Enterprise Matrix - Windows

The matrix below includes techniques spanning the Windows platform. The full Enterprise ATT&CK matrix along with the matrices for macOS and Linux are also available for navigation.

Last Modified: 2019-04-25 20:53:07.719000
Initial Access
- Drive-by Compromise
- Exploit Public-Facing Application
- External Remote Services
- Hardware Additions
- Replication Through Removable Media
- Spearphishing Attachment
- Spearphishing Link
- Spearphishing via Service
- Supply Chain Compromise
- Trusted Relationship
- Valid Accounts

Execution
- CMSTP
- Command-Line Interface
- Compiled HTML File
- Control Panel Items
- Dynamic Data Exchange
- Execution through API
- Execution through Module Load
- Exploitation for Client Execution
- Graphical User Interface
- InstallUtil
- LSASS Driver
- Mshta
- PowerShell
- Regsvcs/Regasm
- Regsvr32
- Rundll32
- Scheduled Task
- Scripting
- Service Execution
- Signed Binary Proxy Execution
- Signed Script Proxy Execution
- Third-party Software
- Trusted Developer Utilities
- User Execution
- Windows Management Instrumentation
- Windows Remote Management
- XSL Script Processing

Persistence
- Accessibility Features
- Account Manipulation
- AppCert DLLs
- AppInit DLLs
- Application Shimming
- Authentication Package
- BITS Jobs
- Bootkit
- Browser Extensions
- Change Default File Association
- Component Firmware
- Component Object Model Hijacking
- Create Account
- DLL Search Order Hijacking
- External Remote Services
- File System Permissions Weakness
- Hidden Files and Directories
- Hooking
- Hypervisor
- Image File Execution Options Injection
- LSASS Driver
- Logon Scripts
- Modify Existing Service
- Netsh Helper DLL
- New Service
- Office Application Startup
- Path Interception
- Port Monitors
- Redundant Access
- Registry Run Keys / Startup Folder
- SIP and Trust Provider Hijacking
- Scheduled Task
- Screensaver
- Security Support Provider
- Service Registry Permissions Weakness
- Shortcut Modification
- System Firmware
- Time Providers
- Valid Accounts
- Web Shell
- Windows Management Instrumentation Event Subscription
- Winlogon Helper DLL

Privilege Escalation
- Access Token Manipulation
- Accessibility Features
- AppCert DLLs
- AppInit DLLs
- Application Shimming
- Bypass User Account Control
- DLL Search Order Hijacking
- Exploitation for Privilege Escalation
- Extra Window Memory Injection
- File System Permissions Weakness
- Hooking
- Image File Execution Options Injection
- New Service
- Path Interception
- Port Monitors
- Process Injection
- SID-History Injection
- Scheduled Task
- Service Registry Permissions Weakness
- Valid Accounts
- Web Shell

Defense Evasion
- Access Token Manipulation
- BITS Jobs
- Binary Padding
- Bypass User Account Control
- CMSTP
- Code Signing
- Compile After Delivery
- Compiled HTML File
- Component Firmware
- Component Object Model Hijacking
- Control Panel Items
- DCShadow
- DLL Search Order Hijacking
- DLL Side-Loading
- Deobfuscate/Decode Files or Information
- Disabling Security Tools
- Execution Guardrails
- Exploitation for Defense Evasion
- Extra Window Memory Injection
- File Deletion
- File Permissions Modification
- File System Logical Offsets
- Group Policy Modification
- Hidden Files and Directories
- Image File Execution Options Injection
- Indicator Blocking
- Indicator Removal from Tools
- Indicator Removal on Host
- Indirect Command Execution
- Install Root Certificate
- InstallUtil
- Masquerading
- Modify Registry
- Mshta
- NTFS File Attributes
- Network Share Connection Removal
- Obfuscated Files or Information
- Process Doppelgänging
- Process Hollowing
- Process Injection
- Redundant Access
- Regsvcs/Regasm
- Regsvr32
- Rootkit
- Rundll32
- SIP and Trust Provider Hijacking
- Scripting
- Signed Binary Proxy Execution
- Signed Script Proxy Execution
- Software Packing
- Template Injection
- Timestomp
- Trusted Developer Utilities
- Valid Accounts
- Virtualization/Sandbox Evasion
- Web Service
- XSL Script Processing

Credential Access
- Account Manipulation
- Brute Force
- Credential Dumping
- Credentials in Files
- Credentials in Registry
- Exploitation for Credential Access
- Forced Authentication
- Hooking
- Input Capture
- Input Prompt
- Kerberoasting
- LLMNR/NBT-NS Poisoning and Relay
- Network Sniffing
- Password Filter DLL
- Private Keys
- Two-Factor Authentication Interception

Discovery
- Account Discovery
- Application Window Discovery
- Browser Bookmark Discovery
- Domain Trust Discovery
- File and Directory Discovery
- Network Service Scanning
- Network Share Discovery
- Network Sniffing
- Password Policy Discovery
- Peripheral Device Discovery
- Permission Groups Discovery
- Process Discovery
- Query Registry
- Remote System Discovery
- Security Software Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery
- System Service Discovery
- System Time Discovery
- Virtualization/Sandbox Evasion

Lateral Movement
- Application Deployment Software
- Distributed Component Object Model
- Exploitation of Remote Services
- Logon Scripts
- Pass the Hash
- Pass the Ticket
- Remote Desktop Protocol
- Remote File Copy
- Remote Services
- Replication Through Removable Media
- Shared Webroot
- Taint Shared Content
- Third-party Software
- Windows Admin Shares
- Windows Remote Management

Collection
- Audio Capture
- Automated Collection
- Clipboard Data
- Data Staged
- Data from Information Repositories
- Data from Local System
- Data from Network Shared Drive
- Data from Removable Media
- Email Collection
- Input Capture
- Man in the Browser
- Screen Capture
- Video Capture

Command and Control
- Commonly Used Port
- Communication Through Removable Media
- Connection Proxy
- Custom Command and Control Protocol
- Custom Cryptographic Protocol
- Data Encoding
- Data Obfuscation
- Domain Fronting
- Domain Generation Algorithms
- Fallback Channels
- Multi-Stage Channels
- Multi-hop Proxy
- Multiband Communication
- Multilayer Encryption
- Remote Access Tools
- Remote File Copy
- Standard Application Layer Protocol
- Standard Cryptographic Protocol
- Standard Non-Application Layer Protocol
- Uncommonly Used Port
- Web Service

Exfiltration
- Automated Exfiltration
- Data Compressed
- Data Encrypted
- Data Transfer Size Limits
- Exfiltration Over Alternative Protocol
- Exfiltration Over Command and Control Channel
- Exfiltration Over Other Network Medium
- Exfiltration Over Physical Medium
- Scheduled Transfer

Impact
- Data Destruction
- Data Encrypted for Impact
- Defacement
- Disk Content Wipe
- Disk Structure Wipe
- Endpoint Denial of Service
- Firmware Corruption
- Inhibit System Recovery
- Network Denial of Service
- Resource Hijacking
- Runtime Data Manipulation
- Service Stop
- Stored Data Manipulation
- Transmitted Data Manipulation