ADVERSARY TACTICS & TECHNIQUES

MITRE ATT&CK
matrix.

The full Enterprise matrix — 365 techniques across 14 tactics. Click any technique for detection guidance, data sources, and mitigations. Or search with our ATT&CK lookup tool.

Reconnaissance

12 TECHNIQUES

T1589 Gather Victim Identity Information
T1590 Gather Victim Network Information
T1591 Gather Victim Org Information
T1592 Gather Victim Host Information
T1593 Search Open Websites/Domains
T1594 Search Victim-Owned Websites
T1595 Active Scanning
T1596 Search Open Technical Databases
T1597 Search Closed Sources
T1598 Phishing for Information
T1681 Search Threat Vendor Data
T1682 Query Public AI Services

Resource Development

9 TECHNIQUES

T1583 Acquire Infrastructure
T1584 Compromise Infrastructure
T1585 Establish Accounts
T1586 Compromise Accounts
T1587 Develop Capabilities
T1588 Obtain Capabilities
T1608 Stage Capabilities
T1650 Acquire Access
T1683 Generate Content

Initial Access

14 TECHNIQUES

T1078 Valid Accounts
T1091 Replication Through Removable Media
T1133 External Remote Services
T1189 Drive-by Compromise
T1190 Exploit Public-Facing Application
T1192 Spearphishing Link
T1193 Spearphishing Attachment
T1194 Spearphishing via Service
T1195 Supply Chain Compromise
T1199 Trusted Relationship
T1200 Hardware Additions
T1566 Phishing
T1659 Content Injection
T1669 Wi-Fi Networks

Execution

42 TECHNIQUES

T1028 Windows Remote Management
T1035 Service Execution
T1047 Windows Management Instrumentation
T1053 Scheduled Task/Job
T1059 Command and Scripting Interpreter
T1061 Graphical User Interface
T1064 Scripting
T1072 Software Deployment Tools
T1085 Rundll32
T1086 PowerShell
T1106 Native API
T1117 Regsvr32
T1118 InstallUtil
T1121 Regsvcs/Regasm
T1127 Trusted Developer Utilities Proxy Execution
T1129 Shared Modules
T1151 Space after Filename
T1152 Launchctl
T1153 Source
T1154 Trap
T1155 AppleScript
T1168 Local Job Scheduling
T1170 Mshta
T1173 Dynamic Data Exchange
T1175 Component Object Model and Distributed COM
T1177 LSASS Driver
T1191 CMSTP
T1196 Control Panel Items
T1197 BITS Jobs
T1203 Exploitation for Client Execution
T1204 User Execution
T1223 Compiled HTML File
T1559 Inter-Process Communication
T1569 System Services
T1574 Hijack Execution Flow
T1609 Container Administration Command
T1610 Deploy Container
T1648 Serverless Execution
T1651 Cloud Administration Command
T1674 Input Injection
T1675 ESXi Administration Command
T1677 Poisoned Pipeline Execution

Persistence

73 TECHNIQUES

T1004 Winlogon Helper DLL
T1013 Port Monitors
T1015 Accessibility Features
T1019 System Firmware
T1023 Shortcut Modification
T1031 Modify Existing Service
T1034 Path Interception
T1037 Boot or Logon Initialization Scripts
T1038 DLL Search Order Hijacking
T1042 Change Default File Association
T1044 File System Permissions Weakness
T1050 New Service
T1053 Scheduled Task/Job
T1058 Service Registry Permissions Weakness
T1060 Registry Run Keys / Startup Folder
T1062 Hypervisor
T1067 Bootkit
T1078 Valid Accounts
T1084 Windows Management Instrumentation Event Subscription
T1098 Account Manipulation
T1100 Web Shell
T1101 Security Support Provider
T1103 AppInit DLLs
T1108 Redundant Access
T1109 Component Firmware
T1112 Modify Registry
T1122 Component Object Model Hijacking
T1128 Netsh Helper DLL
T1131 Authentication Package
T1133 External Remote Services
T1136 Create Account
T1137 Office Application Startup
T1138 Application Shimming
T1150 Plist Modification
T1152 Launchctl
T1154 Trap
T1156 Malicious Shell Modification
T1157 Dylib Hijacking
T1158 Hidden Files and Directories
T1159 Launch Agent
T1160 Launch Daemon
T1161 LC_LOAD_DYLIB Addition
T1162 Login Item
T1163 Rc.common
T1164 Re-opened Applications
T1165 Startup Items
T1166 Setuid and Setgid
T1168 Local Job Scheduling
T1176 Software Extensions
T1177 LSASS Driver
T1179 Hooking
T1180 Screensaver
T1182 AppCert DLLs
T1183 Image File Execution Options Injection
T1197 BITS Jobs
T1198 SIP and Trust Provider Hijacking
T1205 Traffic Signaling
T1209 Time Providers
T1215 Kernel Modules and Extensions
T1501 Systemd Service
T1504 PowerShell Profile
T1505 Server Software Component
T1519 Emond
T1525 Implant Internal Image
T1542 Pre-OS Boot
T1543 Create or Modify System Process
T1546 Event Triggered Execution
T1547 Boot or Logon Autostart Execution
T1554 Compromise Host Software Binary
T1556 Modify Authentication Process
T1653 Power Settings
T1668 Exclusive Control
T1671 Cloud Application Integration

Privilege Escalation

40 TECHNIQUES

T1013 Port Monitors
T1015 Accessibility Features
T1034 Path Interception
T1037 Boot or Logon Initialization Scripts
T1038 DLL Search Order Hijacking
T1044 File System Permissions Weakness
T1050 New Service
T1053 Scheduled Task/Job
T1055 Process Injection
T1058 Service Registry Permissions Weakness
T1068 Exploitation for Privilege Escalation
T1078 Valid Accounts
T1088 Bypass User Account Control
T1098 Account Manipulation
T1100 Web Shell
T1103 AppInit DLLs
T1134 Access Token Manipulation
T1138 Application Shimming
T1150 Plist Modification
T1157 Dylib Hijacking
T1160 Launch Daemon
T1165 Startup Items
T1166 Setuid and Setgid
T1169 Sudo
T1178 SID-History Injection
T1179 Hooking
T1181 Extra Window Memory Injection
T1182 AppCert DLLs
T1183 Image File Execution Options Injection
T1206 Sudo Caching
T1484 Domain or Tenant Policy Modification
T1502 Parent PID Spoofing
T1504 PowerShell Profile
T1514 Elevated Execution with Prompt
T1519 Emond
T1543 Create or Modify System Process
T1546 Event Triggered Execution
T1547 Boot or Logon Autostart Execution
T1548 Abuse Elevation Control Mechanism
T1611 Escape to Host

Credential Access

30 TECHNIQUES

T1003 OS Credential Dumping
T1040 Network Sniffing
T1056 Input Capture
T1081 Credentials in Files
T1110 Brute Force
T1111 Multi-Factor Authentication Interception
T1139 Bash History
T1141 Input Prompt
T1142 Keychain
T1145 Private Keys
T1167 Securityd Memory
T1171 LLMNR/NBT-NS Poisoning and Relay
T1174 Password Filter DLL
T1179 Hooking
T1187 Forced Authentication
T1208 Kerberoasting
T1212 Exploitation for Credential Access
T1214 Credentials in Registry
T1503 Credentials from Web Browsers
T1522 Cloud Instance Metadata API
T1528 Steal Application Access Token
T1539 Steal Web Session Cookie
T1552 Unsecured Credentials
T1555 Credentials from Password Stores
T1556 Modify Authentication Process
T1557 Adversary-in-the-Middle
T1558 Steal or Forge Kerberos Tickets
T1606 Forge Web Credentials
T1621 Multi-Factor Authentication Request Generation
T1649 Steal or Forge Authentication Certificates

Discovery

35 TECHNIQUES

T1007 System Service Discovery
T1010 Application Window Discovery
T1012 Query Registry
T1016 System Network Configuration Discovery
T1018 Remote System Discovery
T1033 System Owner/User Discovery
T1040 Network Sniffing
T1046 Network Service Discovery
T1049 System Network Connections Discovery
T1057 Process Discovery
T1063 Security Software Discovery
T1069 Permission Groups Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1087 Account Discovery
T1120 Peripheral Device Discovery
T1124 System Time Discovery
T1135 Network Share Discovery
T1201 Password Policy Discovery
T1217 Browser Information Discovery
T1482 Domain Trust Discovery
T1497 Virtualization/Sandbox Evasion
T1518 Software Discovery
T1526 Cloud Service Discovery
T1538 Cloud Service Dashboard
T1580 Cloud Infrastructure Discovery
T1613 Container and Resource Discovery
T1614 System Location Discovery
T1615 Group Policy Discovery
T1619 Cloud Storage Object Discovery
T1622 Debugger Evasion
T1652 Device Driver Discovery
T1654 Log Enumeration
T1673 Virtual Machine Discovery
T1680 Local Storage Discovery

Lateral Movement

20 TECHNIQUES

T1017 Application Deployment Software
T1021 Remote Services
T1028 Windows Remote Management
T1051 Shared Webroot
T1072 Software Deployment Tools
T1075 Pass the Hash
T1076 Remote Desktop Protocol
T1077 Windows Admin Shares
T1080 Taint Shared Content
T1091 Replication Through Removable Media
T1097 Pass the Ticket
T1175 Component Object Model and Distributed COM
T1184 SSH Hijacking
T1210 Exploitation of Remote Services
T1506 Web Session Cookie
T1527 Application Access Token
T1534 Internal Spearphishing
T1550 Use Alternate Authentication Material
T1563 Remote Service Session Hijacking
T1570 Lateral Tool Transfer

Collection

17 TECHNIQUES

T1005 Data from Local System
T1025 Data from Removable Media
T1039 Data from Network Shared Drive
T1056 Input Capture
T1074 Data Staged
T1113 Screen Capture
T1114 Email Collection
T1115 Clipboard Data
T1119 Automated Collection
T1123 Audio Capture
T1125 Video Capture
T1185 Browser Session Hijacking
T1213 Data from Information Repositories
T1530 Data from Cloud Storage
T1557 Adversary-in-the-Middle
T1560 Archive Collected Data
T1602 Data from Configuration Repository

Command and Control

28 TECHNIQUES

T1001 Data Obfuscation
T1008 Fallback Channels
T1024 Custom Cryptographic Protocol
T1026 Multiband Communication
T1032 Standard Cryptographic Protocol
T1043 Commonly Used Port
T1065 Uncommonly Used Port
T1071 Application Layer Protocol
T1079 Multilayer Encryption
T1090 Proxy
T1092 Communication Through Removable Media
T1094 Custom Command and Control Protocol
T1095 Non-Application Layer Protocol
T1102 Web Service
T1104 Multi-Stage Channels
T1105 Ingress Tool Transfer
T1132 Data Encoding
T1172 Domain Fronting
T1188 Multi-hop Proxy
T1205 Traffic Signaling
T1219 Remote Access Tools
T1483 Domain Generation Algorithms
T1568 Dynamic Resolution
T1571 Non-Standard Port
T1572 Protocol Tunneling
T1573 Encrypted Channel
T1659 Content Injection
T1665 Hide Infrastructure

Exfiltration

11 TECHNIQUES

T1002 Data Compressed
T1011 Exfiltration Over Other Network Medium
T1020 Automated Exfiltration
T1022 Data Encrypted
T1029 Scheduled Transfer
T1030 Data Transfer Size Limits
T1041 Exfiltration Over C2 Channel
T1048 Exfiltration Over Alternative Protocol
T1052 Exfiltration Over Physical Medium
T1537 Transfer Data to Cloud Account
T1567 Exfiltration Over Web Service

Impact