| Tactic | Technique | Data Source | Mitigation |
|---|---|---|---|
| Reconnaissance | Active Scanning (3): Scanning IP Blocks, Vulnerability Scanning, Wordlist Scanning | | |
| | Gather Victim Host Information (4): Hardware, Software, Firmware, Client Configurations | | |
| | Gather Victim Identity Information (3): Credentials, Email Addresses, Employee Names | | |
| | Gather Victim Network Information (6): Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances | | |
| | Gather Victim Org Information (4): Determine Physical Locations, Business Relationships, Identify Business Tempo, Identify Roles | | |
| | Phishing for Information (4): Spearphishing Service, Spearphishing Attachment, Spearphishing Link, Spearphishing Voice | | |
| | Search Closed Sources (2): Threat Intel Vendors, Purchase Technical Data | | |
| | Search Open Technical Databases (5): DNS/Passive DNS, WHOIS, Digital Certificates, CDNs, Scan Databases | | |
| | Search Open Websites/Domains (3): Social Media, Search Engines, Code Repositories | | |
| | Search Victim-Owned Websites | | |
| Resource Development | Acquire Access | | |
| | Acquire Infrastructure (8): Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising | | |
| | Compromise Accounts (3): Social Media Accounts, Email Accounts, Cloud Accounts | | |
| | Compromise Infrastructure (8): Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Network Devices | | |
| | Develop Capabilities (4): Malware, Code Signing Certificates, Digital Certificates, Exploits | | |
| | Establish Accounts (3): Social Media Accounts, Email Accounts, Cloud Accounts | | |
| | Obtain Capabilities (7): Malware, Tool, Code Signing Certificates, Digital Certificates, Exploits, Vulnerabilities, Artificial Intelligence | | |
| | Stage Capabilities (6): Upload Malware, Upload Tool, Install Digital Certificate, Drive-by Target, Link Target, SEO Poisoning | | |
| Initial Access | Content Injection | | |
| | Drive-by Compromise | | |
| | Exploit Public-Facing Application | | |
| | External Remote Services | | |
| | Hardware Additions | | |
| | Phishing (4): Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Spearphishing Voice | | |
| | Replication Through Removable Media | | |
| | Supply Chain Compromise (3): Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, Compromise Hardware Supply Chain | | |
| | Trusted Relationship | | |
| | Valid Accounts (4): Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts | | |
| | Wi-Fi Networks | | |
| Execution | Cloud Administration Command | | |
| | Command and Scripting Interpreter (12): PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic, Python, JavaScript, Network Device CLI, Cloud API, AutoHotKey & AutoIT, Lua, Hypervisor CLI | | |
| | Container Administration Command | | |
| | Deploy Container | | |
| | ESXi Administration Command | | |
| | Exploitation for Client Execution | | |
| | Input Injection | | |
| | Inter-Process Communication (3): Component Object Model, Dynamic Data Exchange, XPC Services | | |
| | Native API | | |
| | Scheduled Task/Job (5): At, Cron, Scheduled Task, Systemd Timers, Container Orchestration Job | | |
| | Serverless Execution | | |
| | Shared Modules | | |
| | Software Deployment Tools | | |
| | System Services (3): Launchctl, Service Execution, Systemctl | | |
| | User Execution (4): Malicious Link, Malicious File, Malicious Image, Malicious Copy and Paste | | |
| | Windows Management Instrumentation | | |
| Persistence | Account Manipulation (7): Additional Cloud Credentials, Additional Email Delegate Permissions, Additional Cloud Roles, SSH Authorized Keys, Device Registration, Additional Container Cluster Roles, Additional Local or Domain Groups | | |
| | BITS Jobs | | |
| | Boot or Logon Autostart Execution (14): Registry Run Keys / Startup Folder, Authentication Package, Time Providers, Winlogon Helper DLL, Security Support Provider, Kernel Modules and Extensions, Re-opened Applications, LSASS Driver, Shortcut Modification, Port Monitors, Print Processors, XDG Autostart Entries, Active Setup, Login Items | | |
| | Boot or Logon Initialization Scripts (5): Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items | | |
| | Cloud Application Integration | | |
| | Compromise Host Software Binary | | |
| | Create Account (3): Local Account, Domain Account, Cloud Account | | |
| | Create or Modify System Process (5): Launch Agent, Systemd Service, Windows Service, Launch Daemon, Container Service | | |
| | Event Triggered Execution (17): Change Default File Association, Screensaver, Windows Management Instrumentation Event Subscription, Unix Shell Configuration Modification, Trap, LC_LOAD_DYLIB Addition, Netsh Helper DLL, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Image File Execution Options Injection, PowerShell Profile, Emond, Component Object Model Hijacking, Installer Packages, Udev Rules | | |
| | Exclusive Control | | |
| | External Remote Services | | |
| | Hijack Execution Flow (12): DLL, Dylib Hijacking, Executable Installer File Permissions Weakness, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking, Path Interception by Unquoted Path, Services File Permissions Weakness, Services Registry Permissions Weakness, COR_PROFILER, KernelCallbackTable, AppDomainManager | | |
| | Implant Internal Image | | |
| | Modify Authentication Process (9): Domain Controller Authentication, Password Filter DLL, Pluggable Authentication Modules, Network Device Authentication, Reversible Encryption, Multi-Factor Authentication, Hybrid Identity, Network Provider DLL, Conditional Access Policies | | |
| | Modify Registry | | |
| | Office Application Startup (6): Office Template Macros, Office Test, Outlook Forms, Outlook Home Page, Outlook Rules, Add-ins | | |
| | Power Settings | | |
| | Pre-OS Boot (5): System Firmware, Component Firmware, Bootkit, ROMMONkit, TFTP Boot | | |
| | Scheduled Task/Job (5): At, Cron, Scheduled Task, Systemd Timers, Container Orchestration Job | | |
| | Server Software Component (6): SQL Stored Procedures, Transport Agent, Web Shell, IIS Components, Terminal Services DLL, vSphere Installation Bundles | | |
| | Software Extensions (2): Browser Extensions, IDE Extensions | | |
| | Traffic Signaling (2): Port Knocking, Socket Filters | | |
| | Valid Accounts (4): Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts | | |
| Privilege Escalation | Abuse Elevation Control Mechanism (6): Setuid and Setgid, Bypass User Account Control, Sudo and Sudo Caching, Elevated Execution with Prompt, Temporary Elevated Cloud Access, TCC Manipulation | | |
| | Access Token Manipulation (5): Token Impersonation/Theft, Create Process with Token, Make and Impersonate Token, Parent PID Spoofing, SID-History Injection | | |
| | Account Manipulation (7): Additional Cloud Credentials, Additional Email Delegate Permissions, Additional Cloud Roles, SSH Authorized Keys, Device Registration, Additional Container Cluster Roles, Additional Local or Domain Groups | | |
| | BITS Jobs | | |
| | Boot or Logon Autostart Execution (14): Registry Run Keys / Startup Folder, Authentication Package, Time Providers, Winlogon Helper DLL, Security Support Provider, Kernel Modules and Extensions, Re-opened Applications, LSASS Driver, Shortcut Modification, Port Monitors, Print Processors, XDG Autostart Entries, Active Setup, Login Items | | |
| | Boot or Logon Initialization Scripts (5): Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items | | |
| | Create or Modify System Process (5): Launch Agent, Systemd Service, Windows Service, Launch Daemon, Container Service | | |
| | Domain or Tenant Policy Modification (2): Group Policy Modification, Trust Modification | | |
| | Escape to Host | | |
| | Event Triggered Execution (17): Change Default File Association, Screensaver, Windows Management Instrumentation Event Subscription, Unix Shell Configuration Modification, Trap, LC_LOAD_DYLIB Addition, Netsh Helper DLL, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Image File Execution Options Injection, PowerShell Profile, Emond, Component Object Model Hijacking, Installer Packages, Udev Rules | | |
| | Exploitation for Privilege Escalation | | |
| | Hijack Execution Flow (12): DLL, Dylib Hijacking, Executable Installer File Permissions Weakness, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking, Path Interception by Unquoted Path, Services File Permissions Weakness, Services Registry Permissions Weakness, COR_PROFILER, KernelCallbackTable, AppDomainManager | | |
| | Process Injection (12): Dynamic-link Library Injection, Portable Executable Injection, Thread Execution Hijacking, Asynchronous Procedure Call, Thread Local Storage, Ptrace System Calls, Proc Memory, Extra Window Memory Injection, Process Hollowing, Process Doppelgänging, VDSO Hijacking, ListPlanting | | |
| | Scheduled Task/Job (5): At, Cron, Scheduled Task, Systemd Timers, Container Orchestration Job | | |
| | Valid Accounts (4): Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts | | |
| Defense Evasion | Abuse Elevation Control Mechanism (6): Setuid and Setgid, Bypass User Account Control, Sudo and Sudo Caching, Elevated Execution with Prompt, Temporary Elevated Cloud Access, TCC Manipulation | | |
| | Access Token Manipulation (5): Token Impersonation/Theft, Create Process with Token, Make and Impersonate Token, Parent PID Spoofing, SID-History Injection | | |
| | BITS Jobs | | |
| | Build Image on Host | | |
| | Debugger Evasion | | |
| | Deobfuscate/Decode Files or Information | | |
| | Deploy Container | | |
| | Direct Volume Access | | |
| | Domain or Tenant Policy Modification (2): Group Policy Modification, Trust Modification | | |
| | Email Spoofing | | |
| | Execution Guardrails (2): Environmental Keying, Mutual Exclusion | | |
| | Exploitation for Defense Evasion | | |
| | File and Directory Permissions Modification (2): Windows File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification | | |
| | Hide Artifacts (14): Hidden Files and Directories, Hidden Users, Hidden Window, NTFS File Attributes, Hidden File System, Run Virtual Instance, VBA Stomping, Email Hiding Rules, Resource Forking, Process Argument Spoofing, Ignore Process Interrupts, File/Path Exclusions, Bind Mounts, Extended Attributes | | |
| | Hijack Execution Flow (12): DLL, Dylib Hijacking, Executable Installer File Permissions Weakness, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking, Path Interception by Unquoted Path, Services File Permissions Weakness, Services Registry Permissions Weakness, COR_PROFILER, KernelCallbackTable, AppDomainManager | | |
| | Impair Defenses (11): Disable or Modify Tools, Disable Windows Event Logging, Impair Command History Logging, Disable or Modify System Firewall, Indicator Blocking, Disable or Modify Cloud Firewall, Disable or Modify Cloud Logs, Safe Mode Boot, Downgrade Attack, Spoof Security Alerting, Disable or Modify Linux Audit System | | |
| | Impersonation | | |
| | Indicator Removal (10): Clear Windows Event Logs, Clear Linux or Mac System Logs, Clear Command History, File Deletion, Network Share Connection Removal, Timestomp, Clear Network Connection History and Configurations, Clear Mailbox Data, Clear Persistence, Relocate Malware | | |
| | Indirect Command Execution | | |
| | Masquerading (11): Invalid Code Signature, Right-to-Left Override, Rename Legitimate Utilities, Masquerade Task or Service, Match Legitimate Resource Name or Location, Space after Filename, Double File Extension, Masquerade File Type, Break Process Trees, Masquerade Account Name, Overwrite Process Arguments | | |
| | Modify Authentication Process (9): Domain Controller Authentication, Password Filter DLL, Pluggable Authentication Modules, Network Device Authentication, Reversible Encryption, Multi-Factor Authentication, Hybrid Identity, Network Provider DLL, Conditional Access Policies | | |
| | Modify Cloud Compute Infrastructure (5): Create Snapshot, Create Cloud Instance, Delete Cloud Instance, Revert Cloud Instance, Modify Cloud Compute Configurations | | |
| | Modify Cloud Resource Hierarchy | | |
| | Modify Registry | | |
| | Modify System Image (2): Patch System Image, Downgrade System Image | | |
| | Network Boundary Bridging (1): Network Address Translation Traversal | | |
| | Obfuscated Files or Information (17): Binary Padding, Software Packing, Steganography, Compile After Delivery, Indicator Removal from Tools, HTML Smuggling, Dynamic API Resolution, Stripped Payloads, Embedded Payloads, Command Obfuscation, Fileless Storage, LNK Icon Smuggling, Encrypted/Encoded File, Polymorphic Code, Compression, Junk Code Insertion, SVG Smuggling | | |
| | Plist File Modification | | |
| | Pre-OS Boot (5): System Firmware, Component Firmware, Bootkit, ROMMONkit, TFTP Boot | | |
| | Process Injection (12): Dynamic-link Library Injection, Portable Executable Injection, Thread Execution Hijacking, Asynchronous Procedure Call, Thread Local Storage, Ptrace System Calls, Proc Memory, Extra Window Memory Injection, Process Hollowing, Process Doppelgänging, VDSO Hijacking, ListPlanting | | |
| | Reflective Code Loading | | |
| | Rogue Domain Controller | | |
| | Rootkit | | |
| | Subvert Trust Controls (6): Gatekeeper Bypass, Code Signing, SIP and Trust Provider Hijacking, Install Root Certificate, Mark-of-the-Web Bypass, Code Signing Policy Modification | | |
| | System Binary Proxy Execution (14): Compiled HTML File, Control Panel, CMSTP, InstallUtil, Mshta, Msiexec, Odbcconf, Regsvcs/Regasm, Regsvr32, Rundll32, Verclsid, Mavinject, MMC, Electron Applications | | |
| | System Script Proxy Execution (2): PubPrn, SyncAppvPublishingServer | | |
| | Template Injection | | |
| | Traffic Signaling (2): Port Knocking, Socket Filters | | |
| | Trusted Developer Utilities Proxy Execution (3): MSBuild, ClickOnce, JamPlus | | |
| | Unused/Unsupported Cloud Regions | | |
| | Use Alternate Authentication Material (4): Application Access Token, Pass the Hash, Pass the Ticket, Web Session Cookie | | |
| | Valid Accounts (4): Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts | | |
| | Virtualization/Sandbox Evasion (3): System Checks, User Activity Based Checks, Time Based Evasion | | |
| | Weaken Encryption (2): Reduce Key Space, Disable Crypto Hardware | | |
| | XSL Script Processing | | |
| Credential Access | Adversary-in-the-Middle (4): LLMNR/NBT-NS Poisoning and SMB Relay, ARP Cache Poisoning, DHCP Spoofing, Evil Twin | | |
| | Brute Force (4): Password Guessing, Password Cracking, Password Spraying, Credential Stuffing | | |
| | Credentials from Password Stores (6): Keychain, Securityd Memory, Credentials from Web Browsers, Windows Credential Manager, Password Managers, Cloud Secrets Management Stores | | |
| | Exploitation for Credential Access | | |
| | Forced Authentication | | |
| | Forge Web Credentials (2): Web Cookies, SAML Tokens | | |