Lazarus Group

Type: APT Group
Motivation: Information theft and espionage, Sabotage and destruction, Financial crime, Financial gain
Zero-day CVEs: 88
Source: ETDA ✓

Also Known As 40 names

APT 38
APT-C-26
APT38
ATK117
ATK3
Andariel
Appleworm
BeagleBoyz
Black Artemis
Bluenoroff
Bureau 121
COPERNICIUM
COVELLITE
Citrine Sleet
DEV-0139
DEV-1222
Dark Seoul
Diamond Sleet
G0032
G0082
Genie Spider
Group 77
Hastati Group
Hidden Cobra
Labyrinth Chollima
Lazarus
Moonstone Sleet
NICKEL GLADSTONE
NewRomanic Cyber Army Team
Nickel Academy
Operation AppleJeus
Operation DarkSeoul
Operation GhostSecret
Operation Troy
Sapphire Sleet
Stardust Chollima
TA404
Unit 121
Whois Hacking Team
ZINC

Target Countries 45

United Arab Emirates
Australia
Bangladesh
Belgium
Burkina Faso
Brazil
Canada
Switzerland
Chile
China
Cyprus
Germany
Ecuador
Estonia
Egypt
France
United Kingdom
Guatemala
Hong Kong
Ireland
Israel
India
Italy
Japan
Saint Kitts and Nevis
Republic of Korea
Mexico
Malaysia
Nigeria
Netherlands
Nepal
Philippines
Poland
Russian Federation
Sweden
Singapore
Slovakia
Thailand
Taiwan, Province of China
United Republic of Tanzania
Uganda
United States
Bolivarian Republic of Venezuela
Vietnam
South Africa

Sectors Targeted (NAICS industry code in parentheses where the page gives one)

Miscellaneous Intermediation (52391)
Portfolio Management (52392)
Offices of Lawyers (541110)
Educational Services (611)
Technology
Outpatient Care Centers (6214)
Mining, Quarrying, and Oil and Gas Extraction (21)
Insurance Carriers and Related Activities (524)
Educational Support Services (6117)
Food Manufacturing (311)
Finance
Telephone Apparatus Manufacturing (33421)
Food Services and Drinking Places (722)
BitCoin exchanges
Engineering
Other Personal Services (8129)
Promoters of Performing Arts, Sports, and Similar Events (7113)
Newspaper Publishers (51111)
Media
Shipping and Logistics
Employment Placement Agencies and Executive Search Services (56131)
Motion Picture and Video Production (51211)
Investigation, Guard, and Armored Car Services (56161)
Religious Organizations (8131)
Research and Development in the Social Sciences and Humanities (54172)
Energy
Telecommunications (517)
Hospitals (622)
Photographic Services (54192)
Grantmaking and Giving Services (8132)
Healthcare
Air Transportation (481)
Other Amusement and Recreation Industries (7139)
Government
Civic and Social Organizations (8134)
Management, Scientific, and Technical Consulting Services (5416)
Computer Systems Design and Related Services (54151)
Convention and Trade Show Organizers (56192)
Computer Systems Design Services (541512)
Internet Publishing and Broadcasting and Web Search Portals (51913)
Aerospace
Motor Vehicle Manufacturing (3361)
All Other Information Services (51919)
Computer Systems Design and Related Services (5415)
Commercial Banking (52211)
Advertising Agencies (54181)
National Security and International Affairs (928110)
Business, Professional, Labor, Political, and Similar Organizations (8139)
Defense
Investment Banking and Securities Dealing (52311)
Periodical Publishers (51112)
Business Schools and Computer and Management Training (6114)
Justice, Public Order, and Safety Activities (9221)
Freight Transportation Arrangement (48851)
Public Relations Agencies (54182)
Electronics and Appliance Stores (44314)
Human Resources Consulting Services (541612)
Construction (23)
Real Estate (531)
Financial Data Processing, Hosting, and Related Services (51821)

Details

Origin: 🇰🇵 KP (Democratic People's Republic of Korea)
Last Updated: 21 Mar 2025

Malware Families 87

wannacryptor
bistromath
nachocheese
brambul
lambload
wagenttea
hotwax
magic_rat
sierras
alphanc
wormhole
artfulpie
blindtoad
wininetloader
hermeticwiper
vyveva
simpletea
touchmove
cur1_downloader
electricfish
spectral_blur
fudmodule
jessiecontea
cheesetray
win.scoutc2
DARKCOMET
bookcodesrat
unidentified_101
iconic_stealer
fuwuqidrama
unidentified_106
outcrypt
zhmimikatz
minitypeframe
httpsuploader
lpeclient
feed_load
3cx_backdoor
anchormtea
coredn
js.ether_rat
contopee
roll_sling
duuzer
ghost_secret
crat
joanap
redshawl
forest_tiger
buffetline
casso
redhat_hacker
phandoor
slickshoes
lazardoor
banpolmex
power_ratankba
pslogger
nestegg
manuscrypt
watchcat
lazarus_killdisk
lazarloader
snatchcrypto
lcpdot
ratankbapos
unidentified_077
unidentified_090
cleantoad
vsingle
racket
wannaren
bravonc
bitsran
bootwreck
deltas
alreay
klackring
webbytea
yort
imprudentcook
neddnloader
interception
agendacrypt
log_collector
dyepack
hloader

MITRE ATT&CK 371 (technique, sub-technique and tactic IDs; names appear where the page gave them, and the list also includes deprecated and ATT&CK for Mobile IDs)

T1001 - Data Obfuscation
T1001.003 - Protocol Impersonation
T1002
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1003.003 - NTDS
T1003.004 - LSA Secrets
T1005 - Data from Local System
T1007
T1008
T1010 - Application Window Discovery
T1011
T1011.001 - Exfiltration Over Bluetooth
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1016.001 - Internet Connection Discovery
T1017 - Application Deployment Software
T1018 - Remote System Discovery
T1020 - Automated Exfiltration
T1020.001 - Traffic Duplication
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
T1021.004 - SSH
T1021.006 - Windows Remote Management
T1022
T1023 - Shortcut Modification
T1024 - Custom Cryptographic Protocol
T1025
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1027.003
T1027.007
T1027.009
T1027.013
T1031 - Modify Existing Service
T1033 - System Owner/User Discovery
T1035 - Service Execution
T1036 - Masquerading
T1036.003
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1036.006
T1036.008
T1037 - Boot or Logon Initialization Scripts
T1037.001 - Logon Script (Windows)
T1037.003 - Network Logon Script
T1038 - DLL Search Order Hijacking
T1039 - Data from Network Shared Drive
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1045 - Software Packing
T1046
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.003
T1053.005 - Scheduled Task
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1055.002 - Portable Executable Injection
T1055.011 - Extra Window Memory Injection
T1055.012 - Process Hollowing
T1056 - Input Capture
T1056.001 - Keylogging
T1056.002 - GUI Input Capture
T1056.004 - Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.002 - AppleScript
T1059.003 - Windows Command Shell
T1059.004 - Unix Shell
T1059.005 - Visual Basic
T1059.006 - Python
T1059.007 - JavaScript
T1060 - Registry Run Keys / Startup Folder
T1062 - Hypervisor
T1063 - Security Software Discovery
T1064
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1069.002 - Domain Groups
T1070 - Indicator Removal on Host
T1070.001
T1070.003
T1070.004 - File Deletion
T1070.006 - Timestomp
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.004 - DNS
T1072 - Software Deployment Tools
T1074 - Data Staged
T1074.001
T1076 - Remote Desktop Protocol
T1078 - Valid Accounts
T1078.002 - Domain Accounts
T1078.003 - Local Accounts
T1078.004 - Cloud Accounts
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1084 - Windows Management Instrumentation Event Subscription
T1087 - Account Discovery
T1087.002
T1089 - Disabling Security Tools
T1090 - Proxy
T1090.001
T1090.002
T1090.003 - Multi-hop Proxy
T1091
T1095 - Non-Application Layer Protocol
T1098
T1102 - Web Service
T1102.001 - Dead Drop Resolver
T1102.002 - Bidirectional Communication
T1102.003 - One-Way Communication
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1107
T1110 - Brute Force
T1110.003
T1111 - Two-Factor Authentication Interception
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1115 - Clipboard Data
T1119 - Automated Collection
T1124
T1125 - Video Capture
T1127
T1129 - Shared Modules
T1130 - Install Root Certificate
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1134.001
T1134.002 - Create Process with Token
T1135 - Network Share Discovery
T1136 - Create Account
T1137 - Office Application Startup
T1138 - Application Shimming
T1139 - Bash History
T1140 - Deobfuscate/Decode Files or Information
T1143 - Hidden Window
T1155 - AppleScript
T1176 - Browser Extensions
T1185 - Man in the Browser
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1195 - Supply Chain Compromise
T1195.001 - Compromise Software Dependencies and Development Tools
T1195.002 - Compromise Software Supply Chain
T1199 - Trusted Relationship
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1207 - Rogue Domain Controller
T1210 - Exploitation of Remote Services
T1211 - Exploitation for Defense Evasion
T1212 - Exploitation for Credential Access
T1213 - Data from Information Repositories
T1217 - Browser Bookmark Discovery
T1218 - Signed Binary Proxy Execution
T1218.001
T1218.005
T1218.007 - Msiexec
T1218.010
T1218.011 - Rundll32
T1219 - Remote Access Software
T1220
T1221 - Template Injection
T1404 - Exploit OS Vulnerability
T1406 - Obfuscated Files or Information
T1410 - Network Traffic Capture or Redirection
T1428 - Exploit Enterprise Resources
T1432 - Access Contact List
T1441
T1442
T1444
T1445 - Abuse of iOS Enterprise App Signing Key
T1449 - Exploit SS7 to Redirect Phone Calls/SMS
T1454 - Malicious SMS Message
T1459 - Device Unlock Code Guessing or Brute Force
T1480 - Execution Guardrails
T1480.002
T1485 - Data Destruction
T1486 - Data Encrypted for Impact
T1489
T1490 - Inhibit System Recovery
T1491
T1491.001
T1495
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1497.001 - System Checks
T1497.002 - User Activity Based Checks
T1497.003
T1498 - Network Denial of Service
T1499 - Endpoint Denial of Service
T1505 - Server Software Component
T1505.003 - Web Shell
T1505.004
T1512 - Capture Camera
T1518 - Software Discovery
T1518.001 - Security Software Discovery
T1528 - Steal Application Access Token
T1529
T1530
T1531
T1534
T1539 - Steal Web Session Cookie
T1542
T1542.003
T1543 - Create or Modify System Process
T1543.001 - Launch Agent
T1543.003
T1543.004 - Launch Daemon
T1546 - Event Triggered Execution
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1547.006
T1547.008 - LSASS Driver
T1547.009
T1547.011 - Plist Modification
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Bypass User Account Control
T1550 - Use Alternate Authentication Material
T1550.002 - Pass the Hash
T1552 - Unsecured Credentials
T1552.001 - Credentials In Files
T1552.004 - Private Keys
T1553 - Subvert Trust Controls
T1553.002 - Code Signing
T1553.003 - SIP and Trust Provider Hijacking
T1553.005 - Mark-of-the-Web Bypass
T1555 - Credentials from Password Stores
T1555.001 - Keychain
T1555.003 - Credentials from Web Browsers
T1555.005 - Password Managers
T1556 - Modify Authentication Process
T1556.001 - Domain Controller Authentication
T1557 - Man-in-the-Middle
T1557.001
T1559
T1560 - Archive Collected Data
T1560.001 - Archive via Utility
T1560.002
T1560.003
T1561 - Disk Wipe
T1561.001 - Disk Content Wipe
T1561.002 - Disk Structure Wipe
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.003
T1562.004
T1562.013
T1563
T1564 - Hide Artifacts
T1564.001
T1564.003 - Hidden Window
T1565 - Data Manipulation
T1565.001
T1565.002
T1565.003
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1566.003 - Spearphishing via Service
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Domain Generation Algorithms
T1569
T1569.002
T1570 - Lateral Tool Transfer
T1571 - Non-Standard Port
T1572 - Protocol Tunneling
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1573.002 - Asymmetric Cryptography
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1574.002 - DLL Side-Loading
T1574.010 - Services File Permissions Weakness
T1574.012 - COR_PROFILER
T1574.013
T1578 - Modify Cloud Compute Infrastructure
T1580 - Cloud Infrastructure Discovery
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.002 - DNS Server
T1583.003 - Virtual Private Server
T1583.004 - Server
T1583.005
T1583.006
T1584 - Compromise Infrastructure
T1584.001 - Domains
T1584.002 - DNS Server
T1584.004 - Server
T1584.005 - Botnet
T1585 - Establish Accounts
T1585.001 - Social Media Accounts
T1585.002
T1586 - Compromise Accounts
T1587 - Develop Capabilities
T1587.001 - Malware
T1587.002
T1587.003 - Digital Certificates
T1587.004 - Exploits
T1588 - Obtain Capabilities
T1588.001 - Malware
T1588.002 - Tool
T1588.003
T1588.004 - Digital Certificates
T1589 - Gather Victim Identity Information
T1589.002
T1590 - Gather Victim Network Information
T1590.005
T1591 - Gather Victim Org Information
T1591.001 - Determine Physical Locations
T1591.002 - Business Relationships
T1591.004
T1592 - Gather Victim Host Information
T1592.002
T1593 - Search Open Websites/Domains
T1593.001
T1595 - Active Scanning
T1596 - Search Open Technical Databases
T1598
T1598.003
T1602.001 - SNMP (MIB Dump)
T1602.002 - Network Device Configuration Dump
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1608.002
T1609 - Container Administration Command
T1614
T1614.001
T1620
T1622
T1656
T1680
T1684
T1684.001
T1685
T1685.005
T1686
T1686.002
T1686.003
T1690
TA0002 - Execution
TA0003 - Persistence
TA0004
TA0005 - Defense Evasion
TA0006
TA0007
TA0009
TA0011
TA0034
TA0040