1. Home
  2. Matrices
  3. Windows

Windows Matrix

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise. The Matrix contains information for the Windows platform.

View on the ATT&CK® Navigator
Version Permalink
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
9 techniques 10 techniques 18 techniques 13 techniques 34 techniques 16 techniques 26 techniques 9 techniques 15 techniques 16 techniques 8 techniques 13 techniques
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Phishing (3)
=
Replication Through Removable Media
Supply Chain Compromise (3)
=
Trusted Relationship
Valid Accounts (3)
=
Command and Scripting Interpreter (5)
=
Exploitation for Client Execution
Inter-Process Communication (2)
=
Native API
Scheduled Task/Job (2)
=
Shared Modules
Software Deployment Tools
System Services (1)
=
User Execution (2)
=
Windows Management Instrumentation
Account Manipulation (2)
=
BITS Jobs
Boot or Logon Autostart Execution (10)
=
Boot or Logon Initialization Scripts (2)
=
Browser Extensions
Compromise Client Software Binary
Create Account (2)
=
Create or Modify System Process (1)
=
Event Triggered Execution (12)
=
External Remote Services
Hijack Execution Flow (10)
=
Modify Authentication Process (6)
=
Office Application Startup (6)
=
Pre-OS Boot (3)
=
Scheduled Task/Job (2)
=
Server Software Component (5)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (1)
=
Access Token Manipulation (5)
=
Boot or Logon Autostart Execution (10)
=
Boot or Logon Initialization Scripts (2)
=
Create or Modify System Process (1)
=
Domain Policy Modification (2)
=
Escape to Host
Event Triggered Execution (12)
=
Exploitation for Privilege Escalation
Hijack Execution Flow (10)
=
Process Injection (9)
=
Scheduled Task/Job (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (1)
=
Access Token Manipulation (5)
=
BITS Jobs
Debugger Evasion
Deobfuscate/Decode Files or Information
Direct Volume Access
Domain Policy Modification (2)
=
Execution Guardrails (1)
=
Exploitation for Defense Evasion
File and Directory Permissions Modification (1)
=
Hide Artifacts (9)
=
Hijack Execution Flow (10)
=
Impair Defenses (8)
=
Indicator Removal (8)
=
Indirect Command Execution
Masquerading (7)
=
Modify Authentication Process (6)
=
Modify Registry
Obfuscated Files or Information (11)
=
Pre-OS Boot (3)
=
Process Injection (9)
=
Reflective Code Loading
Rogue Domain Controller
Rootkit
Subvert Trust Controls (5)
=
System Binary Proxy Execution (13)
=
System Script Proxy Execution (1)
=
Template Injection
Traffic Signaling (2)
=
Trusted Developer Utilities Proxy Execution (1)
=
Use Alternate Authentication Material (2)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
=
XSL Script Processing
Adversary-in-the-Middle (3)
=
Brute Force (4)
=
Credentials from Password Stores (3)
=
Exploitation for Credential Access
Forced Authentication
Forge Web Credentials (2)
=
Input Capture (4)
=
Modify Authentication Process (6)
=
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping (6)
=
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets (4)
=
Steal Web Session Cookie
Unsecured Credentials (4)
=
Account Discovery (3)
=
Application Window Discovery
Browser Information Discovery
Debugger Evasion
Device Driver Discovery
Domain Trust Discovery
File and Directory Discovery
Group Policy Discovery
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery (2)
=
Process Discovery
Query Registry
Remote System Discovery
Software Discovery (1)
=
System Information Discovery
System Location Discovery (1)
=
System Network Configuration Discovery (1)
=
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion (3)
=
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking (1)
=
Remote Services (5)
=
Replication Through Removable Media
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material (2)
=
Adversary-in-the-Middle (3)
=
Archive Collected Data (3)
=
Audio Capture
Automated Collection
Browser Session Hijacking
Clipboard Data
Data from Information Repositories (1)
=
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged (2)
=
Email Collection (3)
=
Input Capture (4)
=
Screen Capture
Video Capture
Application Layer Protocol (4)
=
Communication Through Removable Media
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
=
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Proxy (4)
=
Remote Access Software
Traffic Signaling (2)
=
Web Service (3)
=
Automated Exfiltration
Data Transfer Size Limits
Exfiltration Over Alternative Protocol (3)
=
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (3)
=
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Endpoint Denial of Service (4)
=
Firmware Corruption
Inhibit System Recovery
Network Denial of Service (2)
=
Resource Hijacking
Service Stop
System Shutdown/Reboot
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
9 techniques 10 techniques 18 techniques 13 techniques 34 techniques 16 techniques 26 techniques 9 techniques 15 techniques 16 techniques 8 techniques 13 techniques
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
=
Phishing (3)
Replication Through Removable Media
=
Supply Chain Compromise (3)
Trusted Relationship
=
Valid Accounts (3)
=
Command and Scripting Interpreter (5)
Exploitation for Client Execution
=
Inter-Process Communication (2)
Native API
=
Scheduled Task/Job (2)
Shared Modules
Software Deployment Tools
=
System Services (1)
=
User Execution (2)
Windows Management Instrumentation
=
Account Manipulation (2)
BITS Jobs
=
Boot or Logon Autostart Execution (10)
=
Boot or Logon Initialization Scripts (2)
Browser Extensions
Compromise Client Software Binary
=
Create Account (2)
=
Create or Modify System Process (1)
=
Event Triggered Execution (12)
External Remote Services
=
Hijack Execution Flow (10)
=
Modify Authentication Process (6)
=
Office Application Startup (6)
=
Pre-OS Boot (3)
=
Scheduled Task/Job (2)
=
Server Software Component (5)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (1)
=
Access Token Manipulation (5)
=
Boot or Logon Autostart Execution (10)
=
Boot or Logon Initialization Scripts (2)
=
Create or Modify System Process (1)
=
Domain Policy Modification (2)
Escape to Host
=
Event Triggered Execution (12)
Exploitation for Privilege Escalation
=
Hijack Execution Flow (10)
=
Process Injection (9)
=
Scheduled Task/Job (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (1)
=
Access Token Manipulation (5)
BITS Jobs
Debugger Evasion
Deobfuscate/Decode Files or Information
Direct Volume Access
=
Domain Policy Modification (2)
=
Execution Guardrails (1)
Exploitation for Defense Evasion
=
File and Directory Permissions Modification (1)
=
Hide Artifacts (9)
=
Hijack Execution Flow (10)
=
Impair Defenses (8)
=
Indicator Removal (8)
Indirect Command Execution
=
Masquerading (7)
=
Modify Authentication Process (6)
Modify Registry
=
Obfuscated Files or Information (11)
=
Pre-OS Boot (3)
=
Process Injection (9)
Reflective Code Loading
Rogue Domain Controller
Rootkit
=
Subvert Trust Controls (5)
=
System Binary Proxy Execution (13)
=
System Script Proxy Execution (1)
Template Injection
=
Traffic Signaling (2)
=
Trusted Developer Utilities Proxy Execution (1)
=
Use Alternate Authentication Material (2)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
XSL Script Processing
=
Adversary-in-the-Middle (3)
=
Brute Force (4)
=
Credentials from Password Stores (3)
Exploitation for Credential Access
Forced Authentication
=
Forge Web Credentials (2)
=
Input Capture (4)
=
Modify Authentication Process (6)
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
=
OS Credential Dumping (6)
Steal or Forge Authentication Certificates
=
Steal or Forge Kerberos Tickets (4)
Steal Web Session Cookie
=
Unsecured Credentials (4)
=
Account Discovery (3)
Application Window Discovery
Browser Information Discovery
Debugger Evasion
Device Driver Discovery
Domain Trust Discovery
File and Directory Discovery
Group Policy Discovery
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
=
Permission Groups Discovery (2)
Process Discovery
Query Registry
Remote System Discovery
=
Software Discovery (1)
System Information Discovery
=
System Location Discovery (1)
=
System Network Configuration Discovery (1)
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
=
Virtualization/Sandbox Evasion (3)
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
=
Remote Service Session Hijacking (1)
=
Remote Services (5)
Replication Through Removable Media
Software Deployment Tools
Taint Shared Content
=
Use Alternate Authentication Material (2)
=
Adversary-in-the-Middle (3)
=
Archive Collected Data (3)
Audio Capture
Automated Collection
Browser Session Hijacking
Clipboard Data
=
Data from Information Repositories (1)
Data from Local System
Data from Network Shared Drive
Data from Removable Media
=
Data Staged (2)
=
Email Collection (3)
=
Input Capture (4)
Screen Capture
Video Capture
=
Application Layer Protocol (4)
Communication Through Removable Media
=
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
=
Proxy (4)
Remote Access Software
=
Traffic Signaling (2)
=
Web Service (3)
Automated Exfiltration
Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (3)
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
=
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Endpoint Denial of Service (4)
Firmware Corruption
Inhibit System Recovery
=
Network Denial of Service (2)
Resource Hijacking
Service Stop
System Shutdown/Reboot