Submitted URL: https://go.microsoft.com/fwlink/?linkid=2135034
Effective URL: https://attack.mitre.org/matrices/enterprise/


ENTERPRISE MATRIX

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for
Enterprise. The Matrix contains information for the following platforms:
Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS,
Network, Containers.


RECONNAISSANCE (10 techniques)
 * Active Scanning (2)
   Scanning IP Blocks
   Vulnerability Scanning
 * Gather Victim Host Information (4)
   Hardware
   Software
   Firmware
   Client Configurations
 * Gather Victim Identity Information (3)
   Credentials
   Email Addresses
   Employee Names
 * Gather Victim Network Information (6)
   Domain Properties
   DNS
   Network Trust Dependencies
   Network Topology
   IP Addresses
   Network Security Appliances
 * Gather Victim Org Information (4)
   Business Relationships
   Determine Physical Locations
   Identify Business Tempo
   Identify Roles
 * Phishing for Information (3)
   Spearphishing Service
   Spearphishing Attachment
   Spearphishing Link
 * Search Closed Sources (2)
   Threat Intel Vendors
   Purchase Technical Data
 * Search Open Technical Databases (5)
   WHOIS
   DNS/Passive DNS
   Digital Certificates
   CDNs
   Scan Databases
 * Search Open Websites/Domains (2)
   Social Media
   Search Engines
 * Search Victim-Owned Websites

RESOURCE DEVELOPMENT (7 techniques)
 * Acquire Infrastructure (6)
   Domains
   DNS Server
   Virtual Private Server
   Server
   Botnet
   Web Services
 * Compromise Accounts (2)
   Social Media Accounts
   Email Accounts
 * Compromise Infrastructure (6)
   Domains
   DNS Server
   Virtual Private Server
   Server
   Botnet
   Web Services
 * Develop Capabilities (4)
   Malware
   Code Signing Certificates
   Digital Certificates
   Exploits
 * Establish Accounts (2)
   Social Media Accounts
   Email Accounts
 * Obtain Capabilities (6)
   Malware
   Tool
   Code Signing Certificates
   Digital Certificates
   Exploits
   Vulnerabilities
 * Stage Capabilities (5)
   Upload Malware
   Upload Tool
   Install Digital Certificate
   Drive-by Target
   Link Target

INITIAL ACCESS (9 techniques)
 * Drive-by Compromise
 * Exploit Public-Facing Application
 * External Remote Services
 * Hardware Additions
 * Phishing (3)
   Spearphishing Attachment
   Spearphishing Link
   Spearphishing via Service
 * Replication Through Removable Media
 * Supply Chain Compromise (3)
   Compromise Software Dependencies and Development Tools
   Compromise Software Supply Chain
   Compromise Hardware Supply Chain
 * Trusted Relationship
 * Valid Accounts (4)
   Default Accounts
   Domain Accounts
   Local Accounts
   Cloud Accounts

EXECUTION (12 techniques)
 * Command and Scripting Interpreter (8)
   PowerShell
   AppleScript
   Windows Command Shell
   Unix Shell
   Visual Basic
   Python
   JavaScript
   Network Device CLI
 * Container Administration Command
 * Deploy Container
 * Exploitation for Client Execution
 * Inter-Process Communication (2)
   Component Object Model
   Dynamic Data Exchange
 * Native API
 * Scheduled Task/Job (7)
   At (Windows)
   Scheduled Task
   At (Linux)
   Launchd
   Cron
   Systemd Timers
   Container Orchestration Job
 * Shared Modules
 * Software Deployment Tools
 * System Services (2)
   Launchctl
   Service Execution
 * User Execution (3)
   Malicious Link
   Malicious File
   Malicious Image
 * Windows Management Instrumentation

PERSISTENCE (19 techniques)
 * Account Manipulation (4)
   Additional Cloud Credentials
   Exchange Email Delegate Permissions
   Add Office 365 Global Administrator Role
   SSH Authorized Keys
 * BITS Jobs
 * Boot or Logon Autostart Execution (14)
   Registry Run Keys / Startup Folder
   Authentication Package
   Time Providers
   Winlogon Helper DLL
   Security Support Provider
   Kernel Modules and Extensions
   Re-opened Applications
   LSASS Driver
   Shortcut Modification
   Port Monitors
   Plist Modification
   Print Processors
   XDG Autostart Entries
   Active Setup
 * Boot or Logon Initialization Scripts (5)
   Logon Script (Windows)
   Logon Script (Mac)
   Network Logon Script
   RC Scripts
   Startup Items
 * Browser Extensions
 * Compromise Client Software Binary
 * Create Account (3)
   Local Account
   Domain Account
   Cloud Account
 * Create or Modify System Process (4)
   Launch Agent
   Systemd Service
   Windows Service
   Launch Daemon
 * Event Triggered Execution (15)
   Change Default File Association
   Screensaver
   Windows Management Instrumentation Event Subscription
   Unix Shell Configuration Modification
   Trap
   LC_LOAD_DYLIB Addition
   Netsh Helper DLL
   Accessibility Features
   AppCert DLLs
   AppInit DLLs
   Application Shimming
   Image File Execution Options Injection
   PowerShell Profile
   Emond
   Component Object Model Hijacking
 * External Remote Services
 * Hijack Execution Flow (11)
   Services File Permissions Weakness
   Executable Installer File Permissions Weakness
   Services Registry Permissions Weakness
   Path Interception by Unquoted Path
   Path Interception by PATH Environment Variable
   Path Interception by Search Order Hijacking
   DLL Search Order Hijacking
   DLL Side-Loading
   Dynamic Linker Hijacking
   Dylib Hijacking
   COR_PROFILER
 * Implant Internal Image
 * Modify Authentication Process (4)
   Domain Controller Authentication
   Password Filter DLL
   Pluggable Authentication Modules
   Network Device Authentication
 * Office Application Startup (6)
   Add-ins
   Office Template Macros
   Outlook Forms
   Outlook Rules
   Outlook Home Page
   Office Test
 * Pre-OS Boot (5)
   System Firmware
   Component Firmware
   Bootkit
   ROMMONkit
   TFTP Boot
 * Scheduled Task/Job (7)
   At (Windows)
   Scheduled Task
   At (Linux)
   Launchd
   Cron
   Systemd Timers
   Container Orchestration Job
 * Server Software Component (3)
   SQL Stored Procedures
   Transport Agent
   Web Shell
 * Traffic Signaling (1)
   Port Knocking
 * Valid Accounts (4)
   Default Accounts
   Domain Accounts
   Local Accounts
   Cloud Accounts

PRIVILEGE ESCALATION (13 techniques)
 * Abuse Elevation Control Mechanism (4)
   Setuid and Setgid
   Bypass User Account Control
   Sudo and Sudo Caching
   Elevated Execution with Prompt
 * Access Token Manipulation (5)
   Token Impersonation/Theft
   Create Process with Token
   Make and Impersonate Token
   Parent PID Spoofing
   SID-History Injection
 * Boot or Logon Autostart Execution (14)
   Registry Run Keys / Startup Folder
   Authentication Package
   Time Providers
   Winlogon Helper DLL
   Security Support Provider
   Kernel Modules and Extensions
   Re-opened Applications
   LSASS Driver
   Shortcut Modification
   Port Monitors
   Plist Modification
   Print Processors
   XDG Autostart Entries
   Active Setup
 * Boot or Logon Initialization Scripts (5)
   Logon Script (Windows)
   Logon Script (Mac)
   Network Logon Script
   RC Scripts
   Startup Items
 * Create or Modify System Process (4)
   Launch Agent
   Systemd Service
   Windows Service
   Launch Daemon
 * Domain Policy Modification (2)
   Group Policy Modification
   Domain Trust Modification
 * Escape to Host
 * Event Triggered Execution (15)
   Change Default File Association
   Screensaver
   Windows Management Instrumentation Event Subscription
   Unix Shell Configuration Modification
   Trap
   LC_LOAD_DYLIB Addition
   Netsh Helper DLL
   Accessibility Features
   AppCert DLLs
   AppInit DLLs
   Application Shimming
   Image File Execution Options Injection
   PowerShell Profile
   Emond
   Component Object Model Hijacking
 * Exploitation for Privilege Escalation
 * Hijack Execution Flow (11)
   Services File Permissions Weakness
   Executable Installer File Permissions Weakness
   Services Registry Permissions Weakness
   Path Interception by Unquoted Path
   Path Interception by PATH Environment Variable
   Path Interception by Search Order Hijacking
   DLL Search Order Hijacking
   DLL Side-Loading
   Dynamic Linker Hijacking
   Dylib Hijacking
   COR_PROFILER
 * Process Injection (11)
   Dynamic-link Library Injection
   Portable Executable Injection
   Thread Execution Hijacking
   Asynchronous Procedure Call
   Thread Local Storage
   Ptrace System Calls
   Proc Memory
   Extra Window Memory Injection
   Process Doppelgänging
   Process Hollowing
   VDSO Hijacking
 * Scheduled Task/Job (7)
   At (Windows)
   Scheduled Task
   At (Linux)
   Launchd
   Cron
   Systemd Timers
   Container Orchestration Job
 * Valid Accounts (4)
   Default Accounts
   Domain Accounts
   Local Accounts
   Cloud Accounts

DEFENSE EVASION (39 techniques)
 * Abuse Elevation Control Mechanism (4)
   Setuid and Setgid
   Bypass User Account Control
   Sudo and Sudo Caching
   Elevated Execution with Prompt
 * Access Token Manipulation (5)
   Token Impersonation/Theft
   Create Process with Token
   Make and Impersonate Token
   Parent PID Spoofing
   SID-History Injection
 * BITS Jobs
 * Build Image on Host
 * Deobfuscate/Decode Files or Information
 * Deploy Container
 * Direct Volume Access
 * Domain Policy Modification (2)
   Group Policy Modification
   Domain Trust Modification
 * Execution Guardrails (1)
   Environmental Keying
 * Exploitation for Defense Evasion
 * File and Directory Permissions Modification (2)
   Windows File and Directory Permissions Modification
   Linux and Mac File and Directory Permissions Modification
 * Hide Artifacts (7)
   Hidden Files and Directories
   Hidden Users
   Hidden Window
   NTFS File Attributes
   Hidden File System
   Run Virtual Instance
   VBA Stomping
 * Hijack Execution Flow (11)
   Services File Permissions Weakness
   Executable Installer File Permissions Weakness
   Services Registry Permissions Weakness
   Path Interception by Unquoted Path
   Path Interception by PATH Environment Variable
   Path Interception by Search Order Hijacking
   DLL Search Order Hijacking
   DLL Side-Loading
   Dynamic Linker Hijacking
   Dylib Hijacking
   COR_PROFILER
 * Impair Defenses (7)
   Disable or Modify Tools
   Disable Windows Event Logging
   Impair Command History Logging
   Disable or Modify System Firewall
   Indicator Blocking
   Disable or Modify Cloud Firewall
   Disable Cloud Logs
 * Indicator Removal on Host (6)
   Clear Windows Event Logs
   Clear Linux or Mac System Logs
   Clear Command History
   File Deletion
   Network Share Connection Removal
   Timestomp
 * Indirect Command Execution
 * Masquerading (6)
   Invalid Code Signature
   Right-to-Left Override
   Rename System Utilities
   Masquerade Task or Service
   Match Legitimate Name or Location
   Space after Filename
 * Modify Authentication Process (4)
   Domain Controller Authentication
   Password Filter DLL
   Pluggable Authentication Modules
   Network Device Authentication
 * Modify Cloud Compute Infrastructure (4)
   Create Snapshot
   Create Cloud Instance
   Delete Cloud Instance
   Revert Cloud Instance
 * Modify Registry
 * Modify System Image (2)
   Patch System Image
   Downgrade System Image
 * Network Boundary Bridging (1)
   Network Address Translation Traversal
 * Obfuscated Files or Information (5)
   Binary Padding
   Software Packing
   Steganography
   Compile After Delivery
   Indicator Removal from Tools
 * Pre-OS Boot (5)
   System Firmware
   Component Firmware
   Bootkit
   ROMMONkit
   TFTP Boot
 * Process Injection (11)
   Dynamic-link Library Injection
   Portable Executable Injection
   Thread Execution Hijacking
   Asynchronous Procedure Call
   Thread Local Storage
   Ptrace System Calls
   Proc Memory
   Extra Window Memory Injection
   Process Doppelgänging
   Process Hollowing
   VDSO Hijacking
 * Rogue Domain Controller
 * Rootkit
 * Signed Binary Proxy Execution (11)
   Rundll32
   Compiled HTML File
   Control Panel
   CMSTP
   InstallUtil
   Mshta
   Regsvcs/Regasm
   Regsvr32
   Msiexec
   Odbcconf
   Verclsid
 * Signed Script Proxy Execution (1)
   PubPrn
 * Subvert Trust Controls (6)
   Gatekeeper Bypass
   Code Signing
   SIP and Trust Provider Hijacking
   Install Root Certificate
   Mark-of-the-Web Bypass
   Code Signing Policy Modification
 * Template Injection
 * Traffic Signaling (1)
   Port Knocking
 * Trusted Developer Utilities Proxy Execution (1)
   MSBuild
 * Unused/Unsupported Cloud Regions
 * Use Alternate Authentication Material (4)
   Pass the Hash
   Pass the Ticket
   Application Access Token
   Web Session Cookie
 * Valid Accounts (4)
   Default Accounts
   Domain Accounts
   Local Accounts
   Cloud Accounts
 * Virtualization/Sandbox Evasion (3)
   System Checks
   User Activity Based Checks
   Time Based Evasion
 * Weaken Encryption (2)
   Reduce Key Space
   Disable Crypto Hardware
 * XSL Script Processing

CREDENTIAL ACCESS (15 techniques)
 * Brute Force (4)
   Password Guessing
   Password Cracking
   Password Spraying
   Credential Stuffing
 * Credentials from Password Stores (5)
   Keychain
   Securityd Memory
   Credentials from Web Browsers
   Windows Credential Manager
   Password Managers
 * Exploitation for Credential Access
 * Forced Authentication
 * Forge Web Credentials (2)
   Web Cookies
   SAML Tokens
 * Input Capture (4)
   Keylogging
   GUI Input Capture
   Web Portal Capture
   Credential API Hooking
 * Man-in-the-Middle (2)
   LLMNR/NBT-NS Poisoning and SMB Relay
   ARP Cache Poisoning
 * Modify Authentication Process (4)
   Domain Controller Authentication
   Password Filter DLL
   Pluggable Authentication Modules
   Network Device Authentication
 * Network Sniffing
 * OS Credential Dumping (8)
   LSASS Memory
   Security Account Manager
   NTDS
   DCSync
   Proc Filesystem
   /etc/passwd and /etc/shadow
   Cached Domain Credentials
   LSA Secrets
 * Steal Application Access Token
 * Steal or Forge Kerberos Tickets (4)
   Golden Ticket
   Silver Ticket
   Kerberoasting
   AS-REP Roasting
 * Steal Web Session Cookie
 * Two-Factor Authentication Interception
 * Unsecured Credentials (7)
   Credentials In Files
   Credentials in Registry
   Bash History
   Private Keys
   Cloud Instance Metadata API
   Group Policy Preferences
   Container API

DISCOVERY (27 techniques)
 * Account Discovery (4)
   Local Account
   Domain Account
   Email Account
   Cloud Account
 * Application Window Discovery
 * Browser Bookmark Discovery
 * Cloud Infrastructure Discovery
 * Cloud Service Dashboard
 * Cloud Service Discovery
 * Container and Resource Discovery
 * Domain Trust Discovery
 * File and Directory Discovery
 * Network Service Scanning
 * Network Share Discovery
 * Network Sniffing
 * Password Policy Discovery
 * Peripheral Device Discovery
 * Permission Groups Discovery (3)
   Domain Groups
   Cloud Groups
   Local Groups
 * Process Discovery
 * Query Registry
 * Remote System Discovery
 * Software Discovery (1)
   Security Software Discovery
 * System Information Discovery
 * System Location Discovery
 * System Network Configuration Discovery (1)
   Internet Connection Discovery
 * System Network Connections Discovery
 * System Owner/User Discovery
 * System Service Discovery
 * System Time Discovery
 * Virtualization/Sandbox Evasion (3)
   System Checks
   User Activity Based Checks
   Time Based Evasion

LATERAL MOVEMENT (9 techniques)
 * Exploitation of Remote Services
 * Internal Spearphishing
 * Lateral Tool Transfer
 * Remote Service Session Hijacking (2)
   SSH Hijacking
   RDP Hijacking
 * Remote Services (6)
   Remote Desktop Protocol
   SMB/Windows Admin Shares
   Distributed Component Object Model
   SSH
   VNC
   Windows Remote Management
 * Replication Through Removable Media
 * Software Deployment Tools
 * Taint Shared Content
 * Use Alternate Authentication Material (4)
   Pass the Hash
   Pass the Ticket
   Application Access Token
   Web Session Cookie

COLLECTION (17 techniques)
 * Archive Collected Data (3)
   Archive via Utility
   Archive via Library
   Archive via Custom Method
 * Audio Capture
 * Automated Collection
 * Clipboard Data
 * Data from Cloud Storage Object
 * Data from Configuration Repository (2)
   SNMP (MIB Dump)
   Network Device Configuration Dump
 * Data from Information Repositories (2)
   Confluence
   Sharepoint
 * Data from Local System
 * Data from Network Shared Drive
 * Data from Removable Media
 * Data Staged (2)
   Local Data Staging
   Remote Data Staging
 * Email Collection (3)
   Local Email Collection
   Remote Email Collection
   Email Forwarding Rule
 * Input Capture (4)
   Keylogging
   GUI Input Capture
   Web Portal Capture
   Credential API Hooking
 * Man in the Browser
 * Man-in-the-Middle (2)
   LLMNR/NBT-NS Poisoning and SMB Relay
   ARP Cache Poisoning
 * Screen Capture
 * Video Capture

COMMAND AND CONTROL (16 techniques)
 * Application Layer Protocol (4)
   Web Protocols
   File Transfer Protocols
   Mail Protocols
   DNS
 * Communication Through Removable Media
 * Data Encoding (2)
   Standard Encoding
   Non-Standard Encoding
 * Data Obfuscation (3)
   Junk Data
   Steganography
   Protocol Impersonation
 * Dynamic Resolution (3)
   Domain Generation Algorithms
   Fast Flux DNS
   DNS Calculation
 * Encrypted Channel (2)
   Symmetric Cryptography
   Asymmetric Cryptography
 * Fallback Channels
 * Ingress Tool Transfer
 * Multi-Stage Channels
 * Non-Application Layer Protocol
 * Non-Standard Port
 * Protocol Tunneling
 * Proxy (4)
   Internal Proxy
   External Proxy
   Multi-hop Proxy
   Domain Fronting
 * Remote Access Software
 * Traffic Signaling (1)
   Port Knocking
 * Web Service (3)
   Dead Drop Resolver
   Bidirectional Communication
   One-Way Communication

EXFILTRATION (9 techniques)
 * Automated Exfiltration (1)
   Traffic Duplication
 * Data Transfer Size Limits
 * Exfiltration Over Alternative Protocol (3)
   Exfiltration Over Symmetric Encrypted Non-C2 Protocol
   Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
   Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
 * Exfiltration Over C2 Channel
 * Exfiltration Over Other Network Medium (1)
   Exfiltration Over Bluetooth
 * Exfiltration Over Physical Medium (1)
   Exfiltration over USB
 * Exfiltration Over Web Service (2)
   Exfiltration to Code Repository
   Exfiltration to Cloud Storage
 * Scheduled Transfer
 * Transfer Data to Cloud Account

IMPACT (13 techniques)
 * Account Access Removal
 * Data Destruction
 * Data Encrypted for Impact
 * Data Manipulation (3)
   Stored Data Manipulation
   Transmitted Data Manipulation
   Runtime Data Manipulation
 * Defacement (2)
   Internal Defacement
   External Defacement
 * Disk Wipe (2)
   Disk Content Wipe
   Disk Structure Wipe
 * Endpoint Denial of Service (4)
   OS Exhaustion Flood
   Service Exhaustion Flood
   Application Exhaustion Flood
   Application or System Exploitation
 * Firmware Corruption
 * Inhibit System Recovery
 * Network Denial of Service (2)
   Direct Network Flood
   Reflection Amplification
 * Resource Hijacking
 * Service Stop
 * System Shutdown/Reboot


Last modified: 29 April 2021
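Anyone scraping this matrix into a Navigator layer or a coverage spreadsheet has to recover the technique/sub-technique tree from flattened text, where "Name (N)" marks a technique whose N sub-techniques follow it, and the tactic header states how many techniques the column holds. The following Python is an added example, not code from the ATT&CK site or the MITRE project: it parses one tactic column in that form and checks it against the header's technique count, so a wrong "(N)" or a dropped line is caught rather than silently shifting every technique below it. The sample column is the Exfiltration tactic transcribed from this page; the function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# In the flattened matrix text, "Name (N)" is a technique whose N sub-techniques
# are listed on the lines directly below it. Lines without "(N)" are techniques
# that have no sub-techniques.
PARENT_RE = re.compile(r"^(?P<name>.+?) \((?P<count>\d+)\)$")

# Exfiltration column, transcribed from the matrix on this page (the header
# declares 9 techniques). The "=" expander markers and blank lines of the
# flattened layout are kept so the cleaner has something to strip.
EXFILTRATION_COLUMN = """
=
Automated Exfiltration (1)
Traffic Duplication

Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
Exfiltration Over Bluetooth

=
Exfiltration Over Physical Medium (1)
Exfiltration over USB

=
Exfiltration Over Web Service (2)
Exfiltration to Code Repository
Exfiltration to Cloud Storage

Scheduled Transfer
Transfer Data to Cloud Account
"""


@dataclass
class Technique:
    name: str
    subtechniques: List[str] = field(default_factory=list)


def clean_lines(raw: str) -> List[str]:
    """Strip layout residue: blank lines, '=' markers, leading bullets and indentation."""
    out = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("* "):
            line = line[2:].strip()
        if line and line != "=":
            out.append(line)
    return out


def parse_tactic_column(raw: str) -> List[Technique]:
    """Rebuild the technique -> sub-technique tree for one tactic column.

    The "(N)" annotation is trusted: the N lines after a parent are its
    sub-techniques. A wrong N therefore shifts the rest of the column, which is
    what check_column() detects.
    """
    lines = clean_lines(raw)
    techniques: List[Technique] = []
    i = 0
    while i < len(lines):
        m = PARENT_RE.match(lines[i])
        if m is None:
            techniques.append(Technique(lines[i]))
            i += 1
            continue
        count = int(m.group("count"))
        subs = lines[i + 1 : i + 1 + count]
        if len(subs) < count:
            raise ValueError(f"{m.group('name')}: column ends before {count} sub-techniques")
        techniques.append(Technique(m.group("name"), subs))
        i += 1 + count
    return techniques


def check_column(raw: str, declared_total: int) -> List[str]:
    """Return inconsistencies between a column and the header's technique count.

    An over-stated "(N)" swallows the next parent technique into a sub-technique
    list (flagged by name); any wrong "(N)" also changes how many techniques the
    column yields, which the total check catches.
    """
    problems: List[str] = []
    techniques = parse_tactic_column(raw)
    for t in techniques:
        for s in t.subtechniques:
            if PARENT_RE.match(s):
                problems.append(f"{t.name}: sub-technique list swallowed parent '{s}'")
    if len(techniques) != declared_total:
        problems.append(
            f"column yields {len(techniques)} techniques, header declares {declared_total}"
        )
    return problems


if __name__ == "__main__":
    for t in parse_tactic_column(EXFILTRATION_COLUMN):
        print(t.name, t.subtechniques)
    print("problems:", check_column(EXFILTRATION_COLUMN, 9))
```

Run as-is it reports no problems for the Exfiltration column. Changing "Exfiltration Over Web Service (2)" to "(3)" pulls "Scheduled Transfer" into that sub-technique list and the column yields 8 techniques instead of the declared 9; inflating "Automated Exfiltration (1)" to "(3)" is flagged twice, once because a parent line was swallowed and once because the total no longer matches. Checking every column against its header this way is cheap insurance before the parsed tree is fed into tooling that keys on technique names.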


© 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered
trademarks of The MITRE Corporation.

ATT&CK v9.0