Enterprise ATT&CK Matrix¶

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Impact
Drive-by Compromise	AppleScript	.bash_profile and .bashrc Modifications of .bash_profile and .bashrc (l, m)	Exploitation for Privilege Escalation	Access Token Manipulation	Account Manipulation	Account Discovery Account Discovery via Built-In Tools (l, m, w) Discovery and Enumeration of System Information via Rundll32 (w)	Application Deployment Software	Audio Capture Audio Capture via PowerShell (w) Audio Capture via SoundRecorder (w)	Automated Exfiltration	Commonly Used Port	Data Destruction
Exploit Public-Facing Application	Command-Line Interface	Accessibility Features Image Debuggers for Accessibility Features (w)	Image File Execution Options Injection Image Debuggers for Accessibility Features (w)	BITS Jobs Suspicious Bitsadmin Job via bitsadmin.exe (w) Suspicious Bitsadmin Job via PowerShell (w)	Bash History	Application Window Discovery	Distributed Component Object Model	Automated Collection	Data Compressed Command-Line Creation of a RAR file (w)	Communication Through Removable Media	Data Encrypted for Impact
Hardware Additions	Dynamic Data Exchange Executable Written and Executed by Microsoft Office Applications (w)	AppCert DLLs AppCert DLLs Registry Modification (w)	SID-History Injection	Binary Padding	Brute Force	Browser Bookmark Discovery	Exploitation of Remote Services	Clipboard Data Reading the Clipboard with pbpaste (m)	Data Encrypted	Connection Proxy	Defacement
Spearphishing Attachment	Execution through API	AppInit DLLs Persistence via AppInit DLL (w)	Setuid and Setgid	Bypass User Account Control Bypass UAC via CMSTP (w)	Credential Dumping Suspicious Process Loading Credential Vault DLL (w) Credential Enumeration via Credential Vault CLI (w) LSASS Memory Dumping (w) AD Dumping via Ntdsutil.exe (w) LSASS Memory Dumping via ProcDump.exe (w) SAM Dumping via Reg.exe (w)	Domain Trust Discovery Domain Trust Discovery via Nltest.exe (w) Domain Trust Discovery (w)	Logon Scripts Modification of Logon Scripts from Registry (w)	Data Staged WMI Execution with Command Line Redirection (w) Creation of an Archive with Common Archivers (l, m)	Data Transfer Size Limits	Custom Command and Control Protocol	Disk Content Wipe
Spearphishing Link	Execution through Module Load	Application Shimming Installing Custom Shim Databases (w)	Sudo	CMSTP Execution via cmstp.exe (w) Bypass UAC via CMSTP (w)	Credentials in Files Searching for Passwords in Files (l, m) Searching for Passwords in Files (w)	File and Directory Discovery	Pass the Hash	Data from Information Repositories	Exfiltration Over Alternative Protocol	Custom Cryptographic Protocol	Disk Structure Wipe
Spearphishing via Service	Exploitation for Client Execution	Authentication Package LSA Authentication Package (w)	Sudo Caching	Clear Command History	Credentials in Registry	Network Service Scanning Network Service Scanning via Port (l, m, w)	Pass the Ticket	Data from Local System	Exfiltration Over Command and Control Channel	Data Encoding	Endpoint Denial of Service
Supply Chain Compromise	Graphical User Interface	Bootkit		Code Signing	Exploitation for Credential Access	Network Share Discovery Enumeration of Local Shares (w) Enumeration of Remote Shares (w)	Remote Desktop Protocol Remote Desktop Protocol Hijack (w)	Data from Network Shared Drive	Exfiltration Over Other Network Medium	Data Obfuscation	Firmware Corruption
Trusted Relationship	LSASS Driver	Browser Extensions Suspicious File Creation via Browser Extensions (m, w)		Compile After Delivery	Forced Authentication	Password Policy Discovery Password Policy Enumeration (l)	Remote Services Remote Terminal Sessions (l, m, w)	Data from Removable Media	Exfiltration Over Physical Medium	Domain Fronting	Inhibit System Recovery Modification of Boot Configuration (w) Volume Shadow Copy Deletion via VssAdmin (w) Volume Shadow Copy Deletion via WMIC (w)
	PowerShell	Change Default File Association Change Default File Association (w)		Compiled HTML File HH.exe execution (w)	Input Prompt	Peripheral Device Discovery	Replication Through Removable Media	Email Collection Access of Outlook Email Archives (w)	Scheduled Transfer	Domain Generation Algorithms	Network Denial of Service
	Scheduled Task Creation of Scheduled Task with schtasks.exe (w)	Create Account User Account Creation (w)		Component Firmware	Kerberoasting	Permission Groups Discovery Discovery of Domain Groups (l, m)	SSH Hijacking	Input Capture		Fallback Channels	Resource Hijacking
	Service Execution Execution of Existing Service via Command (w)	DLL Search Order Hijacking DLL Search Order Hijacking with known programs (w)		Component Object Model Hijacking COM Hijack via Script Object (w)	Keychain	Process Discovery Process Discovery via Built-In Applications (l, m) Process Discovery via Windows Tools (w)	Shared Webroot	Man in the Browser		Multi-Stage Channels	Runtime Data Manipulation
	Source	Dylib Hijacking		Control Panel Items Control Panel Items (w)	LLMNR/NBT-NS Poisoning and Relay	Query Registry	Taint Shared Content	Screen Capture		Multi-hop Proxy	Service Stop Service Stop or Disable with sc.exe (w) Stopping Services with net.exe (w)
	Third-party Software	External Remote Services		DCShadow	Network Sniffing	Remote System Discovery Windows Network Enumeration (w) Remote System Discovery Commands (w)	Windows Admin Shares Mounting Hidden Shares (w) Mounting Windows Hidden Shares with net.exe (w)	Video Capture		Multiband Communication	Stored Data Manipulation
	Trap Trap Signals Usage (l, m)	File System Permissions Weakness		DLL Side-Loading	Password Filter DLL Registration of a Password Filter DLL (w)	Security Software Discovery Process Discovery via Built-In Applications (l, m) Process Discovery via Windows Tools (w)				Multilayer Encryption	Transmitted Data Manipulation
	User Execution Executable Written and Executed by Microsoft Office Applications (w)	Hooking		Deobfuscate/Decode Files or Information Encoding or Decoding Files via CertUtil (w)	Private Keys	System Information Discovery Enumeration of System Information (l) Enumeration of System Information (w) System Information Discovery (w)				Remote Access Tools
	Windows Management Instrumentation WMI Execution via Microsoft Office Application (w) Remote Execution via WMIC (w)	Hypervisor		Disabling Security Tools Unload Sysmon Filter Driver with fltmc.exe (w)	Securityd Memory	System Network Configuration Discovery Discovery of Network Environment via Built-in Tools (l, m) Discovery of Network Environment via Built-in Tools (w)				Remote File Copy
	Windows Remote Management Incoming Remote PowerShell Sessions (w)	Kernel Modules and Extensions Creation of Kernel Module (l) Loading Kernel Modules with kextload (m)		Execution Guardrails	Two-Factor Authentication Interception	System Network Connections Discovery Enumeration of Mounted Shares (w) System Network Connections Discovery (l, m)				Standard Application Layer Protocol Non-browser processes making DNS requests to Dynamic DNS Providers (w)
		LC_LOAD_DYLIB Addition		Exploitation for Defense Evasion		System Owner/User Discovery System Owner and User Discovery (w) Discovery and Enumeration of System Information via Rundll32 (w)				Standard Cryptographic Protocol
		Launch Agent Persistent process via Launch Agent (m)		Extra Window Memory Injection		System Service Discovery				Standard Non-Application Layer Protocol
		Launch Daemon Launch Daemon Persistence (m)		File Deletion		System Time Discovery Discovery of a Remote System’s Time (w)				Uncommonly Used Port
		Local Job Scheduling Local Job Scheduling Paths (l, m) Local Job Scheduling Process (l, m)		File Permissions Modification Windows File Permissions Modification (w)						Web Service
		Login Item		File System Logical Offsets
		Modify Existing Service Service Path Modification with sc.exe (w)		Gatekeeper Bypass Potential Gatekeeper Bypass (m)
		Netsh Helper DLL Persistence via NetSh Key (w)		Group Policy Modification
		New Service		HISTCONTROL
		Office Application Startup Office Application Startup via Template File Modification (w) Office Application Startup via Template Registry Modification (w)		Hidden Files and Directories Adding the Hidden File Attribute with via attrib.exe (w)
		Path Interception		Hidden Users
		Port Monitors Installation of Port Monitor (w)		Hidden Window
		Rc.common Modification of rc.common Script (m)		Indicator Blocking
		Re-opened Applications Resumed Application on Reboot (m)		Indicator Removal from Tools
		Registry Run Keys / Startup Folder Startup Folder Execution via VBScript (w) Startup Folder Persistence with Shortcut/VBScript Files (w) Registry Persistence via Run Keys (w) Registry Persistence via Shell Folders (w)		Indicator Removal on Host Delete Volume USN Journal with fsutil (w) Host Artifact Deletion (w) Clearing Windows Event Logs with wevtutil (w)
		Screensaver Persistence via Screensaver (w)		Indirect Command Execution Indirect Command Execution (w)
		Security Support Provider Installation of Security Support Provider (w)		Install Root Certificate Root Certificate Install (w)
		Service Registry Permissions Weakness		InstallUtil InstallUtil Execution (w)
		Shortcut Modification		LC_MAIN Hijacking
		Startup Items		Launchctl
		System Firmware		Masquerading Processes Running with Unusual Extensions (w)
		Systemd Service Creation or Modification of Systemd Service (l)		Modify Registry Suspicious MS Office Registry Modifications (w)
		Time Providers Installation of Time Providers (w)		Mshta Mshta Descendant of Microsoft Office (w) Mshta Network Connections (w)
		Web Shell		NTFS File Attributes Suspicious ADS File Creation (w)
		Windows Management Instrumentation Event Subscription		Network Share Connection Removal Disconnecting from Network Shares with net.exe (w)
		Winlogon Helper DLL Registration of Winlogon Helper DLL (w)		Obfuscated Files or Information
				Plist Modification Plist Modification (m)
				Port Knocking
				Process Doppelgänging
				Process Hollowing Unusual Child Process (w)
				Process Injection Modification of ld.so.preload (l) Unusual Child Process (w)
				Redundant Access
				Regsvcs/Regasm
				Regsvr32 Suspicious Script Object Execution (w)
				Rootkit
				Rundll32
				SIP and Trust Provider Hijacking
				Scripting
				Signed Binary Proxy Execution
				Signed Script Proxy Execution Proxied Execution via Signed Scripts (w)
				Software Packing
				Space after Filename Processes with Trailing Spaces (l, m)
				Template Injection MS Office Template Injection (w)
				Timestomp
				Trusted Developer Utilities
				Valid Accounts
				Virtualization/Sandbox Evasion
				XSL Script Processing