Enterprise Matrix

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.

Last Modified: 2019-10-09 18:48:31.906000

Initial Access: Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Hardware Additions, Replication Through Removable Media, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts

Execution: AppleScript, CMSTP, Command-Line Interface, Compiled HTML File, Component Object Model and Distributed COM, Control Panel Items, Dynamic Data Exchange, Execution through API, Execution through Module Load, Exploitation for Client Execution, Graphical User Interface, InstallUtil, Launchctl, Local Job Scheduling, LSASS Driver, Mshta, PowerShell, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Signed Binary Proxy Execution, Signed Script Proxy Execution, Source, Space after Filename, Third-party Software, Trap, Trusted Developer Utilities, User Execution, Windows Management Instrumentation, Windows Remote Management, XSL Script Processing

Persistence: .bash_profile and .bashrc, Accessibility Features, Account Manipulation, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Component Firmware, Component Object Model Hijacking, Create Account, DLL Search Order Hijacking, Dylib Hijacking, Emond, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hooking, Hypervisor, Image File Execution Options Injection, Implant Container Image, Kernel Modules and Extensions, Launch Agent, Launch Daemon, Launchctl, LC_LOAD_DYLIB Addition, Local Job Scheduling, Login Item, Logon Scripts, LSASS Driver, Modify Existing Service, Netsh Helper DLL, New Service, Office Application Startup, Path Interception, Plist Modification, Port Knocking, Port Monitors, PowerShell Profile, Rc.common, Re-opened Applications, Redundant Access, Registry Run Keys / Startup Folder, Scheduled Task, Screensaver, Security Support Provider, Server Software Component, Service Registry Permissions Weakness, Setuid and Setgid, Shortcut Modification, SIP and Trust Provider Hijacking, Startup Items, System Firmware, Systemd Service, Time Providers, Trap, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation: Access Token Manipulation, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Search Order Hijacking, Dylib Hijacking, Elevated Execution with Prompt, Emond, Exploitation for Privilege Escalation, Extra Window Memory Injection, File System Permissions Weakness, Hooking, Image File Execution Options Injection, Launch Daemon, New Service, Parent PID Spoofing, Path Interception, Plist Modification, Port Monitors, PowerShell Profile, Process Injection, Scheduled Task, Service Registry Permissions Weakness, Setuid and Setgid, SID-History Injection, Startup Items, Sudo, Sudo Caching, Valid Accounts, Web Shell

Defense Evasion: Access Token Manipulation, Application Access Token, Binary Padding, BITS Jobs, Bypass User Account Control, Clear Command History, CMSTP, Code Signing, Compile After Delivery, Compiled HTML File, Component Firmware, Component Object Model Hijacking, Connection Proxy, Control Panel Items, DCShadow, Deobfuscate/Decode Files or Information, Disabling Security Tools, DLL Search Order Hijacking, DLL Side-Loading, Execution Guardrails, Exploitation for Defense Evasion, Extra Window Memory Injection, File and Directory Permissions Modification, File Deletion, File System Logical Offsets, Gatekeeper Bypass, Group Policy Modification, Hidden Files and Directories, Hidden Users, Hidden Window, HISTCONTROL, Image File Execution Options Injection, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Indirect Command Execution, Install Root Certificate, InstallUtil, Launchctl, LC_MAIN Hijacking, Masquerading, Modify Registry, Mshta, Network Share Connection Removal, NTFS File Attributes, Obfuscated Files or Information, Parent PID Spoofing, Plist Modification, Port Knocking, Process Doppelgänging, Process Hollowing, Process Injection, Redundant Access, Regsvcs/Regasm, Regsvr32, Revert Cloud Instance, Rootkit, Rundll32, Scripting, Signed Binary Proxy Execution, Signed Script Proxy Execution, SIP and Trust Provider Hijacking, Software Packing, Space after Filename, Template Injection, Trusted Developer Utilities, Unused/Unsupported Cloud Regions, Valid Accounts, Virtualization/Sandbox Evasion, Web Service, Web Session Cookie, XSL Script Processing

Credential Access: Account Manipulation, Bash History, Brute Force, Cloud Instance Metadata API, Credential Dumping, Credentials from Web Browsers, Credentials in Files, Credentials in Registry, Exploitation for Credential Access, Forced Authentication, Hooking, Input Capture, Input Prompt, Kerberoasting, Keychain, LLMNR/NBT-NS Poisoning and Relay, Network Sniffing, Password Filter DLL, Private Keys, Securityd Memory, Steal Application Access Token, Steal Web Session Cookie, Two-Factor Authentication Interception

Discovery: Account Discovery, Application Window Discovery, Browser Bookmark Discovery, Cloud Service Dashboard, Cloud Service Discovery, Domain Trust Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Network Sniffing, Password Policy Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery, Virtualization/Sandbox Evasion

Lateral Movement: AppleScript, Application Access Token, Application Deployment Software, Component Object Model and Distributed COM, Exploitation of Remote Services, Internal Spearphishing, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, SSH Hijacking, Taint Shared Content, Third-party Software, Web Session Cookie, Windows Admin Shares, Windows Remote Management

Collection: Audio Capture, Automated Collection, Clipboard Data, Data from Cloud Storage Object, Data from Information Repositories, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Data Staged, Email Collection, Input Capture, Man in the Browser, Screen Capture, Video Capture

Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Domain Generation Algorithms, Fallback Channels, Multi-hop Proxy, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Port Knocking, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer, Transfer Data to Cloud Account

Impact: Account Access Removal, Data Destruction, Data Encrypted for Impact, Defacement, Disk Content Wipe, Disk Structure Wipe, Endpoint Denial of Service, Firmware Corruption, Inhibit System Recovery, Network Denial of Service, Resource Hijacking, Runtime Data Manipulation, Service Stop, Stored Data Manipulation, System Shutdown/Reboot, Transmitted Data Manipulation