Check out the results from our first round of ATT&CK Evaluations at!

Enterprise Matrix - Windows

The matrix below includes techniques spanning the Windows platform. The full Enterprise ATT&CK matrix along with the matrices for macOS and Linux are also available for navigation.

Last Modified: 2018-12-05T17:37:12.426Z
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Drive-by CompromiseCMSTPAccessibility FeaturesAccess Token ManipulationAccess Token ManipulationAccount ManipulationAccount DiscoveryApplication Deployment SoftwareAudio CaptureAutomated ExfiltrationCommonly Used Port
Exploit Public-Facing ApplicationCommand-Line InterfaceAccount ManipulationAccessibility FeaturesBITS JobsBrute ForceApplication Window DiscoveryDistributed Component Object ModelAutomated CollectionData CompressedCommunication Through Removable Media
Hardware AdditionsCompiled HTML FileAppCert DLLsAppCert DLLsBinary PaddingCredential DumpingBrowser Bookmark DiscoveryExploitation of Remote ServicesClipboard DataData EncryptedConnection Proxy
Replication Through Removable MediaControl Panel ItemsAppInit DLLsAppInit DLLsBypass User Account ControlCredentials in FilesFile and Directory DiscoveryLogon ScriptsData StagedData Transfer Size LimitsCustom Command and Control Protocol
Spearphishing AttachmentDynamic Data ExchangeApplication ShimmingApplication ShimmingCMSTPCredentials in RegistryNetwork Service ScanningPass the HashData from Information RepositoriesExfiltration Over Alternative ProtocolCustom Cryptographic Protocol
Spearphishing LinkExecution through APIAuthentication PackageBypass User Account ControlCode SigningExploitation for Credential AccessNetwork Share DiscoveryPass the TicketData from Local SystemExfiltration Over Command and Control ChannelData Encoding
Spearphishing via ServiceExecution through Module LoadBITS JobsDLL Search Order HijackingCompiled HTML FileForced AuthenticationNetwork SniffingRemote Desktop ProtocolData from Network Shared DriveExfiltration Over Other Network MediumData Obfuscation
Supply Chain CompromiseExploitation for Client ExecutionBootkitExploitation for Privilege EscalationComponent FirmwareHookingPassword Policy DiscoveryRemote File CopyData from Removable MediaExfiltration Over Physical MediumDomain Fronting
Trusted RelationshipGraphical User InterfaceBrowser ExtensionsExtra Window Memory InjectionComponent Object Model HijackingInput CapturePeripheral Device DiscoveryRemote ServicesEmail CollectionScheduled TransferFallback Channels
Valid AccountsInstallUtilChange Default File AssociationFile System Permissions WeaknessControl Panel ItemsKerberoastingPermission Groups DiscoveryReplication Through Removable MediaInput CaptureMulti-Stage Channels
LSASS DriverComponent FirmwareHookingDCShadowLLMNR/NBT-NS PoisoningProcess DiscoveryShared WebrootMan in the BrowserMulti-hop Proxy
MshtaComponent Object Model HijackingImage File Execution Options InjectionDLL Search Order HijackingNetwork SniffingQuery RegistryTaint Shared ContentScreen CaptureMultiband Communication
PowerShellCreate AccountNew ServiceDLL Side-LoadingPassword Filter DLLRemote System DiscoveryThird-party SoftwareVideo CaptureMultilayer Encryption
Regsvcs/RegasmDLL Search Order HijackingPath InterceptionDeobfuscate/Decode Files or InformationPrivate KeysSecurity Software DiscoveryWindows Admin SharesRemote Access Tools
Regsvr32External Remote ServicesPort MonitorsDisabling Security ToolsTwo-Factor Authentication InterceptionSystem Information DiscoveryWindows Remote ManagementRemote File Copy
Rundll32File System Permissions WeaknessProcess InjectionExploitation for Defense EvasionSystem Network Configuration DiscoveryStandard Application Layer Protocol
Scheduled TaskHidden Files and DirectoriesSID-History InjectionExtra Window Memory InjectionSystem Network Connections DiscoveryStandard Cryptographic Protocol
ScriptingHookingScheduled TaskFile DeletionSystem Owner/User DiscoveryStandard Non-Application Layer Protocol
Service ExecutionHypervisorService Registry Permissions WeaknessFile Permissions ModificationSystem Service DiscoveryUncommonly Used Port
Signed Binary Proxy ExecutionImage File Execution Options InjectionValid AccountsFile System Logical OffsetsSystem Time DiscoveryWeb Service
Signed Script Proxy ExecutionLSASS DriverWeb ShellHidden Files and Directories
Third-party SoftwareLogon ScriptsImage File Execution Options Injection
Trusted Developer UtilitiesModify Existing ServiceIndicator Blocking
User ExecutionNetsh Helper DLLIndicator Removal from Tools
Windows Management InstrumentationNew ServiceIndicator Removal on Host
Windows Remote ManagementOffice Application StartupIndirect Command Execution
XSL Script ProcessingPath InterceptionInstall Root Certificate
Port MonitorsInstallUtil
Redundant AccessMasquerading
Registry Run Keys / Startup FolderModify Registry
SIP and Trust Provider HijackingMshta
Scheduled TaskNTFS File Attributes
ScreensaverNetwork Share Connection Removal
Security Support ProviderObfuscated Files or Information
Service Registry Permissions WeaknessProcess Doppelgänging
Shortcut ModificationProcess Hollowing
System FirmwareProcess Injection
Time ProvidersRedundant Access
Valid AccountsRegsvcs/Regasm
Web ShellRegsvr32
Windows Management Instrumentation Event SubscriptionRootkit
Winlogon Helper DLLRundll32
SIP and Trust Provider Hijacking
Signed Binary Proxy Execution
Signed Script Proxy Execution
Software Packing
Template Injection
Trusted Developer Utilities
Valid Accounts
Web Service
XSL Script Processing