Exploiting vulnerabilities
Which techniques are used to exploit vulnerabilities?
We have analyzed each CVE to identify the MITRE ATT&CK Enterprise techniques it enables or facilitates. These charts show the distribution of attack tactics and techniques across 37,236 annotated CVEs, their severity and exploit probability, and how actively exploited vulnerabilities (CISA KEV) compare to the full set.
Last updated: 28 May 2026 22:48 UTC
Tactics & Techniques
How are vulnerabilities linked to tactics and techniques?
Technique Risk
Which techniques are used to exploit the most severe vulnerabilities?
→ Each bubble is one MITRE technique. Bubble size = CVE count. The upper-right quadrant (high CVSS, high EPSS) highlights techniques associated with the most severe and exploit-likely vulnerabilities.
Top 25 techniques by CVE count.
| ID | Name | Tactic | CVEs | Avg CVSS | Avg EPSS |
|---|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access | 21,819 | 7.47 | 0.0169 |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | 4,905 | 7.79 | 0.0073 |
| T1499.004 | Application or System Exploitation | Impact | 3,526 | 6.77 | 0.0036 |
| T1213.006 | Databases | Collection | 3,231 | 7.21 | 0.0075 |
| T1059.007 | JavaScript | Execution | 2,826 | 5.78 | 0.0049 |
| T1203 | Exploitation for Client Execution | Execution | 2,022 | 7.96 | 0.0101 |
| T1005 | Data from Local System | Collection | 1,623 | 7.13 | 0.0281 |
| T1059.004 | Unix Shell | Execution | 1,437 | 8.04 | 0.0383 |
| T1539 | Steal Web Session Cookie | Credential Access | 1,325 | 6.02 | 0.0061 |
| T1505 | Server Software Component | Persistence | 1,206 | 6.64 | 0.0047 |
| T1505.003 | Web Shell | Persistence | 1,032 | 7.81 | 0.0401 |
| T1210 | Exploitation of Remote Services | Lateral Movement | 1,007 | 8.20 | 0.0239 |
| T1185 | Browser Session Hijacking | Collection | 883 | 6.57 | 0.0034 |
| T1204.002 | Malicious File | Execution | 840 | 7.49 | 0.0035 |
| T1189 | Drive-by Compromise | Initial Access | 813 | 7.30 | 0.0055 |
| T1059 | Command and Scripting Interpreter | Execution | 704 | 8.00 | 0.0193 |
| T1565.001 | Stored Data Manipulation | Impact | 634 | 7.22 | 0.0042 |
| T1552.001 | Credentials In Files | Credential Access | 613 | 7.10 | 0.0386 |
| T1204.001 | Malicious Link | Execution | 500 | 7.09 | 0.0036 |
| T1083 | File and Directory Discovery | Discovery | 406 | 6.85 | 0.0508 |
| T1566.002 | Spearphishing Link | Initial Access | 401 | 6.65 | 0.0044 |
| T1555.003 | Credentials from Web Browsers | Credential Access | 389 | 5.48 | 0.0083 |
| T1059.008 | Network Device CLI | Execution | 362 | 7.71 | 0.0466 |
| T1105 | Ingress Tool Transfer | Command And Control | 358 | 7.42 | 0.0361 |
| T1552 | Unsecured Credentials | Credential Access | 351 | 7.06 | 0.0132 |
KEV Tactics
KEV Techniques
Top 25 techniques by KEV count, sorted by KEV count descending.
| ID | Name | KEV count | All count | KEV % | All % | Ratio |
|---|---|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | 130 | 22,266 | 56.0% | 59.80% | 0.9× |
| T1068 | Exploitation for Privilege Escalation | 45 | 5,163 | 19.4% | 13.87% | 1.4× |
| T1203 | Exploitation for Client Execution | 30 | 2,092 | 12.9% | 5.62% | 2.3× |
| T1059.004 | Unix Shell | 18 | 1,460 | 7.8% | 3.92% | 2.0× |
| T1005 | Data from Local System | 15 | 1,690 | 6.5% | 4.54% | 1.4× |
| T1210 | Exploitation of Remote Services | 13 | 1,024 | 5.6% | 2.75% | 2.0× |
| T1189 | Drive-by Compromise | 12 | 822 | 5.2% | 2.21% | 2.3× |
| T1195.002 | Compromise Software Supply Chain | 8 | 91 | 3.4% | 0.24% | 14.1× |
| T1059 | Command and Scripting Interpreter | 6 | 734 | 2.6% | 1.97% | 1.3× |
| T1204.002 | Malicious File | 6 | 860 | 2.6% | 2.31% | 1.1× |
| T1505.003 | Web Shell | 6 | 1,053 | 2.6% | 2.83% | 0.9× |
| T1552.001 | Credentials In Files | 6 | 644 | 2.6% | 1.73% | 1.5× |
| T1083 | File and Directory Discovery | 5 | 435 | 2.2% | 1.17% | 1.8× |
| T1078.001 | Default Accounts | 4 | 200 | 1.7% | 0.54% | 3.2× |
| T1105 | Ingress Tool Transfer | 4 | 369 | 1.7% | 0.99% | 1.7× |
| T1136.001 | Local Account | 4 | 88 | 1.7% | 0.24% | 7.3× |
| T1187 | Forced Authentication | 4 | 21 | 1.7% | 0.06% | 30.6× |
| T1195.001 | Compromise Software Dependencies and Development Tools | 4 | 59 | 1.7% | 0.16% | 10.9× |
| T1212 | Exploitation for Credential Access | 4 | 295 | 1.7% | 0.79% | 2.2× |
| T1059.006 | Python | 3 | 306 | 1.3% | 0.82% | 1.6× |
| T1059.007 | JavaScript | 3 | 2,863 | 1.3% | 7.69% | 0.2× |
| T1059.008 | Network Device CLI | 3 | 364 | 1.3% | 0.98% | 1.3× |
| T1211 | Exploitation for Stealth | 3 | 131 | 1.3% | 0.35% | 3.7× |
| T1611 | Escape to Host | 3 | 97 | 1.3% | 0.26% | 5.0× |
| T1003 | OS Credential Dumping | 2 | 13 | 0.9% | 0.03% | 24.7× |
Mitigating Controls per Technique
Which NIST 800-53 r5 controls mitigate each ATT&CK technique?
→ One row per technique. The # Controls column counts the NIST 800-53 r5 controls that have a published mitigation relationship with this technique (Center for Threat-Informed Defense / mappings-explorer, refreshed to ATT&CK v19).
| Technique | Name | Tactic(s) | # Controls | Top mitigating controls (NIST 800-53 r5) |
|---|---|---|---|---|
| T1530 | Data from Cloud Storage | Collection | 32 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 AC-7 CA-7 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-3 IA-4 IA-5 IA-6 IA-8 RA-5 SC-28 SC-4 SC-7 SI-10 SI-12 SI-15 SI-4 SI-7 |
| T1552 | Unsecured Credentials | Credential Access | 32 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-3 IA-4 IA-5 RA-5 SA-11 SA-15 SC-12 SC-28 SC-4 SC-7 SI-10 SI-12 SI-15 SI-2 SI-4 SI-7 |
| T1210 | Exploitation of Remote Services | Lateral Movement | 31 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-2 CA-7 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-8 RA-10 RA-5 SC-18 SC-2 SC-26 SC-29 SC-3 SC-30 SC-35 SC-39 SC-46 SC-7 SI-2 SI-3 SI-4 SI-5 SI-7 |
| T1190 | Exploit Public-Facing Application | Initial Access | 29 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-2 CA-7 CM-5 CM-6 CM-7 CM-8 IA-2 IA-8 RA-10 RA-5 SA-8 SC-18 SC-2 SC-29 SC-3 SC-30 SC-39 SC-46 SC-7 SI-10 SI-2 SI-3 SI-4 SI-7 |
| T1072 | Software Deployment Tools | Execution, Lateral Movement | 27 | AC-12 AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CA-7 CM-11 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-5 SA-10 SA-9 SC-12 SC-17 SC-46 SC-7 SI-2 SI-23 SI-3 SI-4 SI-7 |
| T1565 | Data Manipulation | Impact | 26 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 CP-10 CP-6 CP-7 CP-9 SC-28 SC-36 SC-4 SC-46 SC-7 SI-12 SI-16 SI-23 SI-4 SI-7 |
| T1078 | Valid Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 25 | AC-2 AC-3 AC-5 AC-6 CA-3 CA-7 CM-5 CM-6 CM-7 IA-12 IA-13 IA-2 IA-5 RA-5 SA-10 SA-11 SA-15 SA-17 SA-3 SA-4 SA-8 SC-28 SC-43 SC-7 SI-4 |
| T1602 | Data from Configuration Repository | Collection | 25 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 IA-3 IA-4 SC-28 SC-3 SC-4 SC-7 SC-8 SI-10 SI-12 SI-15 SI-3 SI-4 SI-7 |
| T1602.001 | SNMP (MIB Dump) | Collection | 25 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 IA-3 IA-4 SC-28 SC-3 SC-4 SC-7 SC-8 SI-10 SI-12 SI-15 SI-3 SI-4 SI-7 |
| T1602.002 | Network Device Configuration Dump | Collection | 25 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 IA-3 IA-4 SC-28 SC-3 SC-4 SC-7 SC-8 SI-10 SI-12 SI-15 SI-3 SI-4 SI-7 |
| T1078.004 | Cloud Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 24 | AC-2 AC-20 AC-3 AC-5 AC-6 AC-7 CA-7 CM-5 CM-6 CM-7 IA-12 IA-13 IA-2 IA-5 SA-10 SA-11 SA-15 SA-17 SA-3 SA-4 SA-8 SC-28 SC-43 SI-4 |
| T1212 | Exploitation for Credential Access | Credential Access | 24 | AC-2 AC-4 AC-6 CA-7 CM-2 CM-6 CM-8 IA-2 IA-5 RA-10 RA-5 SC-18 SC-2 SC-26 SC-3 SC-30 SC-35 SC-39 SC-7 SI-2 SI-3 SI-4 SI-5 SI-7 |
| T1213 | Data from Information Repositories | Collection | 24 | AC-16 AC-17 AC-2 AC-21 AC-23 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-8 RA-5 SC-28 SC-37 SI-4 SI-7 |
| T1213.005 | Messaging Applications | Collection | 24 | AC-16 AC-17 AC-2 AC-21 AC-23 AC-3 AC-4 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-8 RA-5 SC-28 SC-37 SI-2 SI-4 SI-7 |
| T1557 | Adversary-in-the-Middle | Credential Access, Collection | 24 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SC-23 SC-4 SC-46 SC-7 SC-8 SI-10 SI-12 SI-15 SI-3 SI-4 SI-7 |
| T1601 | Modify System Image | Defense Impairment | 24 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-5 IA-7 RA-9 SA-10 SA-11 SC-34 SI-2 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1601.001 | Patch System Image | Defense Impairment | 24 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-5 IA-7 RA-9 SA-10 SA-11 SC-34 SI-2 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1601.002 | Downgrade System Image | Defense Impairment | 24 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-5 IA-7 RA-9 SA-10 SA-11 SC-34 SI-2 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1021.001 | Remote Desktop Protocol | Lateral Movement | 23 | AC-11 AC-12 AC-17 AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 AC-7 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-5 IA-6 RA-5 SC-46 SC-7 SI-4 |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration | 23 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-4 AC-6 CA-3 CA-7 CM-2 CM-6 CM-7 SA-8 SA-9 SC-28 SC-31 SC-46 SC-7 SI-10 SI-15 SI-3 SI-4 SR-4 |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration | 23 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-4 AC-6 CA-3 CA-7 CM-2 CM-6 CM-7 SA-8 SA-9 SC-28 SC-31 SC-46 SC-7 SI-10 SI-15 SI-3 SI-4 SR-4 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration | 23 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-4 AC-6 CA-3 CA-7 CM-2 CM-6 CM-7 SA-8 SA-9 SC-13 SC-28 SC-31 SC-7 SI-10 SI-15 SI-3 SI-4 SR-4 |
| T1059 | Command and Scripting Interpreter | Execution | 23 | AC-17 AC-2 AC-3 AC-5 AC-6 CA-7 CM-11 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-8 IA-9 RA-5 SC-18 SI-10 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1213.001 | Confluence | Collection | 23 | AC-16 AC-17 AC-2 AC-21 AC-23 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-8 RA-5 SC-28 SI-4 SI-7 |
| T1213.002 | Sharepoint | Collection | 23 | AC-16 AC-17 AC-2 AC-21 AC-23 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-8 RA-5 SC-28 SI-4 SI-7 |
| T1542.005 | TFTP Boot | Stealth, Persistence | 23 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-7 IA-8 RA-5 RA-9 SA-10 SA-11 SC-34 SC-7 SI-2 SI-4 SI-7 |
| T1565.001 | Stored Data Manipulation | Impact | 23 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 CA-7 CM-2 CM-6 CM-8 CP-10 CP-6 CP-7 CP-9 SC-28 SC-36 SC-4 SC-7 SI-12 SI-16 SI-23 SI-4 SI-7 |
| T1003 | OS Credential Dumping | Credential Access | 22 | AC-16 AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 CP-9 IA-2 IA-4 IA-5 SC-28 SC-39 SI-12 SI-2 SI-3 SI-4 SI-7 |
| T1021.005 | VNC | Lateral Movement | 22 | AC-17 AC-2 AC-3 AC-4 AC-6 CA-7 CM-11 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-6 RA-5 SC-7 SI-10 SI-15 SI-3 SI-4 |
| T1070.008 | Clear Mailbox Data | Stealth | 22 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-6 CP-6 CP-7 CP-9 SC-36 SC-4 SI-12 SI-3 SI-4 SI-7 |
| T1195 | Supply Chain Compromise | Initial Access | 22 | AC-2 AC-3 AC-6 CA-2 CA-7 CM-11 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 RA-10 RA-5 SA-22 SI-2 SI-3 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1211 | Exploitation for Stealth | Stealth | 22 | AC-4 AC-6 CA-7 CM-2 CM-6 CM-8 RA-10 RA-5 SC-18 SC-2 SC-26 SC-29 SC-3 SC-30 SC-35 SC-39 SC-7 SI-2 SI-3 SI-4 SI-5 SI-7 |
| T1505.004 | IIS Components | Persistence | 22 | AC-17 AC-3 AC-4 AC-6 CM-11 CM-2 CM-6 CM-7 CM-8 IA-2 RA-5 SA-10 SA-11 SC-7 SI-14 SI-16 SI-3 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1548 | Abuse Elevation Control Mechanism | Privilege Escalation | 22 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SC-18 SC-34 SI-12 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1557.002 | ARP Cache Poisoning | Credential Access, Collection | 22 | AC-16 AC-17 AC-18 AC-19 AC-20 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 SC-23 SC-4 SC-7 SC-8 SI-10 SI-12 SI-15 SI-3 SI-4 SI-7 |
| T1020.001 | Traffic Duplication | Exfiltration | 21 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-3 AC-4 AC-6 CA-3 CM-2 CM-5 CM-6 CM-7 CM-8 SC-4 SC-7 SC-8 SI-12 SI-4 SI-7 |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | 21 | AC-2 AC-4 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 RA-10 RA-5 SC-18 SC-2 SC-3 SC-30 SC-39 SC-7 SI-2 SI-3 SI-4 SI-5 SI-7 |
| T1505 | Server Software Component | Persistence | 21 | AC-16 AC-2 AC-3 AC-5 AC-6 CM-11 CM-2 CM-5 CM-6 CM-8 IA-2 RA-5 SA-10 SA-11 SC-16 SI-14 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1505.002 | Transport Agent | Persistence | 21 | AC-16 AC-2 AC-3 AC-5 AC-6 CM-11 CM-2 CM-5 CM-6 CM-8 IA-2 RA-5 SA-10 SA-11 SC-16 SI-14 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1552.004 | Private Keys | Credential Access | 21 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 CA-7 CM-2 CM-6 IA-2 IA-5 RA-5 SA-11 SA-15 SC-12 SC-28 SC-4 SC-7 SI-12 SI-4 SI-7 |
| T1685.005 | Clear Windows Event Logs | Defense Impairment | 21 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-6 CP-6 CP-7 CP-9 SC-36 SC-4 SI-12 SI-23 SI-3 SI-4 SI-7 |
| T1685.006 | Clear Linux or Mac System Logs | Defense Impairment | 21 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-6 CP-6 CP-7 CP-9 SC-36 SC-4 SI-12 SI-23 SI-3 SI-4 SI-7 |
| T1070 | Indicator Removal | Stealth | 20 | AC-16 AC-17 AC-18 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-6 CP-6 CP-7 CP-9 SC-36 SC-4 SI-12 SI-23 SI-3 SI-4 SI-7 |
| T1218 | System Binary Proxy Execution | Stealth | 20 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-11 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SC-7 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1537 | Transfer Data to Cloud Account | Exfiltration | 20 | AC-16 AC-17 AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CA-7 CM-5 CM-6 CM-7 IA-2 IA-3 IA-4 IA-8 SC-7 SI-10 SI-15 SI-4 |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation | 20 | AC-17 AC-2 AC-3 AC-5 AC-6 CA-7 CM-11 CM-2 CM-3 CM-5 CM-6 CM-7 IA-2 IA-4 RA-5 SA-22 SI-16 SI-3 SI-4 SI-7 |
| T1553 | Subvert Trust Controls | Defense Impairment | 20 | AC-2 AC-3 AC-6 CM-10 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-7 IA-9 RA-9 SA-10 SA-11 SC-34 SI-10 SI-2 SI-4 SI-7 |
| T1003.001 | LSASS Memory | Credential Access | 19 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-5 SC-28 SC-3 SC-39 SI-16 SI-2 SI-3 SI-4 |
| T1021.003 | Distributed Component Object Model | Lateral Movement | 19 | AC-17 AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SC-18 SC-3 SC-46 SC-7 SI-3 SI-4 |
| T1052 | Exfiltration Over Physical Medium | Exfiltration | 19 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 MP-7 RA-5 SA-8 SC-28 SC-41 SI-3 SI-4 SR-4 |
| T1052.001 | Exfiltration over USB | Exfiltration | 19 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 MP-7 RA-5 SA-8 SC-28 SC-41 SI-3 SI-4 SR-4 |
| T1059.001 | PowerShell | Execution | 19 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-8 IA-2 IA-8 IA-9 RA-5 SI-10 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1078.003 | Local Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 19 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-5 CM-6 IA-12 IA-2 SA-10 SA-11 SA-15 SA-16 SA-17 SA-3 SA-4 SA-8 SC-28 SI-4 |
| T1528 | Steal Application Access Token | Credential Access | 19 | AC-10 AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-13 IA-2 IA-4 IA-5 IA-8 RA-5 SA-11 SA-15 SI-4 |
| T1542 | Pre-OS Boot | Stealth, Persistence | 19 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-3 CM-5 CM-6 CM-8 IA-2 IA-7 IA-8 RA-9 SA-10 SA-11 SC-34 SC-7 SI-2 SI-7 |
| T1542.004 | ROMMONkit | Stealth, Persistence | 19 | AC-3 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 IA-7 RA-5 RA-9 SA-10 SA-11 SC-34 SC-7 SI-2 SI-4 SI-7 |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access | 19 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 IA-5 SC-4 SI-12 SI-3 SI-4 SI-7 |
| T1558.002 | Silver Ticket | Credential Access | 19 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 IA-5 SC-4 SI-12 SI-3 SI-4 SI-7 |
| T1558.003 | Kerberoasting | Credential Access | 19 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 IA-5 SC-4 SI-12 SI-3 SI-4 SI-7 |
| T1558.004 | AS-REP Roasting | Credential Access | 19 | AC-16 AC-17 AC-18 AC-19 AC-2 AC-3 CA-7 CM-2 CM-6 IA-2 IA-5 RA-5 SA-11 SA-15 SC-4 SI-12 SI-3 SI-4 SI-7 |
| T1559 | Inter-Process Communication | Execution | 19 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-10 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SC-18 SC-3 SC-7 SI-2 SI-3 SI-4 |
| T1563 | Remote Service Session Hijacking | Lateral Movement | 19 | AC-12 AC-17 AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-6 RA-5 SC-46 SC-7 SI-4 |
| T1611 | Escape to Host | Privilege Escalation | 19 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 SC-2 SC-3 SC-34 SC-39 SC-7 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1685 | Disable or Modify Tools | Defense Impairment | 19 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-10 CM-2 CM-5 CM-6 CM-7 IA-2 IA-4 IA-9 RA-5 SC-23 SC-8 SI-3 SI-4 SI-7 |
| T1003.003 | NTDS | Credential Access | 18 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CP-9 IA-2 IA-5 SC-28 SC-39 SI-12 SI-3 SI-4 SI-7 |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | 18 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-4 AC-6 CA-3 CA-7 SA-8 SA-9 SC-13 SC-28 SC-31 SC-7 SI-3 SI-4 SR-4 |
| T1071.004 | DNS | Command And Control | 18 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-10 SC-20 SC-21 SC-22 SC-23 SC-31 SC-37 SC-7 SI-10 SI-15 SI-3 SI-4 |
| T1189 | Drive-by Compromise | Initial Access | 18 | AC-4 AC-6 CA-7 CM-2 CM-6 CM-8 SA-22 SC-18 SC-2 SC-29 SC-3 SC-30 SC-39 SC-7 SI-2 SI-3 SI-4 SI-7 |
| T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access | 18 | CA-2 CA-7 CM-11 CM-5 CM-6 CM-7 RA-10 RA-5 SA-10 SA-11 SA-15 SA-22 SI-2 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1213.004 | Customer Relationship Management Software | Collection | 18 | AC-16 AC-2 AC-21 AC-23 AC-3 AC-4 AC-5 AC-6 CA-7 CM-6 CM-7 IA-2 IA-4 IA-8 SC-28 SI-12 SI-4 SI-7 |
| T1218.015 | Electron Applications | Stealth | 18 | AC-2 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 CM-8 RA-5 SC-18 SC-34 SC-7 SI-10 SI-15 SI-16 SI-3 SI-4 SI-7 |
| T1542.003 | Bootkit | Stealth, Persistence | 18 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-3 CM-5 CM-6 CM-8 IA-2 IA-7 IA-8 RA-9 SA-10 SA-11 SC-34 SI-2 SI-7 |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation | 18 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 IA-4 IA-8 RA-5 SI-10 SI-14 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1552.002 | Credentials in Registry | Credential Access | 18 | AC-17 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 IA-5 RA-5 SA-11 SA-15 SC-12 SC-28 SC-4 SI-4 |
| T1563.002 | RDP Hijacking | Lateral Movement | 18 | AC-11 AC-12 AC-17 AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SC-46 SC-7 SI-4 |
| T1574 | Hijack Execution Flow | Stealth, Execution | 18 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SI-10 SI-2 SI-3 SI-4 SI-7 |
| T1599 | Network Boundary Bridging | Defense Impairment | 18 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-5 SC-28 SC-7 SI-10 SI-15 SI-4 SI-7 |
| T1599.001 | Network Address Translation Traversal | Defense Impairment | 18 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-5 SC-28 SC-7 SI-10 SI-15 SI-4 SI-7 |
| T1003.005 | Cached Domain Credentials | Credential Access | 17 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-4 IA-5 SC-28 SC-39 SI-3 SI-4 |
| T1047 | Windows Management Instrumentation | Execution | 17 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 IA-2 RA-5 SC-3 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1059.005 | Visual Basic | Execution | 17 | AC-17 AC-2 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SC-18 SI-10 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1119 | Automated Collection | Collection | 17 | AC-16 AC-17 AC-18 AC-19 AC-20 CM-2 CM-6 CM-8 CP-6 CP-7 CP-9 SC-36 SC-4 SI-12 SI-23 SI-4 SI-7 |
| T1133 | External Remote Services | Persistence, Initial Access | 17 | AC-17 AC-20 AC-3 AC-4 AC-6 AC-7 CM-2 CM-6 CM-7 CM-8 IA-2 IA-5 RA-5 SC-46 SC-7 SI-4 SI-7 |
| T1542.001 | System Firmware | Stealth, Persistence | 17 | AC-2 AC-3 AC-5 AC-6 CM-3 CM-5 CM-6 CM-8 IA-2 IA-7 IA-8 RA-9 SA-10 SA-11 SC-34 SI-2 SI-7 |
| T1548.006 | TCC Manipulation | Privilege Escalation | 17 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 CM-8 RA-5 SI-10 SI-2 SI-3 SI-4 SI-7 |
| T1552.001 | Credentials In Files | Credential Access | 17 | AC-2 AC-4 AC-5 AC-6 CA-7 CM-2 CM-6 IA-2 IA-5 RA-5 SA-11 SA-15 SC-12 SC-28 SC-4 SC-7 SI-4 |
| T1556 | Modify Authentication Process | Defense Impairment, Persistence, Credential Access | 17 | AC-2 AC-20 AC-3 AC-5 AC-6 AC-7 CA-7 CM-2 CM-5 CM-6 CM-7 IA-13 IA-2 IA-5 SC-39 SI-4 SI-7 |
| T1563.001 | SSH Hijacking | Lateral Movement | 17 | AC-17 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-5 RA-5 SC-12 SC-23 SI-4 |
| T1567 | Exfiltration Over Web Service | Exfiltration | 17 | AC-16 AC-2 AC-20 AC-23 AC-3 AC-4 AC-6 CA-3 CA-7 SA-8 SA-9 SC-28 SC-31 SC-7 SI-3 SI-4 SR-4 |
| T1574.001 | DLL | Stealth, Execution | 17 | CM-2 CM-6 CM-7 RA-5 SA-10 SA-11 SA-15 SA-16 SA-17 SA-3 SA-4 SA-8 SI-10 SI-2 SI-3 SI-4 SI-7 |
| T1003.006 | DCSync | Credential Access | 16 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 IA-4 IA-5 SC-28 SC-39 SI-3 SI-4 |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement | 16 | AC-17 AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 SC-7 SI-10 SI-15 SI-4 |
| T1021.006 | Windows Remote Management | Lateral Movement | 16 | AC-17 AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 RA-5 SC-46 SC-7 SI-4 |
| T1059.007 | JavaScript | Execution | 16 | AC-17 AC-2 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SC-18 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1203 | Exploitation for Client Execution | Execution | 16 | AC-4 AC-6 CA-7 CM-8 SC-18 SC-2 SC-29 SC-3 SC-30 SC-39 SC-44 SC-7 SI-2 SI-3 SI-4 SI-7 |
| T1204.003 | Malicious Image | Execution | 16 | AC-4 CA-7 CM-2 CM-6 CM-7 RA-5 SC-44 SC-7 SI-2 SI-3 SI-4 SI-7 SI-8 SR-11 SR-4 SR-5 |
| T1218.012 | Verclsid | Stealth | 16 | AC-3 AC-4 CA-7 CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SC-7 SI-10 SI-15 SI-16 SI-3 SI-4 SI-7 |
| T1495 | Firmware Corruption | Impact | 16 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-3 CM-5 CM-6 CM-8 IA-2 IA-7 RA-9 SA-10 SA-11 SI-2 SI-7 |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation | 16 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-11 CM-2 CM-3 CM-5 CM-6 IA-2 SA-22 SI-16 SI-3 SI-4 SI-7 |
| T1557.004 | Evil Twin | Credential Access, Collection | 16 | AC-18 AC-19 AC-3 AC-4 CA-7 CM-2 CM-6 SC-13 SC-23 SC-40 SC-46 SC-7 SC-8 SI-12 SI-4 SI-7 |
| T1003.002 | Security Account Manager | Credential Access | 15 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-5 SC-28 SC-39 SI-3 SI-4 |
| T1021.004 | SSH | Lateral Movement | 15 | AC-17 AC-2 AC-20 AC-3 AC-5 AC-6 AC-7 CM-2 CM-5 CM-6 CM-8 IA-2 IA-5 RA-5 SI-4 |
| T1025 | Data from Removable Media | Collection | 15 | AC-16 AC-2 AC-23 AC-3 AC-6 CM-12 CP-9 MP-7 SA-8 SC-13 SC-28 SC-38 SC-41 SI-3 SI-4 |
| T1059.002 | AppleScript | Execution | 15 | AC-17 AC-2 AC-3 AC-6 CM-2 CM-6 IA-9 SI-10 SI-16 SI-3 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1059.006 | Python | Execution | 15 | AC-17 AC-2 AC-3 AC-6 CM-11 CM-2 CM-3 CM-5 CM-6 SI-10 SI-16 SI-2 SI-3 SI-4 SI-7 |
| T1059.008 | Network Device CLI | Execution | 15 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 IA-2 IA-8 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1071 | Application Layer Protocol | Command And Control | 15 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-10 SC-20 SC-21 SC-22 SC-23 SC-31 SC-37 SC-7 SI-3 SI-4 |
| T1071.001 | Web Protocols | Command And Control | 15 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-10 SC-20 SC-21 SC-22 SC-23 SC-31 SC-37 SC-7 SI-3 SI-4 |
| T1071.002 | File Transfer Protocols | Command And Control | 15 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-10 SC-20 SC-21 SC-22 SC-23 SC-31 SC-37 SC-7 SI-3 SI-4 |
| T1071.003 | Mail Protocols | Command And Control | 15 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-10 SC-20 SC-21 SC-22 SC-23 SC-31 SC-37 SC-7 SI-3 SI-4 |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation | 15 | AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 IA-5 SC-46 SC-7 SI-4 SI-7 |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation | 15 | AC-20 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-5 RA-5 SC-12 SI-3 SI-4 |
| T1114 | Email Collection | Collection | 15 | AC-16 AC-17 AC-19 AC-20 AC-3 AC-4 CM-2 CM-6 IA-2 IA-5 SC-37 SC-7 SI-12 SI-4 SI-7 |
| T1136 | Create Account | Persistence | 15 | AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 IA-5 SC-46 SC-7 SI-4 SI-7 |
| T1136.002 | Domain Account | Persistence | 15 | AC-2 AC-20 AC-3 AC-4 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 IA-5 SC-46 SC-7 SI-4 SI-7 |
| T1525 | Implant Internal Image | Persistence | 15 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 IA-2 IA-9 RA-5 SI-2 SI-3 SI-4 SI-7 |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation | 15 | AC-17 AC-2 AC-3 AC-5 AC-6 CA-7 CM-11 CM-2 CM-3 CM-5 CM-6 IA-2 SI-3 SI-4 SI-7 |
| T1550.001 | Application Access Token | Lateral Movement | 15 | AC-16 AC-17 AC-19 AC-20 CM-10 CM-11 CM-2 CM-6 IA-2 IA-4 SC-28 SC-8 SI-12 SI-4 SI-7 |
| T1557.001 | Name Resolution Poisoning and SMB Relay | Credential Access, Collection | 15 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 SC-23 SC-46 SC-7 SC-8 SI-10 SI-15 SI-3 SI-4 |
| T1557.003 | DHCP Spoofing | Credential Access, Collection | 15 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 SC-23 SC-46 SC-7 SC-8 SI-10 SI-15 SI-3 SI-4 |
| T1574.007 | Path Interception by PATH Environment Variable | Stealth, Execution | 15 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-3 SI-4 SI-7 |
| T1574.008 | Path Interception by Search Order Hijacking | Stealth, Execution | 15 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-3 SI-4 SI-7 |
| T1574.009 | Path Interception by Unquoted Path | Stealth, Execution | 15 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-3 SI-4 SI-7 |
| T1622 | Debugger Evasion | Stealth, Discovery | 15 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 SC-23 SC-46 SC-7 SC-8 SI-10 SI-15 SI-3 SI-4 |
| T1647 | Plist File Modification | Defense Impairment | 15 | AC-16 AC-17 AC-3 AC-6 CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 SA-10 SA-11 SA-8 SI-4 SI-7 |
| T1003.004 | LSA Secrets | Credential Access | 14 | AC-2 AC-3 AC-5 AC-6 CA-7+9 moreCM-2 CM-5 CM-6 IA-2 IA-5 SC-28 SC-39 SI-3 SI-4 |
| T1003.007 | Proc Filesystem | Credential Access | 14 | AC-2 AC-3 AC-5 AC-6 CA-7+9 moreCM-2 CM-5 CM-6 IA-2 IA-5 SC-28 SC-39 SI-3 SI-4 |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access | 14 | AC-2 AC-3 AC-5 AC-6 CA-7+9 moreCM-2 CM-5 CM-6 IA-2 IA-5 SC-28 SC-39 SI-3 SI-4 |
| T1021 | Remote Services | Lateral Movement | 14 | AC-17 AC-2 AC-20 AC-3 AC-5+9 moreAC-6 AC-7 CM-2 CM-5 CM-6 CM-7 IA-2 IA-5 SI-4 |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | 14 | AC-2 AC-3 AC-5 AC-6 CM-2+9 moreCM-5 CM-6 CM-7 CM-8 IA-2 IA-4 IA-8 RA-5 SI-4 |
| T1078.001 | Default Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 14 | AC-2 AC-5 AC-6 CA-7 SA-10+9 moreSA-11 SA-15 SA-16 SA-17 SA-3 SA-4 SA-8 SC-28 SI-4 |
| T1110 | Brute Force | Credential Access | 14 | AC-2 AC-20 AC-3 AC-5 AC-6+9 moreAC-7 CA-7 CM-2 CM-6 IA-11 IA-2 IA-4 IA-5 SI-4 |
| T1110.001 | Password Guessing | Credential Access | 14 | AC-2 AC-20 AC-3 AC-5 AC-6+9 moreAC-7 CA-7 CM-2 CM-6 IA-11 IA-2 IA-4 IA-5 SI-4 |
| T1110.002 | Password Cracking | Credential Access | 14 | AC-2 AC-20 AC-3 AC-5 AC-6+9 moreAC-7 CA-7 CM-2 CM-6 IA-11 IA-2 IA-4 IA-5 SI-4 |
| T1110.003 | Password Spraying | Credential Access | 14 | AC-2 AC-20 AC-3 AC-5 AC-6+9 moreAC-7 CA-7 CM-2 CM-6 IA-11 IA-2 IA-4 IA-5 SI-4 |
| T1110.004 | Credential Stuffing | Credential Access | 14 | AC-2 AC-20 AC-3 AC-5 AC-6+9 moreAC-7 CA-7 CM-2 CM-6 IA-11 IA-2 IA-4 IA-5 SI-4 |
| T1114.002 | Remote Email Collection | Collection | 14 | AC-16 AC-17 AC-19 AC-20 AC-3+9 moreAC-4 CM-2 CM-6 IA-2 IA-5 SC-37 SI-12 SI-4 SI-7 |
| T1136.003 | Cloud Account | Persistence | 14 | AC-2 AC-20 AC-3 AC-4 AC-5+9 moreAC-6 CM-5 CM-6 CM-7 IA-2 IA-5 SC-7 SI-4 SI-7 |
| T1176 | Software Extensions | Persistence | 14 | AC-6 CA-7 CM-11 CM-2 CM-3+9 moreCM-5 CM-6 CM-7 RA-5 SC-7 SI-10 SI-3 SI-4 SI-7 |
| T1185 | Browser Session Hijacking | Collection | 14 | AC-10 AC-12 AC-2 AC-3 AC-5+9 moreAC-6 CA-7 CM-2 CM-5 IA-2 SC-23 SI-3 SI-4 SI-7 |
| T1195.003 | Compromise Hardware Supply Chain | Initial Access | 14 | CM-2 CM-3 CM-5 CM-8 IA-7+9 moreRA-9 SA-10 SA-11 SC-34 SI-2 SI-7 SR-11 SR-4 SR-5 |
| T1197 | BITS Jobs | Stealth, Persistence, Execution | 14 | AC-2 AC-3 AC-4 AC-5 AC-6+9 moreCA-7 CM-5 CM-6 CM-7 IA-2 SC-7 SI-10 SI-15 SI-4 |
| T1213.003 | Code Repositories | Collection | 14 | AC-2 AC-3 AC-5 AC-6 CA-7+9 moreIA-2 IA-9 RA-5 SA-10 SA-11 SA-15 SA-3 SA-8 SI-2 |
| T1221 | Template Injection | Stealth | 14 | CA-7 CM-2 CM-6 CM-7 CM-8+9 moreRA-5 SC-44 SC-7 SI-10 SI-2 SI-3 SI-4 SI-7 SI-8 |
| T1489 | Service Stop | Impact | 14 | AC-2 AC-3 AC-4 AC-5 AC-6+9 moreCA-7 CM-5 CM-6 CM-7 IA-2 SC-37 SC-46 SC-7 SI-4 |
| T1552.005 | Cloud Instance Metadata API | Credential Access | 14 | AC-16 AC-17 AC-20 AC-3 AC-4+9 moreCA-7 CM-6 CM-7 IA-3 IA-4 SC-7 SI-10 SI-15 SI-4 |
| T1552.007 | Container API | Credential Access | 14 | AC-17 AC-2 AC-23 AC-3 AC-4+9 moreAC-5 AC-6 CM-5 CM-6 CM-7 IA-2 SC-46 SC-7 SC-8 |
| T1556.001 | Domain Controller Authentication | Defense Impairment, Persistence, Credential Access | 14 | AC-2 AC-20 AC-3 AC-5 AC-6+9 moreAC-7 CA-7 CM-5 CM-6 IA-2 IA-5 SC-39 SI-4 SI-7 |
| T1556.009 | Conditional Access Policies | Defense Impairment, Persistence, Credential Access | 14 | AC-16 AC-2 AC-3 AC-5 AC-6+9 moreCM-5 CM-6 CM-7 CM-8 IA-13 IA-2 IA-5 SI-4 SI-7 |
| T1559.002 | Dynamic Data Exchange | Execution | 14 | AC-4 AC-6 CM-10 CM-2 CM-6+9 moreCM-7 CM-8 RA-5 SC-18 SC-3 SC-7 SI-2 SI-3 SI-4 |
| T1569 | System Services | Execution | 14 | AC-2 AC-3 AC-5 AC-6 CA-7+9 moreCM-11 CM-2 CM-5 CM-6 CM-7 IA-2 SI-3 SI-4 SI-7 |
| T1005 | Data from Local System | Collection | 13 | AC-16 AC-2 AC-23 AC-3 AC-6 CM-12 CP-9 SA-8 SC-13 SC-28 SC-38 SI-3 SI-4 |
| T1053.002 | At | Execution, Persistence, Privilege Escalation | 13 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 RA-5 SI-4 |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | 13 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 CM-8 IA-2 IA-4 RA-5 SI-4 |
| T1078.002 | Domain Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 13 | AC-2 AC-20 AC-3 AC-5 AC-6 AC-7 CM-5 CM-6 IA-12 IA-13 IA-2 IA-5 SI-4 |
| T1134.005 | SID-History Injection | Stealth, Privilege Escalation | 13 | AC-20 AC-3 AC-4 AC-5 AC-6 CM-2 CM-6 IA-13 SA-11 SA-17 SA-4 SA-8 SC-3 |
| T1137 | Office Application Startup | Persistence | 13 | AC-10 AC-17 AC-6 CM-2 CM-6 CM-8 RA-5 SC-18 SC-44 SI-2 SI-3 SI-4 SI-8 |
| T1204 | User Execution | Execution | 13 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-44 SC-7 SI-10 SI-2 SI-3 SI-4 SI-7 SI-8 |
| T1219 | Remote Access Tools | Command And Control | 13 | AC-17 AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-10 SI-15 SI-3 SI-4 SI-7 |
| T1490 | Inhibit System Recovery | Impact | 13 | AC-2 AC-3 AC-6 CM-2 CM-6 CM-7 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1546.006 | LC_LOAD_DYLIB Addition | Privilege Escalation, Persistence | 13 | CM-2 CM-6 CM-7 CM-8 IA-9 SI-10 SI-2 SI-3 SI-4 SI-7 SR-11 SR-4 SR-5 |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation | 13 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-5 CM-7 IA-2 SI-10 SI-14 SI-16 SI-4 SI-7 |
| T1548.003 | Sudo and Sudo Caching | Privilege Escalation | 13 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 RA-5 SI-4 |
| T1553.006 | Code Signing Policy Modification | Defense Impairment | 13 | AC-6 CM-2 CM-3 CM-5 CM-7 CM-8 IA-7 RA-9 SA-10 SA-11 SC-34 SI-2 SI-7 |
| T1556.004 | Network Device Authentication | Defense Impairment, Persistence, Credential Access | 13 | AC-2 AC-20 AC-3 AC-5 AC-6 AC-7 CM-2 CM-5 CM-6 IA-2 IA-5 SI-4 SI-7 |
| T1559.001 | Component Object Model | Execution | 13 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 IA-2 SC-18 SC-3 SC-7 SI-3 |
| T1564.009 | Resource Forking | Stealth | 13 | CM-11 CM-2 CM-6 CM-7 SA-10 SC-4 SC-44 SC-6 SI-10 SI-15 SI-3 SI-4 SI-7 |
| T1565.003 | Runtime Data Manipulation | Impact | 13 | AC-3 AC-4 CA-7 CM-6 CM-7 CP-9 SC-28 SC-4 SC-46 SC-7 SI-16 SI-4 SI-7 |
| T1566 | Phishing | Initial Access | 13 | AC-4 CA-7 CM-2 CM-6 IA-9 RA-5 SC-20 SC-44 SC-7 SI-2 SI-3 SI-4 SI-8 |
| T1569.002 | Service Execution | Execution | 13 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 SI-3 SI-4 SI-7 |
| T1574.004 | Dylib Hijacking | Stealth, Execution | 13 | AC-2 AC-3 AC-4 AC-5 AC-6 CA-7 CM-2 CM-6 CM-8 RA-5 SI-3 SI-4 SI-7 |
| T1685.001 | Disable or Modify Windows Event Log | Defense Impairment | 13 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 SI-3 SI-4 SI-7 |
| T1686 | Disable or Modify System Firewall | Defense Impairment | 13 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 CM-7 IA-2 SI-3 SI-4 SI-7 |
| T1688 | Safe Mode Boot | Defense Impairment | 13 | AC-2 AC-3 AC-5 AC-6 CM-10 CM-5 CM-6 CM-7 IA-2 IA-9 SC-23 SC-8 SI-7 |
| T1036 | Masquerading | Stealth | 12 | AC-2 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 IA-9 SI-10 SI-3 SI-4 SI-7 |
| T1036.005 | Match Legitimate Resource Name or Location | Stealth | 12 | AC-2 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 IA-9 SI-10 SI-3 SI-4 SI-7 |
| T1040 | Network Sniffing | Credential Access, Discovery | 12 | AC-16 AC-17 AC-18 AC-19 CM-7 IA-2 IA-5 SC-4 SC-8 SI-12 SI-4 SI-7 |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration | 12 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-46 SC-7 SI-10 SI-15 SI-3 SI-4 |
| T1055 | Process Injection | Stealth, Privilege Escalation | 12 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.008 | Ptrace System Calls | Stealth, Privilege Escalation | 12 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1090 | Proxy | Command And Control | 12 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SC-8 SI-10 SI-15 SI-3 SI-4 |
| T1114.003 | Email Forwarding Rule | Collection | 12 | AC-16 AC-17 AC-19 AC-20 AC-4 CM-6 SC-37 SC-43 SC-7 SI-12 SI-4 SI-7 |
| T1204.002 | Malicious File | Execution | 12 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-44 SC-7 SI-10 SI-3 SI-4 SI-7 SI-8 |
| T1484 | Domain or Tenant Policy Modification | Defense Impairment, Privilege Escalation | 12 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 IA-2 RA-5 SI-4 |
| T1505.001 | SQL Stored Procedures | Persistence | 12 | CM-11 CM-2 CM-6 CM-8 RA-5 SA-10 SA-11 SI-14 SI-7 SR-11 SR-4 SR-5 |
| T1546.003 | Windows Management Instrumentation Event Subscription | Privilege Escalation, Persistence | 12 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 SI-14 SI-3 SI-4 |
| T1552.006 | Group Policy Preferences | Credential Access | 12 | AC-2 AC-5 AC-6 CM-2 CM-6 IA-2 IA-5 RA-5 SA-11 SA-15 SI-2 SI-4 |
| T1556.003 | Pluggable Authentication Modules | Defense Impairment, Persistence, Credential Access | 12 | AC-2 AC-20 AC-3 AC-5 AC-6 AC-7 CM-5 CM-6 IA-2 IA-5 SI-4 SI-7 |
| T1565.002 | Transmitted Data Manipulation | Impact | 12 | AC-16 AC-17 AC-18 AC-19 AC-20 CM-2 CM-6 CM-8 SC-4 SI-12 SI-4 SI-7 |
| T1566.001 | Spearphishing Attachment | Initial Access | 12 | AC-4 CA-7 CM-2 CM-6 IA-9 SC-20 SC-44 SC-7 SI-2 SI-3 SI-4 SI-8 |
| T1021.008 | Direct Cloud VM Connections | Lateral Movement | 11 | AC-17 AC-2 AC-20 AC-3 AC-6 CM-5 CM-6 CM-7 IA-2 IA-5 SI-4 |
| T1046 | Network Service Discovery | Discovery | 11 | AC-4 CA-7 CM-2 CM-6 CM-7 CM-8 RA-5 SC-46 SC-7 SI-3 SI-4 |
| T1059.003 | Windows Command Shell | Execution | 11 | AC-17 AC-2 AC-3 AC-6 CM-2 CM-6 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1059.004 | Unix Shell | Execution | 11 | AC-17 AC-2 AC-3 AC-6 CM-2 CM-6 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1059.010 | AutoHotKey & AutoIT | Execution | 11 | AC-2 AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 CM-8 SI-3 SI-4 SI-7 |
| T1095 | Non-Application Layer Protocol | Command And Control | 11 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-10 SI-15 SI-3 SI-4 |
| T1098 | Account Manipulation | Persistence, Privilege Escalation | 11 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 SC-7 SI-4 |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation | 11 | AC-2 AC-20 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 IA-5 SI-4 SI-7 |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation | 11 | AC-2 AC-20 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 IA-5 SI-4 SI-7 |
| T1098.007 | Additional Local or Domain Groups | Persistence, Privilege Escalation | 11 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 IA-4 SI-4 |
| T1136.001 | Local Account | Persistence | 11 | AC-2 AC-20 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 IA-5 SI-4 SI-7 |
| T1195.002 | Compromise Software Supply Chain | Initial Access | 11 | CA-2 CA-7 CM-11 CM-7 RA-10 RA-5 SA-22 SI-2 SR-11 SR-4 SR-5 |
| T1204.001 | Malicious Link | Execution | 11 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-44 SC-7 SI-2 SI-3 SI-4 SI-8 |
| T1218.002 | Control Panel | Stealth | 11 | AC-3 CA-7 CM-11 CM-2 CM-6 CM-7 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.003 | CMSTP | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.004 | InstallUtil | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.005 | Mshta | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.008 | Odbcconf | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.009 | Regsvcs/Regasm | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.013 | Mavinject | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1218.014 | MMC | Stealth | 11 | CM-11 CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1222 | File and Directory Permissions Modification | Defense Impairment | 11 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-5 CM-6 IA-2 SI-4 SI-7 |
| T1222.001 | Windows Permissions | Defense Impairment | 11 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-5 CM-6 IA-2 SI-4 SI-7 |
| T1222.002 | Linux and Mac Permissions | Defense Impairment | 11 | AC-16 AC-2 AC-3 AC-5 AC-6 CA-7 CM-5 CM-6 IA-2 SI-4 SI-7 |
| T1486 | Data Encrypted for Impact | Impact | 11 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-6 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1505.005 | Terminal Services DLL | Persistence | 11 | AC-12 AC-17 AC-2 AC-20 AC-3 AC-5 AC-6 CM-2 CM-6 RA-5 SI-4 |
| T1547.007 | Re-opened Applications | Persistence, Privilege Escalation | 11 | AC-16 AC-3 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 RA-5 SI-3 SI-4 |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation | 11 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 CM-7 IA-2 SI-3 SI-4 |
| T1548.002 | Bypass User Account Control | Privilege Escalation | 11 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 IA-2 RA-5 SI-2 SI-4 |
| T1548.004 | Elevated Execution with Prompt | Privilege Escalation | 11 | CM-2 CM-6 CM-7 CM-8 SC-18 SC-34 SI-12 SI-16 SI-3 SI-4 SI-7 |
| T1550.003 | Pass the Ticket | Lateral Movement | 11 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-5 CM-6 IA-2 IA-5 SI-4 |
| T1566.002 | Spearphishing Link | Initial Access | 11 | AC-4 CA-7 CM-2 CM-6 IA-9 SC-20 SC-44 SC-7 SI-3 SI-4 SI-8 |
| T1570 | Lateral Tool Transfer | Lateral Movement | 11 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-10 SI-15 SI-3 SI-4 |
| T1572 | Protocol Tunneling | Command And Control | 11 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-10 SI-15 SI-3 SI-4 |
| T1573 | Encrypted Channel | Command And Control | 11 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-12 SC-16 SC-23 SC-7 SI-3 SI-4 |
| T1573.001 | Symmetric Cryptography | Command And Control | 11 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-12 SC-16 SC-23 SC-7 SI-3 SI-4 |
| T1573.002 | Asymmetric Cryptography | Command And Control | 11 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-12 SC-16 SC-23 SC-7 SI-3 SI-4 |
| T1574.005 | Executable Installer File Permissions Weakness | Stealth, Execution | 11 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 IA-2 RA-5 SI-4 |
| T1574.010 | Services File Permissions Weakness | Stealth, Execution | 11 | AC-2 AC-3 AC-4 AC-5 AC-6 CM-2 CM-5 CM-6 IA-2 RA-5 SI-4 |
| T1578 | Modify Cloud Compute Infrastructure | Defense Impairment | 11 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 IA-2 IA-4 IA-6 RA-5 SI-4 |
| T1578.001 | Create Snapshot | Defense Impairment | 11 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 IA-2 IA-4 IA-6 RA-5 SI-4 |
| T1578.002 | Create Cloud Instance | Defense Impairment | 11 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 IA-2 IA-4 IA-6 RA-5 SI-4 |
| T1578.003 | Delete Cloud Instance | Defense Impairment | 11 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 IA-2 IA-4 IA-6 RA-5 SI-4 |
| T1598 | Phishing for Information | Reconnaissance | 11 | AC-4 CA-7 CM-2 CM-6 IA-9 SC-20 SC-44 SC-7 SI-3 SI-4 SI-8 |
| T1598.002 | Spearphishing Attachment | Reconnaissance | 11 | AC-4 CA-7 CM-2 CM-6 IA-9 SC-20 SC-44 SC-7 SI-3 SI-4 SI-8 |
| T1598.003 | Spearphishing Link | Reconnaissance | 11 | AC-4 CA-7 CM-2 CM-6 IA-9 SC-20 SC-44 SC-7 SI-3 SI-4 SI-8 |
| T1609 | Container Administration Command | Execution | 11 | AC-17 AC-2 AC-3 AC-4 AC-5 AC-6 CM-6 CM-7 SC-7 SI-10 SI-7 |
| T1612 | Build Image on Host | Stealth | 11 | AC-17 AC-2 AC-3 AC-6 CM-2 CM-6 CM-7 RA-5 SA-11 SC-7 SI-4 |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation | 10 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-5 CM-6 IA-2 SI-4 SI-7 |
| T1070.003 | Clear Command History | Stealth | 10 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1070.007 | Clear Network Connection History and Configurations | Stealth | 10 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1070.009 | Clear Persistence | Stealth | 10 | AC-2 AC-3 AC-5 AC-6 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1080 | Taint Shared Content | Lateral Movement | 10 | AC-3 CA-7 CM-2 CM-7 SC-4 SC-7 SI-10 SI-3 SI-4 SI-7 |
| T1091 | Replication Through Removable Media | Lateral Movement, Initial Access | 10 | AC-3 AC-6 CM-2 CM-6 CM-8 MP-7 RA-5 SC-41 SI-3 SI-4 |
| T1127.002 | ClickOnce | Stealth, Execution | 10 | AC-17 CM-2 CM-6 CM-7 CM-8 RA-5 SC-18 SI-10 SI-4 SI-7 |
| T1137.001 | Office Template Macros | Persistence | 10 | AC-6 CM-2 CM-6 CM-8 RA-5 SC-18 SC-44 SI-3 SI-4 SI-8 |
| T1137.002 | Office Test | Persistence | 10 | AC-10 AC-14 AC-17 AC-6 CM-2 CM-5 CM-6 SC-18 SC-44 SI-8 |
| T1187 | Forced Authentication | Credential Access | 10 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-10 SI-15 SI-4 |
| T1218.001 | Compiled HTML File | Stealth | 10 | CM-11 CM-2 CM-6 CM-7 SC-18 SI-10 SI-16 SI-3 SI-4 SI-7 |
| T1485 | Data Destruction | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1491 | Defacement | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1491.001 | Internal Defacement | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1491.002 | External Defacement | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1539 | Steal Web Session Cookie | Credential Access | 10 | AC-20 AC-3 AC-6 CA-7 CM-2 CM-6 IA-2 IA-5 SI-3 SI-4 |
| T1546.013 | PowerShell Profile | Privilege Escalation, Persistence | 10 | AC-3 AC-6 CA-7 CM-10 CM-2 CM-6 IA-9 SI-3 SI-4 SI-7 |
| T1547.003 | Time Providers | Persistence, Privilege Escalation | 10 | AC-17 AC-3 AC-4 AC-6 CA-7 CM-2 CM-5 CM-6 SI-4 SI-7 |
| T1553.003 | SIP and Trust Provider Hijacking | Defense Impairment | 10 | AC-3 AC-6 CA-7 CM-2 CM-6 CM-7 SI-10 SI-3 SI-4 SI-7 |
| T1558.005 | Ccache Files | Credential Access | 10 | AC-2 AC-3 AC-6 CA-7 IA-2 IA-5 SC-4 SI-12 SI-4 SI-7 |
| T1561 | Disk Wipe | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1561.001 | Disk Content Wipe | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1561.002 | Disk Structure Wipe | Impact | 10 | AC-3 AC-6 CM-2 CP-10 CP-2 CP-7 CP-9 SI-3 SI-4 SI-7 |
| T1566.003 | Spearphishing via Service | Initial Access | 10 | AC-2 AC-4 AC-6 CA-7 SC-44 SC-7 SI-2 SI-3 SI-4 SI-8 |
| T1574.014 | AppDomainManager | Stealth, Execution | 10 | AC-3 AC-6 CA-7 CM-5 CM-6 CM-7 SI-10 SI-3 SI-4 SI-7 |
| T1613 | Container and Resource Discovery | Discovery | 10 | AC-17 AC-2 AC-3 AC-6 CM-6 CM-7 IA-2 SC-43 SC-7 SI-4 |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation | 9 | AC-17 AC-3 CA-7 CM-2 CM-6 CM-7 SI-3 SI-4 SI-7 |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation | 9 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 IA-2 RA-5 SI-4 |
| T1055.009 | Proc Memory | Stealth, Privilege Escalation | 9 | AC-3 AC-6 CA-7 SC-18 SC-7 SI-16 SI-2 SI-3 SI-4 |
| T1059.011 | Lua | Execution | 9 | AC-2 AC-3 AC-6 CM-2 CM-6 SI-16 SI-3 SI-4 SI-7 |
| T1111 | Multi-Factor Authentication Interception | Credential Access | 9 | AC-20 CA-7 CM-2 CM-6 IA-13 IA-2 IA-5 SI-3 SI-4 |
| T1114.001 | Local Email Collection | Collection | 9 | AC-16 AC-17 AC-19 AC-20 AC-4 SC-37 SI-12 SI-4 SI-7 |
| T1205 | Traffic Signaling | Stealth, Persistence, Command And Control | 9 | AC-3 AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-15 SI-4 |
| T1218.007 | Msiexec | Stealth | 9 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 CM-7 IA-2 |
| T1482 | Domain Trust Discovery | Discovery | 9 | AC-4 CM-2 CM-6 CM-7 RA-5 SA-17 SA-8 SC-46 SC-7 |
| T1499 | Endpoint Denial of Service | Impact | 9 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 SI-4 |
| T1499.001 | OS Exhaustion Flood | Impact | 9 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 SI-4 |
| T1499.002 | Service Exhaustion Flood | Impact | 9 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 SI-4 |
| T1499.003 | Application Exhaustion Flood | Impact | 9 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 SI-4 |
| T1499.004 | Application or System Exploitation | Impact | 9 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 SI-4 |
| T1546 | Event Triggered Execution | Privilege Escalation, Persistence | 9 | AC-2 AC-3 AC-6 CM-2 CM-3 CM-6 IA-9 SI-2 SI-7 |
| T1546.002 | Screensaver | Privilege Escalation, Persistence | 9 | CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-3 SI-4 SI-7 |
| T1554 | Compromise Host Software Binary | Persistence | 9 | CM-2 CM-5 CM-6 IA-9 SI-3 SI-7 SR-11 SR-4 SR-5 |
| T1556.008 | Network Provider DLL | Defense Impairment, Persistence, Credential Access | 9 | AC-3 AC-6 CM-2 CM-3 CM-5 CM-6 CM-7 SI-4 SI-7 |
| T1558.001 | Golden Ticket | Credential Access | 9 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-5 CM-6 IA-2 IA-5 |
| T1574.012 | COR_PROFILER | Stealth, Execution | 9 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-7 IA-2 SI-10 SI-7 |
| T1610 | Deploy Container | Execution | 9 | AC-17 AC-2 AC-3 AC-6 CM-6 CM-7 IA-2 SC-7 SI-4 |
| T1008 | Fallback Channels | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1011.001 | Exfiltration Over Bluetooth | Exfiltration | 8 | AC-18 CM-2 CM-6 CM-7 CM-8 RA-5 SI-3 SI-4 |
| T1027 | Obfuscated Files or Information | Stealth | 8 | AC-3 CM-2 CM-6 CM-7 SI-2 SI-3 SI-4 SI-7 |
| T1036.003 | Rename Legitimate Utilities | Stealth | 8 | AC-2 AC-3 AC-6 CA-7 CM-2 CM-6 SI-3 SI-4 |
| T1090.001 | Internal Proxy | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1090.002 | External Proxy | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1090.003 | Multi-hop Proxy | Command And Control | 8 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 |
| T1092 | Communication Through Removable Media | Command And Control | 8 | CM-2 CM-6 CM-7 CM-8 MP-7 RA-5 SI-3 SI-4 |
| T1102 | Web Service | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1102.001 | Dead Drop Resolver | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1102.002 | Bidirectional Communication | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1102.003 | One-Way Communication | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1104 | Multi-Stage Channels | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1105 | Ingress Tool Transfer | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1127 | Trusted Developer Utilities Proxy Execution | Stealth, Execution | 8 | CM-2 CM-6 CM-7 CM-8 RA-5 SI-10 SI-4 SI-7 |
| T1134 | Access Token Manipulation | Stealth, Privilege Escalation | 8 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-13 IA-2 |
| T1134.001 | Token Impersonation/Theft | Stealth, Privilege Escalation | 8 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-13 IA-2 |
| T1134.003 | Make and Impersonate Token | Stealth, Privilege Escalation | 8 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-13 IA-2 |
| T1199 | Trusted Relationship | Initial Access | 8 | AC-3 AC-4 AC-6 AC-8 CM-6 CM-7 SC-46 SC-7 |
| T1205.001 | Port Knocking | Stealth, Persistence, Command And Control | 8 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-15 SI-4 |
| T1498 | Network Denial of Service | Impact | 8 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 |
| T1498.001 | Direct Network Flood | Impact | 8 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 |
| T1498.002 | Reflection Amplification | Impact | 8 | AC-3 AC-4 CA-7 CM-6 CM-7 SC-7 SI-10 SI-15 |
| T1505.003 | Web Shell | Persistence | 8 | AC-2 AC-3 AC-5 AC-6 CM-2 CM-6 RA-5 SI-4 |
| T1543.001 | Launch Agent | Persistence, Privilege Escalation | 8 | AC-2 AC-3 AC-5 AC-6 CM-11 CM-2 CM-5 IA-2 |
| T1543.003 | Windows Service | Persistence, Privilege Escalation | 8 | AC-2 AC-3 AC-5 AC-6 CM-11 CM-2 CM-5 IA-2 |
| T1543.004 | Launch Daemon | Persistence, Privilege Escalation | 8 | AC-2 AC-3 AC-5 AC-6 CM-11 CM-2 CM-5 IA-2 |
| T1546.004 | Unix Shell Configuration Modification | Privilege Escalation, Persistence | 8 | AC-3 AC-6 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1547.012 | Print Processors | Persistence, Privilege Escalation | 8 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-5 IA-2 SI-4 |
| T1550.002 | Pass the Hash | Lateral Movement | 8 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 SI-2 |
| T1555 | Credentials from Password Stores | Credential Access | 8 | AC-20 AC-3 AC-6 CA-7 CM-3 IA-5 SI-2 SI-4 |
| T1555.005 | Password Managers | Credential Access | 8 | AC-2 AC-3 CM-2 CM-6 IA-2 IA-5 SI-2 SI-4 |
| T1568 | Dynamic Resolution | Command And Control | 8 | AC-4 CA-7 SC-20 SC-21 SC-22 SC-7 SI-3 SI-4 |
| T1568.002 | Domain Generation Algorithms | Command And Control | 8 | AC-4 CA-7 SC-20 SC-21 SC-22 SC-7 SI-3 SI-4 |
| T1571 | Non-Standard Port | Command And Control | 8 | AC-4 CA-7 CM-2 CM-6 CM-7 SC-7 SI-3 SI-4 |
| T1648 | Serverless Execution | Execution | 8 | AC-2 AC-3 AC-6 CM-6 CM-7 IA-2 SC-7 SI-4 |
| T1685.004 | Disable or Modify Linux Audit System Log | Defense Impairment | 8 | AC-2 AC-3 AC-6 CM-3 CM-5 CM-6 SI-4 SI-7 |
| T1001 | Data Obfuscation | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1001.001 | Junk Data | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1001.002 | Steganography | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1001.003 | Protocol or Service Impersonation | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1021.007 | Cloud Services | Lateral Movement | 7 | AC-2 AC-20 AC-3 AC-5 AC-6 IA-2 IA-5 |
| T1029 | Scheduled Transfer | Exfiltration | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1030 | Data Transfer Size Limits | Exfiltration | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1037.002 | Login Hook | Persistence, Privilege Escalation | 7 | AC-3 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1037.003 | Network Logon Script | Persistence, Privilege Escalation | 7 | AC-3 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1037.004 | RC Scripts | Persistence, Privilege Escalation | 7 | AC-3 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1037.005 | Startup Items | Persistence, Privilege Escalation | 7 | AC-3 CA-7 CM-2 CM-6 SI-3 SI-4 SI-7 |
| T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation | 7 | AC-2 AC-3 AC-5 AC-6 CM-5 IA-2 IA-8 |
| T1056.003 | Web Portal Capture | Collection, Credential Access | 7 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 |
| T1098.005 | Device Registration | Persistence, Privilege Escalation | 7 | AC-2 AC-20 AC-3 AC-5 AC-6 CM-5 CM-6 |
| T1106 | Native API | Execution | 7 | AC-6 CM-2 CM-6 CM-7 SI-2 SI-3 SI-4 |
| T1132 | Data Encoding | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1132.001 | Standard Encoding | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1132.002 | Non-Standard Encoding | Command And Control | 7 | AC-4 CA-7 CM-2 CM-6 SC-7 SI-3 SI-4 |
| T1134.002 | Create Process with Token | Stealth, Privilege Escalation | 7 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 |
| T1137.003 | Outlook Forms | Persistence | 7 | AC-6 CM-2 CM-6 SC-18 SC-44 SI-2 SI-8 |
| T1137.004 | Outlook Home Page | Persistence | 7 | AC-6 CM-2 CM-6 SC-18 SC-44 SI-2 SI-8 |
| T1137.005 | Outlook Rules | Persistence | 7 | AC-6 CM-2 CM-6 SC-18 SC-44 SI-2 SI-8 |
| T1546.016 | Installer Packages | Privilege Escalation, Persistence | 7 | AC-6 CA-7 CM-5 CM-6 SI-2 SI-3 SI-4 |
| T1547.008 | LSASS Driver | Persistence, Privilege Escalation | 7 | CM-2 CM-6 RA-5 SC-39 SI-3 SI-4 SI-7 |
| T1550 | Use Alternate Authentication Material | Lateral Movement | 7 | AC-2 AC-3 AC-5 AC-6 CM-5 CM-6 IA-2 |
| T1559.003 | XPC Services | Execution | 7 | CM-5 CM-6 CM-7 SA-10 SA-11 SA-8 SI-4 |
| T1564.006 | Run Virtual Instance | Stealth | 7 | CM-2 CM-6 CM-7 CM-8 SI-10 SI-4 SI-7 |
| T1564.008 | Email Hiding Rules | Stealth | 7 | AC-4 CM-3 CM-5 CM-7 SI-3 SI-4 SI-7 |
| T1569.001 | Launchctl | Execution | 7 | AC-2 AC-3 AC-5 AC-6 CM-11 CM-5 IA-2 |
| T1574.013 | KernelCallbackTable | Stealth, Execution | 7 | CA-7 CM-2 SI-10 SI-2 SI-3 SI-4 SI-7 |
| T1598.001 | Spearphishing Service | Reconnaissance | 7 | AC-4 CA-7 SC-44 SC-7 SI-3 SI-4 SI-8 |
| T1606 | Forge Web Credentials | Credential Access | 7 | AC-2 AC-3 AC-5 AC-6 IA-13 SC-17 SI-2 |
| T1619 | Cloud Storage Object Discovery | Discovery | 7 | AC-17 AC-2 AC-3 AC-5 AC-6 CM-5 IA-2 |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access | 7 | AC-2 AC-6 CM-5 IA-13 IA-2 IA-3 IA-5 |
| T1685.002 | Disable or Modify Cloud Log | Defense Impairment | 7 | AC-2 AC-3 AC-5 AC-6 CM-3 CM-5 IA-2 |
| T1689 | Downgrade Attack | Defense Impairment | 7 | CM-2 CM-6 CM-7 RA-5 SC-8 SI-4 SI-7 |
| T1036.007 | Double File Extension | Stealth | 6 | CA-7 CM-2 CM-6 CM-7 IA-2 SI-4 |
| T1055.001 | Dynamic-link Library Injection | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.002 | Portable Executable Injection | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.003 | Thread Execution Hijacking | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.004 | Asynchronous Procedure Call | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.005 | Thread Local Storage | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.011 | Extra Window Memory Injection | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.012 | Process Hollowing | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.013 | Process Doppelgänging | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1055.014 | VDSO Hijacking | Stealth, Privilege Escalation | 6 | AC-6 SC-18 SC-7 SI-2 SI-3 SI-4 |
| T1059.009 | Cloud API | Execution | 6 | AC-2 AC-3 AC-6 CM-7 IA-2 SI-4 |
| T1087.004 | Cloud Account | Discovery | 6 | AC-2 AC-3 AC-5 AC-6 IA-2 IA-8 |
| T1129 | Shared Modules | Execution | 6 | CM-2 CM-7 SI-10 SI-3 SI-4 SI-7 |
| T1137.006 | Add-ins | Persistence | 6 | AC-6 CM-2 CM-6 SC-18 SC-44 SI-8 |
| T1216 | System Script Proxy Execution | Stealth | 6 | CM-2 CM-6 CM-7 SI-10 SI-4 SI-7 |
| T1216.001 | PubPrn | Stealth | 6 | CM-2 CM-6 CM-7 SI-10 SI-4 SI-7 |
| T1220 | XSL Script Processing | Stealth | 6 | CM-2 CM-6 CM-7 SI-10 SI-4 SI-7 |
| T1485.001 | Lifecycle-Triggered Deletion | Impact | 6 | AC-2 AC-3 AC-6 CP-10 CP-9 SI-7 |
| T1538 | Cloud Service Dashboard | Discovery | 6 | AC-2 AC-3 AC-5 AC-6 IA-2 IA-8 |
| T1546.008 | Accessibility Features | Privilege Escalation, Persistence | 6 | CM-10 CM-6 CM-7 SI-10 SI-4 SI-7 |
| T1546.014 | Emond | Privilege Escalation, Persistence | 6 | CM-2 CM-6 CM-8 RA-5 SI-3 SI-4 |
| T1553.001 | Gatekeeper Bypass | Defense Impairment | 6 | CM-2 CM-6 CM-7 SI-10 SI-4 SI-7 |
| T1553.004 | Install Root Certificate | Defense Impairment | 6 | CM-10 CM-6 CM-7 IA-9 SC-20 SI-4 |
| T1553.005 | Mark-of-the-Web Bypass | Defense Impairment | 6 | CM-2 CM-6 CM-7 SI-10 SI-4 SI-7 |
| T1556.006 | Multi-Factor Authentication | Defense Impairment, Persistence, Credential Access | 6 | AC-2 AC-3 AC-6 IA-11 IA-13 IA-2 |
| T1556.007 | Hybrid Identity | Defense Impairment, Persistence, Credential Access | 6 | AC-2 AC-3 AC-6 IA-11 IA-13 IA-2 |
| T1564.004 | NTFS File Attributes | Stealth | 6 | AC-16 AC-3 CA-7 SI-3 SI-4 SI-7 |
| T1651 | Cloud Administration Command | Execution | 6 | AC-17 AC-2 AC-3 AC-6 IA-2 SI-4 |
| T1686.001 | Cloud Firewall | Defense Impairment | 6 | AC-2 AC-3 AC-5 AC-6 CM-5 IA-2 |
| T1011 | Exfiltration Over Other Network Medium | Exfiltration | 5 | AC-18 CM-6 CM-7 SC-43 SI-4 |
| T1036.001 | Invalid Code Signature | Stealth | 5 | CM-2 CM-6 IA-9 SI-4 SI-7 |
| T1036.008 | Masquerade File Type | Stealth | 5 | CM-7 SC-7 SI-10 SI-3 SI-4 |
| T1036.010 | Masquerade Account Name | Stealth | 5 | AC-2 AC-3 CM-6 IA-2 SI-4 |
| T1127.001 | MSBuild | Stealth, Execution | 5 | CM-2 CM-6 CM-8 RA-5 SI-4 |
| T1200 | Hardware Additions | Initial Access | 5 | AC-20 AC-3 AC-6 MP-7 SC-41 |
| T1201 | Password Policy Discovery | Discovery | 5 | CA-7 CM-2 CM-6 SI-3 SI-4 |
| T1543.005 | Container Service | Persistence, Privilege Escalation | 5 | AC-2 AC-3 AC-5 AC-6 IA-2 |
| T1546.010 | AppInit DLLs | Privilege Escalation, Persistence | 5 | CM-2 CM-7 SI-10 SI-2 SI-7 |
| T1547.002 | Authentication Package | Persistence, Privilege Escalation | 5 | CM-6 SC-39 SI-3 SI-4 SI-7 |
| T1547.005 | Security Support Provider | Persistence, Privilege Escalation | 5 | CM-6 SC-39 SI-3 SI-4 SI-7 |
| T1555.002 | Securityd Memory | Credential Access | 5 | AC-3 AC-6 CA-7 IA-5 SI-4 |
| T1555.004 | Windows Credential Manager | Credential Access | 5 | CM-2 CM-6 CM-7 IA-5 SI-4 |
| T1560 | Archive Collected Data | Collection | 5 | CM-2 RA-5 SC-7 SI-3 SI-4 |
| T1560.001 | Archive via Utility | Collection | 5 | CM-2 RA-5 SC-7 SI-3 SI-4 |
| T1578.005 | Modify Cloud Compute Configurations | Defense Impairment | 5 | AC-2 AC-20 AC-3 AC-6 CM-3 |
| T1580 | Cloud Infrastructure Discovery | Discovery | 5 | AC-2 AC-3 AC-5 AC-6 IA-2 |
| T1590.002 | DNS | Reconnaissance | 5 | AC-4 CM-6 CM-7 SC-32 SC-7 |
| T1685.003 | Modify or Spoof Tool UI | Defense Impairment | 5 | CM-5 CM-6 SI-3 SI-4 SI-7 |
| T1027.002 | Software Packing | Stealth | 4 | SI-2 SI-3 SI-4 SI-7 |
| T1027.007 | Dynamic API Resolution | Stealth | 4 | SI-2 SI-3 SI-4 SI-7 |
| T1027.008 | Stripped Payloads | Stealth | 4 | SI-2 SI-3 SI-4 SI-7 |
| T1027.009 | Embedded Payloads | Stealth | 4 | SI-2 SI-3 SI-4 SI-7 |
| T1027.010 | Command Obfuscation | Stealth | 4 | CM-6 SI-10 SI-3 SI-4 |
| T1056.002 | GUI Input Capture | Collection, Credential Access | 4 | CA-7 SI-3 SI-4 SI-7 |
| T1071.005 | Publish/Subscribe Protocols | Command And Control | 4 | AC-4 SC-31 SC-7 SI-4 |
| T1087 | Account Discovery | Discovery | 4 | AC-2 CM-6 CM-7 SI-4 |
| T1098.006 | Additional Container Cluster Roles | Persistence, Privilege Escalation | 4 | AC-2 AC-3 AC-6 IA-5 |
| T1216.002 | SyncAppvPublishingServer | Stealth | 4 | CM-2 CM-6 CM-7 SI-7 |
| T1218.010 | Regsvr32 | Stealth | 4 | CA-7 SI-10 SI-4 SI-7 |
| T1218.011 | Rundll32 | Stealth | 4 | CA-7 SI-10 SI-4 SI-7 |
| T1548.005 | Temporary Elevated Cloud Access | Privilege Escalation | 4 | AC-2 AC-3 AC-6 CM-5 |
| T1552.003 | Shell History | Credential Access | 4 | CM-6 CM-7 SC-28 SI-4 |
| T1555.006 | Cloud Secrets Management Stores | Credential Access | 4 | AC-2 AC-3 AC-6 CM-7 |
| T1556.005 | Reversible Encryption | Defense Impairment, Persistence, Credential Access | 4 | AC-2 AC-5 AC-6 IA-5 |
| T1564.007 | VBA Stomping | Stealth | 4 | CM-2 CM-6 CM-8 SI-4 |
| T1574.006 | Dynamic Linker Hijacking | Stealth, Execution | 4 | CM-6 CM-7 SI-10 SI-7 |
| T1606.001 | Web Cookies | Credential Access | 4 | AC-2 AC-3 AC-6 SI-2 |
| T1606.002 | SAML Tokens | Credential Access | 4 | AC-2 AC-3 AC-6 IA-13 |
| T1653 | Power Settings | Persistence | 4 | CM-2 CM-3 CM-7 SI-4 |
| T1654 | Log Enumeration | Discovery | 4 | AC-2 AC-3 AC-4 AC-6 |
| T1690 | Prevent Command History Logging | Defense Impairment | 4 | CM-2 CM-6 CM-7 SI-4 |
| T1070.010 | Relocate Malware | Stealth | 3 | SI-3 SI-4 SI-7 |
| T1087.001 | Local Account | Discovery | 3 | CM-6 CM-7 SI-4 |
| T1087.002 | Domain Account | Discovery | 3 | CM-6 CM-7 SI-4 |
| T1112 | Modify Registry | Defense Impairment, Persistence | 3 | AC-6 CM-7 SI-7 |
| T1135 | Network Share Discovery | Discovery | 3 | CM-6 CM-7 SI-4 |
| T1546.009 | AppCert DLLs | Privilege Escalation, Persistence | 3 | CM-7 SI-10 SI-7 |
| T1548.001 | Setuid and Setgid | Privilege Escalation | 3 | CM-6 CM-7 SI-4 |
| T1550.004 | Web Session Cookie | Lateral Movement | 3 | SC-23 SC-8 SI-7 |
| T1555.001 | Keychain | Credential Access | 3 | CA-7 IA-5 SI-4 |
| T1556.002 | Password Filter DLL | Defense Impairment, Persistence, Credential Access | 3 | CM-6 CM-7 SI-4 |
| T1564.002 | Hidden Users | Stealth | 3 | CM-6 CM-7 SI-4 |
| T1564.003 | Hidden Window | Stealth | 3 | CM-7 SI-10 SI-7 |
| T1564.010 | Process Argument Spoofing | Stealth | 3 | CA-7 SI-4 SI-7 |
| T1567.001 | Exfiltration to Code Repository | Exfiltration | 3 | AC-20 AC-4 SC-7 |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration | 3 | AC-20 AC-4 SC-7 |
| T1567.003 | Exfiltration to Text Storage Sites | Exfiltration | 3 | AC-17 AC-4 SC-7 |
| T1567.004 | Exfiltration Over Webhook | Exfiltration | 3 | AC-17 AC-4 SC-7 |
| T1649 | Steal or Forge Authentication Certificates | Credential Access | 3 | IA-13 IA-2 IA-5 |
| T1659 | Content Injection | Initial Access, Command And Control | 3 | AC-17 AC-4 SC-7 |
| T1027.012 | LNK Icon Smuggling | Stealth | 2 | SI-3 SI-4 |
| T1037.001 | Logon Script (Windows) | Persistence, Privilege Escalation | 2 | AC-17 CM-7 |
| T1205.002 | Socket Filters | Stealth, Persistence, Command And Control | 2 | AC-4 SI-4 |
| T1546.011 | Application Shimming | Privilege Escalation, Persistence | 2 | AC-6 SI-2 |
| T1552.008 | Chat Messages | Credential Access | 2 | AC-4 SI-4 |
| T1574.011 | Services Registry Permissions Weakness | Stealth, Execution | 2 | AC-6 CM-5 |
| T1657 | Financial Theft | Impact | 2 | AC-5 AC-6 |
| T1027.011 | Fileless Storage | Stealth | 1 | SI-4 |
| T1027.013 | Encrypted/Encoded File | Stealth | 1 | SI-3 |
| T1027.014 | Polymorphic Code | Stealth | 1 | SI-3 |
| T1055.015 | ListPlanting | Stealth, Privilege Escalation | 1 | SI-3 |
| T1090.004 | Domain Fronting | Command And Control | 1 | SC-8 |
| T1496.003 | SMS Pumping | Impact | 1 | SC-5 |
| T1535 | Unused/Unsupported Cloud Regions | Stealth | 1 | SC-23 |
| T1564.012 | File/Path Exclusions | Stealth | 1 | SI-3 |
| T1593.003 | Code Repositories | Reconnaissance | 1 | CM-8 |
| T1595.003 | Wordlist Scanning | Reconnaissance | 1 | SC-4 |
| T1666 | Modify Cloud Resource Hierarchy | Defense Impairment | 1 | CM-3 |