Gather Victim Host Information | Hardware | 0 | 0 | 0 | 1 | 1 |
T1592.002 | Gather Victim Host Information | Software | 0 | 0 | 0 | 0 | 0 |
T1592.003 | Gather Victim Host Information | Firmware | 0 | 0 | 0 | 0 | 0 |
T1592.004 | Gather Victim Host Information | Client Configurations | 0 | 3 | 0 | 0 | 3 |
T1593 | Search Open Websites/Domains | n/a | 0 | 0 | 0 | 0 | 0 |
T1593.001 | Search Open Websites/Domains | Social Media | 0 | 0 | 0 | 0 | 0 |
T1593.002 | Search Open Websites/Domains | Search Engines | 0 | 0 | 0 | 0 | 0 |
T1594 | Search Victim-Owned Websites | n/a | 0 | 0 | 0 | 0 | 0 |
T1595 | Active Scanning | n/a | 0 | 0 | 0 | 1 | 1 |
T1595.001 | Active Scanning | Scanning IP Blocks | 0 | 0 | 0 | 0 | 0 |
T1595.002 | Active Scanning | Vulnerability Scanning | 0 | 1 | 0 | 0 | 1 |
T1595.003 | Active Scanning | Wordlist Scanning | 0 | 0 | 0 | 0 | 0 |
T1596 | Search Open Technical Databases | n/a | 0 | 0 | 0 | 0 | 0 |
T1596.001 | Search Open Technical Databases | DNS/Passive DNS | 0 | 0 | 0 | 0 | 0 |
T1596.002 | Search Open Technical Databases | WHOIS | 0 | 0 | 0 | 0 | 0 |
T1596.003 | Search Open Technical Databases | Digital Certificates | 0 | 0 | 0 | 0 | 0 |
T1596.004 | Search Open Technical Databases | CDNs | 0 | 0 | 0 | 0 | 0 |
T1596.005 | Search Open Technical Databases | Scan Databases | 0 | 0 | 0 | 0 | 0 |
T1597 | Search Closed Sources | n/a | 0 | 0 | 0 | 0 | 0 |
T1597.001 | Search Closed Sources | Threat Intel Vendors | 0 | 0 | 0 | 0 | 0 |
T1597.002 | Search Closed Sources | Purchase Technical Data | 0 | 0 | 0 | 0 | 0 |
T1598 | Phishing for Information | n/a | 0 | 0 | 0 | 0 | 0 |
T1598.001 | Phishing for Information | Spearphishing Service | 0 | 0 | 0 | 0 | 0 |
T1598.002 | Phishing for Information | Spearphishing Attachment | 0 | 0 | 0 | 0 | 0 |
T1598.003 | Phishing for Information | Spearphishing Link | 0 | 0 | 0 | 0 | 0 |
T1599 | Network Boundary Bridging | n/a | 0 | 0 | 0 | 0 | 0 |
T1599.001 | Network Boundary Bridging | Network Address Translation Traversal | 0 | 1 | 0 | 0 | 1 |
T1600 | Weaken Encryption | n/a | 0 | 0 | 0 | 0 | 0 |
T1600.001 | Weaken Encryption | Reduce Key Space | 0 | 0 | 0 | 0 | 0 |
T1600.002 | Weaken Encryption | Disable Crypto Hardware | 0 | 0 | 0 | 0 | 0 |
T1601 | Modify System Image | n/a | 0 | 0 | 0 | 0 | 0 |
T1601.001 | Modify System Image | Patch System Image | 0 | 0 | 0 | 0 | 0 |
T1601.002 | Modify System Image | Downgrade System Image | 0 | 0 | 0 | 0 | 0 |
T1602 | Data from Configuration Repository | n/a | 0 | 0 | 0 | 0 | 0 |
T1602.001 | Data from Configuration Repository | SNMP (MIB Dump) | 0 | 0 | 0 | 0 | 0 |
T1602.002 | Data from Configuration Repository | Network Device Configuration Dump | 0 | 0 | 0 | 0 | 0 |
T1606 | Forge Web Credentials | n/a | 0 | 0 | 0 | 0 | 0 |
T1606.001 | Forge Web Credentials | Web Cookies | 0 | 0 | 0 | 0 | 0 |
T1606.002 | Forge Web Credentials | SAML Tokens | 1 | 0 | 0 | 0 | 1 |
T1608 | Stage Capabilities | n/a | 0 | 1 | 0 | 0 | 1 |
T1608.001 | Stage Capabilities | Upload Malware | 0 | 0 | 0 | 0 | 0 |
T1608.002 | Stage Capabilities | Upload Tool | 0 | 0 | 0 | 0 | 0 |
T1608.003 | Stage Capabilities | Install Digital Certificate | 0 | 0 | 0 | 0 | 0 |
T1608.004 | Stage Capabilities | Drive-by Target | 0 | 0 | 0 | 0 | 0 |
T1608.005 | Stage Capabilities | Link Target | 0 | 0 | 0 | 0 | 0 |
T1609 | Container Administration Command | n/a | 0 | 0 | 1 | 0 | 1 |
T1610 | Deploy Container | n/a | 0 | 0 | 6 | 0 | 6 |
T1611 | Escape to Host | n/a | 0 | 0 | 6 | 0 | 6 |
T1612 | Build Image on Host | n/a | 0 | 0 | 0 | 0 | 0 |
T1613 | Container and Resource Discovery | n/a | 0 | 0 | 2 | 0 | 2 |
T1614 | System Location Discovery | n/a | 0 | 0 | 1 | 0 | 1 |
T1614.001 | System Location Discovery | System Language Discovery | 0 | 1 | 0 | 0 | 1 |
T1615 | Group Policy Discovery | n/a | 0 | 4 | 0 | 0 | 4 |
T1619 | Cloud Storage Object Discovery | n/a | 0 | 0 | 0 | 0 | 0 |
T1620 | Reflective Code Loading | n/a | 0 | 1 | 0 | 0 | 1 |
T1621 | Multi-Factor Authentication Request Generation | n/a | 0 | 0 | 0 | 7 | 7 |
T1622 | Debugger Evasion | n/a | 0 | 0 | 0 | 0 | 0 |
T1647 | Plist File Modification | n/a | 0 | 0 | 2 | 1 | 3 |