MITRE ATT&CK Framework
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is used as a foundation for threat models and methodologies in the private sector, government, and the cybersecurity community. The Enterprise matrix covers 14 tactics describing adversary goals, with hundreds of techniques describing how those goals are achieved.
Reconnaissance
Active Scanning
Tactic: TA0043
Adversaries scan victim infrastructure to gather information prior to exploitation, including IP ranges, open ports, and running services.
Gather Victim Host Information
Tactic: TA0043
Adversaries gather information about the victim's hosts including hardware, software, and configurations to identify weaknesses.
Gather Victim Identity Information
Tactic: TA0043
Adversaries gather identity information such as employee names, email addresses, and credentials to enable targeted attacks.
Phishing for Information
Tactic: TA0043
Adversaries send phishing messages to elicit sensitive information, such as credentials or system details, without deploying malware.
Resource Development
Acquire Infrastructure
Tactic: TA0042
Adversaries acquire infrastructure such as domains, VPS, or botnets to support operations and obscure attribution.
Compromise Infrastructure
Tactic: TA0042
Adversaries compromise third-party infrastructure to stage attacks, making detection and attribution more difficult.
Obtain Capabilities
Tactic: TA0042
Adversaries obtain tools, exploits, or access that can be used during targeting, including purchasing malware or exploiting zero-days.
Initial Access
Exploit Public-Facing Application
Tactic: TA0001
Adversaries exploit weaknesses in internet-facing applications such as web servers, VPNs, or APIs to gain an initial foothold.
Phishing
Tactic: TA0001
Adversaries send spearphishing emails with malicious links or attachments to gain access to victim systems.
Valid Accounts
Tactic: TA0001
Adversaries use compromised credentials of existing accounts to bypass access controls and blend in with normal activity.
External Remote Services
Tactic: TA0001
Adversaries leverage external-facing remote services such as VPN, RDP, or Citrix with stolen credentials to gain access.
Supply Chain Compromise
Tactic: TA0001
Adversaries tamper with software or hardware supply chains to compromise targets before delivery.
Execution
Command and Scripting Interpreter
Tactic: TA0002
Adversaries abuse command-line interfaces and scripting languages (PowerShell, Bash, Python) to execute malicious commands.
Exploitation for Client Execution
Tactic: TA0002
Adversaries exploit vulnerabilities in client-side software to execute code when a user interacts with malicious content.
Scheduled Task / Job
Tactic: TA0002
Adversaries abuse task scheduling utilities to execute programs at system startup or on a scheduled basis for persistence or execution.
Native API
Tactic: TA0002
Adversaries interact directly with OS native APIs to execute behaviors that may evade security tool detection.
Persistence
Boot or Logon Autostart Execution
Tactic: TA0003
Adversaries configure system settings to execute malware automatically at boot or logon to maintain persistence.
Create Account
Tactic: TA0003
Adversaries create accounts on systems to maintain persistent access, including local, domain, or cloud accounts.
Create or Modify System Process
Tactic: TA0003
Adversaries create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
Account Manipulation
Tactic: TA0003
Adversaries manipulate accounts to maintain or elevate access to victim systems, including modifying permissions.
Privilege Escalation
Exploitation for Privilege Escalation
Tactic: TA0004
Adversaries exploit vulnerabilities to gain higher-level permissions beyond what is normally available.
Process Injection
Tactic: TA0004
Adversaries inject malicious code into running processes to evade defenses and escalate privileges.
Abuse Elevation Control Mechanism
Tactic: TA0004
Adversaries bypass UAC or sudo controls to elevate privileges without triggering alerts.
Access Token Manipulation
Tactic: TA0004
Adversaries manipulate access tokens to operate under a different user or system security context.
Defense Evasion
Indicator Removal
Tactic: TA0005
Adversaries delete or modify artifacts to remove evidence of their presence, including logs, files, and registry keys.
Masquerading
Tactic: TA0005
Adversaries disguise malicious activity by naming files or processes after legitimate ones to avoid detection.
Impair Defenses
Tactic: TA0005
Adversaries disable or tamper with security tools, logging, and monitoring to prevent detection of malicious activity.
Obfuscated Files or Information
Tactic: TA0005
Adversaries encode, encrypt, or otherwise obfuscate files and payloads to evade static analysis and signature detection.
Credential Access
Brute Force
Tactic: TA0006
Adversaries attempt to gain access to accounts by systematically guessing passwords or using credential stuffing.
OS Credential Dumping
Tactic: TA0006
Adversaries dump credentials from the OS and software, such as LSASS memory, the SAM database, or /etc/shadow.
Credentials from Password Stores
Tactic: TA0006
Adversaries search for and collect credentials from password managers, browsers, and system credential stores.
Input Capture
Tactic: TA0006
Adversaries use keyloggers or input capture methods to intercept credentials as users type them.
Discovery
System Information Discovery
Tactic: TA0007
Adversaries enumerate OS details, patch levels, and system configurations to inform further exploitation.
Network Service Discovery
Tactic: TA0007
Adversaries scan the internal network to identify active hosts, open ports, and running services.
File and Directory Discovery
Tactic: TA0007
Adversaries enumerate files and directories to identify valuable data, configurations, or staging locations.
Process Discovery
Tactic: TA0007
Adversaries enumerate running processes to identify security tools, target applications, or gather system context.
Lateral Movement
Remote Services
Tactic: TA0008
Adversaries use remote service protocols (RDP, SSH, SMB, WinRM) with valid credentials to move laterally.
Use Alternate Authentication Material
Tactic: TA0008
Adversaries use stolen tokens, hashes, or tickets (Pass-the-Hash, Pass-the-Ticket) instead of plaintext credentials.
Lateral Tool Transfer
Tactic: TA0008
Adversaries copy tools or payloads to remote systems to enable additional operations on compromised hosts.
Internal Spearphishing
Tactic: TA0008
Adversaries use existing access to send phishing messages internally to expand their foothold within an organization.
Collection
Data Staged
Tactic: TA0009
Adversaries stage collected data in a central location before exfiltration to minimize detection during transfer.
Email Collection
Tactic: TA0009
Adversaries collect email content from mail clients, servers, or cloud providers to extract sensitive information.
Archive Collected Data
Tactic: TA0009
Adversaries compress and encrypt collected data to reduce size and evade detection during exfiltration.
Screen Capture
Tactic: TA0009
Adversaries capture screen content to collect sensitive information displayed to users.
Command and Control
Application Layer Protocol
Tactic: TA0011
Adversaries communicate using standard application protocols (HTTP, HTTPS, DNS, SMTP) to blend in with legitimate traffic.
Proxy
Tactic: TA0011
Adversaries use proxies and multi-hop chains to obfuscate C2 traffic origins and evade network detection.
Ingress Tool Transfer
Tactic: TA0011
Adversaries transfer tools or malware from external systems into the compromised environment to enable further operations.
Protocol Tunneling
Tactic: TA0011
Adversaries tunnel C2 traffic inside legitimate protocols (DNS, ICMP, HTTP) to evade firewall and IDS detection.
Exfiltration
Exfiltration Over C2 Channel
Tactic: TA0010
Adversaries exfiltrate data using the same channel established for command and control communications.
Exfiltration Over Alternative Protocol
Tactic: TA0010
Adversaries use protocols different from C2 (FTP, SMTP, DNS) to exfiltrate data and avoid detection.
Exfiltration Over Web Service
Tactic: TA0010
Adversaries exfiltrate data to cloud storage, code repositories, or social media to blend with normal traffic.
Scheduled Transfer
Tactic: TA0010
Adversaries schedule data exfiltration at specific intervals to blend with normal network patterns.
Impact
Data Encrypted for Impact
Tactic: TA0040
Adversaries encrypt data on target systems to interrupt availability — the primary technique behind ransomware attacks.
Inhibit System Recovery
Tactic: TA0040
Adversaries delete backups, shadow copies, and recovery mechanisms to maximize impact of destructive attacks.
Data Destruction
Tactic: TA0040
Adversaries destroy data on specific target systems or in large quantities across a network to interrupt availability.
Network Denial of Service
Tactic: TA0040
Adversaries flood network resources to degrade or block legitimate users from accessing services.