MITRE ATT&CK®

MITRE ATT&CK^® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

MITRE ATT&CK®是一个全球通用的基于现实世界观察的对手战术和技术的知识库。ATT&CK知识库被用作私营部门、政府以及网络安全产品和服务界开发特定威胁模型和方法的基础。

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

随着ATT&CK的创建，MITRE正在履行其为一个更安全的世界解决问题的使命--通过将社区联合起来开发更有效的网络安全。ATT&CK是开放的，任何个人或组织都可以免费使用。

This is a custom instance of the ATT&CK Website built from source code published by ATT&CK on GitHub. It is not affiliated with ATT&CK in any official capacity. The official instance of the ATT&CK website can be found at attack.mitre.org.

这个中文版是由云纷科技编者按照原文转译的ATT&CK网站的定制中文实例。它与ATT&CK没有任何官方关系。ATT&CK网站的官方实例可以在attack.mitre.org找到。

ATT&CK Matrix for Enterprise

10 techniques

7 techniques

9 techniques

12 techniques

19 techniques

13 techniques

42 techniques

16 techniques

30 techniques

9 techniques

17 techniques

16 techniques

9 techniques

13 techniques

主动扫描 ₍₃₎

Gather Victim Host Information ₍₄₎

Gather Victim Identity Information ₍₃₎

Gather Victim Network Information ₍₆₎

Gather Victim Org Information ₍₄₎

Phishing for Information ₍₃₎

Search Closed Sources ₍₂₎

Search Open Technical Databases ₍₅₎

Search Open Websites/Domains ₍₂₎

Search Victim-Owned Websites

Acquire Infrastructure ₍₆₎

Compromise Accounts ₍₂₎

Compromise Infrastructure ₍₆₎

Develop Capabilities ₍₄₎

Establish Accounts ₍₂₎

Obtain Capabilities ₍₆₎

Stage Capabilities ₍₅₎

Drive-by Compromise

Exploit Public-Facing Application

远程外部服务

Hardware Additions

Phishing ₍₃₎

通过可移动媒体复制

供应链攻击 ₍₃₎

信任关系

Valid Accounts ₍₄₎

Command and Scripting Interpreter ₍₈₎

Container Administration Command

Deploy Container

Exploitation for Client Execution

Inter-Process Communication ₍₃₎

Native API

Scheduled Task/Job ₍₅₎

Shared Modules

Software Deployment Tools

系统服务 ₍₂₎

User Execution ₍₃₎

Windows Management Instrumentation

Account Manipulation ₍₅₎

BITS Jobs

Boot or Logon Autostart Execution ₍₁₄₎

Boot or Logon Initialization Scripts ₍₅₎

Browser Extensions

Compromise Client Software Binary

Create Account ₍₃₎

Create or Modify System Process ₍₄₎

Event Triggered Execution ₍₁₅₎

远程外部服务

Hijack Execution Flow ₍₁₂₎

Implant Internal Image

Modify Authentication Process ₍₅₎

Office Application Startup ₍₆₎

Pre-OS Boot ₍₅₎

Scheduled Task/Job ₍₅₎

Server Software Component ₍₅₎

Traffic Signaling ₍₁₎

Valid Accounts ₍₄₎

Abuse Elevation Control Mechanism ₍₄₎

访问令牌操纵 ₍₅₎

Boot or Logon Autostart Execution ₍₁₄₎

Boot or Logon Initialization Scripts ₍₅₎

Create or Modify System Process ₍₄₎

Domain Policy Modification ₍₂₎

Escape to Host

Event Triggered Execution ₍₁₅₎

Exploitation for Privilege Escalation

Hijack Execution Flow ₍₁₂₎

Process Injection ₍₁₂₎

Scheduled Task/Job ₍₅₎

Valid Accounts ₍₄₎

Abuse Elevation Control Mechanism ₍₄₎

访问令牌操纵 ₍₅₎

BITS Jobs

Build Image on Host

Debugger Evasion

Deobfuscate/Decode Files or Information

Deploy Container

Direct Volume Access

Domain Policy Modification ₍₂₎

Execution Guardrails ₍₁₎

Exploitation for Defense Evasion

File and Directory Permissions Modification ₍₂₎

Hide Artifacts ₍₁₀₎

Hijack Execution Flow ₍₁₂₎

Impair Defenses ₍₉₎

Indicator Removal on Host ₍₆₎

Indirect Command Execution

Masquerading ₍₇₎

Modify Authentication Process ₍₅₎

Modify Cloud Compute Infrastructure ₍₄₎

Modify Registry

Modify System Image ₍₂₎

Network Boundary Bridging ₍₁₎

Obfuscated Files or Information ₍₆₎

Plist File Modification

Pre-OS Boot ₍₅₎

Process Injection ₍₁₂₎

Reflective Code Loading

Rogue Domain Controller

Rootkit

Subvert Trust Controls ₍₆₎

System Binary Proxy Execution ₍₁₃₎

System Script Proxy Execution ₍₁₎

Template Injection

Traffic Signaling ₍₁₎

Trusted Developer Utilities Proxy Execution ₍₁₎

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material ₍₄₎

Valid Accounts ₍₄₎

Virtualization/Sandbox Evasion ₍₃₎

Weaken Encryption ₍₂₎

XSL Script Processing

Adversary-in-the-Middle ₍₃₎

蛮力攻击 ₍₄₎

Credentials from Password Stores ₍₅₎

Exploitation for Credential Access

Forced Authentication

Forge Web Credentials ₍₂₎

Input Capture ₍₄₎

Modify Authentication Process ₍₅₎

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

网络嗅探

OS Credential Dumping ₍₈₎

Steal Application Access Token

Steal or Forge Kerberos Tickets ₍₄₎

Steal Web Session Cookie

Unsecured Credentials ₍₇₎

Account Discovery ₍₄₎

Application Window Discovery

Browser Bookmark Discovery

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Cloud Storage Object Discovery

Container and Resource Discovery

Debugger Evasion

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery ₍₃₎

Process Discovery

Query Registry

Remote System Discovery

Software Discovery ₍₁₎

System Information Discovery

System Location Discovery ₍₁₎

System Network Configuration Discovery ₍₁₎

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion ₍₃₎

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking ₍₂₎

Remote Services ₍₆₎

通过可移动媒体复制

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material ₍₄₎

Adversary-in-the-Middle ₍₃₎

Archive Collected Data ₍₃₎

Audio Capture

Automated Collection

Browser Session Hijacking

Clipboard Data

Data from Cloud Storage Object

Data from Configuration Repository ₍₂₎

Data from Information Repositories ₍₃₎

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged ₍₂₎

Email Collection ₍₃₎

Input Capture ₍₄₎

Screen Capture

Video Capture

Application Layer Protocol ₍₄₎

Communication Through Removable Media

Data Encoding ₍₂₎

Data Obfuscation ₍₃₎

Dynamic Resolution ₍₃₎

Encrypted Channel ₍₂₎

Fallback Channels

转移导入工具

多级渠道

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Proxy ₍₄₎

Remote Access Software

Traffic Signaling ₍₁₎

Web Service ₍₃₎

Automated Exfiltration ₍₁₎

Data Transfer Size Limits

Exfiltration Over Alternative Protocol ₍₃₎

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium ₍₁₎

Exfiltration Over Physical Medium ₍₁₎

Exfiltration Over Web Service ₍₂₎

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation ₍₃₎

Defacement ₍₂₎

Disk Wipe ₍₂₎

Endpoint Denial of Service ₍₄₎

Firmware Corruption

Inhibit System Recovery

Network Denial of Service ₍₂₎

Resource Hijacking

Service Stop

System Shutdown/Reboot

10 techniques

7 techniques

9 techniques

12 techniques

19 techniques

13 techniques

42 techniques

16 techniques

30 techniques

9 techniques

17 techniques

16 techniques

9 techniques

13 techniques

=	主动扫描 ₍₃₎
	Vulnerability Scanning 扫描IP区块 Wordlist Scanning

=	Gather Victim Host Information ₍₄₎
	Software Client Configurations Firmware Hardware

=	Gather Victim Identity Information ₍₃₎
	Email Addresses Employee Names Credentials

=	Gather Victim Network Information ₍₆₎
	Network Security Appliances Network Trust Dependencies Network Topology Domain Properties IP Addresses DNS

=	Gather Victim Org Information ₍₄₎
	Business Relationships Determine Physical Locations Identify Business Tempo Identify Roles

=	Phishing for Information ₍₃₎
	Spearphishing Link Spearphishing Attachment Spearphishing Service

=	Search Closed Sources ₍₂₎
	Threat Intel Vendors Purchase Technical Data

=	Search Open Technical Databases ₍₅₎
	DNS/Passive DNS Digital Certificates Scan Databases CDNs WHOIS

=	Search Open Websites/Domains ₍₂₎
	Search Engines Social Media

Search Victim-Owned Websites

=	Acquire Infrastructure ₍₆₎
	Web Services Virtual Private Server Domains DNS Server Server Botnet

=	Compromise Accounts ₍₂₎
	Email Accounts Social Media Accounts

=	Compromise Infrastructure ₍₆₎
	Web Services Server Domains Botnet Virtual Private Server DNS Server

=	Develop Capabilities ₍₄₎
	Code Signing Certificates Digital Certificates Malware Exploits

=	Establish Accounts ₍₂₎
	Social Media Accounts Email Accounts

=	Obtain Capabilities ₍₆₎
	Code Signing Certificates Tool Exploits Vulnerabilities Malware Digital Certificates

=	Stage Capabilities ₍₅₎
	Upload Malware Install Digital Certificate Upload Tool Drive-by Target Link Target

Drive-by Compromise

Exploit Public-Facing Application

远程外部服务

Hardware Additions

=	Phishing ₍₃₎
	Spearphishing Attachment Spearphishing via Service Spearphishing Link

通过可移动媒体复制

=	供应链攻击 ₍₃₎
	Compromise Software Supply Chain Compromise Software Dependencies and Development Tools Compromise Hardware Supply Chain

信任关系

=	Valid Accounts ₍₄₎
	Local Accounts Default Accounts Cloud Accounts Domain Accounts

=	Command and Scripting Interpreter ₍₈₎
	Python AppleScript PowerShell Visual Basic Windows Command Shell Network Device CLI JavaScript Unix Shell

Container Administration Command

Deploy Container

Exploitation for Client Execution

=	Inter-Process Communication ₍₃₎
	Component Object Model Dynamic Data Exchange XPC Services

Native API

=	Scheduled Task/Job ₍₅₎
	Container Orchestration Job Scheduled Task At Cron Systemd Timers

Shared Modules

Software Deployment Tools

=	系统服务 ₍₂₎
	Launchctl 服务执行

=	User Execution ₍₃₎
	Malicious File Malicious Link Malicious Image

Windows Management Instrumentation

=	Account Manipulation ₍₅₎
	Additional Email Delegate Permissions SSH Authorized Keys Device Registration Additional Cloud Credentials Additional Cloud Roles

BITS Jobs

=	Boot or Logon Autostart Execution ₍₁₄₎
	Security Support Provider Login Items Print Processors Active Setup Authentication Package Kernel Modules and Extensions Registry Run Keys / Startup Folder Re-opened Applications Time Providers Winlogon Helper DLL XDG Autostart Entries Shortcut Modification Port Monitors LSASS Driver

=	Boot or Logon Initialization Scripts ₍₅₎
	Login Hook Logon Script (Windows) Startup Items RC Scripts Network Logon Script

Browser Extensions

Compromise Client Software Binary

=	Create Account ₍₃₎
	Local Account Domain Account Cloud Account

=	创建或修改系统程序 ₍₄₎
	Launch Agent Systemd服务 Windows服务启动守护进程

=	Event Triggered Execution ₍₁₅₎
	Component Object Model Hijacking Accessibility Features Change Default File Association LC_LOAD_DYLIB Addition Trap Image File Execution Options Injection Screensaver AppCert DLLs AppInit DLLs Unix Shell Configuration Modification Windows Management Instrumentation Event Subscription Emond PowerShell Profile Netsh Helper DLL Application Shimming

远程外部服务

=	Hijack Execution Flow ₍₁₂₎
	KernelCallbackTable Dylib Hijacking Path Interception by PATH Environment Variable Services Registry Permissions Weakness Executable Installer File Permissions Weakness Services File Permissions Weakness DLL Search Order Hijacking Dynamic Linker Hijacking DLL Side-Loading Path Interception by Search Order Hijacking COR_PROFILER Path Interception by Unquoted Path

Implant Internal Image

=	Modify Authentication Process ₍₅₎
	Reversible Encryption Network Device Authentication Pluggable Authentication Modules Domain Controller Authentication Password Filter DLL

=	Office Application Startup ₍₆₎
	Outlook Rules Outlook Forms Office Template Macros Office Test Add-ins Outlook Home Page

=	Pre-OS Boot ₍₅₎
	System Firmware Bootkit TFTP Boot Component Firmware ROMMONkit

=	Scheduled Task/Job ₍₅₎
	Container Orchestration Job Scheduled Task At Cron Systemd Timers

=	Server Software Component ₍₅₎
	Transport Agent SQL Stored Procedures IIS Components Terminal Services DLL Web Shell

=	Traffic Signaling ₍₁₎
	Port Knocking

=	Valid Accounts ₍₄₎
	Local Accounts Default Accounts Cloud Accounts Domain Accounts

=	Abuse Elevation Control Mechanism ₍₄₎
	Setuid and Setgid Sudo and Sudo Caching Elevated Execution with Prompt Bypass User Account Control

=	访问令牌操纵 ₍₅₎
	Token Impersonation/Theft Make and Impersonate Token Parent PID Spoofing SID-History Injection Create Process with Token

=	Boot or Logon Autostart Execution ₍₁₄₎
	Security Support Provider Login Items Print Processors Active Setup Authentication Package Kernel Modules and Extensions Registry Run Keys / Startup Folder Re-opened Applications Time Providers Winlogon Helper DLL XDG Autostart Entries Shortcut Modification Port Monitors LSASS Driver

=	Boot or Logon Initialization Scripts ₍₅₎
	Login Hook Logon Script (Windows) Startup Items RC Scripts Network Logon Script

=	Create or Modify System Process ₍₄₎
	Launch Agent Systemd服务 Windows服务启动守护进程

=	Domain Policy Modification ₍₂₎
	Domain Trust Modification Group Policy Modification

Escape to Host

=	Event Triggered Execution ₍₁₅₎
	Component Object Model Hijacking Accessibility Features Change Default File Association LC_LOAD_DYLIB Addition Trap Image File Execution Options Injection Screensaver AppCert DLLs AppInit DLLs Unix Shell Configuration Modification Windows Management Instrumentation Event Subscription Emond PowerShell Profile Netsh Helper DLL Application Shimming

Exploitation for Privilege Escalation

=	Hijack Execution Flow ₍₁₂₎
	KernelCallbackTable Dylib Hijacking Path Interception by PATH Environment Variable Services Registry Permissions Weakness Executable Installer File Permissions Weakness Services File Permissions Weakness DLL Search Order Hijacking Dynamic Linker Hijacking DLL Side-Loading Path Interception by Search Order Hijacking COR_PROFILER Path Interception by Unquoted Path

=	Process Injection ₍₁₂₎
	ListPlanting Thread Local Storage Thread Execution Hijacking Extra Window Memory Injection Proc Memory Portable Executable Injection Process Doppelgänging Ptrace System Calls VDSO Hijacking Asynchronous Procedure Call Process Hollowing Dynamic-link Library Injection

=	Scheduled Task/Job ₍₅₎
	Container Orchestration Job Scheduled Task At Cron Systemd Timers

=	Valid Accounts ₍₄₎
	Local Accounts Default Accounts Cloud Accounts Domain Accounts

=	Abuse Elevation Control Mechanism ₍₄₎
	Setuid and Setgid Sudo and Sudo Caching Elevated Execution with Prompt Bypass User Account Control

=	访问令牌操纵 ₍₅₎
	Token Impersonation/Theft Make and Impersonate Token Parent PID Spoofing SID-History Injection Create Process with Token

BITS Jobs

Build Image on Host

Debugger Evasion

Deobfuscate/Decode Files or Information

Deploy Container

Direct Volume Access

=	Domain Policy Modification ₍₂₎
	Domain Trust Modification Group Policy Modification

=	Execution Guardrails ₍₁₎
	Environmental Keying

Exploitation for Defense Evasion

=	File and Directory Permissions Modification ₍₂₎
	Windows File and Directory Permissions Modification Linux and Mac File and Directory Permissions Modification

=	Hide Artifacts ₍₁₀₎
	Process Argument Spoofing Hidden Users NTFS File Attributes Hidden File System Run Virtual Instance Hidden Window Email Hiding Rules VBA Stomping Hidden Files and Directories Resource Forking

=	Hijack Execution Flow ₍₁₂₎
	KernelCallbackTable Dylib Hijacking Path Interception by PATH Environment Variable Services Registry Permissions Weakness Executable Installer File Permissions Weakness Services File Permissions Weakness DLL Search Order Hijacking Dynamic Linker Hijacking DLL Side-Loading Path Interception by Search Order Hijacking COR_PROFILER Path Interception by Unquoted Path

=	Impair Defenses ₍₉₎
	Disable Windows Event Logging Disable or Modify System Firewall Indicator Blocking Disable or Modify Cloud Firewall Impair Command History Logging Disable or Modify Tools Downgrade Attack Safe Mode Boot Disable Cloud Logs

=	Indicator Removal on Host ₍₆₎
	Clear Linux or Mac System Logs Network Share Connection Removal Timestomp File Deletion Clear Windows Event Logs Clear Command History

Indirect Command Execution

=	Masquerading ₍₇₎
	Match Legitimate Name or Location Double File Extension Right-to-Left Override Space after Filename Masquerade Task or Service Invalid Code Signature Rename System Utilities

=	Modify Authentication Process ₍₅₎
	Reversible Encryption Network Device Authentication Pluggable Authentication Modules Domain Controller Authentication Password Filter DLL

=	Modify Cloud Compute Infrastructure ₍₄₎
	Revert Cloud Instance Create Cloud Instance Delete Cloud Instance Create Snapshot

Modify Registry

=	Modify System Image ₍₂₎
	Downgrade System Image Patch System Image

=	Network Boundary Bridging ₍₁₎
	Network Address Translation Traversal

=	Obfuscated Files or Information ₍₆₎
	Binary Padding HTML Smuggling Indicator Removal from Tools Steganography Software Packing Compile After Delivery

Plist File Modification

=	Pre-OS Boot ₍₅₎
	System Firmware Bootkit TFTP Boot Component Firmware ROMMONkit

=	Process Injection ₍₁₂₎
	ListPlanting Thread Local Storage Thread Execution Hijacking Extra Window Memory Injection Proc Memory Portable Executable Injection Process Doppelgänging Ptrace System Calls VDSO Hijacking Asynchronous Procedure Call Process Hollowing Dynamic-link Library Injection

Reflective Code Loading

Rogue Domain Controller

Rootkit

=	Subvert Trust Controls ₍₆₎
	SIP and Trust Provider Hijacking Gatekeeper Bypass Code Signing Mark-of-the-Web Bypass Code Signing Policy Modification Install Root Certificate

=	System Binary Proxy Execution ₍₁₃₎
	Msiexec Compiled HTML File Regsvr32 Odbcconf Mshta Rundll32 Verclsid InstallUtil Regsvcs/Regasm Control Panel Mavinject CMSTP MMC

=	System Script Proxy Execution ₍₁₎
	PubPrn

Template Injection

=	Traffic Signaling ₍₁₎
	Port Knocking

=	Trusted Developer Utilities Proxy Execution ₍₁₎
	MSBuild

Unused/Unsupported Cloud Regions

=	Use Alternate Authentication Material ₍₄₎
	Web Session Cookie Application Access Token Pass the Ticket Pass the Hash

=	Valid Accounts ₍₄₎
	Local Accounts Default Accounts Cloud Accounts Domain Accounts

=	Virtualization/Sandbox Evasion ₍₃₎
	User Activity Based Checks System Checks Time Based Evasion

=	Weaken Encryption ₍₂₎
	Reduce Key Space Disable Crypto Hardware

XSL Script Processing

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay DHCP Spoofing ARP Cache Poisoning

=	Brute Force ₍₄₎
	Credential Stuffing Password Cracking Password Guessing Password Spraying

=	Credentials from Password Stores ₍₅₎
	Credentials from Web Browsers Keychain Windows Credential Manager Securityd Memory Password Managers

Exploitation for Credential Access

Forced Authentication

=	Forge Web Credentials ₍₂₎
	SAML Tokens Web Cookies

=	Input Capture ₍₄₎
	GUI Input Capture Keylogging Credential API Hooking Web Portal Capture

=	Modify Authentication Process ₍₅₎
	Reversible Encryption Network Device Authentication Pluggable Authentication Modules Domain Controller Authentication Password Filter DLL

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

=	OS Credential Dumping ₍₈₎
	Cached Domain Credentials /etc/passwd and /etc/shadow LSA Secrets LSASS Memory Proc Filesystem NTDS Security Account Manager DCSync

Steal Application Access Token

=	Steal or Forge Kerberos Tickets ₍₄₎
	Kerberoasting Golden Ticket AS-REP Roasting Silver Ticket

Steal Web Session Cookie

=	Unsecured Credentials ₍₇₎
	Credentials In Files Container API Bash History Group Policy Preferences Cloud Instance Metadata API Private Keys Credentials in Registry

=	Account Discovery ₍₄₎
	Email Account Cloud Account Local Account Domain Account

Application Window Discovery

Browser Bookmark Discovery

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Cloud Storage Object Discovery

Container and Resource Discovery

Debugger Evasion

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

=	Permission Groups Discovery ₍₃₎
	Domain Groups Local Groups Cloud Groups

Process Discovery

Query Registry

Remote System Discovery

=	Software Discovery ₍₁₎
	Security Software Discovery

System Information Discovery

=	System Location Discovery ₍₁₎
	System Language Discovery

=	System Network Configuration Discovery ₍₁₎
	Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

=	Virtualization/Sandbox Evasion ₍₃₎
	User Activity Based Checks System Checks Time Based Evasion

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

=	Remote Service Session Hijacking ₍₂₎
	SSH Hijacking RDP Hijacking

=	Remote Services ₍₆₎
	SMB/Windows Admin Shares Distributed Component Object Model Remote Desktop Protocol VNC SSH Windows Remote Management

通过可移动媒体复制

Software Deployment Tools

Taint Shared Content

=	Use Alternate Authentication Material ₍₄₎
	Web Session Cookie Application Access Token Pass the Ticket Pass the Hash

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay DHCP Spoofing ARP Cache Poisoning

=	Archive Collected Data ₍₃₎
	Archive via Library Archive via Custom Method Archive via Utility

Audio Capture

Automated Collection

Browser Session Hijacking

Clipboard Data

Data from Cloud Storage Object

=	Data from Configuration Repository ₍₂₎
	Network Device Configuration Dump SNMP (MIB Dump)

=	Data from Information Repositories ₍₃₎
	Code Repositories Sharepoint Confluence

Data from Local System

Data from Network Shared Drive

Data from Removable Media

=	Data Staged ₍₂₎
	Local Data Staging Remote Data Staging

=	Email Collection ₍₃₎
	Email Forwarding Rule Local Email Collection Remote Email Collection

=	Input Capture ₍₄₎
	GUI Input Capture Keylogging Credential API Hooking Web Portal Capture

Screen Capture

Video Capture

=	Application Layer Protocol ₍₄₎
	Web Protocols Mail Protocols DNS File Transfer Protocols

Communication Through Removable Media

=	Data Encoding ₍₂₎
	Standard Encoding Non-Standard Encoding

=	Data Obfuscation ₍₃₎
	Junk Data Protocol Impersonation Steganography

=	Dynamic Resolution ₍₃₎
	Domain Generation Algorithms Fast Flux DNS DNS Calculation

=	Encrypted Channel ₍₂₎
	Symmetric Cryptography Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

=	Proxy ₍₄₎
	Multi-hop Proxy Internal Proxy Domain Fronting External Proxy

Remote Access Software

=	Traffic Signaling ₍₁₎
	Port Knocking

=	Web Service ₍₃₎
	Bidirectional Communication One-Way Communication Dead Drop Resolver

=	Automated Exfiltration ₍₁₎
	Traffic Duplication

Data Transfer Size Limits

=	Exfiltration Over Alternative Protocol ₍₃₎
	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over C2 Channel

=	Exfiltration Over Other Network Medium ₍₁₎
	Exfiltration Over Bluetooth

=	Exfiltration Over Physical Medium ₍₁₎
	Exfiltration over USB

=	Exfiltration Over Web Service ₍₂₎
	Exfiltration to Code Repository Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

=	Data Manipulation ₍₃₎
	Stored Data Manipulation 运行数据操纵 Transmitted Data Manipulation

=	Defacement ₍₂₎
	Internal Defacement External Defacement

=	Disk Wipe ₍₂₎
	Disk Content Wipe Disk Structure Wipe

=	Endpoint Denial of Service ₍₄₎
	OS Exhaustion Flood Service Exhaustion Flood Application Exhaustion Flood Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

=	Network Denial of Service ₍₂₎
	Reflection Amplification Direct Network Flood

Resource Hijacking

Service Stop

System Shutdown/Reboot