MITRE ATT&CK Enterprise Matrix

Browse the full Enterprise matrix β€” or paste a file hash to light up the techniques that sample was observed using, heat-coloured by how rare (discriminating) each one is.
not observed observed Β· common technique observed Β· uncommon observed Β· rare / discriminating 441 techniques Β· 14 tactics
Credential Access
30 tech
T1003
OS Credential Dumping
T1040
Network Sniffing
T1056
Input Capture
T1081
Credentials in Files
T1110
Brute Force
T1111
Multi-Factor Authentication Interception
T1139
Bash History
T1141
Input Prompt
T1142
Keychain
T1145
Private Keys
T1167
Securityd Memory
T1171
LLMNR/NBT-NS Poisoning and Relay
T1174
Password Filter DLL
T1179
Hooking
T1187
Forced Authentication
T1208
Kerberoasting
T1212
Exploitation for Credential Access
T1214
Credentials in Registry
T1503
Credentials from Web Browsers
T1522
Cloud Instance Metadata API
T1528
Steal Application Access Token
T1539
Steal Web Session Cookie
T1552
Unsecured Credentials
T1555
Credentials from Password Stores
T1556
Modify Authentication Process
T1557
Adversary-in-the-Middle
T1558
Steal or Forge Kerberos Tickets
T1606
Forge Web Credentials
T1621
Multi-Factor Authentication Request Generation
T1649
Steal or Forge Authentication Certificates
Execution
39 tech
T1028
Windows Remote Management
T1035
Service Execution
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1059
Command and Scripting Interpreter
T1061
Graphical User Interface
T1064
Scripting
T1072
Software Deployment Tools
T1085
Rundll32
T1086
PowerShell
T1106
Native API
T1117
Regsvr32
T1118
InstallUtil
T1121
Regsvcs/Regasm
T1129
Shared Modules
T1151
Space after Filename
T1152
Launchctl
T1153
Source
T1154
Trap
T1155
AppleScript
T1168
Local Job Scheduling
T1170
Mshta
T1173
Dynamic Data Exchange
T1175
Component Object Model and Distributed COM
T1177
LSASS Driver
T1191
CMSTP
T1196
Control Panel Items
T1203
Exploitation for Client Execution
T1204
User Execution
T1223
Compiled HTML File
T1559
Inter-Process Communication
T1569
System Services
T1609
Container Administration Command
T1610
Deploy Container
T1648
Serverless Execution
T1651
Cloud Administration Command
T1674
Input Injection
T1675
ESXi Administration Command
T1677
Poisoned Pipeline Execution
Impact
20 tech
T1485
Data Destruction
T1486
Data Encrypted for Impact
T1487
Disk Structure Wipe
T1488
Disk Content Wipe
T1489
Service Stop
T1490
Inhibit System Recovery
T1491
Defacement
T1492
Stored Data Manipulation
T1493
Transmitted Data Manipulation
T1494
Runtime Data Manipulation
T1495
Firmware Corruption
T1496
Resource Hijacking
T1498
Network Denial of Service
T1499
Endpoint Denial of Service
T1529
System Shutdown/Reboot
T1531
Account Access Removal
T1561
Disk Wipe
T1565
Data Manipulation
T1657
Financial Theft
T1667
Email Bombing
Persistence
74 tech
T1004
Winlogon Helper DLL
T1013
Port Monitors
T1015
Accessibility Features
T1019
System Firmware
T1023
Shortcut Modification
T1031
Modify Existing Service
T1034
Path Interception
T1037
Boot or Logon Initialization Scripts
T1038
DLL Search Order Hijacking
T1042
Change Default File Association
T1044
File System Permissions Weakness
T1050
New Service
T1053
Scheduled Task/Job
T1058
Service Registry Permissions Weakness
T1060
Registry Run Keys / Startup Folder
T1062
Hypervisor
T1067
Bootkit
T1078
Valid Accounts
T1084
Windows Management Instrumentation Event Subscription
T1098
Account Manipulation
T1100
Web Shell
T1101
Security Support Provider
T1103
AppInit DLLs
T1108
Redundant Access
T1109
Component Firmware
T1112
Modify Registry
T1122
Component Object Model Hijacking
T1128
Netsh Helper DLL
T1131
Authentication Package
T1133
External Remote Services
T1136
Create Account
T1137
Office Application Startup
T1138
Application Shimming
T1150
Plist Modification
T1152
Launchctl
T1154
Trap
T1156
Malicious Shell Modification
T1157
Dylib Hijacking
T1158
Hidden Files and Directories
T1159
Launch Agent
T1160
Launch Daemon
T1161
LC_LOAD_DYLIB Addition
T1162
Login Item
T1163
Rc.common
T1164
Re-opened Applications
T1165
Startup Items
T1166
Setuid and Setgid
T1168
Local Job Scheduling
T1176
Software Extensions
T1177
LSASS Driver
T1179
Hooking
T1180
Screensaver
T1182
AppCert DLLs
T1183
Image File Execution Options Injection
T1197
BITS Jobs
T1198
SIP and Trust Provider Hijacking
T1205
Traffic Signaling
T1209
Time Providers
T1215
Kernel Modules and Extensions
T1501
Systemd Service
T1504
PowerShell Profile
T1505
Server Software Component
T1519
Emond
T1525
Implant Internal Image
T1542
Pre-OS Boot
T1543
Create or Modify System Process
T1546
Event Triggered Execution
T1547
Boot or Logon Autostart Execution
T1554
Compromise Host Software Binary
T1556
Modify Authentication Process
T1574
Hijack Execution Flow
T1653
Power Settings
T1668
Exclusive Control
T1671
Cloud Application Integration
Privilege Escalation
41 tech
T1013
Port Monitors
T1015
Accessibility Features
T1034
Path Interception
T1037
Boot or Logon Initialization Scripts
T1038
DLL Search Order Hijacking
T1044
File System Permissions Weakness
T1050
New Service
T1053
Scheduled Task/Job
T1055
Process Injection
T1058
Service Registry Permissions Weakness
T1068
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1088
Bypass User Account Control
T1098
Account Manipulation
T1100
Web Shell
T1103
AppInit DLLs
T1134
Access Token Manipulation
T1138
Application Shimming
T1150
Plist Modification
T1157
Dylib Hijacking
T1160
Launch Daemon
T1165
Startup Items
T1166
Setuid and Setgid
T1169
Sudo
T1178
SID-History Injection
T1179
Hooking
T1181
Extra Window Memory Injection
T1182
AppCert DLLs
T1183
Image File Execution Options Injection
T1206
Sudo Caching
T1484
Domain or Tenant Policy Modification
T1502
Parent PID Spoofing
T1504
PowerShell Profile
T1514
Elevated Execution with Prompt
T1519
Emond
T1543
Create or Modify System Process
T1546
Event Triggered Execution
T1547
Boot or Logon Autostart Execution
T1548
Abuse Elevation Control Mechanism
T1574
Hijack Execution Flow
T1611
Escape to Host
Lateral Movement
20 tech
T1017
Application Deployment Software
T1021
Remote Services
T1028
Windows Remote Management
T1051
Shared Webroot
T1072
Software Deployment Tools
T1075
Pass the Hash
T1076
Remote Desktop Protocol
T1077
Windows Admin Shares
T1080
Taint Shared Content
T1091
Replication Through Removable Media
T1097
Pass the Ticket
T1175
Component Object Model and Distributed COM
T1184
SSH Hijacking
T1210
Exploitation of Remote Services
T1506
Web Session Cookie
T1527
Application Access Token
T1534
Internal Spearphishing
T1550
Use Alternate Authentication Material
T1563
Remote Service Session Hijacking
T1570
Lateral Tool Transfer
Defense Evasion
93 tech
T1006
Direct Volume Access
T1009
Binary Padding
T1014
Rootkit
T1027
Obfuscated Files or Information
T1036
Masquerading
T1038
DLL Search Order Hijacking
T1045
Software Packing
T1054
Indicator Blocking
T1055
Process Injection
T1064
Scripting
T1066
Indicator Removal from Tools
T1070
Indicator Removal
T1073
DLL Side-Loading
T1078
Valid Accounts
T1085
Rundll32
T1088
Bypass User Account Control
T1089
Disabling Security Tools
T1093
Process Hollowing
T1096
NTFS File Attributes
T1099
Timestomp
T1107
File Deletion
T1108
Redundant Access
T1109
Component Firmware
T1112
Modify Registry
T1116
Code Signing
T1117
Regsvr32
T1118
InstallUtil
T1121
Regsvcs/Regasm
T1122
Component Object Model Hijacking
T1126
Network Share Connection Removal
T1127
Trusted Developer Utilities Proxy Execution
T1130
Install Root Certificate
T1134
Access Token Manipulation
T1140
Deobfuscate/Decode Files or Information
T1143
Hidden Window
T1144
Gatekeeper Bypass
T1146
Clear Command History
T1147
Hidden Users
T1148
HISTCONTROL
T1149
LC_MAIN Hijacking
T1150
Plist Modification
T1151
Space after Filename
T1152
Launchctl
T1158
Hidden Files and Directories
T1170
Mshta
T1181
Extra Window Memory Injection
T1183
Image File Execution Options Injection
T1186
Process DoppelgΓ€nging
T1191
CMSTP
T1196
Control Panel Items
T1197
BITS Jobs
T1198
SIP and Trust Provider Hijacking
T1202
Indirect Command Execution
T1205
Traffic Signaling
T1207
Rogue Domain Controller
T1211
Exploitation for Defense Evasion
T1216
System Script Proxy Execution
T1218
System Binary Proxy Execution
T1220
XSL Script Processing
T1221
Template Injection
T1222
File and Directory Permissions Modification
T1223
Compiled HTML File
T1480
Execution Guardrails
T1484
Domain or Tenant Policy Modification
T1497
Virtualization/Sandbox Evasion
T1500
Compile After Delivery
T1502
Parent PID Spoofing
T1506
Web Session Cookie
T1527
Application Access Token
T1535
Unused/Unsupported Cloud Regions
T1536
Revert Cloud Instance
T1542
Pre-OS Boot
T1548
Abuse Elevation Control Mechanism
T1550
Use Alternate Authentication Material
T1553
Subvert Trust Controls
T1556
Modify Authentication Process
T1562
Impair Defenses
T1564
Hide Artifacts
T1574
Hijack Execution Flow
T1578
Modify Cloud Compute Infrastructure
T1599
Network Boundary Bridging
T1600
Weaken Encryption
T1601
Modify System Image
T1610
Deploy Container
T1612
Build Image on Host
T1620
Reflective Code Loading
T1622
Debugger Evasion
T1647
Plist File Modification
T1656
Impersonation
T1666
Modify Cloud Resource Hierarchy
T1672
Email Spoofing
T1678
Delay Execution
T1679
Selective Exclusion
Exfiltration
11 tech
T1002
Data Compressed
T1011
Exfiltration Over Other Network Medium
T1020
Automated Exfiltration
T1022
Data Encrypted
T1029
Scheduled Transfer
T1030
Data Transfer Size Limits
T1041
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
T1052
Exfiltration Over Physical Medium
T1537
Transfer Data to Cloud Account
T1567
Exfiltration Over Web Service
Discovery
35 tech
T1007
System Service Discovery
T1010
Application Window Discovery
T1012
Query Registry
T1016
System Network Configuration Discovery
T1018
Remote System Discovery
T1033
System Owner/User Discovery
T1040
Network Sniffing
T1046
Network Service Discovery
T1049
System Network Connections Discovery
T1057
Process Discovery
T1063
Security Software Discovery
T1069
Permission Groups Discovery
T1082
System Information Discovery
T1083
File and Directory Discovery
T1087
Account Discovery
T1120
Peripheral Device Discovery
T1124
System Time Discovery
T1135
Network Share Discovery
T1201
Password Policy Discovery
T1217
Browser Information Discovery
T1482
Domain Trust Discovery
T1497
Virtualization/Sandbox Evasion
T1518
Software Discovery
T1526
Cloud Service Discovery
T1538
Cloud Service Dashboard
T1580
Cloud Infrastructure Discovery
T1613
Container and Resource Discovery
T1614
System Location Discovery
T1615
Group Policy Discovery
T1619
Cloud Storage Object Discovery
T1622
Debugger Evasion
T1652
Device Driver Discovery
T1654
Log Enumeration
T1673
Virtual Machine Discovery
T1680
Local Storage Discovery
Collection
17 tech
T1005
Data from Local System
T1025
Data from Removable Media
T1039
Data from Network Shared Drive
T1056
Input Capture
T1074
Data Staged
T1113
Screen Capture
T1114
Email Collection
T1115
Clipboard Data
T1119
Automated Collection
T1123
Audio Capture
T1125
Video Capture
T1185
Browser Session Hijacking
T1213
Data from Information Repositories
T1530
Data from Cloud Storage
T1557
Adversary-in-the-Middle
T1560
Archive Collected Data
T1602
Data from Configuration Repository
Resource Development
8 tech
T1583
Acquire Infrastructure
T1584
Compromise Infrastructure
T1585
Establish Accounts
T1586
Compromise Accounts
T1587
Develop Capabilities
T1588
Obtain Capabilities
T1608
Stage Capabilities
T1650
Acquire Access
Reconnaissance
11 tech
T1589
Gather Victim Identity Information
T1590
Gather Victim Network Information
T1591
Gather Victim Org Information
T1592
Gather Victim Host Information
T1593
Search Open Websites/Domains
T1594
Search Victim-Owned Websites
T1595
Active Scanning
T1596
Search Open Technical Databases
T1597
Search Closed Sources
T1598
Phishing for Information
T1681
Search Threat Vendor Data
Command and Control
28 tech
T1001
Data Obfuscation
T1008
Fallback Channels
T1024
Custom Cryptographic Protocol
T1026
Multiband Communication
T1032
Standard Cryptographic Protocol
T1043
Commonly Used Port
T1065
Uncommonly Used Port
T1071
Application Layer Protocol
T1079
Multilayer Encryption
T1090
Proxy
T1092
Communication Through Removable Media
T1094
Custom Command and Control Protocol
T1095
Non-Application Layer Protocol
T1102
Web Service
T1104
Multi-Stage Channels
T1105
Ingress Tool Transfer
T1132
Data Encoding
T1172
Domain Fronting
T1188
Multi-hop Proxy
T1205
Traffic Signaling
T1219
Remote Access Tools
T1483
Domain Generation Algorithms
T1568
Dynamic Resolution
T1571
Non-Standard Port
T1572
Protocol Tunneling
T1573
Encrypted Channel
T1659
Content Injection
T1665
Hide Infrastructure
Initial Access
14 tech
T1078
Valid Accounts
T1091
Replication Through Removable Media
T1133
External Remote Services
T1189
Drive-by Compromise
T1190
Exploit Public-Facing Application
T1192
Spearphishing Link
T1193
Spearphishing Attachment
T1194
Spearphishing via Service
T1195
Supply Chain Compromise
T1199
Trusted Relationship
T1200
Hardware Additions
T1566
Phishing
T1659
Content Injection
T1669
Wi-Fi Networks