Enterprise ATT&CK Matrix

Initial Access
  Drive-by Compromise
  Exploit Public-Facing Application
  Hardware Additions
  Spearphishing Attachment
  Spearphishing Link
  Spearphishing via Service
  Supply Chain Compromise
  Trusted Relationship

Execution
  AppleScript
  Command-Line Interface
  Dynamic Data Exchange
  Execution through API
  Execution through Module Load
  Exploitation for Client Execution
  Graphical User Interface
  LSASS Driver
  Scheduled Task
  Service Execution
  Source
  Third-party Software
  User Execution
  Windows Management Instrumentation
  Windows Remote Management

Persistence
  .bash_profile and .bashrc
  Accessibility Features
  AppCert DLLs
  AppInit DLLs
  Application Shimming
  Authentication Package
  Bootkit
  Browser Extensions
  Change Default File Association
  Create Account
  DLL Search Order Hijacking
  Dylib Hijacking
  External Remote Services
  File System Permissions Weakness
  Kernel Modules and Extensions
  LC_LOAD_DYLIB Addition
  Launch Agent
  Launch Daemon
  Local Job Scheduling
  Login Item
  Modify Existing Service
  Netsh Helper DLL
  New Service
  Office Application Startup
  Path Interception
  Port Monitors
  Re-opened Applications
  Registry Run Keys / Startup Folder
  Security Support Provider
  Service Registry Permissions Weakness
  Shortcut Modification
  Startup Items
  System Firmware
  Systemd Service
  Time Providers
  Web Shell
  Windows Management Instrumentation Event Subscription
  Winlogon Helper DLL

Privilege Escalation
  Exploitation for Privilege Escalation
  Image File Execution Options Injection
  SID-History Injection
  Setuid and Setgid
  Sudo Caching

Defense Evasion
  Access Token Manipulation
  Binary Padding
  Bypass User Account Control
  Clear Command History
  Code Signing
  Compile After Delivery
  Compiled HTML File
  Component Firmware
  Component Object Model Hijacking
  Control Panel Items
  DCShadow
  DLL Side-Loading
  Deobfuscate/Decode Files or Information
  Disabling Security Tools
  Execution Guardrails
  Exploitation for Defense Evasion
  Extra Window Memory Injection
  File Deletion
  File Permissions Modification
  File System Logical Offsets
  Gatekeeper Bypass
  Group Policy Modification
  HISTCONTROL
  Hidden Files and Directories
  Hidden Users
  Hidden Window
  Indicator Blocking
  Indicator Removal from Tools
  Indicator Removal on Host
  Indirect Command Execution
  Install Root Certificate
  LC_MAIN Hijacking
  Launchctl
  Modify Registry
  NTFS File Attributes
  Network Share Connection Removal
  Obfuscated Files or Information
  Plist Modification
  Port Knocking
  Process Doppelgänging
  Process Hollowing
  Process Injection
  Redundant Access
  SIP and Trust Provider Hijacking
  Signed Binary Proxy Execution
  Signed Script Proxy Execution
  Software Packing
  Space after Filename
  Template Injection
  Trusted Developer Utilities
  Valid Accounts
  Virtualization/Sandbox Evasion
  XSL Script Processing

Credential Access
  Account Manipulation
  Bash History
  Brute Force
  Credential Dumping
  Credentials in Files
  Credentials in Registry
  Exploitation for Credential Access
  Forced Authentication
  Input Prompt
  Kerberoasting
  LLMNR/NBT-NS Poisoning and Relay
  Network Sniffing
  Password Filter DLL
  Private Keys
  Securityd Memory
  Two-Factor Authentication Interception

Discovery
  Account Discovery
  Application Window Discovery
  Browser Bookmark Discovery
  Domain Trust Discovery
  File and Directory Discovery
  Network Service Scanning
  Network Share Discovery
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery
  Process Discovery
  Query Registry
  Remote System Discovery
  Security Software Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery

Lateral Movement
  Application Deployment Software
  Distributed Component Object Model
  Exploitation of Remote Services
  Logon Scripts
  Pass the Hash
  Pass the Ticket
  Remote Desktop Protocol
  Remote Services
  Replication Through Removable Media
  SSH Hijacking
  Shared Webroot
  Taint Shared Content
  Windows Admin Shares

Collection
  Audio Capture
  Automated Collection
  Clipboard Data
  Data Staged
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection
  Input Capture
  Man in the Browser
  Screen Capture
  Video Capture

Exfiltration
  Automated Exfiltration
  Data Compressed
  Data Encrypted
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
  Exfiltration Over Command and Control Channel
  Exfiltration Over Other Network Medium
  Exfiltration Over Physical Medium
  Scheduled Transfer

Command and Control
  Commonly Used Port
  Communication Through Removable Media
  Connection Proxy
  Custom Command and Control Protocol
  Custom Cryptographic Protocol
  Data Encoding
  Data Obfuscation
  Domain Fronting
  Domain Generation Algorithms
  Fallback Channels
  Multi-Stage Channels
  Multi-hop Proxy
  Multiband Communication
  Multilayer Encryption
  Remote Access Tools
  Remote File Copy
  Standard Application Layer Protocol
  Standard Cryptographic Protocol
  Standard Non-Application Layer Protocol
  Uncommonly Used Port
  Web Service

Impact
  Data Destruction
  Data Encrypted for Impact
  Defacement
  Disk Content Wipe
  Disk Structure Wipe
  Endpoint Denial of Service
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service
  Resource Hijacking
  Runtime Data Manipulation
  Service Stop
  Stored Data Manipulation
  Transmitted Data Manipulation