Currently viewing ATT&CK v13.1, which was live between April 25, 2023 and October 30, 2023. Learn more about the versioning system or see the live site.