Enterprise ATT&CK Matrix

Techniques grouped by tactic column. Each technique is listed once, under the first tactic column in which it appears; several techniques (for example Scheduled Task, Valid Accounts, Remote File Copy and Windows Remote Management) belong to more than one tactic in the full matrix.

Initial Access
  Drive-by Compromise
  Exploit Public-Facing Application
  Hardware Additions
  Spearphishing Attachment
  Spearphishing Link
  Spearphishing via Service
  Supply Chain Compromise
  Trusted Relationship

Execution
  AppleScript
  Command-Line Interface
  Dynamic Data Exchange
  Execution through API
  Execution through Module Load
  Exploitation for Client Execution
  Graphical User Interface
  LSASS Driver
  Scheduled Task
  Service Execution
  Source
  Third-party Software
  Trap
  User Execution
  Windows Management Instrumentation
  Windows Remote Management

Persistence
  .bash_profile and .bashrc
  Accessibility Features
  AppCert DLLs
  AppInit DLLs
  Application Shimming
  Authentication Package
  Bootkit
  Browser Extensions
  Change Default File Association
  Create Account
  DLL Search Order Hijacking
  Dylib Hijacking
  External Remote Services
  File System Permissions Weakness
  Hooking
  Hypervisor
  Kernel Modules and Extensions
  LC_LOAD_DYLIB Addition
  Launch Agent
  Launch Daemon
  Local Job Scheduling
  Login Item
  Modify Existing Service
  Netsh Helper DLL
  New Service
  Office Application Startup
  Path Interception
  Port Monitors
  Re-opened Applications
  Registry Run Keys / Startup Folder
  Security Support Provider
  Service Registry Permissions Weakness
  Shortcut Modification
  Startup Items
  System Firmware
  Time Providers
  Web Shell
  Windows Management Instrumentation Event Subscription
  Winlogon Helper DLL

Privilege Escalation
  Exploitation for Privilege Escalation
  Image File Execution Options Injection
  SID-History Injection
  Setuid and Setgid
  Sudo Caching

Defense Evasion
  Access Token Manipulation
  Binary Padding
  Bypass User Account Control
  Clear Command History
  Code Signing
  Compiled HTML File
  Component Firmware
  Component Object Model Hijacking
  Control Panel Items
  DCShadow
  DLL Side-Loading
  Deobfuscate/Decode Files or Information
  Disabling Security Tools
  Exploitation for Defense Evasion
  Extra Window Memory Injection
  File Deletion
  File Permissions Modification
  File System Logical Offsets
  Gatekeeper Bypass
  HISTCONTROL
  Hidden Files and Directories
  Hidden Users
  Hidden Window
  Indicator Blocking
  Indicator Removal from Tools
  Indicator Removal on Host
  Indirect Command Execution
  Install Root Certificate
  InstallUtil
  LC_MAIN Hijacking
  Launchctl
  Masquerading
  Modify Registry
  NTFS File Attributes
  Network Share Connection Removal
  Obfuscated Files or Information
  Plist Modification
  Port Knocking
  Process Doppelgänging
  Process Hollowing
  Process Injection
  Redundant Access
  SIP and Trust Provider Hijacking
  Signed Binary Proxy Execution
  Signed Script Proxy Execution
  Software Packing
  Space after Filename
  Template Injection
  Trusted Developer Utilities
  Valid Accounts
  XSL Script Processing

Credential Access
  Account Manipulation
  Bash History
  Brute Force
  Credential Dumping
  Credentials in Files
  Credentials in Registry
  Exploitation for Credential Access
  Forced Authentication
  Input Prompt
  Kerberoasting
  Keychain
  LLMNR/NBT-NS Poisoning
  Network Sniffing
  Password Filter DLL
  Private Keys
  Securityd Memory
  Two-Factor Authentication Interception

Discovery
  Account Discovery
  Application Window Discovery
  Browser Bookmark Discovery
  File and Directory Discovery
  Network Service Scanning
  Network Share Discovery
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery
  Process Discovery
  Query Registry
  Remote System Discovery
  Security Software Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery

Lateral Movement
  Application Deployment Software
  Distributed Component Object Model
  Exploitation of Remote Services
  Logon Scripts
  Pass the Hash
  Pass the Ticket
  Remote Desktop Protocol
  Remote Services
  Replication Through Removable Media
  SSH Hijacking
  Shared Webroot
  Taint Shared Content
  Windows Admin Shares

Collection
  Audio Capture
  Automated Collection
  Clipboard Data
  Data Staged
  Data from Information Repositories
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Email Collection
  Input Capture
  Man in the Browser
  Screen Capture
  Video Capture

Exfiltration
  Automated Exfiltration
  Data Compressed
  Data Encrypted
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol
  Exfiltration Over Command and Control Channel
  Exfiltration Over Other Network Medium
  Exfiltration Over Physical Medium
  Scheduled Transfer

Command and Control
  Commonly Used Port
  Communication Through Removable Media
  Connection Proxy
  Custom Command and Control Protocol
  Custom Cryptographic Protocol
  Data Encoding
  Data Obfuscation
  Domain Fronting
  Fallback Channels
  Multi-Stage Channels
  Multi-hop Proxy
  Multiband Communication
  Multilayer Encryption
  Remote Access Tools
  Remote File Copy
  Standard Application Layer Protocol
  Standard Cryptographic Protocol
  Standard Non-Application Layer Protocol
  Uncommonly Used Port
  Web Service