Enterprise ATT&CK
Reconnaissance
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Search Threat Vendor Data
Search Victim-Owned Websites
Resource Development
Acquire Access
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Stage Capabilities
Initial Access
Content Injection
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Phishing
Replication Through Removable Media
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Wi-Fi Networks
Spearphishing Link
Spearphishing Attachment
Spearphishing via Service
Execution
Cloud Administration Command
Command and Scripting Interpreter
Container Administration Command
Deploy Container
ESXi Administration Command
Exploitation for Client Execution
Input Injection
Inter-Process Communication
Native API
Poisoned Pipeline Execution
Scheduled Task/Job
Serverless Execution
Shared Modules
Software Deployment Tools
System Services
User Execution
Windows Management Instrumentation
Regsvcs/Regasm
Source
Launchctl
AppleScript
Rundll32
Regsvr32
LSASS Driver
Component Object Model and Distributed COM
CMSTP
Scripting
Control Panel Items
Mshta
Graphical User Interface
Trap
Local Job Scheduling
Windows Remote Management
Compiled HTML File
Space after Filename
Dynamic Data Exchange
Service Execution
PowerShell
InstallUtil
Persistence
Account Manipulation
BITS Jobs
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Cloud Application Integration
Compromise Host Software Binary
Create Account
Create or Modify System Process
Event Triggered Execution
Exclusive Control
External Remote Services
Hijack Execution Flow
Implant Internal Image
Modify Authentication Process
Modify Registry
Office Application Startup
Power Settings
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Software Extensions
Traffic Signaling
Valid Accounts
Malicious Shell Modification
Bootkit
LC_LOAD_DYLIB Addition
Plist Modification
File System Permissions Weakness
Systemd Service
Component Firmware
Rc.common
Port Monitors
Screensaver
Startup Items
AppInit DLLs
Login Item
Service Registry Permissions Weakness
DLL Search Order Hijacking
New Service
Hypervisor
AppCert DLLs
Winlogon Helper DLL
Authentication Package
Launchctl
Image File Execution Options Injection
Modify Existing Service
Hooking
System Firmware
Change Default File Association
Re-opened Applications
Redundant Access
Kernel Modules and Extensions
Security Support Provider
LSASS Driver
PowerShell Profile
SIP and Trust Provider Hijacking
Application Shimming
Registry Run Keys / Startup Folder
Shortcut Modification
Component Object Model Hijacking
Accessibility Features
Dylib Hijacking
Trap
Netsh Helper DLL
Local Job Scheduling
Setuid and Setgid
Web Shell
Path Interception
Emond
Hidden Files and Directories
Time Providers
Launch Agent
Windows Management Instrumentation Event Subscription
Launch Daemon
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain or Tenant Policy Modification
Escape to Host
Event Triggered Execution
Exploitation for Privilege Escalation
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Plist Modification
File System Permissions Weakness
Elevated Execution with Prompt
SID-History Injection
Port Monitors
Sudo Caching
Startup Items
AppInit DLLs
Service Registry Permissions Weakness
DLL Search Order Hijacking
New Service
AppCert DLLs
Extra Window Memory Injection
Image File Execution Options Injection
Hooking
PowerShell Profile
Application Shimming
Accessibility Features
Parent PID Spoofing
Sudo
Dylib Hijacking
Setuid and Setgid
Web Shell
Path Interception
Bypass User Account Control
Emond
Launch Daemon
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
BITS Jobs
Build Image on Host
Debugger Evasion
Delay Execution
Deobfuscate/Decode Files or Information
Deploy Container
Direct Volume Access
Domain or Tenant Policy Modification
Email Spoofing
Execution Guardrails
Exploitation for Defense Evasion
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Impersonation
Indicator Removal
Indirect Command Execution
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify Cloud Resource Hierarchy
Modify Registry
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Plist File Modification
Pre-OS Boot
Process Injection
Reflective Code Loading
Rogue Domain Controller
Rootkit
Selective Exclusion
Subvert Trust Controls
System Binary Proxy Execution
System Script Proxy Execution
Template Injection
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Unused/Unsupported Cloud Regions
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
XSL Script Processing
Indicator Removal from Tools
Hidden Window
Plist Modification
HISTCONTROL
Component Firmware
Timestomp
Code Signing
Process Hollowing
Regsvcs/Regasm
Application Access Token
Disabling Security Tools
Revert Cloud Instance
DLL Search Order Hijacking
Binary Padding
Extra Window Memory Injection
Launchctl
File Deletion
Image File Execution Options Injection
Rundll32
Regsvr32
Indicator Blocking
Redundant Access
Gatekeeper Bypass
Software Packing
SIP and Trust Provider Hijacking
CMSTP
Scripting
Control Panel Items
Component Object Model Hijacking
Parent PID Spoofing
LC_MAIN Hijacking
Mshta
DLL Side-Loading
Process Doppelgänging
Web Session Cookie
Bypass User Account Control
Hidden Users
Compile After Delivery
Compiled HTML File
Clear Command History
Install Root Certificate
Hidden Files and Directories
Space after Filename
Network Share Connection Removal
NTFS File Attributes
InstallUtil
Credential Access
Adversary-in-the-Middle
Brute Force
Credentials from Password Stores
Exploitation for Credential Access
Forced Authentication
Forge Web Credentials
Input Capture
Modify Authentication Process
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping
Steal Application Access Token
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets
Steal Web Session Cookie
Unsecured Credentials
LLMNR/NBT-NS Poisoning and Relay
Cloud Instance Metadata API
Securityd Memory
Credentials in Registry
Bash History
Credentials from Web Browsers
Private Keys
Hooking
Input Prompt
Keychain
Kerberoasting
Password Filter DLL
Credentials in Files
Discovery
Account Discovery
Application Window Discovery
Browser Information Discovery
Cloud Infrastructure Discovery
Cloud Service Dashboard
Cloud Service Discovery
Cloud Storage Object Discovery
Container and Resource Discovery
Debugger Evasion
Device Driver Discovery
Domain Trust Discovery
File and Directory Discovery
Group Policy Discovery
Local Storage Discovery
Log Enumeration
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Software Discovery
System Information Discovery
System Location Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtual Machine Discovery
Virtualization/Sandbox Evasion
Security Software Discovery
Lateral Movement
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking
Remote Services
Replication Through Removable Media
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material
Application Access Token
Application Deployment Software
Remote Desktop Protocol
Component Object Model and Distributed COM
Shared Webroot
Pass the Ticket
SSH Hijacking
Pass the Hash
Windows Remote Management
Web Session Cookie
Windows Admin Shares
Collection
Adversary-in-the-Middle
Archive Collected Data
Audio Capture
Automated Collection
Browser Session Hijacking
Clipboard Data
Data from Cloud Storage
Data from Configuration Repository
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Screen Capture
Video Capture
Command and Control
Application Layer Protocol
Communication Through Removable Media
Content Injection
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Fallback Channels
Hide Infrastructure
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Proxy
Remote Access Tools
Traffic Signaling
Web Service
Domain Fronting
Custom Cryptographic Protocol
Multilayer Encryption
Standard Cryptographic Protocol
Domain Generation Algorithms
Multi-hop Proxy
Multiband Communication
Uncommonly Used Port
Custom Command and Control Protocol
Commonly Used Port
Exfiltration
Automated Exfiltration
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Scheduled Transfer
Transfer Data to Cloud Account
Data Compressed
Data Encrypted
Impact
Account Access Removal
Data Destruction
Data Encrypted for Impact
Data Manipulation
Defacement
Disk Wipe
Email Bombing
Endpoint Denial of Service
Financial Theft
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Service Stop
System Shutdown/Reboot
Stored Data Manipulation
Disk Structure Wipe
Disk Content Wipe
Runtime Data Manipulation
Transmitted Data Manipulation
