Valid Accounts | Windows Management Instrumentation21 | Scheduled Task1 | Process Injection112 | Software Packing21 | Input Capture1 | System Time Discovery1 | Remote File Copy12 | Input Capture1 | Data Encrypted1 | Remote File Copy12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Replication Through Removable Media | PowerShell1 | Port Monitors | Scheduled Task1 | Disabling Security Tools1 | Network Sniffing | Account Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
External Remote Services | Scripting21 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information1 | Input Capture | Security Software Discovery21 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Drive-by Compromise | Execution through API3 | System Firmware | DLL Search Order Hijacking | Scripting21 | Credentials in Files | File and Directory Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol13 | SIM Card Swap | | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Exploitation for Client Execution1 | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information2 | Account Manipulation | System Information Discovery23 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Graphical User Interface1 | Modify Existing Service | New Service | Masquerading1 | Brute Force | Query Registry1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features |
Spearphishing Attachment | Scheduled Task1 | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion2 | Two-Factor Authentication Interception | Virtualization/Sandbox Evasion2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection112 | Bash History | Process Discovery2 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Application Window Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction |
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Owner/User Discovery1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact |
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | Remote System Discovery1 | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | | | Disk Structure Wipe |