MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

ATT&CK Matrix for Enterprise

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Drive-by CompromiseAppleScript.bash_profile and .bashrcAccess Token ManipulationAccess Token ManipulationAccount ManipulationAccount DiscoveryAppleScriptAudio CaptureAutomated ExfiltrationCommonly Used Port
Exploit Public-Facing ApplicationCMSTPAccessibility FeaturesAccessibility FeaturesBITS JobsBash HistoryApplication Window DiscoveryApplication Deployment SoftwareAutomated CollectionData CompressedCommunication Through Removable Media
Hardware AdditionsCommand-Line InterfaceAccount ManipulationAppCert DLLsBinary PaddingBrute ForceBrowser Bookmark DiscoveryDistributed Component Object ModelClipboard DataData EncryptedConnection Proxy
Replication Through Removable MediaCompiled HTML FileAppCert DLLsAppInit DLLsBypass User Account ControlCredential DumpingFile and Directory DiscoveryExploitation of Remote ServicesData StagedData Transfer Size LimitsCustom Command and Control Protocol
Spearphishing AttachmentControl Panel ItemsAppInit DLLsApplication ShimmingCMSTPCredentials in FilesNetwork Service ScanningLogon ScriptsData from Information RepositoriesExfiltration Over Alternative ProtocolCustom Cryptographic Protocol
Spearphishing LinkDynamic Data ExchangeApplication ShimmingBypass User Account ControlClear Command HistoryCredentials in RegistryNetwork Share DiscoveryPass the HashData from Local SystemExfiltration Over Command and Control ChannelData Encoding
Spearphishing via ServiceExecution through APIAuthentication PackageDLL Search Order HijackingCode SigningExploitation for Credential AccessNetwork SniffingPass the TicketData from Network Shared DriveExfiltration Over Other Network MediumData Obfuscation
Supply Chain CompromiseExecution through Module LoadBITS JobsDylib HijackingCompiled HTML FileForced AuthenticationPassword Policy DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Physical MediumDomain Fronting
Trusted RelationshipExploitation for Client ExecutionBootkitExploitation for Privilege EscalationComponent FirmwareHookingPeripheral Device DiscoveryRemote File CopyEmail CollectionScheduled TransferFallback Channels
Valid AccountsGraphical User InterfaceBrowser ExtensionsExtra Window Memory InjectionComponent Object Model HijackingInput CapturePermission Groups DiscoveryRemote ServicesInput CaptureMulti-Stage Channels
InstallUtilChange Default File AssociationFile System Permissions WeaknessControl Panel ItemsInput PromptProcess DiscoveryReplication Through Removable MediaMan in the BrowserMulti-hop Proxy
LSASS DriverComponent FirmwareHookingDCShadowKerberoastingQuery RegistrySSH HijackingScreen CaptureMultiband Communication
LaunchctlComponent Object Model HijackingImage File Execution Options InjectionDLL Search Order HijackingKeychainRemote System DiscoveryShared WebrootVideo CaptureMultilayer Encryption
Local Job SchedulingCreate AccountLaunch DaemonDLL Side-LoadingLLMNR/NBT-NS PoisoningSecurity Software DiscoveryTaint Shared ContentPort Knocking
MshtaDLL Search Order HijackingNew ServiceDeobfuscate/Decode Files or InformationNetwork SniffingSystem Information DiscoveryThird-party SoftwareRemote Access Tools
PowerShellDylib HijackingPath InterceptionDisabling Security ToolsPassword Filter DLLSystem Network Configuration DiscoveryWindows Admin SharesRemote File Copy
Regsvcs/RegasmExternal Remote ServicesPlist ModificationExploitation for Defense EvasionPrivate KeysSystem Network Connections DiscoveryWindows Remote ManagementStandard Application Layer Protocol
Regsvr32File System Permissions WeaknessPort MonitorsExtra Window Memory InjectionSecurityd MemorySystem Owner/User DiscoveryStandard Cryptographic Protocol
Rundll32Hidden Files and DirectoriesProcess InjectionFile DeletionTwo-Factor Authentication InterceptionSystem Service DiscoveryStandard Non-Application Layer Protocol
Scheduled TaskHookingSID-History InjectionFile Permissions ModificationSystem Time DiscoveryUncommonly Used Port
ScriptingHypervisorScheduled TaskFile System Logical OffsetsWeb Service
Service ExecutionImage File Execution Options InjectionService Registry Permissions WeaknessGatekeeper Bypass
Signed Binary Proxy ExecutionKernel Modules and ExtensionsSetuid and SetgidHISTCONTROL
Signed Script Proxy ExecutionLC_LOAD_DYLIB AdditionStartup ItemsHidden Files and Directories
SourceLSASS DriverSudo CachingHidden Users
Space after FilenameLaunch AgentSudoHidden Window
Third-party SoftwareLaunch DaemonValid AccountsImage File Execution Options Injection
TrapLaunchctlWeb ShellIndicator Blocking
Trusted Developer UtilitiesLocal Job SchedulingIndicator Removal from Tools
User ExecutionLogin ItemIndicator Removal on Host
Windows Management InstrumentationLogon ScriptsIndirect Command Execution
Windows Remote ManagementModify Existing ServiceInstall Root Certificate
XSL Script ProcessingNetsh Helper DLLInstallUtil
New ServiceLC_MAIN Hijacking
Office Application StartupLaunchctl
Path InterceptionMasquerading
Plist ModificationModify Registry
Port KnockingMshta
Port MonitorsNTFS File Attributes
Rc.commonNetwork Share Connection Removal
Re-opened ApplicationsObfuscated Files or Information
Redundant AccessPlist Modification
Registry Run Keys / Startup FolderPort Knocking
SIP and Trust Provider HijackingProcess Doppelgänging
Scheduled TaskProcess Hollowing
ScreensaverProcess Injection
Security Support ProviderRedundant Access
Service Registry Permissions WeaknessRegsvcs/Regasm
Setuid and SetgidRegsvr32
Shortcut ModificationRootkit
Startup ItemsRundll32
System FirmwareSIP and Trust Provider Hijacking
Time ProvidersScripting
TrapSigned Binary Proxy Execution
Valid AccountsSigned Script Proxy Execution
Web ShellSoftware Packing
Windows Management Instrumentation Event SubscriptionSpace after Filename
Winlogon Helper DLLTemplate Injection
Trusted Developer Utilities
Valid Accounts
Web Service
XSL Script Processing