Enterprise ATT&CK Matrix

The matrix has eleven tactic columns (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control). Each column is reproduced below as one group, with its techniques in the order they appear in the matrix; a technique that ATT&CK maps to more than one tactic is listed here only once, in a single column, exactly as in the matrix.

Initial Access

  Drive-by Compromise
  Exploit Public-Facing Application
  Hardware Additions
  Spearphishing Attachment
  Spearphishing Link
  Spearphishing via Service
  Supply Chain Compromise
  Trusted Relationship

Execution

  AppleScript
  Command-Line Interface
  Dynamic Data Exchange
  Execution through API
  Execution through Module Load
  Exploitation for Client Execution
  Graphical User Interface
  LSASS Driver
  PowerShell
  Scheduled Task
  Service Execution
  Source
  Third-party Software
  Trap
  User Execution
  Windows Management Instrumentation
  Windows Remote Management

Persistence

  .bash_profile and .bashrc
  Accessibility Features
  AppCert DLLs
  AppInit DLLs
  Application Shimming
  Authentication Package
  Bootkit
  Browser Extensions
  Change Default File Association
  Create Account
  DLL Search Order Hijacking
  Dylib Hijacking
  External Remote Services
  File System Permissions Weakness
  Hooking
  Hypervisor
  Kernel Modules and Extensions
  LC_LOAD_DYLIB Addition
  Launch Agent
  Launch Daemon
  Local Job Scheduling
  Login Item
  Modify Existing Service
  Netsh Helper DLL
  New Service
  Office Application Startup
  Path Interception
  Port Monitors
  Rc.common
  Re-opened Applications
  Registry Run Keys / Startup Folder
  Screensaver
  Security Support Provider
  Service Registry Permissions Weakness
  Shortcut Modification
  Startup Items
  System Firmware
  Time Providers
  Web Shell
  Windows Management Instrumentation Event Subscription
  Winlogon Helper DLL

Privilege Escalation

  Exploitation for Privilege Escalation
  Image File Execution Options Injection
  SID-History Injection
  Setuid and Setgid
  Sudo
  Sudo Caching

Defense Evasion

  Access Token Manipulation
  BITS Jobs
  Binary Padding
  Bypass User Account Control
  CMSTP
  Clear Command History
  Code Signing
  Compiled HTML File
  Component Firmware
  Component Object Model Hijacking
  Control Panel Items
  DCShadow
  DLL Side-Loading
  Deobfuscate/Decode Files or Information
  Disabling Security Tools
  Exploitation for Defense Evasion
  Extra Window Memory Injection
  File Deletion
  File Permissions Modification
  File System Logical Offsets
  Gatekeeper Bypass
  HISTCONTROL
  Hidden Files and Directories
  Hidden Users
  Hidden Window
  Indicator Blocking
  Indicator Removal from Tools
  Indicator Removal on Host
  Indirect Command Execution
  Install Root Certificate
  InstallUtil
  LC_MAIN Hijacking
  Launchctl
  Masquerading
  Modify Registry
  Mshta
  NTFS File Attributes
  Network Share Connection Removal
  Obfuscated Files or Information
  Plist Modification
  Port Knocking
  Process Doppelgänging
  Process Hollowing
  Process Injection
  Redundant Access
  Regsvcs/Regasm
  Regsvr32
  Rootkit
  Rundll32
  SIP and Trust Provider Hijacking
  Scripting
  Signed Binary Proxy Execution
  Signed Script Proxy Execution
  Software Packing
  Space after Filename
  Template Injection
  Timestomp
  Trusted Developer Utilities
  Valid Accounts
  XSL Script Processing

Credential Access

  Account Manipulation
  Bash History
  Brute Force
  Credential Dumping
  Credentials in Files
  Credentials in Registry
  Exploitation for Credential Access
  Forced Authentication
  Input Prompt
  Kerberoasting
  Keychain
  LLMNR/NBT-NS Poisoning
  Network Sniffing
  Password Filter DLL
  Private Keys
  Securityd Memory
  Two-Factor Authentication Interception

Discovery

  Account Discovery
  Application Window Discovery
  Browser Bookmark Discovery
  File and Directory Discovery
  Network Service Scanning
  Network Share Discovery
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery
  Process Discovery
  Query Registry
  Remote System Discovery
  Security Software Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery

Lateral Movement

  Application Deployment Software
  Distributed Component Object Model
  Exploitation of Remote Services
  Logon Scripts
  Pass the Hash
  Pass the Ticket
  Remote Desktop Protocol
  Remote Services
  Replication Through Removable Media
  SSH Hijacking
  Shared Webroot
  Taint Shared Content
  Windows Admin Shares

Collection

  Audio Capture
  Automated Collection
  Clipboard Data
  Data Staged
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection
  Input Capture
  Man in the Browser
  Screen Capture
  Video Capture

Exfiltration

  Automated Exfiltration
  Data Compressed
  Data Encrypted
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
  Exfiltration Over Command and Control Channel
  Exfiltration Over Other Network Medium
  Exfiltration Over Physical Medium
  Scheduled Transfer

Command and Control

  Commonly Used Port
  Communication Through Removable Media
  Connection Proxy
  Custom Command and Control Protocol
  Custom Cryptographic Protocol
  Data Encoding
  Data Obfuscation
  Domain Fronting
  Fallback Channels
  Multi-Stage Channels
  Multi-hop Proxy
  Multiband Communication
  Multilayer Encryption
  Remote Access Tools
  Remote File Copy
  Standard Application Layer Protocol
  Standard Cryptographic Protocol
  Standard Non-Application Layer Protocol
  Uncommonly Used Port
  Web Service