ATAGS is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, specifically designed for the GSaaS environment. The ATAGS knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

By adopting an End-to-End Service Supply Chain approach, ATAGS analyzes threats across the full lifecycle—from physical antenna RF links to cloud control planes and third-party software libraries. ATAGS also distinguishes between multiple operational environments to provide context-specific threat assessments, dividing responsibilities between provider and customer, and identifying targeted components for each technique.

ATAGS - Adversarial Tactics Analysis for Ground Security

Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
14 techniques 7 techniques 21 techniques 24 techniques 12 techniques 11 techniques 29 techniques 17 techniques 32 techniques 11 techniques 18 techniques 16 techniques 13 techniques 19 techniques
Active Scanning of Provider Infrastructure
G2S Eavesdropping
G2U Eavesdropping
Gather Customer Network Information
Gather Customer Org Information
Gather Ground Station Communications Information
Gather Ground Station Logical and Cloud Design Information
Gather Ground Station Physical Architecture Information
Gather Mission Profile Configuration
Gather Mission Schedule / LEOP Timeline
Gather Mission that uses GSaaS Information
Gather Provider Org Information
Gather Supply Chain Information (4)
=
Phishing for Information (6)
=
Acquire Access
Acquire or Build Infrastructure (4)
=
Compromise Infrastructure (14)
=
Compromise or Establish Accounts
Develop or Obtain Cyber Capabilities
Develop or Obtain Non-Cyber Capabilities
Stage Capabilities (8)
=
Assembly, Test, and Launch Operation Compromise
Content Injection
Direct Attack to Space Communication Links (1)
=
Drive-by Compromise
Exploit Public-Facing Application
Ground Segment Compromise (2)
=
Hardware Additions
Internet Accessible Device
Phishing (4)
=
Remote Services Compromise
Remote Services Exploitation
Replication Through Removable Media
Rogue Master
Secondary/Backup Communication Channel Compromise
Software Defined Radio Compromise
Spacecraft Compromise
Supply Chain Compromise
Transient Cyber Asset
Trusted Relationship Exploitation
Valid Accounts Exploitation
Wireless Compromise
Autorun Image
Cloud Administration Command
Cloud API execution
Code Flaws Exploit
Command and Scripting Interpreter (13)
=
Encryption Disable/Bypass
Exploit Hardware/Firmware Corruption (2)
=
Flooding (2)
=
Hooking
Input Injection
Jamming (2)
=
Kinetic Physical Attack
Malicious Code (4)
=
Modify Authentication Process (9)
=
Modify Controller Tasking
Non-Kinetic Physical Attack (3)
=
Replay (1)
=
Scheduled Task/Job (5)
=
Serverless Execution
Side-Channel Attack
Software Deployment Tools
Spoofing (2)
=
System Services (3)
=
User Execution (5)
=
Backdoor (2)
=
Cloud Application Integration
Cloud Scheduled Task / Jobs
Event Triggered Execution (18)
=
External Remote Services
Implant Internal Image
Infrastructure File Infection
Modify Authentication Process (9)
=
Server Software Component (6)
=
Software Extentions (3)
=
Traffic Signaling (2)
=
Valid Credentialed Persistence
Abuse Elevation Control Mechanism (6)
=
Access Token Manipulation (5)
=
Account Manipulation (7)
=
Domain or Tenant Policy Modification (2)
=
Escape to Host (1)
=
Event Triggered Execution (18)
=
Exploitation for Privilege Escalation
Hooking
Process Injection (12)
=
Scheduled Task/job
Valid Accounts (4)
=
Abuse Elevation Control Mechanism (6)
=
Access Token Manipulation (5)
=
Build Image on Host
Component Collusion
Debugger Evasion
Delay Execution
Deobfuscate/Decode Files or Information
Deploy Container
Domain or Tenant Policy Modification (2)
=
Execution Guardrails (2)
=
Exploitation for Defense Evasion
File and Directory Permission Modification (2)
=
Hide Artifacts (14)
=
Impair Defenses (13)
=
Impersonation
Indicator Removal (10)
=
Masquerading (12)
=
Modify Authentication Process (9)
=
Modify Cloud Compute Infrastructure (5)
=
Modify Cloud Resource Hierarchy
Modify Whitelist
Obfuscated Files or Information (17)
=
Rootkit
Spoof Reporting Message
Subvert Trust Controls (6)
=
Traffic Signaling (2)
=
Trusted Developer Utilities Proxy Execution (3)
=
Use Alternate Authentication Material (4)
=
Valid Accounts Evasion
Adversary in the Middle (7)
=
Brute Force (5)
=
Credentials from Password Stores (6)
=
Exploitation for Credential Access
Forced Authentication
Forge Web Credentials (2)
=
Input Capture (4)
=
Modify Authentication Process (9)
=
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping (8)
=
Phishing for credentials
Steal Application Access Token
Steal or Forge Authentication Certificates
Steal Web Session Cookie
Unsecured Credentials (8)
=
Account Discovery (4)
=
Browser Information Discovery
Cloud Infrastructure Discovery
Cloud Service Dashboard
Cloud Service Discovery
Cloud Storage Object Discovery
Cloud/Organization Policy Discovery
Container and Resource Discovery
Device Driver Discovery
File and Directory Discovery
Ground Network Sniffing
Key Management Policy Discovery
Link segment Sniffing
Local Storage Discovery
Log Enumeration
Network Service Discovery
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery (3)
=
Process Discovery
Remote System Discovery
Remote System Information Discovery
Software Discovery (2)
=
System Information Discovery
System Location Discovery (1)
=
System Network Configuration Discovery (2)
=
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
Trust Relationships Discovery
Virtual Machine Discovery
Default Credentials
Hardcoded Credentials
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking (2)
=
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material (4)
=
Use/Exploitation of Remote Services
Valid Accounts (4)
=
Virtualization Escape
Adversary in the Middle (7)
=
Archive Collected Data (3)
=
Audio Capture
Automated Collection
Browser Session Hijacking
Clipboard Data
Data from Cloud Storage
Data from Configuration Repository (2)
=
Data from Information Repositories (6)
=
Data from link eavesdropping (3)
=
Data from Local System
Data from Network Shared Drive
Data Staged (2)
=
Email Collection (3)
=
Input Capture (4)
=
Screen Capture
Video Capture
Wireless Sniffing
Content Injection
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
=
Fallback Channels
Hide Infrastructure
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Protocol Tunnelling
Proxy (4)
=
Remote Access Tools (3)
=
Standard Application Layer Protocol
Traffic Signaling (2)
=
Web Service (3)
=
Automated Exfiltration (1)
=
Data Transfer Size Limits
Exfiltration Over Alternative Protocol (3)
=
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Payload Channel
Exfiltration Over Web Service (4)
=
Modify Communications Configuration (2)
=
Physical Layer Exfiltration
Replay Exfiltration
Scheduled Transfer
Side-Channel Exfiltration (4)
=
Transfer Data to Cloud Account
Account Access Removal
Data Destruction (1)
=
Data Encrypted for Impact
Data Manipulation (3)
=
Defacement (2)
=
Degradation of infrastructure
Denial of Service
Endpoint Denial of Service (4)
=
Financial Theft
Inhibit System Recovery
KMS Key Disablement / Replacement
Loss of Control
Loss of Intellectual property/proprietary data
Loss of Productivity and Revenue
Loss of Protection
Loss of View
Physical Destruction
Resource Hijacking (3)
=
Unauthorized Command Message
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
14 techniques 7 techniques 21 techniques 24 techniques 12 techniques 11 techniques 29 techniques 17 techniques 32 techniques 11 techniques 18 techniques 16 techniques 13 techniques 19 techniques
Active Scanning of Provider Infrastructure
G2S Eavesdropping
G2U Eavesdropping
Gather Customer Network Information
Gather Customer Org Information
Gather Ground Station Communications Information
Gather Ground Station Logical and Cloud Design Information
Gather Ground Station Physical Architecture Information
Gather Mission Profile Configuration
Gather Mission Schedule / LEOP Timeline
Gather Mission that uses GSaaS Information
Gather Provider Org Information
=
Gather Supply Chain Information (4)
=
Phishing for Information (6)
Acquire Access
=
Acquire or Build Infrastructure (4)
=
Compromise Infrastructure (14)
Compromise or Establish Accounts
Develop or Obtain Cyber Capabilities
Develop or Obtain Non-Cyber Capabilities
=
Stage Capabilities (8)
Assembly, Test, and Launch Operation Compromise
Content Injection
=
Direct Attack to Space Communication Links (1)
Drive-by Compromise
Exploit Public-Facing Application
=
Ground Segment Compromise (2)
Hardware Additions
Internet Accessible Device
=
Phishing (4)
Remote Services Compromise
Remote Services Exploitation
Replication Through Removable Media
Rogue Master
Secondary/Backup Communication Channel Compromise
Software Defined Radio Compromise
Spacecraft Compromise
Supply Chain Compromise
Transient Cyber Asset
Trusted Relationship Exploitation
Valid Accounts Exploitation
Wireless Compromise
Autorun Image
Cloud Administration Command
Cloud API execution
Code Flaws Exploit
=
Command and Scripting Interpreter (13)
Encryption Disable/Bypass
=
Exploit Hardware/Firmware Corruption (2)
=
Flooding (2)
Hooking
Input Injection
=
Jamming (2)
Kinetic Physical Attack
=
Malicious Code (4)
=
Modify Authentication Process (9)
Modify Controller Tasking
=
Non-Kinetic Physical Attack (3)
=
Replay (1)
=
Scheduled Task/Job (5)
Serverless Execution
Side-Channel Attack
Software Deployment Tools
=
Spoofing (2)
=
System Services (3)
=
User Execution (5)
=
Backdoor (2)
Cloud Application Integration
Cloud Scheduled Task / Jobs
=
Event Triggered Execution (18)
External Remote Services
Implant Internal Image
Infrastructure File Infection
=
Modify Authentication Process (9)
=
Server Software Component (6)
=
Software Extentions (3)
=
Traffic Signaling (2)
Valid Credentialed Persistence
=
Abuse Elevation Control Mechanism (6)
=
Access Token Manipulation (5)
=
Account Manipulation (7)
=
Domain or Tenant Policy Modification (2)
=
Escape to Host (1)
=
Event Triggered Execution (18)
Exploitation for Privilege Escalation
Hooking
=
Process Injection (12)
Scheduled Task/job
=
Valid Accounts (4)
=
Abuse Elevation Control Mechanism (6)
=
Access Token Manipulation (5)
Build Image on Host
Component Collusion
Debugger Evasion
Delay Execution
Deobfuscate/Decode Files or Information
Deploy Container
=
Domain or Tenant Policy Modification (2)
=
Execution Guardrails (2)
Exploitation for Defense Evasion
=
File and Directory Permission Modification (2)
=
Hide Artifacts (14)
=
Impair Defenses (13)
Impersonation
=
Indicator Removal (10)
=
Masquerading (12)
=
Modify Authentication Process (9)
=
Modify Cloud Compute Infrastructure (5)
Modify Cloud Resource Hierarchy
Modify Whitelist
=
Obfuscated Files or Information (17)
Rootkit
Spoof Reporting Message
=
Subvert Trust Controls (6)
=
Traffic Signaling (2)
=
Trusted Developer Utilities Proxy Execution (3)
=
Use Alternate Authentication Material (4)
Valid Accounts Evasion
=
Adversary in the Middle (7)
=
Brute Force (5)
=
Credentials from Password Stores (6)
Exploitation for Credential Access
Forced Authentication
=
Forge Web Credentials (2)
=
Input Capture (4)
=
Modify Authentication Process (9)
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
=
OS Credential Dumping (8)
Phishing for credentials
Steal Application Access Token
Steal or Forge Authentication Certificates
Steal Web Session Cookie
=
Unsecured Credentials (8)
=
Account Discovery (4)
Browser Information Discovery
Cloud Infrastructure Discovery
Cloud Service Dashboard
Cloud Service Discovery
Cloud Storage Object Discovery
Cloud/Organization Policy Discovery
Container and Resource Discovery
Device Driver Discovery
File and Directory Discovery
Ground Network Sniffing
Key Management Policy Discovery
Link segment Sniffing
Local Storage Discovery
Log Enumeration
Network Service Discovery
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
=
Permission Groups Discovery (3)
Process Discovery
Remote System Discovery
Remote System Information Discovery
=
Software Discovery (2)
System Information Discovery
=
System Location Discovery (1)
=
System Network Configuration Discovery (2)
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
Trust Relationships Discovery
Virtual Machine Discovery
Default Credentials
Hardcoded Credentials
Internal Spearphishing
Lateral Tool Transfer
=
Remote Service Session Hijacking (2)
Software Deployment Tools
Taint Shared Content
=
Use Alternate Authentication Material (4)
Use/Exploitation of Remote Services
=
Valid Accounts (4)
Virtualization Escape
=
Adversary in the Middle (7)
=
Archive Collected Data (3)
Audio Capture
Automated Collection
Browser Session Hijacking
Clipboard Data
Data from Cloud Storage
=
Data from Configuration Repository (2)
=
Data from Information Repositories (6)
=
Data from link eavesdropping (3)
Data from Local System
Data from Network Shared Drive
=
Data Staged (2)
=
Email Collection (3)
=
Input Capture (4)
Screen Capture
Video Capture
Wireless Sniffing
Content Injection
=
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
Fallback Channels
Hide Infrastructure
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Protocol Tunnelling
=
Proxy (4)
=
Remote Access Tools (3)
Standard Application Layer Protocol
=
Traffic Signaling (2)
=
Web Service (3)
=
Automated Exfiltration (1)
Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
Exfiltration Over Payload Channel
=
Exfiltration Over Web Service (4)
=
Modify Communications Configuration (2)
Physical Layer Exfiltration
Replay Exfiltration
Scheduled Transfer
=
Side-Channel Exfiltration (4)
Transfer Data to Cloud Account
Account Access Removal
=
Data Destruction (1)
Data Encrypted for Impact
=
Data Manipulation (3)
=
Defacement (2)
Degradation of infrastructure
Denial of Service
=
Endpoint Denial of Service (4)
Financial Theft
Inhibit System Recovery
KMS Key Disablement / Replacement
Loss of Control
Loss of Intellectual property/proprietary data
Loss of Productivity and Revenue
Loss of Protection
Loss of View
Physical Destruction
=
Resource Hijacking (3)
Unauthorized Command Message

ATAGS Techniques Explorer

Filter techniques by Responsibility and Targeted Components.

ID Name Tactic Parent Technique Responsibility Targeted Components
ATAGS-T1000 Active Scanning of Provider Infrastructure Reconnaissance Provider Hardware/Network Transport
ATAGS-T1001 G2S Eavesdropping Reconnaissance Shared Satellite Communications
ATAGS-T1002 G2U Eavesdropping Reconnaissance Provider Satellite Communications
ATAGS-T1003 Gather Customer Network Information Reconnaissance Customer Network Transport
ATAGS-T1004 Gather Customer Org Information Reconnaissance Customer Mission, Personnel & Identity
ATAGS-T1005 Gather Ground Station Communications Information Reconnaissance Provider Satellite Communications
ATAGS-T1006 Gather Ground Station Logical and Cloud Design Information Reconnaissance Provider Hardware/Software/Network Transport/Cloud Control Plane
ATAGS-T1007 Gather Ground Station Physical Architecture Information Reconnaissance Provider Hardware
ATAGS-T1008 Gather Mission Profile Configuration Reconnaissance Provider Mission, Personnel & Identity
ATAGS-T1009 Gather Mission Schedule / LEOP Timeline Reconnaissance Customer Mission, Personnel & Identity
ATAGS-T1010 Gather Mission that uses GSaaS Information Reconnaissance Customer Mission, Personnel & Identity
ATAGS-T1011 Gather Provider Org Information Reconnaissance Provider Mission, Personnel & Identity
ATAGS-T1012 Gather Supply Chain Information Reconnaissance Shared Supply Chain
ATAGS-T1012.001 Business Relationships Reconnaissance ATAGS-T1012 – Gather Supply Chain Information Shared Supply Chain
ATAGS-T1012.002 Hardware Recon Reconnaissance ATAGS-T1012 – Gather Supply Chain Information Shared Supply Chain
ATAGS-T1012.003 Known Vulnerabilities Reconnaissance ATAGS-T1012 – Gather Supply Chain Information Shared Supply Chain
ATAGS-T1012.004 Software Recon Reconnaissance ATAGS-T1012 – Gather Supply Chain Information Shared Supply Chain
ATAGS-T1013 Phishing for Information Reconnaissance Shared Mission, Personnel & Identity
ATAGS-T1013.001 Spear Phishing to Ground Segment Operators Reconnaissance ATAGS-T1013 – Phishing for Information Shared Mission, Personnel & Identity
ATAGS-T1013.002 Spear Phishing to Industry/Space Agencies Reconnaissance ATAGS-T1013 – Phishing for Information Shared Mission, Personnel & Identity
ATAGS-T1013.003 Spearphishing Attachment Reconnaissance ATAGS-T1013 – Phishing for Information Shared Mission, Personnel & Identity
ATAGS-T1013.004 Spearphishing Link Reconnaissance ATAGS-T1013 – Phishing for Information Shared Mission, Personnel & Identity
ATAGS-T1013.005 Spearphishing Service Reconnaissance ATAGS-T1013 – Phishing for Information Shared Mission, Personnel & Identity
ATAGS-T1013.006 Spearphishing Voice Reconnaissance ATAGS-T1013 – Phishing for Information Shared Mission, Personnel & Identity
ATAGS-T1014 Acquire Access Resource Development Provider Mission, Personnel & Identity
ATAGS-T1015 Acquire or Build Infrastructure Resource Development Provider Hardware / Satellite Communication
ATAGS-T1015.001 Acquire Ground-station/ Ground segment Resource Development ATAGS-T1015 – Acquire or Build Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1015.002 Acquire jamming equipment Resource Development ATAGS-T1015 – Acquire or Build Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1015.003 Acquire Satellite Resource Development ATAGS-T1015 – Acquire or Build Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1015.004 Rent ground segment as a service Resource Development ATAGS-T1015 – Acquire or Build Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016 Compromise Infrastructure Resource Development Provider Hardware / Satellite Communication
ATAGS-T1016.001 3rd Party Ground System Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.002 3rd-Party Spacecraft Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.003 Botnet Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.004 Compromise Ground Segment Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.005 Compromise Satellite(s) Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.006 DNS Server Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.007 Domains Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.008 Malvertising Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.009 Mission-Operated Ground System Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.010 Network Devices Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.011 Server Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.012 Serverless Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.013 Virtual Private Server Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1016.014 Web Services Resource Development ATAGS-T1016 – Compromise Infrastructure Provider Hardware / Satellite Communication
ATAGS-T1017 Compromise or Establish Accounts Resource Development Provider Mission, Personnel & Identity
ATAGS-T1018 Develop or Obtain Cyber Capabilities Resource Development Provider Software
ATAGS-T1019 Develop or Obtain Non-Cyber Capabilities Resource Development Provider Mission, Personnel & Identity
ATAGS-T1020 Stage Capabilities Resource Development Provider Software
ATAGS-T1020.001 Drive-by Target Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.002 Identify/Select Delivery Mechanism Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.003 Install Digital Certificate Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.004 Link Target Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.005 SEO Poisoning Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.006 Upload Exploit/Payload Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.007 Upload Malware Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1020.008 Upload Tool Resource Development ATAGS-T1020 – Stage Capabilities Provider Software
ATAGS-T1021 Assembly, Test, and Launch Operation Compromise Initial Access Provider Mission, Personnel & Identity
ATAGS-T1022 Content Injection Initial Access Shared Network transport
ATAGS-T1023 Direct Attack to Space Communication Links Initial Access Provider Satellite Communications
ATAGS-T1023.001 Record and replay TC/TM or mission specific packets Initial Access ATAGS-T1023 – Direct Attack to Space Communication Links Provider Satellite Communications
ATAGS-T1024 Drive-by Compromise Initial Access Customer Mission, Personnel & Identity
ATAGS-T1025 Exploit Public-Facing Application Initial Access Provider Software
ATAGS-T1026 Ground Segment Compromise Initial Access Provider Mission, Personnel & Identity
ATAGS-T1026.001 Logical compromise Initial Access ATAGS-T1026 – Ground Segment Compromise Provider Mission, Personnel & Identity
ATAGS-T1026.002 Physical compromise Initial Access ATAGS-T1026 – Ground Segment Compromise Provider Mission, Personnel & Identity
ATAGS-T1027 Hardware Additions Initial Access Provider Hardware
ATAGS-T1028 Internet Accessible Device Initial Access Provider Mission, Personnel & Identity
ATAGS-T1029 Phishing Initial Access Shared Mission, Personnel & Identity
ATAGS-T1029.001 Spearphishing Link Initial Access ATAGS-T1029 – Phishing Shared Mission, Personnel & Identity
ATAGS-T1029.002 Spearphishing Voice Initial Access ATAGS-T1029 – Phishing Shared Mission, Personnel & Identity
ATAGS-T1029.003 Phishing Attachment Initial Access ATAGS-T1029 – Phishing Shared Mission, Personnel & Identity
ATAGS-T1029.004 Spearphishing via Service Initial Access ATAGS-T1029 – Phishing Shared Mission, Personnel & Identity
ATAGS-T1030 Remote Services Compromise Initial Access Provider Network transport
ATAGS-T1031 Remote Services Exploitation Initial Access Provider Software
ATAGS-T1032 Replication Through Removable Media Initial Access Provider Mission, Personnel & Identity
ATAGS-T1033 Rogue Master Initial Access Provider Network transport
ATAGS-T1034 Secondary/Backup Communication Channel Compromise Initial Access Provider Network transport
ATAGS-T1035 Software Defined Radio Compromise Initial Access Shared Hardware
ATAGS-T1036 Spacecraft Compromise Initial Access Shared Satellite Communications
ATAGS-T1037 Supply Chain Compromise Initial Access Provider Supply Chain
ATAGS-T1038 Transient Cyber Asset Initial Access Provider Mission, Personnel & Identity
ATAGS-T1039 Trusted Relationship Exploitation Initial Access Shared Mission, Personnel & Identity
ATAGS-T1040 Valid Accounts Exploitation Initial Access Shared Mission, Personnel & Identity
ATAGS-T1041 Wireless Compromise Initial Access Provider Network transport
ATAGS-T1042 Autorun Image Execution Provider Software
ATAGS-T1043 Cloud Administration Command Execution Provider Cloud Control Plane
ATAGS-T1044 Cloud API execution Execution Provider Cloud Control Plane
ATAGS-T1045 Code Flaws Exploit Execution Provider Software
ATAGS-T1046 Command and Scripting Interpreter Execution Provider Software
ATAGS-T1046.001 AppleScript Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.002 AutoHotKey & AutoIT Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.003 Cloud API Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.004 Container CLI/API Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.005 Hypervisor CLI Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.006 JavaScript Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.007 Lua Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.008 Network Device CLI Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.009 Powershell Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.010 Python Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.011 Unix Shell Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.012 Visual Basic Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1046.013 Windows Command Shell Execution ATAGS-T1046 – Command and Scripting Interpreter Provider Software
ATAGS-T1047 Encryption Disable/Bypass Execution Provider Software
ATAGS-T1048 Exploit Hardware/Firmware Corruption Execution Provider Hardware
ATAGS-T1048.001 Design Flaws Execution ATAGS-T1048 – Exploit Hardware/Firmware Corruption Provider Hardware
ATAGS-T1048.002 Malicious Use of Hardware Commands Execution ATAGS-T1048 – Exploit Hardware/Firmware Corruption Provider Hardware
ATAGS-T1049 Flooding Execution Provider Network Transport
ATAGS-T1049.001 Erroneous Input Execution ATAGS-T1049 – Flooding Provider Network Transport
ATAGS-T1049.002 Valid Commands Execution ATAGS-T1049 – Flooding Provider Network Transport
ATAGS-T1050 Hooking Execution Provider Software
ATAGS-T1051 Input Injection Execution Customer Software
ATAGS-T1052 Jamming Execution Provider Satellite Communication
ATAGS-T1052.001 Downlink Jamming Execution ATAGS-T1052 – Jamming Provider Satellite Communication
ATAGS-T1052.002 Uplink Jamming Execution ATAGS-T1052 – Jamming Provider Satellite Communication
ATAGS-T1053 Kinetic Physical Attack Execution Provider Hardware
ATAGS-T1054 Malicious Code Execution Provider Software
ATAGS-T1054.001 Bootkit Execution ATAGS-T1054 – Malicious Code Provider Software
ATAGS-T1054.002 Ransomware Execution ATAGS-T1054 – Malicious Code Provider Software
ATAGS-T1054.003 Rootkit Execution ATAGS-T1054 – Malicious Code Provider Software
ATAGS-T1054.004 Wiper Malware Execution ATAGS-T1054 – Malicious Code Provider Software
ATAGS-T1055 Modify Authentication Process Execution Provider Cloud Control Plane
ATAGS-T1055.001 Domain Controller Authentication Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.002 Multi-Factor Authentication Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.003 Network Device Authentication Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.004 Network Provider DLL Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.005 Password Filter DLL Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.006 Pluggable Authentication Modules Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.007 Reversible Encryption Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.008 Conditional Access Policies Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1055.009 Hybrid Identity Execution ATAGS-T1055 – Modify Authentication Process Provider Cloud Control Plane
ATAGS-T1056 Modify Controller Tasking Execution Provider Cloud Control Plane
ATAGS-T1057 Non-Kinetic Physical Attack Execution Provider Hardware
ATAGS-T1057.001 Electromagnetic Pulse (EMP) Execution ATAGS-T1057 – Non-Kinetic Physical Attack Provider Hardware
ATAGS-T1057.002 High-Powered Laser Execution ATAGS-T1057 – Non-Kinetic Physical Attack Provider Hardware
ATAGS-T1057.003 High-Powered Microwave Execution ATAGS-T1057 – Non-Kinetic Physical Attack Provider Hardware
ATAGS-T1058 Replay Execution Provider Network Transport
ATAGS-T1058.001 Command Packets Execution ATAGS-T1058 – Replay Provider Network Transport
ATAGS-T1059 Scheduled Task/Job Execution Provider Cloud Control Plane
ATAGS-T1059.001 At Execution ATAGS-T1059 – Scheduled Task/Job Provider Cloud Control Plane
ATAGS-T1059.002 Container Orchestration Job Execution ATAGS-T1059 – Scheduled Task/Job Provider Cloud Control Plane
ATAGS-T1059.003 Cron Execution ATAGS-T1059 – Scheduled Task/Job Provider Cloud Control Plane
ATAGS-T1059.004 Scheduled Task Execution ATAGS-T1059 – Scheduled Task/Job Provider Cloud Control Plane
ATAGS-T1059.005 Systemd Timers Execution ATAGS-T1059 – Scheduled Task/Job Provider Cloud Control Plane
ATAGS-T1060 Serverless Execution Execution Provider Software
ATAGS-T1061 Side-Channel Attack Execution Provider Hardware
ATAGS-T1062 Software Deployment Tools Execution Provider Software
ATAGS-T1063 Spoofing Execution Provider Network Transport
ATAGS-T1063.001 Sensor Data Execution ATAGS-T1063 – Spoofing Provider Network Transport
ATAGS-T1063.002 Time Spoof Execution ATAGS-T1063 – Spoofing Provider Network Transport
ATAGS-T1064 System Services Execution Provider Software
ATAGS-T1064.001 Launchctl Execution ATAGS-T1064 – System Services Provider Software
ATAGS-T1064.002 Service Execution Execution ATAGS-T1064 – System Services Provider Software
ATAGS-T1064.003 Systemctl Execution ATAGS-T1064 – System Services Provider Software
ATAGS-T1065 User Execution Execution Provider Software
ATAGS-T1065.001 Malicious Copy and Paste Execution ATAGS-T1065 – User Execution Provider Software
ATAGS-T1065.002 Malicious File Execution ATAGS-T1065 – User Execution Provider Software
ATAGS-T1065.003 Malicious Image Execution ATAGS-T1065 – User Execution Provider Software
ATAGS-T1065.004 Malicious Library Execution ATAGS-T1065 – User Execution Provider Software
ATAGS-T1065.005 Malicious Link Execution ATAGS-T1065 – User Execution Provider Software
ATAGS-T1066 Backdoor Persistence Shared Software
ATAGS-T1066.001 Hardware Backdoor Persistence ATAGS-T1066 – Backdoor Shared Software
ATAGS-T1066.002 Software Backdoor Persistence ATAGS-T1066 – Backdoor Shared Software
ATAGS-T1067 Cloud Application Integration Persistence Shared Cloud Control Plane
ATAGS-T1068 Cloud Scheduled Task / Jobs Persistence Provider Cloud Control Plane
ATAGS-T1069 Event Triggered Execution Persistence Provider Software
ATAGS-T1069.001 Accessibility Features Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.002 AppCert DLLs Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.003 AppInit DLLs Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.004 Application Shimming Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.005 Change Default File Association Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.006 Component Object Model Hijacking Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.007 Emond Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.008 Image File Execution Options Injection Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.009 Installer Packages Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.010 LC_LOAD_DYLIB Addition Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.011 Netsh Helper DLL Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.012 PowerShell Profile Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.013 Python Startup Hooks Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.014 Screensaver Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.015 Trap Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.016 Udev Rules Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.017 Unix Shell Configuration Modification Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1069.018 Windows Management Instrumentation Event Subscription Persistence ATAGS-T1069 – Event Triggered Execution Provider Software
ATAGS-T1070 External Remote Services Persistence Provider Software
ATAGS-T1071 Implant Internal Image Persistence Provider Software
ATAGS-T1072 Infrastructure File Infection Persistence Provider Software
ATAGS-T1073 KMS Key Disablement / Replacement Impact Shared Cloud Control Plane
ATAGS-T1074 Server Software Component Persistence Provider Software
ATAGS-T1074.001 IIS Components Persistence ATAGS-T1074 – Server Software Component Provider Software
ATAGS-T1074.002 SQL Stored Procedures Persistence ATAGS-T1074 – Server Software Component Provider Software
ATAGS-T1074.003 Terminal Services DLL Persistence ATAGS-T1074 – Server Software Component Provider Software
ATAGS-T1074.004 Transport Agent Persistence ATAGS-T1074 – Server Software Component Provider Software
ATAGS-T1074.005 vSphere Installation Bundles Persistence ATAGS-T1074 – Server Software Component Provider Software
ATAGS-T1074.006 Web Shell Persistence ATAGS-T1074 – Server Software Component Provider Software
ATAGS-T1075 Software Extentions Persistence Provider Software
ATAGS-T1075.001 Browser Extentions Persistence ATAGS-T1075 – Software Extentions Provider Software
ATAGS-T1075.002 Hybrid Identity Persistence ATAGS-T1075 – Software Extentions Provider Software
ATAGS-T1075.003 IDE extentions Persistence ATAGS-T1075 – Software Extentions Provider Software
ATAGS-T1076 Traffic Signaling Persistence Provider Network Transport
ATAGS-T1076.001 Port Knocking Persistence ATAGS-T1076 – Traffic Signaling Provider Network Transport
ATAGS-T1076.002 Socket Filters Persistence ATAGS-T1076 – Traffic Signaling Provider Network Transport
ATAGS-T1077 Valid Credentialed Persistence Persistence Provider Mission, Personnel & Identity
ATAGS-T1078 Abuse Elevation Control Mechanism Privilege Escalation Provider Software
ATAGS-T1078.001 Bypass User Account Control Privilege Escalation ATAGS-T1078 – Abuse Elevation Control Mechanism Provider Software
ATAGS-T1078.002 Elevated Execution with Prompt Privilege Escalation ATAGS-T1078 – Abuse Elevation Control Mechanism Provider Software
ATAGS-T1078.003 Setuid and Setgid Privilege Escalation ATAGS-T1078 – Abuse Elevation Control Mechanism Provider Software
ATAGS-T1078.004 Sudo and Sudo Caching Privilege Escalation ATAGS-T1078 – Abuse Elevation Control Mechanism Provider Software
ATAGS-T1078.005 TCC Manipulation Privilege Escalation ATAGS-T1078 – Abuse Elevation Control Mechanism Provider Software
ATAGS-T1078.006 Temporary Elevated Cloud Access Privilege Escalation ATAGS-T1078 – Abuse Elevation Control Mechanism Provider Software
ATAGS-T1079 Access Token Manipulation Privilege Escalation Provider Software
ATAGS-T1079.001 Create Process with Token Privilege Escalation ATAGS-T1079 – Access Token Manipulation Provider Software
ATAGS-T1079.002 Make and Impersonate Token Privilege Escalation ATAGS-T1079 – Access Token Manipulation Provider Software
ATAGS-T1079.003 Parent PID Spoofing Privilege Escalation ATAGS-T1079 – Access Token Manipulation Provider Software
ATAGS-T1079.004 SID-History Injection Privilege Escalation ATAGS-T1079 – Access Token Manipulation Provider Software
ATAGS-T1079.005 Token Impersonation/Theft Privilege Escalation ATAGS-T1079 – Access Token Manipulation Provider Software
ATAGS-T1080 Account Manipulation Privilege Escalation Provider Cloud Control Plane
ATAGS-T1080.001 Additional Cloud Credentials Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1080.002 Additional Cloud Roles Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1080.003 Additional Container Cluster Roles Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1080.004 Additional Email Delegate Permissions Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1080.005 Additional Local or Domain Groups Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1080.006 Device Registration Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1080.007 SSH Authorized Keys Privilege Escalation ATAGS-T1080 – Account Manipulation Provider Cloud Control Plane
ATAGS-T1081 Domain or Tenant Policy Modification Privilege Escalation Provider Cloud Control Plane
ATAGS-T1081.001 Group Policy Modification Privilege Escalation ATAGS-T1081 – Domain or Tenant Policy Modification Provider Cloud Control Plane
ATAGS-T1081.002 Trust Modification Privilege Escalation ATAGS-T1081 – Domain or Tenant Policy Modification Provider Cloud Control Plane
ATAGS-T1082 Escape to Host Privilege Escalation Provider Software
ATAGS-T1082.001 Exploitation of vulnerabilities Privilege Escalation ATAGS-T1082 – Escape to Host Provider Software
ATAGS-T1083 Exploitation for Privilege Escalation Privilege Escalation Provider Software
ATAGS-T1084 Process Injection Privilege Escalation Provider Software
ATAGS-T1084.001 Asynchronous Procedure Call Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.002 Dynamic-link Library Injection Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.003 Extra Window Memory Injection Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.004 ListPlanting Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.005 Portable Executable Injection Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.006 Proc Memory Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.007 Process Doppelgänging Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.008 Process Hollowing Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.009 Ptrace System Calls Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.010 Thread Execution Hijacking Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.011 Thread Local Storage Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1084.012 VDSO Hijacking Privilege Escalation ATAGS-T1084 – Process Injection Provider Software
ATAGS-T1085 Scheduled Task/job Privilege Escalation Provider Cloud Control Plane
ATAGS-T1086 Valid Accounts Privilege Escalation Shared Mission, Personnel & Identity
ATAGS-T1086.001 Cloud Accounts Privilege Escalation ATAGS-T1086 – Valid Accounts Shared Mission, Personnel & Identity
ATAGS-T1086.002 Default Accounts Privilege Escalation ATAGS-T1086 – Valid Accounts Shared Mission, Personnel & Identity
ATAGS-T1086.003 Domain Accounts Privilege Escalation ATAGS-T1086 – Valid Accounts Shared Mission, Personnel & Identity
ATAGS-T1086.004 Local Accounts Privilege Escalation ATAGS-T1086 – Valid Accounts Shared Mission, Personnel & Identity
ATAGS-T1087 Build Image on Host Defense Evasion Provider Software
ATAGS-T1088 Component Collusion Defense Evasion Provider Software
ATAGS-T1089 Debugger Evasion Defense Evasion Provider Software
ATAGS-T1090 Delay Execution Defense Evasion Provider Software
ATAGS-T1091 Deobfuscate/Decode Files or Information Defense Evasion Provider Software
ATAGS-T1092 Deploy Container Defense Evasion Provider Software
ATAGS-T1093 Execution Guardrails Defense Evasion Provider Software
ATAGS-T1093.001 Environmental Keying Defense Evasion ATAGS-T1093 – Execution Guardrails Provider Software
ATAGS-T1093.002 Mutual Exclusion Defense Evasion ATAGS-T1093 – Execution Guardrails Provider Software
ATAGS-T1094 Exploitation for Defense Evasion Defense Evasion Provider Software
ATAGS-T1095 File and Directory Permission Modification Defense Evasion Provider Software
ATAGS-T1095.001 Linux and Mac File and Directory Permissions Modification Defense Evasion ATAGS-T1095 – File and Directory Permission Modification Provider Software
ATAGS-T1095.002 Windows File and Directory Permissions Modification Defense Evasion ATAGS-T1095 – File and Directory Permission Modification Provider Software
ATAGS-T1096 Hide Artifacts Defense Evasion Provider Software
ATAGS-T1096.001 Bind Mounts Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.002 Email Hiding Rules Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.003 Extended Attributes Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.004 File/Path Exclusions Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.005 Hidden File System Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.006 Hidden Files and Directories Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.007 Hidden Users Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.008 Hidden Window Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.009 Ignore Process Interrupts Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.010 NTFS File Attributes Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.011 Process Argument Spoofing Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.012 Resource Forking Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.013 Run Virtual Instance Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1096.014 VBA Stomping Defense Evasion ATAGS-T1096 – Hide Artifacts Provider Software
ATAGS-T1097 Impair Defenses Defense Evasion Provider Software
ATAGS-T1097.001 Triggering the clear mode Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.002 Disable or Modify Cloud Firewall Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.003 Disable or Modify Cloud Logs Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.004 Disable or Modify Linux Audit System Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.005 Disable or Modify Network Device Firewall Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.006 Disable or Modify System Firewall Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.007 Disable or Modify Tools Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.008 Disable Windows Event Logging Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.009 Downgrade Attack Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.010 Impair Command History Logging Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.011 Indicator Blocking Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.012 Safe Mode Boot Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1097.013 Spoof Security Alerting Defense Evasion ATAGS-T1097 – Impair Defenses Provider Software
ATAGS-T1098 Impersonation Defense Evasion Provider Mission, Personnel & Identity
ATAGS-T1099 Indicator Removal Defense Evasion Provider Software
ATAGS-T1099.001 Clear Command History Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.002 Clear Linux or Mac System Logs Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.003 Clear Mailbox Data Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.004 Clear Network Connection History and Configurations Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.005 Clear Persistence Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.006 Clear Windows Event Logs Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.007 File Deletion Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.008 Network Share Connection Removal Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.009 Relocate Malware Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1099.010 Timestomp Defense Evasion ATAGS-T1099 – Indicator Removal Provider Software
ATAGS-T1100 Masquerading Defense Evasion Provider Software
ATAGS-T1100.001 Break Process Trees Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.002 Browser Fingerprint Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.003 Double File Extension Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.004 Invalid Code Signature Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.005 Masquerade Account Name Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.006 Masquerade File Type Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.007 Masquerade Task or Service Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.008 Match Legitimate Resource Name or Location Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.009 Overwrite Process Arguments Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.010 Rename Legitimate Utilities Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.011 Right-to-Left Override Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1100.012 Space after Filename Defense Evasion ATAGS-T1100 – Masquerading Provider Software
ATAGS-T1101 Modify Cloud Compute Infrastructure Defense Evasion Provider Cloud Control Plane
ATAGS-T1101.001 Create Cloud Instance Defense Evasion ATAGS-T1101 – Modify Cloud Compute Infrastructure Provider Cloud Control Plane
ATAGS-T1101.002 Create Snapshot Defense Evasion ATAGS-T1101 – Modify Cloud Compute Infrastructure Provider Cloud Control Plane
ATAGS-T1101.003 Delete Cloud Instance Defense Evasion ATAGS-T1101 – Modify Cloud Compute Infrastructure Provider Cloud Control Plane
ATAGS-T1101.004 Modify Cloud Compute Configurations Defense Evasion ATAGS-T1101 – Modify Cloud Compute Infrastructure Provider Cloud Control Plane
ATAGS-T1101.005 Revert Cloud Instance Defense Evasion ATAGS-T1101 – Modify Cloud Compute Infrastructure Provider Cloud Control Plane
ATAGS-T1102 Modify Cloud Resource Hierarchy Defense Evasion Provider Cloud Control Plane
ATAGS-T1103 Modify Whitelist Defense Evasion Provider Software
ATAGS-T1104 Obfuscated Files or Information Defense Evasion Provider Software
ATAGS-T1104.001 Binary Padding Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.002 Command Obfuscation Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.003 Compile After Delivery Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.004 Compression Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.005 Dynamic API Resolution Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.006 Embedded Payloads Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.007 Encrypted/Encoded File Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.008 Fileless Storage Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.009 HTML Smuggling Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.010 Indicator Removal from Tools Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.011 Junk Code Insertion Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.012 LNK Icon Smuggling Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.013 Polymorphic Code Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.014 Software Packing Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.015 Steganography Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.016 Stripped Payloads Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1104.017 SVG Smuggling Defense Evasion ATAGS-T1104 – Obfuscated Files or Information Provider Software
ATAGS-T1105 Rootkit Defense Evasion Provider Software
ATAGS-T1106 Spoof Reporting Message Defense Evasion Provider Software
ATAGS-T1107 Subvert Trust Controls Defense Evasion Provider Software
ATAGS-T1107.001 Code Signing Defense Evasion ATAGS-T1107 – Subvert Trust Controls Provider Software
ATAGS-T1107.002 Code Signing Policy Modification Defense Evasion ATAGS-T1107 – Subvert Trust Controls Provider Software
ATAGS-T1107.003 Gatekeeper Bypass Defense Evasion ATAGS-T1107 – Subvert Trust Controls Provider Software
ATAGS-T1107.004 Install Root Certificate Defense Evasion ATAGS-T1107 – Subvert Trust Controls Provider Software
ATAGS-T1107.005 Mark-of-the-Web Bypass Defense Evasion ATAGS-T1107 – Subvert Trust Controls Provider Software
ATAGS-T1107.006 SIP and Trust Provider Hijacking Defense Evasion ATAGS-T1107 – Subvert Trust Controls Provider Software
ATAGS-T1108 Trusted Developer Utilities Proxy Execution Defense Evasion Provider Supply Chain
ATAGS-T1108.001 ClickOnce Defense Evasion ATAGS-T1108 – Trusted Developer Utilities Proxy Execution Provider Supply Chain
ATAGS-T1108.002 JamPlus Defense Evasion ATAGS-T1108 – Trusted Developer Utilities Proxy Execution Provider Supply Chain
ATAGS-T1108.003 MSBuild Defense Evasion ATAGS-T1108 – Trusted Developer Utilities Proxy Execution Provider Supply Chain
ATAGS-T1109 Use Alternate Authentication Material Defense Evasion Provider Cloud Control Plane
ATAGS-T1109.001 Application Access Token Defense Evasion ATAGS-T1109 – Use Alternate Authentication Material Provider Cloud Control Plane
ATAGS-T1109.002 Pass the Hash Defense Evasion ATAGS-T1109 – Use Alternate Authentication Material Provider Cloud Control Plane
ATAGS-T1109.003 Pass the Ticket Defense Evasion ATAGS-T1109 – Use Alternate Authentication Material Provider Cloud Control Plane
ATAGS-T1109.004 Web Session Cookie Defense Evasion ATAGS-T1109 – Use Alternate Authentication Material Provider Cloud Control Plane
ATAGS-T1110 Valid Accounts Evasion Defense Evasion Provider Mission, Personnel & Identity
ATAGS-T1111 Adversary in the Middle Credential Access Shared Mission, Personnel & Identity
ATAGS-T1111.001 Lower Orbit Satellites, or Drones Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1111.002 ARP Cache Poisoning Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1111.003 DHCP Spoofing Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1111.004 Evil Twin Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1111.005 LLMNR/NBT-NS Poisoning and SMB Relay Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1111.006 Unauthenticated gateway or unauthenticated interplanetary node Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1111.007 Satellite constellation Credential Access ATAGS-T1111 – Adversary in the Middle Shared Mission, Personnel & Identity
ATAGS-T1112 Brute Force Credential Access Shared Mission, Personnel & Identity
ATAGS-T1112.001 TC Brute Forcing Credential Access ATAGS-T1112 – Brute Force Shared Mission, Personnel & Identity
ATAGS-T1112.002 Credential Stuffing Credential Access ATAGS-T1112 – Brute Force Shared Mission, Personnel & Identity
ATAGS-T1112.003 Password Cracking Credential Access ATAGS-T1112 – Brute Force Shared Mission, Personnel & Identity
ATAGS-T1112.004 Password Guessing Credential Access ATAGS-T1112 – Brute Force Shared Mission, Personnel & Identity
ATAGS-T1112.005 Password Spraying Credential Access ATAGS-T1112 – Brute Force Shared Mission, Personnel & Identity
ATAGS-T1113 Credentials from Password Stores Credential Access Shared Mission, Personnel & Identity
ATAGS-T1113.001 Cloud Secrets Management Stores Credential Access ATAGS-T1113 – Credentials from Password Stores Shared Mission, Personnel & Identity
ATAGS-T1113.002 Credentials from Web Browsers Credential Access ATAGS-T1113 – Credentials from Password Stores Shared Mission, Personnel & Identity
ATAGS-T1113.003 Keychain Credential Access ATAGS-T1113 – Credentials from Password Stores Shared Mission, Personnel & Identity
ATAGS-T1113.004 Password Managers Credential Access ATAGS-T1113 – Credentials from Password Stores Shared Mission, Personnel & Identity
ATAGS-T1113.005 Securityd Memory Credential Access ATAGS-T1113 – Credentials from Password Stores Shared Mission, Personnel & Identity
ATAGS-T1113.006 Windows Credential Manager Credential Access ATAGS-T1113 – Credentials from Password Stores Shared Mission, Personnel & Identity
ATAGS-T1114 Exploitation for Credential Access Credential Access Shared Mission, Personnel & Identity
ATAGS-T1115 Forced Authentication Credential Access Shared Mission, Personnel & Identity
ATAGS-T1116 Forge Web Credentials Credential Access Shared Mission, Personnel & Identity
ATAGS-T1116.001 SAML Tokens Credential Access ATAGS-T1116 – Forge Web Credentials Shared Mission, Personnel & Identity
ATAGS-T1116.002 Web Cookies Credential Access ATAGS-T1116 – Forge Web Credentials Shared Mission, Personnel & Identity
ATAGS-T1117 Input Capture Credential Access Shared Mission, Personnel & Identity
ATAGS-T1117.001 Credential API Hooking Credential Access ATAGS-T1117 – Input Capture Shared Mission, Personnel & Identity
ATAGS-T1117.002 GUI Input Capture Credential Access ATAGS-T1117 – Input Capture Shared Mission, Personnel & Identity
ATAGS-T1117.003 Keylogging Credential Access ATAGS-T1117 – Input Capture Shared Mission, Personnel & Identity
ATAGS-T1117.004 Web Portal Capture Credential Access ATAGS-T1117 – Input Capture Shared Mission, Personnel & Identity
ATAGS-T1118 Multi-Factor Authentication Interception Credential Access Shared Mission, Personnel & Identity
ATAGS-T1119 Multi-Factor Authentication Request Generation Credential Access Shared Mission, Personnel & Identity
ATAGS-T1120 Network Sniffing Credential Access Shared Mission, Personnel & Identity
ATAGS-T1121 OS Credential Dumping Credential Access Shared Mission, Personnel & Identity
ATAGS-T1121.001 /etc/passwd and /etc/shadow Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.002 Cached Domain Credentials Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.003 DCSync Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.004 LSA Secrets Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.005 LSASS Memory Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.006 NTDS Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.007 Proc Filesystem Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1121.008 Security Account Manager Credential Access ATAGS-T1121 – OS Credential Dumping Shared Mission, Personnel & Identity
ATAGS-T1122 Phishing for credentials Credential Access Shared Mission, Personnel & Identity
ATAGS-T1123 Steal Application Access Token Credential Access Shared Mission, Personnel & Identity
ATAGS-T1124 Steal or Forge Authentication Certificates Credential Access Shared Mission, Personnel & Identity
ATAGS-T1125 Steal Web Session Cookie Credential Access Shared Mission, Personnel & Identity
ATAGS-T1126 Unsecured Credentials Credential Access Shared Mission, Personnel & Identity
ATAGS-T1126.001 Chat Messages Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.002 Cloud Instance Metadata API Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.003 Container API Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.004 Credentials In Files Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.005 Credentials in Registry Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.006 Group Policy Preferences Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.007 Private Keys Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1126.008 Shell History Credential Access ATAGS-T1126 – Unsecured Credentials Shared Mission, Personnel & Identity
ATAGS-T1127 Account Discovery Discovery Shared Mission, Personnel & Identity
ATAGS-T1127.001 Local Account Discovery ATAGS-T1127 – Account Discovery Shared Mission, Personnel & Identity
ATAGS-T1127.002 Domain Account Discovery ATAGS-T1127 – Account Discovery Shared Mission, Personnel & Identity
ATAGS-T1127.003 Email Account Discovery ATAGS-T1127 – Account Discovery Shared Mission, Personnel & Identity
ATAGS-T1127.004 Cloud Account Discovery ATAGS-T1127 – Account Discovery Shared Mission, Personnel & Identity
ATAGS-T1128 Browser Information Discovery Discovery Customer Software
ATAGS-T1129 Cloud Infrastructure Discovery Discovery Provider Cloud Control Plane
ATAGS-T1130 Cloud Service Dashboard Discovery Provider Cloud Control Plane
ATAGS-T1131 Cloud Service Discovery Discovery Provider Cloud Control Plane
ATAGS-T1132 Cloud Storage Object Discovery Discovery Provider Cloud Control Plane
ATAGS-T1133 Cloud/Organization Policy Discovery Discovery Provider Cloud Control Plane
ATAGS-T1134 Container and Resource Discovery Discovery Provider Cloud Control Plane
ATAGS-T1135 Device Driver Discovery Discovery Shared Mission, Personnel & Identity
ATAGS-T1136 File and Directory Discovery Discovery Shared Software
ATAGS-T1137 Ground Network Sniffing Discovery Provider Network Transport
ATAGS-T1138 Key Management Policy Discovery Discovery Provider Cloud Control Plane
ATAGS-T1139 Link segment Sniffing Discovery Provider Network Transport
ATAGS-T1140 Local Storage Discovery Discovery Shared Mission, Personnel & Identity
ATAGS-T1141 Log Enumeration Discovery Provider Mission, Personnel & Identity
ATAGS-T1142 Network Service Discovery Discovery Provider Network Transport
ATAGS-T1143 Network Share Discovery Discovery Shared Mission, Personnel & Identity
ATAGS-T1144 Password Policy Discovery Discovery Shared Mission, Personnel & Identity
ATAGS-T1145 Peripheral Device Discovery Discovery Customer Mission, Personnel & Identity
ATAGS-T1146 Permission Groups Discovery Discovery Provider Cloud Control Plane
ATAGS-T1146.001 Local Groups Discovery ATAGS-T1146 – Permission Groups Discovery Provider Cloud Control Plane
ATAGS-T1146.002 Domain Groups Discovery ATAGS-T1146 – Permission Groups Discovery Provider Cloud Control Plane
ATAGS-T1146.003 Cloud Groups Discovery ATAGS-T1146 – Permission Groups Discovery Provider Cloud Control Plane
ATAGS-T1147 Process Discovery Discovery Provider Software
ATAGS-T1148 Remote System Discovery Discovery Provider Cloud Control Plane
ATAGS-T1149 Remote System Information Discovery Discovery Provider Cloud Control Plane
ATAGS-T1150 Software Discovery Discovery Provider Mission, Personnel & Identity
ATAGS-T1150.001 Security Software Discovery Discovery ATAGS-T1150 – Software Discovery Provider Mission, Personnel & Identity
ATAGS-T1150.002 Backup Software Discovery Discovery ATAGS-T1150 – Software Discovery Provider Mission, Personnel & Identity
ATAGS-T1151 System Information Discovery Discovery Provider Mission, Personnel & Identity
ATAGS-T1152 System Location Discovery Discovery Provider Mission, Personnel & Identity
ATAGS-T1152.001 System Language Discovery Discovery ATAGS-T1152 – System Location Discovery Provider Mission, Personnel & Identity
ATAGS-T1153 System Network Configuration Discovery Discovery Provider Network Transport
ATAGS-T1153.001 Internet Connection Discovery Discovery ATAGS-T1153 – System Network Configuration Discovery Provider Network Transport
ATAGS-T1153.002 Wi-Fi Discovery Discovery ATAGS-T1153 – System Network Configuration Discovery Provider Network Transport
ATAGS-T1154 System Network Connections Discovery Discovery Provider Network Transport
ATAGS-T1155 System Owner/User Discovery Discovery Provider Mission, Personnel & Identity
ATAGS-T1156 System Service Discovery Discovery Provider Software
ATAGS-T1157 Trust Relationships Discovery Discovery Shared Mission, Personnel & Identity
ATAGS-T1158 Virtual Machine Discovery Discovery Provider Software
ATAGS-T1159 Default Credentials Lateral Movement Provider Mission, Personnel & Identity
ATAGS-T1160 Hardcoded Credentials Lateral Movement Provider Software
ATAGS-T1161 Internal Spearphishing Lateral Movement Shared Mission, Personnel & Identity
ATAGS-T1162 Lateral Tool Transfer Lateral Movement Provider Software
ATAGS-T1163 Remote Service Session Hijacking Lateral Movement Shared Software
ATAGS-T1163.001 SSH Hijacking Lateral Movement ATAGS-T1163 – Remote Service Session Hijacking Shared Software
ATAGS-T1163.002 RDP Hijacking Lateral Movement ATAGS-T1163 – Remote Service Session Hijacking Shared Software
ATAGS-T1164 Taint Shared Content Lateral Movement Shared Software
ATAGS-T1165 Use/Exploitation of Remote Services Lateral Movement Provider Software
ATAGS-T1166 Virtualization Escape Lateral Movement Provider Software
ATAGS-T1167 Archive Collected Data Collection Shared Software
ATAGS-T1167.001 Archive via Utility Collection ATAGS-T1167 – Archive Collected Data Shared Software
ATAGS-T1167.002 Archive via Library Collection ATAGS-T1167 – Archive Collected Data Shared Software
ATAGS-T1167.003 Archive via Custom Method Collection ATAGS-T1167 – Archive Collected Data Shared Software
ATAGS-T1168 Audio Capture Collection Shared Mission, Personnel & Identity
ATAGS-T1169 Automated Collection Collection Shared Software
ATAGS-T1170 Browser Session Hijacking Collection Shared Software
ATAGS-T1171 Clipboard Data Collection Shared Mission, Personnel & Identity
ATAGS-T1172 Data from Cloud Storage Collection Provider Software
ATAGS-T1173 Data from Configuration Repository Collection Provider Software
ATAGS-T1173.001 SNMP (MIB Dump) Collection ATAGS-T1173 – Data from Configuration Repository Provider Software
ATAGS-T1173.002 Network Device Configuration Dump Collection ATAGS-T1173 – Data from Configuration Repository Provider Software
ATAGS-T1174 Data from Information Repositories Collection Provider Software
ATAGS-T1174.001 Confluence Collection ATAGS-T1174 – Data from Information Repositories Provider Software
ATAGS-T1174.002 Sharepoint Collection ATAGS-T1174 – Data from Information Repositories Provider Software
ATAGS-T1174.003 Code Repositories Collection ATAGS-T1174 – Data from Information Repositories Provider Software
ATAGS-T1174.004 Customer Relationship Management Software Collection ATAGS-T1174 – Data from Information Repositories Provider Software
ATAGS-T1174.005 Messaging Applications Collection ATAGS-T1174 – Data from Information Repositories Provider Software
ATAGS-T1174.006 Databases Collection ATAGS-T1174 – Data from Information Repositories Provider Software
ATAGS-T1175 Data from link eavesdropping Collection Provider Satellite Communications
ATAGS-T1175.001 Payload eavesdropping Collection ATAGS-T1175 – Data from link eavesdropping Provider Satellite Communications
ATAGS-T1175.002 Range Data eavesdropping Collection ATAGS-T1175 – Data from link eavesdropping Provider Satellite Communications
ATAGS-T1175.003 TC/TM eavesdropping Collection ATAGS-T1175 – Data from link eavesdropping Provider Satellite Communications
ATAGS-T1176 Data from Local System Collection Provider Software
ATAGS-T1177 Data from Network Shared Drive Collection Shared Software
ATAGS-T1178 Data Staged Collection Shared Software
ATAGS-T1178.001 Local Data Staging Collection ATAGS-T1178 – Data Staged Shared Software
ATAGS-T1178.002 Remote Data Staging Collection ATAGS-T1178 – Data Staged Shared Software
ATAGS-T1179 Email Collection Collection Shared Software
ATAGS-T1179.001 Local Email Collection Collection ATAGS-T1179 – Email Collection Shared Software
ATAGS-T1179.002 Remote Email Collection Collection ATAGS-T1179 – Email Collection Shared Software
ATAGS-T1179.003 Email Forwarding Rule Collection ATAGS-T1179 – Email Collection Shared Software
ATAGS-T1180 Screen Capture Collection Shared Mission, Personnel & Identity
ATAGS-T1181 Video Capture Collection Shared Mission, Personnel & Identity
ATAGS-T1182 Wireless Sniffing Collection Provider Hardware
ATAGS-T1183 Data Encoding Command And Control Provider Software
ATAGS-T1183.001 Standard Encoding Command And Control ATAGS-T1183 – Data Encoding Provider Software
ATAGS-T1183.002 Non-Standard Encoding Command And Control ATAGS-T1183 – Data Encoding Provider Software
ATAGS-T1184 Data Obfuscation Command And Control Provider Software
ATAGS-T1184.001 Junk Data Command And Control ATAGS-T1184 – Data Obfuscation Provider Software
ATAGS-T1184.002 Steganography Command And Control ATAGS-T1184 – Data Obfuscation Provider Software
ATAGS-T1184.003 Protocol or Service Impersonation Command And Control ATAGS-T1184 – Data Obfuscation Provider Software
ATAGS-T1185 Dynamic Resolution Command And Control Provider Software
ATAGS-T1185.001 Fast Flux DNS Command And Control ATAGS-T1185 – Dynamic Resolution Provider Software
ATAGS-T1185.002 Domain Generation Algorithms Command And Control ATAGS-T1185 – Dynamic Resolution Provider Software
ATAGS-T1185.003 DNS Calculation Command And Control ATAGS-T1185 – Dynamic Resolution Provider Software
ATAGS-T1186 Encrypted Channel Command And Control Provider Network Transport
ATAGS-T1186.001 Symmetric Cryptography Command And Control ATAGS-T1186 – Encrypted Channel Provider Network Transport
ATAGS-T1186.002 Asymmetric Cryptography Command And Control ATAGS-T1186 – Encrypted Channel Provider Network Transport
ATAGS-T1187 Fallback Channels Command And Control Provider Network Transport
ATAGS-T1188 Hide Infrastructure Command And Control Provider Network Transport
ATAGS-T1189 Ingress Tool Transfer Command And Control Provider Software
ATAGS-T1190 Multi-Stage Channels Command And Control Provider Software
ATAGS-T1191 Non-Application Layer Protocol Command And Control Provider Network Transport
ATAGS-T1192 Protocol Tunnelling Command And Control Shared Network Transport
ATAGS-T1193 Proxy Command And Control Provider Software
ATAGS-T1193.001 Internal Proxy Command And Control ATAGS-T1193 – Proxy Provider Software
ATAGS-T1193.002 External Proxy Command And Control ATAGS-T1193 – Proxy Provider Software
ATAGS-T1193.003 Multi-hop Proxy Command And Control ATAGS-T1193 – Proxy Provider Software
ATAGS-T1193.004 Domain Fronting Command And Control ATAGS-T1193 – Proxy Provider Software
ATAGS-T1194 Remote Access Tools Command And Control Shared Software
ATAGS-T1194.001 IDE Tunneling Command And Control ATAGS-T1194 – Remote Access Tools Shared Software
ATAGS-T1194.002 Remote Desktop Software Command And Control ATAGS-T1194 – Remote Access Tools Shared Software
ATAGS-T1194.003 Remote Access Hardware Command And Control ATAGS-T1194 – Remote Access Tools Shared Software
ATAGS-T1195 Standard Application Layer Protocol Command And Control Provider Network Transport
ATAGS-T1196 Web Service Command And Control Provider Software
ATAGS-T1196.001 Dead Drop Resolver Command And Control ATAGS-T1196 – Web Service Provider Software
ATAGS-T1196.002 Bidirectional Communication Command And Control ATAGS-T1196 – Web Service Provider Software
ATAGS-T1196.003 One-Way Communication Command And Control ATAGS-T1196 – Web Service Provider Software
ATAGS-T1197 Automated Exfiltration Exfiltration Shared Software
ATAGS-T1197.001 Traffic Duplication Exfiltration ATAGS-T1197 – Automated Exfiltration Shared Software
ATAGS-T1198 Data Transfer Size Limits Exfiltration Shared Software
ATAGS-T1199 Exfiltration Over Alternative Protocol Exfiltration Shared Network Transport
ATAGS-T1199.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration ATAGS-T1199 – Exfiltration Over Alternative Protocol Shared Network Transport
ATAGS-T1199.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration ATAGS-T1199 – Exfiltration Over Alternative Protocol Shared Network Transport
ATAGS-T1199.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration ATAGS-T1199 – Exfiltration Over Alternative Protocol Shared Network Transport
ATAGS-T1200 Exfiltration Over C2 Channel Exfiltration Shared Network Transport
ATAGS-T1201 Exfiltration Over Other Network Medium Exfiltration Shared Network Transport
ATAGS-T1201.001 Exfiltration Over Bluetooth Exfiltration ATAGS-T1201 – Exfiltration Over Other Network Medium Shared Network Transport
ATAGS-T1202 Exfiltration Over Payload Channel Exfiltration Shared Satellite Communications
ATAGS-T1203 Exfiltration Over Web Service Exfiltration Shared Network Transport
ATAGS-T1203.001 Exfiltration to Code Repository Exfiltration ATAGS-T1203 – Exfiltration Over Web Service Shared Network Transport
ATAGS-T1203.002 Exfiltration to Cloud Storage Exfiltration ATAGS-T1203 – Exfiltration Over Web Service Shared Network Transport
ATAGS-T1203.003 Exfiltration to Text Storage Sites Exfiltration ATAGS-T1203 – Exfiltration Over Web Service Shared Network Transport
ATAGS-T1203.004 Exfiltration Over Webhook Exfiltration ATAGS-T1203 – Exfiltration Over Web Service Shared Network Transport
ATAGS-T1204 Modify Communications Configuration Exfiltration Provider Hardware/Software
ATAGS-T1204.001 Software Defined Radio Exfiltration ATAGS-T1204 – Modify Communications Configuration Provider Hardware/Software
ATAGS-T1204.002 Transponder Exfiltration ATAGS-T1204 – Modify Communications Configuration Provider Hardware/Software
ATAGS-T1205 Physical Layer Exfiltration Exfiltration Provider Satellite Communications
ATAGS-T1206 Replay Exfiltration Exfiltration Shared Software
ATAGS-T1207 Scheduled Transfer Exfiltration Shared Software
ATAGS-T1208 Side-Channel Exfiltration Exfiltration Shared Hardware
ATAGS-T1208.001 Power Analysis Attacks Exfiltration ATAGS-T1208 – Side-Channel Exfiltration Shared Hardware
ATAGS-T1208.002 Electromagnetic Leakage Attacks Exfiltration ATAGS-T1208 – Side-Channel Exfiltration Shared Hardware
ATAGS-T1208.003 Traffic Analysis Attacks Exfiltration ATAGS-T1208 – Side-Channel Exfiltration Shared Hardware
ATAGS-T1208.004 Timing Attacks Exfiltration ATAGS-T1208 – Side-Channel Exfiltration Shared Hardware
ATAGS-T1209 Transfer Data to Cloud Account Exfiltration Shared Network Transport
ATAGS-T1210 Account Access Removal Impact Provider Mission, Personnel & Identity
ATAGS-T1211 Data Destruction Impact Shared Software
ATAGS-T1211.001 Lifecycle-Triggered Deletion Impact ATAGS-T1211 – Data Destruction Provider Software
ATAGS-T1212 Data Encrypted for Impact Impact Shared Software
ATAGS-T1213 Data Manipulation Impact Shared Software
ATAGS-T1213.001 Runtime Data Manipulation Impact ATAGS-T1213 – Data Manipulation Provider Software
ATAGS-T1213.002 Stored Data Manipulation Impact ATAGS-T1213 – Data Manipulation Provider Software
ATAGS-T1213.003 Transmitted Data Manipulation Impact ATAGS-T1213 – Data Manipulation Provider Software
ATAGS-T1214 Defacement Impact Provider Software
ATAGS-T1214.001 External Defacement Impact ATAGS-T1214 – Defacement Provider Software
ATAGS-T1214.002 Internal Defacement Impact ATAGS-T1214 – Defacement Provider Software
ATAGS-T1215 Degradation of infrastructure Impact Provider Hardware
ATAGS-T1216 Denial of Service Impact Provider Software
ATAGS-T1217 Endpoint Denial of Service Impact Provider Software
ATAGS-T1217.001 Application Exhaustion Flood Impact ATAGS-T1217 – Endpoint Denial of Service Provider Software
ATAGS-T1217.002 Application or System Exploitation Impact ATAGS-T1217 – Endpoint Denial of Service Provider Software
ATAGS-T1217.003 OS Exhaustion Flood Impact ATAGS-T1217 – Endpoint Denial of Service Provider Software
ATAGS-T1217.004 Service Exhaustion Flood Impact ATAGS-T1217 – Endpoint Denial of Service Provider Software
ATAGS-T1218 Financial Theft Impact Provider Mission, Personnel & Identity
ATAGS-T1219 Inhibit System Recovery Impact Provider Cloud Control Plane
ATAGS-T1220 Loss of Control Impact Provider Cloud Control Plane
ATAGS-T1221 Loss of Intellectual property/proprietary data Impact Shared Mission, Personnel & Identity
ATAGS-T1222 Loss of Productivity and Revenue Impact Provider Mission, Personnel & Identity
ATAGS-T1223 Loss of Protection Impact Provider Software
ATAGS-T1224 Loss of View Impact Provider Mission, Personnel & Identity
ATAGS-T1225 Physical Destruction Impact Provider Hardware
ATAGS-T1226 Resource Hijacking Impact Provider Cloud Control Plane
ATAGS-T1226.001 Bandwidth Hijacking Impact ATAGS-T1226 – Resource Hijacking Provider Cloud Control Plane
ATAGS-T1226.002 Cloud Service Hijacking Impact ATAGS-T1226 – Resource Hijacking Provider Cloud Control Plane
ATAGS-T1226.003 Compute Hijacking Impact ATAGS-T1226 – Resource Hijacking Provider Cloud Control Plane
ATAGS-T1227 Unauthorized Command Message Impact Provider Cloud Control Plane