Cobalt

APT Group · Financial crime · 97 zero-day CVEs · ETDA ✓

Also Known As (6 names)

COBALT SPIDER, Cobalt Gang, Cobalt Group, G0080, GOLD KINGSWOOD, Mule Libra

Target Countries (51)

United Arab Emirates; Armenia; Argentina; Austria; Australia; Azerbaijan; Belgium; Bulgaria; Brazil; Belarus; Canada; Cameroon; China; Germany; Denmark; Estonia; Egypt; Spain; United Kingdom; Georgia; Ireland; India; Iraq; Italy; Jordan; Kenya; Kyrgyzstan; Kuwait; Kazakhstan; Republic of Moldova; Mexico; Malaysia; Netherlands; Norway; Pakistan; Poland; Romania; Russian Federation; Saudi Arabia; Singapore; Senegal; Thailand; Tajikistan; Turkey; Taiwan, Province of China; Ukraine; United States; Uruguay; Bolivarian Republic of Venezuela; Vietnam; South Africa

Sectors Targeted (NAICS code in parentheses where the page gives one)

Computer Systems Design Services (541512)
Internet Publishing and Broadcasting and Web Search Portals (51913)
National Security and International Affairs (9281)
Ship Building and Repairing (336611)
High-Tech
Mining, Quarrying, and Oil and Gas Extraction (21)
Semiconductor and Other Electronic Component Manufacturing (33441)
Promoters of Performing Arts, Sports, and Similar Events (7113)
Media
Management, Scientific, and Technical Consulting Services (5416)
Water Supply and Irrigation Systems (22131)
Business Schools and Computer and Management Training (6114)
Insurance Carriers and Related Activities (524)
Colleges, Universities, and Professional Schools (6113)
Motion Picture and Video Production (51211)
Investigation, Guard, and Armored Car Services (56161)
Plastics Product Manufacturing (3261)
Research and Development in the Social Sciences and Humanities (54172)
Financial
Human Resources Consulting Services (541612)
Management Consulting Services (54161)
Retail
Educational Support Services (6117)
Food Services and Drinking Places (722)
Computer Systems Design and Related Services (5415)
Data Processing, Hosting, and Related Services (51821)
Personal Care Services (8121)
Office Machinery and Equipment Rental and Leasing (53242)
Accommodation (721)
Outpatient Care Centers (6214)
Computer Systems Design and Related Services (54151)
Freight Transportation Arrangement (48851)
Newspaper Publishers (51111)
Employment Placement Agencies and Executive Search Services (56131)
Hospitals (622)
Periodical Publishers (51112)
Public Administration (92)
Grantmaking and Giving Services (8132)
Telephone Apparatus Manufacturing (33421)
Construction (23)

Details

Origin: 🇷🇺 RU
Last Updated: 05 Aug 2025

Malware Families (68)

pony
simda
angryrebel
sakula_rat
aisuru
Morte
atmspitter
Netsupport Manager
METASPLOIT
cobint
Revenge-RAT
sorgu
win.salatstealer
dreambot
win.bqtlock
royal_ransom
snifula
win.vx_rat
netsupportmanager_rat
NJRAT
satori
houdini
EMOTET
agent_btz
phorpiex
zhmimikatz
jsp.godzilla_webshell
COBALTSTRIKE
win.nitrogen_ransomware
ldr4
darkrat
win.interlock
fakeupdateru
bazarnimrod
deimos
js.ether_rat
TRICKBOT
elf.lzrd
gh0stbins
win.bofamet
elf.goreshell
corona
remoteadmin
cryptonight
bashlite
venom
phoenix_keylogger
stoneboat
deimos_c2
win.beast
unidentified_078
saigon
venomous
H-worm
REMCOS
Xena
vawtrak
unidentified_115
hakai
win.splinter
highnoon_bin
ASYNCRAT
spark_rat
behinder
lokipws
agendacrypt
win.scavenger
gozi

MITRE ATT&CK (281 entries; IDs without a name are listed as they appear on the page)

T1001 - Data Obfuscation
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1003.002
T1003.003
T1005 - Data from Local System
T1007 - System Service Discovery
T1008 - Fallback Channels
T1011
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1020 - Automated Exfiltration
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1027.010
T1029
T1030
T1031 - Modify Existing Service
T1033 - System Owner/User Discovery
T1035 - Service Execution
T1036 - Masquerading
T1036.002 - Right-to-Left Override
T1036.003 - Rename System Utilities
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1037 - Boot or Logon Initialization Scripts
T1037.001
T1039 - Data from Network Shared Drive
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1043 - Commonly Used Port
T1045 - Software Packing
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1049 - System Network Connections Discovery
T1051 - Shared Webroot
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1055 - Process Injection
T1055.012 - Process Hollowing
T1056 - Input Capture
T1056.001 - Keylogging
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.002 - AppleScript
T1059.003 - Windows Command Shell
T1059.004 - Unix Shell
T1059.005 - Visual Basic
T1059.006 - Python
T1059.007 - JavaScript
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1065 - Uncommonly Used Port
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1069.001 - Local Groups
T1069.002 - Domain Groups
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.004 - DNS
T1074 - Data Staged
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1078.002 - Domain Accounts
T1078.003 - Local Accounts
T1080 - Taint Shared Content
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085 - Rundll32
T1086 - PowerShell
T1087 - Account Discovery
T1087.001 - Local Account
T1087.002 - Domain Account
T1089 - Disabling Security Tools
T1090 - Proxy
T1090.002 - External Proxy
T1090.003 - Multi-hop Proxy
T1090.004 - Domain Fronting
T1094 - Custom Command and Control Protocol
T1095 - Non-Application Layer Protocol
T1096 - NTFS File Attributes
T1097
T1098 - Account Manipulation
T1102 - Web Service
T1102.002 - Bidirectional Communication
T1102.003 - One-Way Communication
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1107
T1110 - Brute Force
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.001
T1115 - Clipboard Data
T1119 - Automated Collection
T1120
T1123 - Audio Capture
T1124
T1125 - Video Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1129 - Shared Modules
T1130
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1135 - Network Share Discovery
T1136 - Create Account
T1136.001 - Local Account
T1137
T1140 - Deobfuscate/Decode Files or Information
T1143 - Hidden Window
T1155 - AppleScript
T1158 - Hidden Files and Directories
T1170
T1176 - Browser Extensions
T1179 - Hooking
T1185
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1195 - Supply Chain Compromise
T1195.001 - Compromise Software Dependencies and Development Tools
T1195.002
T1197 - BITS Jobs
T1199 - Trusted Relationship
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1204.003 - Malicious Image
T1205 - Traffic Signaling
T1210 - Exploitation of Remote Services
T1213 - Data from Information Repositories
T1216.001 - PubPrn
T1217 - Browser Bookmark Discovery
T1218 - Signed Binary Proxy Execution
T1218.003
T1218.005 - Mshta
T1218.008
T1218.010
T1218.011 - Rundll32
T1219 - Remote Access Software
T1220
T1221 - Template Injection
T1222 - File and Directory Permissions Modification
T1222.001 - Windows File and Directory Permissions Modification
T1222.002 - Linux and Mac File and Directory Permissions Modification
T1449 - Exploit SS7 to Redirect Phone Calls/SMS
T1457 - Malicious Media Content
T1472 - Generate Fraudulent Advertising Revenue
T1480 - Execution Guardrails
T1482 - Domain Trust Discovery
T1484 - Domain Policy Modification
T1484.001 - Group Policy Modification
T1485 - Data Destruction
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1491 - Defacement
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1497.001 - System Checks
T1497.003 - Time Based Evasion
T1498 - Network Denial of Service
T1503
T1505 - Server Software Component
T1505.003 - Web Shell
T1506 - Web Session Cookie
T1512 - Capture Camera
T1518 - Software Discovery
T1518.001 - Security Software Discovery
T1528 - Steal Application Access Token
T1529
T1530 - Data from Cloud Storage Object
T1531 - Account Access Removal
T1537 - Transfer Data to Cloud Account
T1539 - Steal Web Session Cookie
T1542 - Pre-OS Boot
T1542.003 - Bootkit
T1543 - Create or Modify System Process
T1543.003 - Windows Service
T1546 - Event Triggered Execution
T1546.012
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1547.009 - Shortcut Modification
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Bypass User Account Control
T1550 - Use Alternate Authentication Material
T1552 - Unsecured Credentials
T1552.001 - Credentials In Files
T1553 - Subvert Trust Controls
T1553.002 - Code Signing
T1553.006 - Code Signing Policy Modification
T1554 - Compromise Client Software Binary
T1555 - Credentials from Password Stores
T1555.003 - Credentials from Web Browsers
T1556 - Modify Authentication Process
T1557 - Man-in-the-Middle
T1558 - Steal or Forge Kerberos Tickets
T1559
T1559.002
T1560 - Archive Collected Data
T1560.001 - Archive via Utility
T1561 - Disk Wipe
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.004 - Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1564 - Hide Artifacts
T1564.001 - Hidden Files and Directories
T1565 - Data Manipulation
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Domain Generation Algorithms
T1569 - System Services
T1569.002 - Service Execution
T1570 - Lateral Tool Transfer
T1571 - Non-Standard Port
T1572 - Protocol Tunneling
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1573.002
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1574.002 - DLL Side-Loading
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.003 - Virtual Private Server
T1583.004 - Server
T1583.006 - Web Services
T1584 - Compromise Infrastructure
T1584.001 - Domains
T1584.003 - Virtual Private Server
T1584.004 - Server
T1585 - Establish Accounts
T1585.001 - Social Media Accounts
T1586 - Compromise Accounts
T1587 - Develop Capabilities
T1587.001 - Malware
T1588 - Obtain Capabilities
T1588.001 - Malware
T1588.002 - Tool
T1589 - Gather Victim Identity Information
T1590 - Gather Victim Network Information
T1591 - Gather Victim Org Information
T1592 - Gather Victim Host Information
T1594 - Search Victim-Owned Websites
T1595 - Active Scanning
T1595.001 - Scanning IP Blocks
T1595.002 - Vulnerability Scanning
T1596 - Search Open Technical Databases
T1597 - Search Closed Sources
T1598 - Phishing for Information
T1599 - Network Boundary Bridging
T1601 - Modify System Image
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1608.002 - Upload Tool
T1610 - Deploy Container
T1614 - System Location Discovery
TA0003 - Persistence