MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.



ATT&CK Matrix for Enterprise

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | Audio Capture | Commonly Used Port | Automated Exfiltration | Data Destruction |
| Exploit Public-Facing Application | CMSTP | Accessibility Features | Accessibility Features | BITS Jobs | Bash History | Application Window Discovery | Application Deployment Software | Automated Collection | Communication Through Removable Media | Data Compressed | Data Encrypted for Impact |
| External Remote Services | Command-Line Interface | Account Manipulation | AppCert DLLs | Binary Padding | Brute Force | Browser Bookmark Discovery | Distributed Component Object Model | Clipboard Data | Connection Proxy | Data Encrypted | Defacement |
| Hardware Additions | Compiled HTML File | AppCert DLLs | AppInit DLLs | Bypass User Account Control | Credential Dumping | Domain Trust Discovery | Exploitation of Remote Services | Data Staged | Custom Command and Control Protocol | Data Transfer Size Limits | Disk Content Wipe |
| Replication Through Removable Media | Control Panel Items | AppInit DLLs | Application Shimming | CMSTP | Credentials in Files | File and Directory Discovery | Logon Scripts | Data from Information Repositories | Custom Cryptographic Protocol | Exfiltration Over Alternative Protocol | Disk Structure Wipe |
| Spearphishing Attachment | Dynamic Data Exchange | Application Shimming | Bypass User Account Control | Clear Command History | Credentials in Registry | Network Service Scanning | Pass the Hash | Data from Local System | Data Encoding | Exfiltration Over Command and Control Channel | Endpoint Denial of Service |
| Spearphishing Link | Execution through API | Authentication Package | DLL Search Order Hijacking | Code Signing | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket | Data from Network Shared Drive | Data Obfuscation | Exfiltration Over Other Network Medium | Firmware Corruption |
| Spearphishing via Service | Execution through Module Load | BITS Jobs | Dylib Hijacking | Compile After Delivery | Forced Authentication | Network Sniffing | Remote Desktop Protocol | Data from Removable Media | Domain Fronting | Exfiltration Over Physical Medium | Inhibit System Recovery |
| Supply Chain Compromise | Exploitation for Client Execution | Bootkit | Exploitation for Privilege Escalation | Compiled HTML File | Hooking | Password Policy Discovery | Remote File Copy | Email Collection | Domain Generation Algorithms | Scheduled Transfer | Network Denial of Service |
| Trusted Relationship | Graphical User Interface | Browser Extensions | Extra Window Memory Injection | Component Firmware | Input Capture | Peripheral Device Discovery | Remote Services | Input Capture | Fallback Channels | | Resource Hijacking |
| Valid Accounts | InstallUtil | Change Default File Association | File System Permissions Weakness | Component Object Model Hijacking | Input Prompt | Permission Groups Discovery | Replication Through Removable Media | Man in the Browser | Multi-Stage Channels | | Runtime Data Manipulation |
| | LSASS Driver | Component Firmware | Hooking | Control Panel Items | Kerberoasting | Process Discovery | SSH Hijacking | Screen Capture | Multi-hop Proxy | | Service Stop |
| | Launchctl | Component Object Model Hijacking | Image File Execution Options Injection | DCShadow | Keychain | Query Registry | Shared Webroot | Video Capture | Multiband Communication | | Stored Data Manipulation |
| | Local Job Scheduling | Create Account | Launch Daemon | DLL Search Order Hijacking | LLMNR/NBT-NS Poisoning and Relay | Remote System Discovery | Taint Shared Content | | Multilayer Encryption | | Transmitted Data Manipulation |
| | Mshta | DLL Search Order Hijacking | New Service | DLL Side-Loading | Network Sniffing | Security Software Discovery | Third-party Software | | Port Knocking | | |
| | PowerShell | Dylib Hijacking | Path Interception | Deobfuscate/Decode Files or Information | Password Filter DLL | System Information Discovery | Windows Admin Shares | | Remote Access Tools | | |
| | Regsvcs/Regasm | External Remote Services | Plist Modification | Disabling Security Tools | Private Keys | System Network Configuration Discovery | Windows Remote Management | | Remote File Copy | | |
| | Regsvr32 | File System Permissions Weakness | Port Monitors | Execution Guardrails | Securityd Memory | System Network Connections Discovery | | | Standard Application Layer Protocol | | |
| | Rundll32 | Hidden Files and Directories | Process Injection | Exploitation for Defense Evasion | Two-Factor Authentication Interception | System Owner/User Discovery | | | Standard Cryptographic Protocol | | |
| | Scheduled Task | Hooking | SID-History Injection | Extra Window Memory Injection | | System Service Discovery | | | Standard Non-Application Layer Protocol | | |
| | Scripting | Hypervisor | Scheduled Task | File Deletion | | System Time Discovery | | | Uncommonly Used Port | | |
| | Service Execution | Image File Execution Options Injection | Service Registry Permissions Weakness | File Permissions Modification | | Virtualization/Sandbox Evasion | | | Web Service | | |
| | Signed Binary Proxy Execution | Kernel Modules and Extensions | Setuid and Setgid | File System Logical Offsets | | | | | | | |
| | Signed Script Proxy Execution | LC_LOAD_DYLIB Addition | Startup Items | Gatekeeper Bypass | | | | | | | |
| | Source | LSASS Driver | Sudo Caching | Group Policy Modification | | | | | | | |
| | Space after Filename | Launch Agent | Sudo | HISTCONTROL | | | | | | | |
| | Third-party Software | Launch Daemon | Valid Accounts | Hidden Files and Directories | | | | | | | |
| | Trap | Launchctl | Web Shell | Hidden Users | | | | | | | |
| | Trusted Developer Utilities | Local Job Scheduling | | Hidden Window | | | | | | | |
| | User Execution | Login Item | | Image File Execution Options Injection | | | | | | | |
| | Windows Management Instrumentation | Logon Scripts | | Indicator Blocking | | | | | | | |
| | Windows Remote Management | Modify Existing Service | | Indicator Removal from Tools | | | | | | | |
| | XSL Script Processing | Netsh Helper DLL | | Indicator Removal on Host | | | | | | | |
| | | New Service | | Indirect Command Execution | | | | | | | |
| | | Office Application Startup | | Install Root Certificate | | | | | | | |
| | | Path Interception | | InstallUtil | | | | | | | |
| | | Plist Modification | | LC_MAIN Hijacking | | | | | | | |
| | | Port Knocking | | Launchctl | | | | | | | |
| | | Port Monitors | | Masquerading | | | | | | | |
| | | Rc.common | | Modify Registry | | | | | | | |
| | | Re-opened Applications | | Mshta | | | | | | | |
| | | Redundant Access | | NTFS File Attributes | | | | | | | |
| | | Registry Run Keys / Startup Folder | | Network Share Connection Removal | | | | | | | |
| | | SIP and Trust Provider Hijacking | | Obfuscated Files or Information | | | | | | | |
| | | Scheduled Task | | Plist Modification | | | | | | | |
| | | Screensaver | | Port Knocking | | | | | | | |
| | | Security Support Provider | | Process Doppelgänging | | | | | | | |
| | | Service Registry Permissions Weakness | | Process Hollowing | | | | | | | |
| | | Setuid and Setgid | | Process Injection | | | | | | | |
| | | Shortcut Modification | | Redundant Access | | | | | | | |
| | | Startup Items | | Regsvcs/Regasm | | | | | | | |
| | | System Firmware | | Regsvr32 | | | | | | | |
| | | Systemd Service | | Rootkit | | | | | | | |
| | | Time Providers | | Rundll32 | | | | | | | |
| | | Trap | | SIP and Trust Provider Hijacking | | | | | | | |
| | | Valid Accounts | | Scripting | | | | | | | |
| | | Web Shell | | Signed Binary Proxy Execution | | | | | | | |
| | | Windows Management Instrumentation Event Subscription | | Signed Script Proxy Execution | | | | | | | |
| | | Winlogon Helper DLL | | Software Packing | | | | | | | |
| | | | | Space after Filename | | | | | | | |
| | | | | Template Injection | | | | | | | |
| | | | | Timestomp | | | | | | | |
| | | | | Trusted Developer Utilities | | | | | | | |
| | | | | Valid Accounts | | | | | | | |
| | | | | Virtualization/Sandbox Evasion | | | | | | | |
| | | | | Web Service | | | | | | | |
| | | | | XSL Script Processing | | | | | | | |