Vendor:

May 13, 2026 · View on GitHub

Product:

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
1007	343	183	59	236

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	account-deleted ↳microsoft-evsecurity-json-user-delete-success-4726 account-disabled ↳microsoft-evsecurity-json-user-disable-success-4725-1 account-enabled ↳microsoft-evsecurity-json-user-enable-success-4722-1 ↳microsoft-evsecurity-json-user-enable-success-4722-2 account-password-change ↳cyberark-pam-kv-user-password-modify-success-cpmpasswordchanged ↳sailpoint-identitynow-json-user-password-modify-passwordactivity ↳microsoft-azuread-json-user-password-reset-fail-changepassword ↳microsoft-o365-cef-user-password-modify-success-changeuserpassword ↳azure-azuread-json-user-password-modify-success-selfservice account-password-reset ↳cyberark-pam-kv-user-password-reset-success-setpassword account-switch ↳microsoft-evsecurity-json-endpoint-login-success-4648 ↳microsoft-evsecurity-json-endpoint-login-success-4648-2 account-unlocked ↳microsoft-evsecurity-json-user-unlock-success-4767-2 app-activity ↳epic-siem-cef-app-activity-success-browserexternalpage ↳epic-siem-cef-app-activity-success-icserviceaudit ↳epic-siem-cef-app-activity-success-accessgranted ↳epic-seim-cef-app-activity-success-secure ↳epic-siem-cef-app-activity-success-maskeddatadisplay ↳epic-seim-cef-app-activity-success-switchuser ↳epic-siem-cef-app-activity-success-unsecure ↳epic-siem-cef-app-activity-success-acbreaktheglassaccess ↳epic-siem-cef-app-activity-success-startup ↳beyondtrust-sra-kv-app-activity-success-connectionterminated ↳egnyte-e-cef-app-activity-success-create ↳engyte-e-cef-app-activity-success-update ↳egnyte-e-cef-app-activity-success-disable ↳slack-s-json-app-activity-success-userlogout ↳slack-s-json-app-activity-success-userchanneljoin ↳slack-s-json-app-activity-success-userchannelleave ↳slack-s-json-app-activity-success-fileshared ↳slack-s-json-app-activity-success-userdeactivated ↳slack-s-json-app-activity-success-publicchannelcreated ↳slack-s-json-app-activity-success-privatechannelcreated ↳forcepoint-ngfw-cef-app-activity-log ↳github-g-csv-app-activity-success-teamremovem ↳github-g-csv-app-activity-success-orgmem ↳github-g-csv-app-activity-success-teamadd ↳github-g-csv-app-activity-success-paymethod ↳github-g-csv-app-activity-success-billingemail ↳github-g-csv-app-activity-success-hookcreate ↳github-g-csv-app-activity-success-repocreate ↳github-g-csv-app-activity-success-branchupdate ↳github-g-csv-app-activity-success-parentteam ↳github-g-csv-app-activity-success-hookconfig ↳github-g-csv-app-activity-success-orginvite ↳github-g-csv-app-activity-success-createteam ↳beyondtrust-prividentity-cef-app-activity-success-idpassword ↳imprivata-i-kv-app-activity-success-primarylockout ↳imprivata-i-kv-app-activity-success-selfenroldeclined ↳imprivata-i-kv-app-activity-success-agentshutdown ↳imprivata-i-kv-app-activity-success-passwordreset ↳egnyte-egnyte-sk4-app-activity-success-addedtogroup ↳egnyte-egnyte-sk4-app-activity-success-removedfromgroup ↳egnyte-egnyte-sk4-app-activity-success-verificationdisable ↳egnyte-egnyte-sk4-app-activity-success-verified ↳beyondtrust-prividentity-cef-app-activity-listaddedaccount ↳beyondtrust-prividentity-cef-app-activity-elevationfailed ↳beyondtrust-prividentity-cef-app-activity-jobaccount ↳beyondtrust-prividentity-cef-app-activity-accountdeelevated ↳forcepoint-ngfw-cef-network-traffic-catchall ↳fortinet-fortigate-kv-network-app-fortigate ↳sentinelone-v-cef-app-activity-success-usermodified ↳sentinelone-v-cef-app-activity-success-usercreatedrole ↳crowdstrike-falcon-json-app-activity-awsec2networkacl ↳crowdstrike-falcon-sk4-app-activity-updateuser ↳crowdstrike-falcon-json-app-activity-awsec2securitygroup ↳crowdstrike-falcon-json-app-activity-awsec2networkaclentry ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-xml-configuration-modify-success-4742 ↳microsoft-azuremon-json-endpoint-activity-success-catchall ↳microsoft-azure-mix-app-activity-success-caller ↳microsoft-o365-sk4-app-activity-success-office365-1 ↳microsoft-o365-sk4-app-activity-success-office365 ↳microsoft-o365-sk4-app-activity-success-usermanagement ↳microsoft-o365-sk4-app-activity-success-groupmanagement-1 ↳microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1 ↳microsoft-o365-sk4-app-activity-success-authzgrouprenamed ↳microsoft-o365-sk4-app-activity-success-groupmanagement ↳microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1 ↳microsoft-mcas-cef-app-activity-success-purgemessages ↳microsoft-mcas-cef-app-activity-success-unspecified ↳microsoft-mcas-cef-app-activity-success-mailboxpermission ↳microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered ↳microsoft-mcas-cef-app-activity-success-azureoperation ↳microsoft-mcas-cef-app-activity-success-removemember ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳azure-azuread-json-app-notification-activitydisplayname ↳azure-azuread-json-user-password-modify-success-selfservice ↳pan-gp-cef-app-activity-success-globalprotect ↳vmware-idm-json-app-activity-success-user ↳exabeam-aa-json-app-activity-success-search ↳exabeam-search-json-app-activity-success-rule ↳exabeam-search-json-app-activity-success-search ↳exabeam-search-json-app-activity-success-role ↳exabeam-search-json-app-activity-success-addededited ↳exabeam-search-json-app-activity-success-groupmodified ↳exabeam-search-json-app-activity-success-permissionchange ↳exabeam-search-json-app-activity-success-restarting ↳exabeam-search-json-app-activity-success-logsourceadded app-login ↳unix-unix-str-cron-session-success-sessionopened ↳securelink-s-str-app-login-success-loggedin ↳rubrik-cdm-kv-app-login-success-loggedin-1 ↳swift-s-cef-app-login-success-web ↳slack-s-json-app-login-success-userlogin ↳beyondtrust-prividentity-cef-app-login-privilegedidentity ↳microsoft-mcas-kv-app-login-success-successauth ↳microsoft-o365-cef-app-login-success-user ↳microsoft-o365-json-app-login-success-loginsuccess ↳exabeam-aa-json-app-login-success-applogin ↳exabeam-search-json-app-login-success-activitylogin audit-log-clear ↳microsoft-evsecurity-json-log-clear-success-auditlogcleared ↳microsoft-evsecurity-kv-log-clear-success-1102-2 authentication-failed ↳unix-unixauditd-json-endpoint-login-authentication ↳sailpoint-identitynow-json-endpoint-authentication-auth ↳ipswitch-moveittransfer-str-endpoint-authentication-fail-authfailed ↳stealthbits-s-kv-vpn-login-fail-failedlogin ↳pan-ngfw-leef-endpoint-authentication-fail-authfail authentication-successful ↳unix-unixauditd-json-endpoint-login-authentication ↳sailpoint-identitynow-json-endpoint-authentication-auth ↳stealthbits-s-kv-vpn-login-success-loginsucceed ↳beyondtrust-sra-kv-endpoint-login-success-challenge ↳pan-ngfw-leef-endpoint-authentication-success-authsuccess ↳pan-ngfw-leef-endpoint-authentication-success-signvalidated failed-app-login ↳securelink-s-str-app-login-fail-loginfailed ↳epic-siem-cef-app-activity-success-roverfailedlogin ↳okta-amfa-json-app-login-fail-userlogintookta ↳okta-amfa-json-app-login-fail-authenticateuserwithadagent ↳beyondtrust-prividentity-cef-app-login-privilegedidentity ↳microsoft-mcas-kv-app-login-fail-failedauth ↳microsoft-o365-cef-app-login-success-user ↳microsoft-o365-json-app-login-fail-loginfail ↳exabeam-aa-json-app-login-fail-failedlogin failed-logon ↳auth0-a-json-endpoint-login-fail-fp failed-vpn-login ↳pan-gp-csv-vpn-login-fail-loginfailure local-logon ↳microsoft-evsecurity-json-endpoint-login-success-4624-6 member-added ↳microsoft-evsecurity-kv-group-member-add-success-4756-1 member-removed ↳microsoft-evsecurity-json-group-member-remove-success-4757 print-activity ↳dg-ep-kv-printer-activity-success-22 privileged-access ↳rubrik-cdm-kv-user-privilege-assign-success-assignedroles ↳microsoft-windows-kv-user-privilege-use-success-578 ↳microsoft-evsecurity-json-user-privilege-assign-success-4673-1 ↳microsoft-evsecurity-json-user-privilege-assign-success-4673-1 privileged-object-access ↳microsoft-windows-kv-user-privilege-use-success-578 remote-access ↳microsoft-evsecurity-json-endpoint-login-success-4624-6 ↳microsoft-evsecurity-json-endpoint-login-success-4624-6 remote-logon ↳unix-unix-str-ssh-traffic-success-sftpsessionopened ↳dell-sw-kv-rdp-traffic-success-sslvpn ↳microsoft-evsecurity-json-endpoint-login-success-4624-6 ↳microsoft-evsecurity-json-endpoint-login-success-4648 ↳microsoft-evsecurity-json-endpoint-login-success-4648-2 ↳microsoft-evsecurity-json-endpoint-login-success-4648 ↳microsoft-evsecurity-json-endpoint-login-success-4648-2 vpn-login ↳microsoft-windows-xml-vpn-login-success-2002 ↳microsoft-windows-xml-vpn-login-success-2000 ↳microsoft-evdhcpserver-xml-vpn-login-success-4303 ↳pan-gp-csv-vpn-login-success-connected ↳pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded vpn-logout ↳microsoft-windows-xml-vpn-logout-success-4304 ↳microsoft-windows-xml-vpn-logout-success-2001 web-activity-allowed ↳microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule ↳symantec-bcpa-mix-http-session-ssldenied ↳symantec-bcpa-mix-http-session-deniedtcp ↳symantec-bcpa-mix-http-session-connect ↳symantec-bcpa-mix-http-session-get ↳symantec-bcpa-mix-http-session-ssldenied ↳symantec-bcpa-mix-http-session-deniedtcp ↳symantec-bcpa-mix-http-session-connect ↳symantec-bcpa-mix-http-session-get web-activity-denied ↳eset-es-leef-http-session-fail-eset ↳symantec-bcpa-mix-http-session-ssldenied ↳symantec-bcpa-mix-http-session-deniedtcp ↳symantec-bcpa-mix-http-session-connect ↳symantec-bcpa-mix-http-session-get workstation-unlocked ↳microsoft-evsecurity-json-endpoint-login-success-4624-6	T1021 - Remote Services T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services	69 Rules 29 Models
Account Manipulation	account-deleted ↳microsoft-evsecurity-json-user-delete-success-4726 account-password-change ↳cyberark-pam-kv-user-password-modify-success-cpmpasswordchanged ↳sailpoint-identitynow-json-user-password-modify-passwordactivity ↳microsoft-azuread-json-user-password-reset-fail-changepassword ↳microsoft-o365-cef-user-password-modify-success-changeuserpassword ↳azure-azuread-json-user-password-modify-success-selfservice account-password-reset ↳cyberark-pam-kv-user-password-reset-success-setpassword app-activity ↳epic-siem-cef-app-activity-success-browserexternalpage ↳epic-siem-cef-app-activity-success-icserviceaudit ↳epic-siem-cef-app-activity-success-accessgranted ↳epic-seim-cef-app-activity-success-secure ↳epic-siem-cef-app-activity-success-maskeddatadisplay ↳epic-seim-cef-app-activity-success-switchuser ↳epic-siem-cef-app-activity-success-unsecure ↳epic-siem-cef-app-activity-success-acbreaktheglassaccess ↳epic-siem-cef-app-activity-success-startup ↳beyondtrust-sra-kv-app-activity-success-connectionterminated ↳egnyte-e-cef-app-activity-success-create ↳engyte-e-cef-app-activity-success-update ↳egnyte-e-cef-app-activity-success-disable ↳slack-s-json-app-activity-success-userlogout ↳slack-s-json-app-activity-success-userchanneljoin ↳slack-s-json-app-activity-success-userchannelleave ↳slack-s-json-app-activity-success-fileshared ↳slack-s-json-app-activity-success-userdeactivated ↳slack-s-json-app-activity-success-publicchannelcreated ↳slack-s-json-app-activity-success-privatechannelcreated ↳forcepoint-ngfw-cef-app-activity-log ↳github-g-csv-app-activity-success-teamremovem ↳github-g-csv-app-activity-success-orgmem ↳github-g-csv-app-activity-success-teamadd ↳github-g-csv-app-activity-success-paymethod ↳github-g-csv-app-activity-success-billingemail ↳github-g-csv-app-activity-success-hookcreate ↳github-g-csv-app-activity-success-repocreate ↳github-g-csv-app-activity-success-branchupdate ↳github-g-csv-app-activity-success-parentteam ↳github-g-csv-app-activity-success-hookconfig ↳github-g-csv-app-activity-success-orginvite ↳github-g-csv-app-activity-success-createteam ↳beyondtrust-prividentity-cef-app-activity-success-idpassword ↳imprivata-i-kv-app-activity-success-primarylockout ↳imprivata-i-kv-app-activity-success-selfenroldeclined ↳imprivata-i-kv-app-activity-success-agentshutdown ↳imprivata-i-kv-app-activity-success-passwordreset ↳egnyte-egnyte-sk4-app-activity-success-addedtogroup ↳egnyte-egnyte-sk4-app-activity-success-removedfromgroup ↳egnyte-egnyte-sk4-app-activity-success-verificationdisable ↳egnyte-egnyte-sk4-app-activity-success-verified ↳beyondtrust-prividentity-cef-app-activity-listaddedaccount ↳beyondtrust-prividentity-cef-app-activity-elevationfailed ↳beyondtrust-prividentity-cef-app-activity-jobaccount ↳beyondtrust-prividentity-cef-app-activity-accountdeelevated ↳forcepoint-ngfw-cef-network-traffic-catchall ↳fortinet-fortigate-kv-network-app-fortigate ↳sentinelone-v-cef-app-activity-success-usermodified ↳sentinelone-v-cef-app-activity-success-usercreatedrole ↳crowdstrike-falcon-json-app-activity-awsec2networkacl ↳crowdstrike-falcon-sk4-app-activity-updateuser ↳crowdstrike-falcon-json-app-activity-awsec2securitygroup ↳crowdstrike-falcon-json-app-activity-awsec2networkaclentry ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳crowdstrike-falcon-sk4-app-activity-awsec2networkinterface ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-xml-configuration-modify-success-4742 ↳microsoft-azuremon-json-endpoint-activity-success-catchall ↳microsoft-azure-mix-app-activity-success-caller ↳microsoft-o365-sk4-app-activity-success-office365-1 ↳microsoft-o365-sk4-app-activity-success-office365 ↳microsoft-o365-sk4-app-activity-success-usermanagement ↳microsoft-o365-sk4-app-activity-success-groupmanagement-1 ↳microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1 ↳microsoft-o365-sk4-app-activity-success-authzgrouprenamed ↳microsoft-o365-sk4-app-activity-success-groupmanagement ↳microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1 ↳microsoft-mcas-cef-app-activity-success-purgemessages ↳microsoft-mcas-cef-app-activity-success-unspecified ↳microsoft-mcas-cef-app-activity-success-mailboxpermission ↳microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered ↳microsoft-mcas-cef-app-activity-success-azureoperation ↳microsoft-mcas-cef-app-activity-success-removemember ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳azure-azuread-json-app-notification-activitydisplayname ↳azure-azuread-json-user-password-modify-success-selfservice ↳pan-gp-cef-app-activity-success-globalprotect ↳vmware-idm-json-app-activity-success-user ↳exabeam-aa-json-app-activity-success-search ↳exabeam-search-json-app-activity-success-rule ↳exabeam-search-json-app-activity-success-search ↳exabeam-search-json-app-activity-success-role ↳exabeam-search-json-app-activity-success-addededited ↳exabeam-search-json-app-activity-success-groupmodified ↳exabeam-search-json-app-activity-success-permissionchange ↳exabeam-search-json-app-activity-success-restarting ↳exabeam-search-json-app-activity-success-logsourceadded ds-access ↳microsoft-evsecurity-kv-ds-object-delete-success-5141-1 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 ↳microsoft-evsecurity-kv-ds-object-activity-success-4662-3 member-added ↳microsoft-evsecurity-kv-group-member-add-success-4756-1 member-removed ↳microsoft-evsecurity-json-group-member-remove-success-4757 process-created ↳dg-ep-json-file-success-time ↳vmware-carbonblackceedr-sk4-process-create-success-crossproc vpn-logout ↳microsoft-windows-xml-vpn-logout-success-4304 ↳microsoft-windows-xml-vpn-logout-success-2001	T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021 - Remote Services T1021.003 - T1021.003 T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1207 - Rogue Domain Controller T1218 - Signed Binary Proxy Execution T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1484 - Group Policy Modification T1531 - Account Access Removal T1559 - Inter-Process Communication T1559.002 - T1559.002	81 Rules 41 Models
Audit Tampering	audit-log-clear ↳microsoft-evsecurity-json-log-clear-success-auditlogcleared ↳microsoft-evsecurity-kv-log-clear-success-1102-2 process-created ↳dg-ep-json-file-success-time ↳vmware-carbonblackceedr-sk4-process-create-success-crossproc	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546 - Event Triggered Execution T1546.003 - T1546.003 T1562 - Impair Defenses T1562.002 - T1562.002 T1562.006 - T1562.006	8 Rules 2 Models
Brute Force Attack	failed-logon ↳auth0-a-json-endpoint-login-fail-fp vpn-logout ↳microsoft-windows-xml-vpn-logout-success-4304 ↳microsoft-windows-xml-vpn-logout-success-2001	T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules 1 Models
Destruction of Data	file-delete ↳dg-ep-json-file-success-time ↳microsoft-azure-kv-file-success-vmid ↳microsoft-mcas-cef-file-delete-success-deletefile	T1070 - Indicator Removal on Host T1070.004 - Indicator Removal on Host: File Deletion T1485 - Data Destruction	1 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Valid Accounts: Cloud Accounts Exploit Public Fasing Application Replication Through Removable Media Phishing	Windows Management Instrumentation Command and Scripting Interperter Scheduled Task/Job Inter-Process Communication System Services Exploitation for Client Execution User Execution Scheduled Task/Job: Scheduled Task Command and Scripting Interperter: PowerShell Scheduled Task/Job: At (Windows)	Pre-OS Boot Create Account Create or Modify System Process External Remote Services Valid Accounts Hijack Execution Flow Server Software Component: Web Shell Account Manipulation BITS Jobs Create or Modify System Process: Windows Service Scheduled Task/Job Server Software Component Event Triggered Execution Boot or Logon Autostart Execution Create Account: Create: Local Account Account Manipulation: Exchange Email Delegate Permissions	Access Token Manipulation: Token Impersonation/Theft Create or Modify System Process Valid Accounts Access Token Manipulation Exploitation for Privilege Escalation Hijack Execution Flow Group Policy Modification Process Injection Scheduled Task/Job Abuse Elevation Control Mechanism Event Triggered Execution Boot or Logon Autostart Execution Process Injection: Dynamic-link Library Injection Abuse Elevation Control Mechanism: Bypass User Account Control	Hide Artifacts Indirect Command Execution Impair Defenses Indicator Removal on Host: Clear Windows Event Logs Group Policy Modification Rogue Domain Controller Trusted Developer Utilities Proxy Execution Masquerading: Match Legitimate Name or Location Masquerading: Rename System Utilities File and Directory Permissions Modification: Windows File and Directory Permissions Modification Obfuscated Files or Information: Compile After Delivery Obfuscated Files or Information: Indicator Removal from Tools Hijack Execution Flow: DLL Side-Loading Indicator Removal on Host: File Deletion Masquerading Valid Accounts Modify Registry BITS Jobs Use Alternate Authentication Material Hide Artifacts: NTFS File Attributes Use Alternate Authentication Material: Pass the Hash Indicator Removal on Host Use Alternate Authentication Material: Pass the Ticket Pre-OS Boot File and Directory Permissions Modification Deobfuscate/Decode Files or Information Abuse Elevation Control Mechanism Impair Defenses: Disable or Modify System Firewall Obfuscated Files or Information Signed Binary Proxy Execution: Compiled HTML File Access Token Manipulation Hijack Execution Flow Process Injection Valid Accounts: Local Accounts Signed Binary Proxy Execution: Msiexec Signed Binary Proxy Execution Signed Binary Proxy Execution: Regsvcs/Regasm Signed Binary Proxy Execution: CMSTP Signed Binary Proxy Execution: Control Panel Signed Binary Proxy Execution: InstallUtil Signed Binary Proxy Execution: Regsvr32 Trusted Developer Utilities Proxy Execution: MSBuild Signed Binary Proxy Execution: Rundll32	OS Credential Dumping Unsecured Credentials Brute Force Forced Authentication Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting OS Credential Dumping: DCSync Network Sniffing	Account Discovery Domain Trust Discovery System Service Discovery System Network Connections Discovery Account Discovery: Local Account Account Discovery: Domain Account File and Directory Discovery Network Sniffing System Information Discovery Network Share Discovery Query Registry Process Discovery System Owner/User Discovery Software Discovery Remote System Discovery System Network Configuration Discovery	Exploitation of Remote Services Remote Service Session Hijacking Remote Services Remote Services: SMB/Windows Admin Shares Use Alternate Authentication Material Remote Services: Remote Desktop Protocol Replication Through Removable Media Internal Spearphishing	Screen Capture Data from Information Repositories Email Collection Audio Capture Archive Collected Data Email Collection: Email Forwarding Rule	Web Service Protocol Tunneling Application Layer Protocol: DNS Application Layer Protocol: File Transfer Protocols Application Layer Protocol: Web Protocols Remote Access Software Dynamic Resolution Ingress Tool Transfer Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration Over Physical Medium: Exfiltration over USB Exfiltration Over C2 Channel Exfiltration Over Physical Medium Automated Exfiltration Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Account Access Removal Data Destruction Resource Hijacking Data Encrypted for Impact Inhibit System Recovery