Pre-Attack

Tactic: Reconnaissance

Reconnaissance techniques ( Reconnaissance [TA0043] ) are those activities conducted by the adversary to obtain information with the aim of planning a cyber attack.

Techniques examples:
Network Scanning

Scanning to obtain information on the company's network perimeter.

Tactic: Initial Access

“Initial Access” techniques ( Initial Access [TA0001] ) consist of activities conducted by criminals to gain access to the company network.

Techniques examples:
Phishing

Sending emails containing malicious links or attachments, which allows the criminal to gain access to the system or to a service (such as email).

Exploitation

Launching offensive activity to exploit a vulnerability present on a perimeter system. Citrix, Microsoft Exchange and Log4j are among the most commonly exploited.

Tactic: Execution

“Execution” techniques ( Execution [TA0002] ) are those activities conducted by the adversary to execute malicious code. In this way adversaries gain control of the system or make changes to it.

Techniques examples:
Command and Scripting Interpreter

Execution of malicious commands or scripts. Frequently abused interpreters include PowerShell, the Windows Command Shell, Unix shells and JavaScript.

User Execution

Execution of malicious code through interaction with the victim user.

During

Tactic: Persistence

“Persistence” techniques ( Persistence [TA0003] ) consist of activities conducted by criminals to maintain persistent access to the system, infrastructure or service (email).

Techniques examples:
Scheduled Tasks

Use of scheduled tasks (on Windows and Linux) to launch malicious code at system reboot or at specific times.
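From the defender's side, one check for this technique is to inspect newly created task definitions for actions that run from user-writable locations or carry encoded PowerShell, and that fire at boot or logon. The following is an added example, not code from the original page; the task XML (shaped like the TaskContent of a Windows Security event 4698) and the path and argument patterns are constructed assumptions:

```python
"""Audit a Windows scheduled-task definition for common persistence patterns.

Added example, not from the page: the task XML is constructed to resemble the
TaskContent of a Security event 4698; path and argument patterns are assumptions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = "{" + TASK_NS + "}"

# Constructed: re-launches an encoded PowerShell payload and a binary dropped in
# a user-writable folder at every boot and logon.
SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><BootTrigger/><LogonTrigger/></Triggers>
  <Actions>
    <Exec><Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-w hidden -enc SQBFAFgAIAAoAE4A</Arguments></Exec>
    <Exec><Command>C:\\Users\\Public\\update.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary maintenance task run from a system directory.
BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger/></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command>
  <Arguments>/sagerun:1</Arguments></Exec></Actions>
</Task>"""

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Temp\\|%(APPDATA|TEMP|TMP)%", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)
PERSISTENT_TRIGGERS = {"BootTrigger", "LogonTrigger"}

def audit_task(task_xml):
    """Return the findings for one task definition; an empty list means nothing flagged."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.iter(f"{NS}Exec"):  # every action the task launches
        cmd = exec_node.findtext(f"{NS}Command") or ""
        args = exec_node.findtext(f"{NS}Arguments") or ""
        if USER_WRITABLE.search(cmd):
            findings.append("command_in_user_writable_path")
        if ENCODED_PS.search(args):
            findings.append("encoded_powershell_arguments")
    triggers_el = root.find(f"{NS}Triggers")
    triggers = set() if triggers_el is None else {t.tag.replace(NS, "") for t in triggers_el}
    if findings and triggers & PERSISTENT_TRIGGERS:  # suspicious action that survives reboot/logon
        findings.append("runs_at_boot_or_logon")
    return findings
```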

Valid Accounts

Use of valid credentials to access the system (Active Directory Domain account), the Network (access via VPN) or the service (email access).

Tactic: Privilege Escalation

“Privilege Escalation” techniques ( Privilege Escalation [TA0004] ) are those activities conducted by the adversary to increase their privileges on the system or network. In this way they gain greater control and freedom of movement.

Techniques examples:
Token Manipulation

Adversaries can manipulate access tokens to make a running process appear to be the child of a different process. In this case the process also takes on the security context associated with the new token.

Exploitation

Adversaries can exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a vulnerability occurs when an adversary exploits a programming flaw to execute adversary-controlled code.

Tactic: Defence Evasion

“Defence Evasion” techniques ( Defence Evasion [TA0005] ) consist of activities conducted by criminals to evade system or network defence tools.

Techniques examples:
Token Manipulation

Adversaries can modify access tokens to operate in a different system or user security context to perform actions and bypass access controls.

Valid Accounts

Adversaries can execute their own malicious payloads by hijacking how operating systems run programs.

Tactic: Credential Access

“Credential Access” techniques ( Credential Access [TA0006] ) are those activities conducted by the adversary to obtain access credentials for a system or service (username, password, token, etc.) in order to obtain legitimate access.

Techniques examples:
Brute Force

Adversaries can use brute force techniques to access accounts when passwords are unknown or when password hashes are obtained.
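As an added example (not part of the original page), the following script shows how a defender can pick out both patterns this paragraph describes, repeated guessing against one account and a spray across many accounts, from SSH authentication logs; the log lines are constructed and the thresholds are assumptions:

```python
"""Flag brute-force and password-spraying patterns in SSH authentication logs.

Added example, not code from the page. The log lines are constructed, and the
thresholds (4 failures, or 3 distinct accounts, from one source within 5 minutes)
are assumptions a defender would tune to their environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 09:00:02 bastion sshd[1201]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 09:00:03 bastion sshd[1201]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 09:00:04 bastion sshd[1201]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 10 09:00:06 bastion sshd[1201]: Accepted password for root from 198.51.100.7 port 40006 ssh2
Mar 10 09:05:10 bastion sshd[1300]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Mar 10 09:05:11 bastion sshd[1300]: Failed password for bob from 203.0.113.9 port 5002 ssh2
Mar 10 09:05:12 bastion sshd[1300]: Failed password for invalid user carol from 203.0.113.9 port 5003 ssh2
Mar 10 09:30:00 bastion sshd[1400]: Failed password for alice from 192.0.2.5 port 6001 ssh2
Mar 10 09:40:00 bastion sshd[1400]: Accepted password for alice from 192.0.2.5 port 6002 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

def parse(log_text, year=2024):
    """Yield (timestamp, source_ip, user, success) for each matching auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"], m["result"] == "Accepted"

def detect(events, window=timedelta(minutes=5), max_fail=4, max_users=3):
    """Return {source_ip: set_of_alerts} using a sliding per-source failure window."""
    recent = defaultdict(list)   # src -> [(ts, user)] failures still inside the window
    alerts = defaultdict(set)
    for ts, src, user, success in sorted(events):
        fails = [(t, u) for t, u in recent[src] if ts - t <= window]  # expire old ones
        if success:
            if fails:  # a success that follows a burst of failures is the key signal
                alerts[src].add("success_after_failures")
            fails = []
        else:
            fails.append((ts, user))
            if len(fails) >= max_fail:
                alerts[src].add("brute_force")
            if len({u for _, u in fails}) >= max_users:  # one source, many accounts
                alerts[src].add("password_spray")
        recent[src] = fails
    return dict(alerts)
```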

Credential Dumping

Adversaries can extract credentials from a system once it is compromised, obtaining password hashes or plaintext secrets. This technique is used to enable lateral movement.

Tactic: Discovery

“Discovery” techniques ( Discovery [TA0007] ) are those activities conducted by the adversary to obtain information about the IT environment. These are usually post-compromise activities performed by the adversary to understand how to move within the network.

Techniques examples:
Network Scanning

Adversaries often conduct post-compromise network scanning activities. In this way they identify new target systems for internal movements.

Domain Discovery

Adversaries enumerate the Active Directory environment. In this way they can exploit AD logic to perform further movements.

Tactic: Lateral Movement

“Lateral Movement” techniques ( Lateral Movement [TA0008] ) are those activities conducted by the adversary post-compromise to move within the company network with internal pivoting activities. Typically the criminal’s goal is to gain access to more critical servers and maintain persistent access to the infrastructure.

Techniques examples:
Pass the Hash

Adversaries can use alternative authentication methods, such as password hashes, to move laterally within an environment and bypass normal system access controls.

Remote Services

Adversaries can use valid accounts to access a service that accepts remote connections (Telnet, SSH, VNC, SMB). The adversary can then perform actions as the logged-in user.

Tactic: Collection

“Collection” techniques ( Collection [TA0009] ) are those activities conducted by the adversary to collect information and data. These activities are carried out post-compromise to obtain information (passwords, strategic data, etc.).

Techniques examples:
Screen Capture

Adversaries perform screen capture to obtain screenshots of the victim's display. This technique is used to spy on the victim's operations.

Audio Capture

Adversaries perform audio recording of the victim’s device to listen to conversations.


Final Stage

Tactic: Command & Control

“Command & Control” techniques ( Command & Control [TA0011] ) concern the communication methods implemented by the adversary for remote control of the compromised system. In this way the adversary transmits commands to the victim system.

Techniques examples:
Remote Access Software

Adversaries abuse legitimate third-party remote access software (TeamViewer, LogMeIn, Ammyy Admin, etc.).

Application Protocol

Adversaries use application protocols, such as web, mail and DNS, to transmit commands to the victim system.

Tactic: Exfiltration

“Exfiltration” techniques ( Exfiltration [TA0010] ) are those activities conducted by the adversary to extract data or information from the victim system.

Exfiltration consists of techniques that adversaries can use to steal data from the network. Techniques for extracting data from a target network include transfer through the command and control channel.

Techniques examples:
Exfiltration through C2

Adversaries exfiltrate information using the same communication channel used to send commands to the system (Command and Control).
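The application-protocol channel described under Command & Control and the exfiltration over that same channel described here can be spotted together in DNS query logs, since both leave a trail of unusual subdomains from one client. The following is an added example, not code from the original page; the query lines, domain names and thresholds are constructed assumptions:

```python
"""Spot DNS-tunnelling style command-and-control or exfiltration in query logs.
Added example, not from the page. The "timestamp client query" lines are constructed
and the thresholds are assumptions; the heuristic is one client requesting many
unique, long, high-entropy subdomains of a single parent domain.
"""
import math
from collections import Counter, defaultdict

SAMPLE_QUERIES = """\
1710061200 10.0.0.5 5a3f9c1e7b2d8046af91c3e7.tunnel.example
1710061201 10.0.0.5 0b7e4d2a9f16c835e2d7a4b9.tunnel.example
1710061202 10.0.0.5 c81d3e6f2a57b904de13f8a6.tunnel.example
1710061203 10.0.0.5 3e9a7c02f5b1d846a9c0e27b.tunnel.example
1710061204 10.0.0.5 7f21b8d4e6a3c905b7e1f3a2.tunnel.example
1710061205 10.0.0.5 a4c6e8f012b3d5792e4a6c8d.tunnel.example
1710061206 10.0.0.9 www.example.com
1710061207 10.0.0.9 mail.example.com
1710061208 10.0.0.9 example.com
"""

def parent_domain(name, levels=2):
    """Crude registrable-domain guess: the last `levels` labels (no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-levels:])

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads score high, words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def profile(lines):
    """Group the subdomain part of each query by (client, parent domain)."""
    groups = defaultdict(list)
    for line in lines.splitlines():
        _, src, query = line.split()
        parent = parent_domain(query)
        sub = query.lower()[: -len(parent) - 1]  # text left of ".<parent>", may be empty
        if sub:
            groups[(src, parent)].append(sub)
    return groups

def detect(lines, min_unique=5, min_avg_len=16, min_entropy=3.0):
    """Return one alert per (client, domain) whose subdomains look like encoded data."""
    alerts = []
    for (src, parent), subs in profile(lines).items():
        uniq = set(subs)
        avg_len = sum(map(len, uniq)) / len(uniq)
        avg_ent = sum(map(entropy, uniq)) / len(uniq)
        if len(uniq) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            alerts.append({"src": src, "domain": parent, "unique": len(uniq),
                           "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return alerts
```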

Exfiltration through cloud account

Adversaries exfiltrate data through the use of cloud accounts and services.

Tactic: Impact

“Impact” techniques ( Impact [TA0040] ) are those activities carried out by adversaries to manipulate, interrupt or destroy systems or data (as in the Ransomware case).

Techniques examples:
Data Encryption

Adversaries can encrypt data on target systems to disrupt the availability of system and network resources.

Defacement

Adversaries can modify the visual content available inside or outside a corporate network (typically websites, as in hacktivism).