Windows Matrix

Below are the tactics and techniques representing the MITRE ATT&CK^® Windows platform. The techniques below are known to target hosts running Microsoft Windows operating systems. The Matrix contains information for the Windows platform.

View on the ATT&CK^® Navigator

Version Permalink

Live Version

11 techniques

21 techniques

14 techniques

36 techniques

16 techniques

28 techniques

9 techniques

15 techniques

18 techniques

8 techniques

15 techniques

Content Injection

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Phishing ₍₄₎

Replication Through Removable Media

Supply Chain Compromise ₍₃₎

Trusted Relationship

Valid Accounts ₍₃₎

Wi-Fi Networks

Command and Scripting Interpreter ₍₇₎

Exploitation for Client Execution

Input Injection

Inter-Process Communication ₍₂₎

Native API

Scheduled Task/Job ₍₂₎

Shared Modules

Software Deployment Tools

System Services ₍₁₎

User Execution ₍₃₎

Windows Management Instrumentation

Account Manipulation ₍₃₎

BITS Jobs

Boot or Logon Autostart Execution ₍₁₀₎

Boot or Logon Initialization Scripts ₍₂₎

Compromise Host Software Binary

Create Account ₍₂₎

Create or Modify System Process ₍₁₎

Event Triggered Execution ₍₁₂₎

Exclusive Control

External Remote Services

Hijack Execution Flow ₍₁₀₎

Modify Authentication Process ₍₆₎

Modify Registry

Office Application Startup ₍₆₎

Power Settings

Pre-OS Boot ₍₃₎

Scheduled Task/Job ₍₂₎

Server Software Component ₍₅₎

Software Extensions ₍₂₎

Traffic Signaling ₍₂₎

Valid Accounts ₍₃₎

Abuse Elevation Control Mechanism ₍₁₎

Access Token Manipulation ₍₅₎

Account Manipulation ₍₃₎

Boot or Logon Autostart Execution ₍₁₀₎

Boot or Logon Initialization Scripts ₍₂₎

Create or Modify System Process ₍₁₎

Domain or Tenant Policy Modification ₍₂₎

Escape to Host

Event Triggered Execution ₍₁₂₎

Exploitation for Privilege Escalation

Hijack Execution Flow ₍₁₀₎

Process Injection ₍₉₎

Scheduled Task/Job ₍₂₎

Valid Accounts ₍₃₎

Abuse Elevation Control Mechanism ₍₁₎

Access Token Manipulation ₍₅₎

BITS Jobs

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain or Tenant Policy Modification ₍₂₎

Email Spoofing

Execution Guardrails ₍₂₎

Exploitation for Defense Evasion

File and Directory Permissions Modification ₍₁₎

Hide Artifacts ₍₁₁₎

Hijack Execution Flow ₍₁₀₎

Impair Defenses ₍₈₎

Impersonation

Indicator Removal ₍₉₎

Indirect Command Execution

Masquerading ₍₈₎

Modify Authentication Process ₍₆₎

Modify Registry

Obfuscated Files or Information ₍₁₇₎

Pre-OS Boot ₍₃₎

Process Injection ₍₉₎

Reflective Code Loading

Rogue Domain Controller

Rootkit

Subvert Trust Controls ₍₅₎

System Binary Proxy Execution ₍₁₄₎

System Script Proxy Execution ₍₂₎

Template Injection

Traffic Signaling ₍₂₎

Trusted Developer Utilities Proxy Execution ₍₃₎

Use Alternate Authentication Material ₍₂₎

Valid Accounts ₍₃₎

Virtualization/Sandbox Evasion ₍₃₎

XSL Script Processing

Adversary-in-the-Middle ₍₃₎

Brute Force ₍₄₎

Credentials from Password Stores ₍₃₎

Exploitation for Credential Access

Forced Authentication

Forge Web Credentials ₍₂₎

Input Capture ₍₄₎

Modify Authentication Process ₍₆₎

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

OS Credential Dumping ₍₆₎

Steal or Forge Authentication Certificates

Steal or Forge Kerberos Tickets ₍₄₎

Steal Web Session Cookie

Unsecured Credentials ₍₄₎

Account Discovery ₍₃₎

Application Window Discovery

Browser Information Discovery

Debugger Evasion

Device Driver Discovery

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Log Enumeration

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery ₍₂₎

Process Discovery

Query Registry

Remote System Discovery

Software Discovery ₍₁₎

System Information Discovery

System Location Discovery ₍₁₎

System Network Configuration Discovery ₍₂₎

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtual Machine Discovery

Virtualization/Sandbox Evasion ₍₃₎

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking ₍₁₎

Remote Services ₍₅₎

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material ₍₂₎

Adversary-in-the-Middle ₍₃₎

Archive Collected Data ₍₃₎

Audio Capture

Automated Collection

Browser Session Hijacking

Clipboard Data

Data from Information Repositories ₍₁₎

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged ₍₂₎

Email Collection ₍₃₎

Input Capture ₍₄₎

Screen Capture

Video Capture

Application Layer Protocol ₍₅₎

Communication Through Removable Media

Content Injection

Data Encoding ₍₂₎

Data Obfuscation ₍₃₎

Dynamic Resolution ₍₃₎

Encrypted Channel ₍₂₎

Fallback Channels

Hide Infrastructure

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Proxy ₍₄₎

Remote Access Tools ₍₃₎

Traffic Signaling ₍₂₎

Web Service ₍₃₎

Automated Exfiltration

Data Transfer Size Limits

Exfiltration Over Alternative Protocol ₍₃₎

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium ₍₁₎

Exfiltration Over Physical Medium ₍₁₎

Exfiltration Over Web Service ₍₄₎

Scheduled Transfer

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation ₍₃₎

Defacement ₍₂₎

Disk Wipe ₍₂₎

Email Bombing

Endpoint Denial of Service ₍₄₎

Financial Theft

Firmware Corruption

Inhibit System Recovery

Network Denial of Service ₍₂₎

Resource Hijacking ₍₂₎

Service Stop

System Shutdown/Reboot

11 techniques

21 techniques

14 techniques

36 techniques

16 techniques

28 techniques

9 techniques

15 techniques

18 techniques

8 techniques

15 techniques

Content Injection

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

=	Phishing ₍₄₎
	Spearphishing Attachment Spearphishing Link Spearphishing via Service Spearphishing Voice

Replication Through Removable Media

=	Supply Chain Compromise ₍₃₎
	Compromise Software Dependencies and Development Tools Compromise Software Supply Chain Compromise Hardware Supply Chain

Trusted Relationship

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

Wi-Fi Networks

=	Command and Scripting Interpreter ₍₇₎
	PowerShell Windows Command Shell Visual Basic Python JavaScript AutoHotKey & AutoIT Lua

Exploitation for Client Execution

Input Injection

=	Inter-Process Communication ₍₂₎
	Component Object Model Dynamic Data Exchange

Native API

=	Scheduled Task/Job ₍₂₎
	At Scheduled Task

Shared Modules

Software Deployment Tools

=	System Services ₍₁₎
	Service Execution

=	User Execution ₍₃₎
	Malicious Link Malicious File Malicious Copy and Paste

Windows Management Instrumentation

=	Account Manipulation ₍₃₎
	Additional Email Delegate Permissions Device Registration Additional Local or Domain Groups

BITS Jobs

=	Boot or Logon Autostart Execution ₍₁₀₎
	Registry Run Keys / Startup Folder Authentication Package Time Providers Winlogon Helper DLL Security Support Provider LSASS Driver Shortcut Modification Port Monitors Print Processors Active Setup

=	Boot or Logon Initialization Scripts ₍₂₎
	Logon Script (Windows) Network Logon Script

Compromise Host Software Binary

=	Create Account ₍₂₎
	Local Account Domain Account

=	Create or Modify System Process ₍₁₎
	Windows Service

=	Event Triggered Execution ₍₁₂₎
	Change Default File Association Screensaver Windows Management Instrumentation Event Subscription Netsh Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Image File Execution Options Injection PowerShell Profile Component Object Model Hijacking Installer Packages

Exclusive Control

External Remote Services

=	Hijack Execution Flow ₍₁₀₎
	DLL Executable Installer File Permissions Weakness Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable AppDomainManager

=	Modify Authentication Process ₍₆₎
	Domain Controller Authentication Password Filter DLL Reversible Encryption Multi-Factor Authentication Hybrid Identity Network Provider DLL

Modify Registry

=	Office Application Startup ₍₆₎
	Office Template Macros Office Test Outlook Forms Outlook Home Page Outlook Rules Add-ins

Power Settings

=	Pre-OS Boot ₍₃₎
	System Firmware Component Firmware Bootkit

=	Scheduled Task/Job ₍₂₎
	At Scheduled Task

=	Server Software Component ₍₅₎
	SQL Stored Procedures Transport Agent Web Shell IIS Components Terminal Services DLL

=	Software Extensions ₍₂₎
	Browser Extensions IDE Extensions

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Abuse Elevation Control Mechanism ₍₁₎
	Bypass User Account Control

=	Access Token Manipulation ₍₅₎
	Token Impersonation/Theft Create Process with Token Make and Impersonate Token Parent PID Spoofing SID-History Injection

=	Account Manipulation ₍₃₎
	Additional Email Delegate Permissions Device Registration Additional Local or Domain Groups

=	Boot or Logon Autostart Execution ₍₁₀₎
	Registry Run Keys / Startup Folder Authentication Package Time Providers Winlogon Helper DLL Security Support Provider LSASS Driver Shortcut Modification Port Monitors Print Processors Active Setup

=	Boot or Logon Initialization Scripts ₍₂₎
	Logon Script (Windows) Network Logon Script

=	Create or Modify System Process ₍₁₎
	Windows Service

=	Domain or Tenant Policy Modification ₍₂₎
	Group Policy Modification Trust Modification

Escape to Host

=	Event Triggered Execution ₍₁₂₎
	Change Default File Association Screensaver Windows Management Instrumentation Event Subscription Netsh Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Image File Execution Options Injection PowerShell Profile Component Object Model Hijacking Installer Packages

Exploitation for Privilege Escalation

=	Hijack Execution Flow ₍₁₀₎
	DLL Executable Installer File Permissions Weakness Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable AppDomainManager

=	Process Injection ₍₉₎
	Dynamic-link Library Injection Portable Executable Injection Thread Execution Hijacking Asynchronous Procedure Call Thread Local Storage Extra Window Memory Injection Process Hollowing Process Doppelgänging ListPlanting

=	Scheduled Task/Job ₍₂₎
	At Scheduled Task

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Abuse Elevation Control Mechanism ₍₁₎
	Bypass User Account Control

=	Access Token Manipulation ₍₅₎
	Token Impersonation/Theft Create Process with Token Make and Impersonate Token Parent PID Spoofing SID-History Injection

BITS Jobs

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

=	Domain or Tenant Policy Modification ₍₂₎
	Group Policy Modification Trust Modification

Email Spoofing

=	Execution Guardrails ₍₂₎
	Environmental Keying Mutual Exclusion

Exploitation for Defense Evasion

=	File and Directory Permissions Modification ₍₁₎
	Windows File and Directory Permissions Modification

=	Hide Artifacts ₍₁₁₎
	Hidden Files and Directories Hidden Users Hidden Window NTFS File Attributes Hidden File System Run Virtual Instance VBA Stomping Email Hiding Rules Process Argument Spoofing Ignore Process Interrupts File/Path Exclusions

=	Hijack Execution Flow ₍₁₀₎
	DLL Executable Installer File Permissions Weakness Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable AppDomainManager

=	Impair Defenses ₍₈₎
	Disable or Modify Tools Disable Windows Event Logging Impair Command History Logging Disable or Modify System Firewall Indicator Blocking Safe Mode Boot Downgrade Attack Spoof Security Alerting

Impersonation

=	Indicator Removal ₍₉₎
	Clear Windows Event Logs Clear Command History File Deletion Network Share Connection Removal Timestomp Clear Network Connection History and Configurations Clear Mailbox Data Clear Persistence Relocate Malware

Indirect Command Execution

=	Masquerading ₍₈₎
	Invalid Code Signature Right-to-Left Override Rename Legitimate Utilities Masquerade Task or Service Match Legitimate Resource Name or Location Double File Extension Masquerade File Type Masquerade Account Name

=	Modify Authentication Process ₍₆₎
	Domain Controller Authentication Password Filter DLL Reversible Encryption Multi-Factor Authentication Hybrid Identity Network Provider DLL

Modify Registry

=	Obfuscated Files or Information ₍₁₇₎
	Binary Padding Software Packing Steganography Compile After Delivery Indicator Removal from Tools HTML Smuggling Dynamic API Resolution Stripped Payloads Embedded Payloads Command Obfuscation Fileless Storage LNK Icon Smuggling Encrypted/Encoded File Polymorphic Code Compression Junk Code Insertion SVG Smuggling

=	Pre-OS Boot ₍₃₎
	System Firmware Component Firmware Bootkit

=	Process Injection ₍₉₎
	Dynamic-link Library Injection Portable Executable Injection Thread Execution Hijacking Asynchronous Procedure Call Thread Local Storage Extra Window Memory Injection Process Hollowing Process Doppelgänging ListPlanting

Reflective Code Loading

Rogue Domain Controller

Rootkit

=	Subvert Trust Controls ₍₅₎
	Code Signing SIP and Trust Provider Hijacking Install Root Certificate Mark-of-the-Web Bypass Code Signing Policy Modification

=	System Binary Proxy Execution ₍₁₄₎
	Compiled HTML File Control Panel CMSTP InstallUtil Mshta Msiexec Odbcconf Regsvcs/Regasm Regsvr32 Rundll32 Verclsid Mavinject MMC Electron Applications

=	System Script Proxy Execution ₍₂₎
	PubPrn SyncAppvPublishingServer

Template Injection

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Trusted Developer Utilities Proxy Execution ₍₃₎
	MSBuild ClickOnce JamPlus

=	Use Alternate Authentication Material ₍₂₎
	Pass the Hash Pass the Ticket

=	Valid Accounts ₍₃₎
	Default Accounts Domain Accounts Local Accounts

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

XSL Script Processing

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay ARP Cache Poisoning DHCP Spoofing

=	Brute Force ₍₄₎
	Password Guessing Password Cracking Password Spraying Credential Stuffing

=	Credentials from Password Stores ₍₃₎
	Credentials from Web Browsers Windows Credential Manager Password Managers

Exploitation for Credential Access

Forced Authentication

=	Forge Web Credentials ₍₂₎
	Web Cookies SAML Tokens

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

=	Modify Authentication Process ₍₆₎
	Domain Controller Authentication Password Filter DLL Reversible Encryption Multi-Factor Authentication Hybrid Identity Network Provider DLL

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

=	OS Credential Dumping ₍₆₎
	LSASS Memory Security Account Manager NTDS LSA Secrets Cached Domain Credentials DCSync

Steal or Forge Authentication Certificates

=	Steal or Forge Kerberos Tickets ₍₄₎
	Golden Ticket Silver Ticket Kerberoasting AS-REP Roasting

Steal Web Session Cookie

=	Unsecured Credentials ₍₄₎
	Credentials In Files Credentials in Registry Private Keys Group Policy Preferences

=	Account Discovery ₍₃₎
	Local Account Domain Account Email Account

Application Window Discovery

Browser Information Discovery

Debugger Evasion

Device Driver Discovery

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Log Enumeration

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

=	Permission Groups Discovery ₍₂₎
	Local Groups Domain Groups

Process Discovery

Query Registry

Remote System Discovery

=	Software Discovery ₍₁₎
	Security Software Discovery

System Information Discovery

=	System Location Discovery ₍₁₎
	System Language Discovery

=	System Network Configuration Discovery ₍₂₎
	Internet Connection Discovery Wi-Fi Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtual Machine Discovery

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

=	Remote Service Session Hijacking ₍₁₎
	RDP Hijacking

=	Remote Services ₍₅₎
	Remote Desktop Protocol SMB/Windows Admin Shares Distributed Component Object Model VNC Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

=	Use Alternate Authentication Material ₍₂₎
	Pass the Hash Pass the Ticket

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay ARP Cache Poisoning DHCP Spoofing

=	Archive Collected Data ₍₃₎
	Archive via Utility Archive via Library Archive via Custom Method

Audio Capture

Automated Collection

Browser Session Hijacking

Clipboard Data

=	Data from Information Repositories ₍₁₎
	Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

=	Data Staged ₍₂₎
	Local Data Staging Remote Data Staging

=	Email Collection ₍₃₎
	Local Email Collection Remote Email Collection Email Forwarding Rule

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

Screen Capture

Video Capture

=	Application Layer Protocol ₍₅₎
	Web Protocols File Transfer Protocols Mail Protocols DNS Publish/Subscribe Protocols

Communication Through Removable Media

Content Injection

=	Data Encoding ₍₂₎
	Standard Encoding Non-Standard Encoding

=	Data Obfuscation ₍₃₎
	Junk Data Steganography Protocol or Service Impersonation

=	Dynamic Resolution ₍₃₎
	Fast Flux DNS Domain Generation Algorithms DNS Calculation

=	Encrypted Channel ₍₂₎
	Symmetric Cryptography Asymmetric Cryptography

Fallback Channels

Hide Infrastructure

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

=	Proxy ₍₄₎
	Internal Proxy External Proxy Multi-hop Proxy Domain Fronting

=	Remote Access Tools ₍₃₎
	IDE Tunneling Remote Desktop Software Remote Access Hardware

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Web Service ₍₃₎
	Dead Drop Resolver Bidirectional Communication One-Way Communication

Automated Exfiltration

Data Transfer Size Limits

=	Exfiltration Over Alternative Protocol ₍₃₎
	Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

=	Exfiltration Over Other Network Medium ₍₁₎
	Exfiltration Over Bluetooth

=	Exfiltration Over Physical Medium ₍₁₎
	Exfiltration over USB

=	Exfiltration Over Web Service ₍₄₎
	Exfiltration to Code Repository Exfiltration to Cloud Storage Exfiltration to Text Storage Sites Exfiltration Over Webhook

Scheduled Transfer

Account Access Removal

Data Destruction

Data Encrypted for Impact

=	Data Manipulation ₍₃₎
	Stored Data Manipulation Transmitted Data Manipulation Runtime Data Manipulation

=	Defacement ₍₂₎
	Internal Defacement External Defacement

=	Disk Wipe ₍₂₎
	Disk Content Wipe Disk Structure Wipe

Email Bombing

=	Endpoint Denial of Service ₍₄₎
	OS Exhaustion Flood Service Exhaustion Flood Application Exhaustion Flood Application or System Exploitation

Financial Theft

Firmware Corruption

Inhibit System Recovery

=	Network Denial of Service ₍₂₎
	Direct Network Flood Reflection Amplification

=	Resource Hijacking ₍₂₎
	Compute Hijacking Bandwidth Hijacking

Service Stop

System Shutdown/Reboot