| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | Nebulae can achieve persistence through a Registry Run key.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter:Windows Command Shell | |
| Enterprise | T1543 | .003 | Create or Modify System Process:Windows Service | |
| Enterprise | T1005 | Data from Local System | Nebulae has the capability to upload collected files to C2.[1] | |
| Enterprise | T1573 | .001 | Encrypted Channel:Symmetric Cryptography | Nebulae can use RC4 and XOR to encrypt C2 communications.[1] |
| Enterprise | T1083 | File and Directory Discovery | Nebulae can list files and directories on a compromised host.[1] | |
| Enterprise | T1574 | .001 | Hijack Execution Flow:DLL | |
| Enterprise | T1070 | .004 | Indicator Removal:File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1680 | Local Storage Discovery | Nebulae can discover logical drive information including the drive type, free space, and volume information.[1] | |
| Enterprise | T1036 | .004 | Masquerading:Masquerade Task or Service | Nebulae has created a service named "Windows Update Agent1" to appear legitimate.[1] |
| .005 | Masquerading:Match Legitimate Resource Name or Location | Nebulae uses functions named | ||
| Enterprise | T1106 | Native API | Nebulae has the ability to use | |
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1057 | Process Discovery | ||