| Stage | Technique | Mitigation |
|---|---|---|
| Collection | Archive Collected Data: Archive via Utility | M1047 Audit |
| Command and Control | Application Layer Protocol: File Transfer Protocols | M1031 Network Intrusion Prevention |
| Command and Control | Non-Application Layer Protocol | M1030 Network Segmentation; M1031 Network Intrusion Prevention; M1037 Filter Network Traffic |
| Command and Control | Protocol Tunneling | M1031 Network Intrusion Prevention; M1037 Filter Network Traffic |
| Command and Control | Remote Access Software | M1031 Network Intrusion Prevention; M1037 Filter Network Traffic; M1038 Execution Prevention |
| Credential Access | Brute Force | M1018 User Account Management; M1027 Password Policies; M1032 Multi-factor Authentication; M1036 Account Use Policies |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | M1027 Password Policies |
| Credential Access | Credentials from Password Stores: Windows Credential Manager | M1042 Disable or Remove Feature or Program |
| Credential Access | OS Credential Dumping: LSASS Memory | M1017 User Training; M1025 Privileged Process Integrity; M1026 Privileged Account Management; M1027 Password Policies; M1028 Operating System Configuration; M1040 Behavior Prevention on Endpoint; M1043 Credential Access Protection |
| Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | M1026 Privileged Account Management; M1047 Audit; M1051 Update Software; M1052 User Account Control |
| Defense Evasion | Domain Policy Modification: Group Policy Modification | M1018 User Account Management; M1026 Privileged Account Management; M1047 Audit |
| Defense Evasion | Execution Guardrails: Environmental Keying | M1055 Do Not Mitigate |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | M1018 User Account Management; M1022 Restrict File and Directory Permissions; M1024 Restrict Registry Permissions; M1038 Execution Prevention |
| Defense Evasion | Indicator Removal: Clear Windows Event Logs | M1022 Restrict File and Directory Permissions; M1029 Remote Data Storage; M1041 Encrypt Sensitive Information |
| Defense Evasion | Obfuscated Files or Information: Software Packing | M1049 Antivirus/Antimalware |
| Defense Evasion | Valid Accounts | M1013 Application Developer Guidance; M1015 Active Directory Configuration; M1017 User Training; M1018 User Account Management; M1026 Privileged Account Management; M1027 Password Policies; M1036 Account Use Policies |
| Discovery | Network Service Discovery | M1030 Network Segmentation; M1031 Network Intrusion Prevention; M1042 Disable or Remove Feature or Program |
| Execution | Command and Scripting Interpreter: Windows Command Shell | M1038 Execution Prevention |
| Execution | Software Deployment Tools | M1015 Active Directory Configuration; M1017 User Training; M1018 User Account Management; M1026 Privileged Account Management; M1027 Password Policies; M1029 Remote Data Storage; M1030 Network Segmentation; M1032 Multi-factor Authentication; M1033 Limit Software Installation; M1051 Update Software |
| Execution | System Services: Service Execution | M1022 Restrict File and Directory Permissions; M1026 Privileged Account Management; M1040 Behavior Prevention on Endpoint |
| Exfiltration | Exfiltration Over Web Service | M1021 Restrict Web-Based Content; M1057 Data Loss Prevention |
| Impact | Data Destruction | M1053 Data Backup |
| Impact | Data Encrypted for Impact | M1040 Behavior Prevention on Endpoint; M1053 Data Backup |
| Impact | Defacement: Internal Defacement | M1053 Data Backup |
| Impact | Inhibit System Recovery | M1018 User Account Management; M1028 Operating System Configuration; M1053 Data Backup |
| Impact | Service Stop | M1018 User Account Management; M1022 Restrict File and Directory Permissions; M1024 Restrict Registry Permissions; M1030 Network Segmentation |
| Initial Access | Drive-by Compromise | M1021 Restrict Web-Based Content; M1048 Application Isolation and Sandboxing; M1050 Exploit Protection; M1051 Update Software |
| Initial Access | Exploit Public-Facing Application | M1016 Vulnerability Scanning; M1026 Privileged Account Management; M1030 Network Segmentation |
| Initial Access | External Remote Services | M1030 Network Segmentation; M1032 Multi-factor Authentication; M1035 Limit Access to Resource Over Network; M1042 Disable or Remove Feature or Program |
| Initial Access | Phishing | M1017 User Training; M1021 Restrict Web-Based Content; M1031 Network Intrusion Prevention; M1049 Antivirus/Antimalware; M1054 Software Configuration |
| Initial Access | Valid Accounts | M1013 Application Developer Guidance; M1015 Active Directory Configuration; M1017 User Training; M1018 User Account Management; M1026 Privileged Account Management; M1027 Password Policies; M1036 Account Use Policies |
| Lateral Movement | Remote Services: Remote Desktop Protocol | M1018 User Account Management; M1026 Privileged Account Management; M1028 Operating System Configuration; M1030 Network Segmentation; M1032 Multi-factor Authentication; M1035 Limit Access to Resource Over Network; M1042 Disable or Remove Feature or Program; M1047 Audit |
| Lateral Movement | Remote Services: SMB/Windows Admin Shares | M1026 Privileged Account Management; M1027 Password Policies; M1035 Limit Access to Resource Over Network; M1037 Filter Network Traffic |
| Persistence | External Remote Services | M1030 Network Segmentation; M1032 Multi-factor Authentication; M1035 Limit Access to Resource Over Network; M1042 Disable or Remove Feature or Program |
| Persistence | Valid Accounts | M1013 Application Developer Guidance; M1015 Active Directory Configuration; M1017 User Training; M1018 User Account Management; M1026 Privileged Account Management; M1027 Password Policies; M1036 Account Use Policies |
| Privilege Escalation | Abuse Elevation Control Mechanism: Bypass User Account Control | M1026 Privileged Account Management; M1047 Audit; M1051 Update Software; M1052 User Account Control |
| Privilege Escalation | Domain Policy Modification: Group Policy Modification | M1018 User Account Management; M1026 Privileged Account Management; M1047 Audit |
| Privilege Escalation | Valid Accounts | M1013 Application Developer Guidance; M1015 Active Directory Configuration; M1017 User Training; M1018 User Account Management; M1026 Privileged Account Management; M1027 Password Policies; M1036 Account Use Policies |