ATT&CK Matrix

Enterprise tactics and techniques. Click any technique to view detection rules.

14 Tactics | 216 Techniques | 475 Sub-techniques

reconnaissance

Reconnaissance

11 techniques

Gather Victim Identity Information

Gather Victim Network Information

Gather Victim Org Information

Gather Victim Host Information

Search Open Websites/Domains

Search Victim-Owned Websites

Active Scanning

Search Open Technical Databases

Search Closed Sources

Phishing for Information

Search Threat Vendor Data

resource-development

Resource Development

8 techniques

Acquire Infrastructure

Compromise Infrastructure

Establish Accounts

Compromise Accounts

Develop Capabilities

Obtain Capabilities

Stage Capabilities

initial-access

Initial Access

11 techniques

Replication Through Removable Media

External Remote Services

Drive-by Compromise

Exploit Public-Facing Application

Supply Chain Compromise

Trusted Relationship

Hardware Additions

Content Injection

execution

Execution

17 techniques

Windows Management Instrumentation

Scheduled Task/Job

Command and Scripting Interpreter

Software Deployment Tools

Exploitation for Client Execution

Inter-Process Communication

System Services

Container Administration Command

Deploy Container

Serverless Execution

Cloud Administration Command

Input Injection

ESXi Administration Command

Poisoned Pipeline Execution

persistence

Persistence

23 techniques

Boot or Logon Initialization Scripts

Scheduled Task/Job

Account Manipulation

Modify Registry

External Remote Services

Office Application Startup

Software Extensions

Traffic Signaling

Server Software Component

Implant Internal Image

Create or Modify System Process

Event Triggered Execution

Boot or Logon Autostart Execution

Compromise Host Software Binary

Modify Authentication Process

Hijack Execution Flow

Exclusive Control

Cloud Application Integration

privilege-escalation

Privilege Escalation

14 techniques

Boot or Logon Initialization Scripts

Scheduled Task/Job

Process Injection

Exploitation for Privilege Escalation

Account Manipulation

Access Token Manipulation

Domain or Tenant Policy Modification

Create or Modify System Process

Event Triggered Execution

Boot or Logon Autostart Execution

Abuse Elevation Control Mechanism

Hijack Execution Flow

defense-evasion

Defense Evasion

47 techniques

Direct Volume Access

Obfuscated Files or Information

Process Injection

Indicator Removal

Modify Registry

Trusted Developer Utilities Proxy Execution

Access Token Manipulation

Deobfuscate/Decode Files or Information

Indirect Command Execution

Traffic Signaling

Rogue Domain Controller

Exploitation for Defense Evasion

System Script Proxy Execution

System Binary Proxy Execution

XSL Script Processing

Template Injection

File and Directory Permissions Modification

Execution Guardrails

Domain or Tenant Policy Modification

Virtualization/Sandbox Evasion

Unused/Unsupported Cloud Regions

Abuse Elevation Control Mechanism

Use Alternate Authentication Material

Subvert Trust Controls

Modify Authentication Process

Impair Defenses

Hijack Execution Flow

Modify Cloud Compute Infrastructure

Network Boundary Bridging

Weaken Encryption

Modify System Image

Deploy Container

Build Image on Host

Reflective Code Loading

Debugger Evasion

Plist File Modification

Modify Cloud Resource Hierarchy

Delay Execution

Selective Exclusion

credential-access

Credential Access

17 techniques

OS Credential Dumping

Network Sniffing

Multi-Factor Authentication Interception

Forced Authentication

Exploitation for Credential Access

Steal Application Access Token

Steal Web Session Cookie

Unsecured Credentials

Credentials from Password Stores

Modify Authentication Process

Adversary-in-the-Middle

Steal or Forge Kerberos Tickets

Forge Web Credentials

Multi-Factor Authentication Request Generation

Steal or Forge Authentication Certificates

discovery

Discovery

34 techniques

System Service Discovery

Application Window Discovery

System Network Configuration Discovery

Remote System Discovery

System Owner/User Discovery

Network Sniffing

Network Service Discovery

System Network Connections Discovery

Process Discovery

Permission Groups Discovery

System Information Discovery

File and Directory Discovery

Account Discovery

Peripheral Device Discovery

System Time Discovery

Network Share Discovery

Password Policy Discovery

Browser Information Discovery

Domain Trust Discovery

Virtualization/Sandbox Evasion

Software Discovery

Cloud Service Discovery

Cloud Service Dashboard

Cloud Infrastructure Discovery

Container and Resource Discovery

System Location Discovery

Group Policy Discovery

Cloud Storage Object Discovery

Debugger Evasion

Device Driver Discovery

Log Enumeration

Virtual Machine Discovery

Local Storage Discovery

lateral-movement

Lateral Movement

9 techniques

Remote Services

Software Deployment Tools

Taint Shared Content

Replication Through Removable Media

Exploitation of Remote Services

Internal Spearphishing

Use Alternate Authentication Material

Remote Service Session Hijacking

Lateral Tool Transfer

collection

Collection

17 techniques

Data from Local System

Data from Removable Media

Data from Network Shared Drive

Email Collection

Automated Collection

Browser Session Hijacking

Data from Information Repositories

Data from Cloud Storage

Adversary-in-the-Middle

Archive Collected Data

Data from Configuration Repository

command-and-control

Command and Control

18 techniques

Data Obfuscation

Fallback Channels

Application Layer Protocol

Communication Through Removable Media

Non-Application Layer Protocol

Multi-Stage Channels

Ingress Tool Transfer

Traffic Signaling

Remote Access Tools

Dynamic Resolution

Non-Standard Port

Protocol Tunneling

Encrypted Channel

Content Injection

Hide Infrastructure

exfiltration

Exfiltration

9 techniques

Exfiltration Over Other Network Medium

Automated Exfiltration

Scheduled Transfer

Data Transfer Size Limits

Exfiltration Over C2 Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Transfer Data to Cloud Account

Exfiltration Over Web Service

impact

Impact

15 techniques

Data Destruction

Data Encrypted for Impact

Inhibit System Recovery

Firmware Corruption

Resource Hijacking

Network Denial of Service

Endpoint Denial of Service

System Shutdown/Reboot

Account Access Removal

Data Manipulation

Financial Theft