ATT&CK Matrix for Enterprise

The matrix lists 14 tactics, each with the techniques that fall under it. Numbers in parentheses are sub-technique counts; techniques with no number have no sub-techniques. Some techniques appear under more than one tactic (for example Valid Accounts under Initial Access, Persistence, Privilege Escalation and Defense Evasion), so the per-tactic counts overlap.

Reconnaissance (10 techniques)
  Active Scanning (3)
  Gather Victim Host Information (4)
  Gather Victim Identity Information (3)
  Gather Victim Network Information (6)
  Gather Victim Org Information (4)
  Phishing for Information (3)
  Search Closed Sources (2)
  Search Open Technical Databases (5)
  Search Open Websites/Domains (3)
  Search Victim-Owned Websites

Resource Development (7 techniques)
  Acquire Infrastructure (7)
  Compromise Accounts (3)
  Compromise Infrastructure (7)
  Develop Capabilities (4)
  Establish Accounts (3)
  Obtain Capabilities (6)
  Stage Capabilities (6)

Initial Access (9 techniques)
  Drive-by Compromise
  Exploit Public-Facing Application
  External Remote Services
  Hardware Additions
  Phishing (3)
  Replication Through Removable Media
  Supply Chain Compromise (3)
  Trusted Relationship
  Valid Accounts (4)

Execution (13 techniques)
  Command and Scripting Interpreter (8)
  Container Administration Command
  Deploy Container
  Exploitation for Client Execution
  Inter-Process Communication (3)
  Native API
  Scheduled Task/Job (5)
  Serverless Execution
  Shared Modules
  Software Deployment Tools
  System Services (2)
  User Execution (3)
  Windows Management Instrumentation

Persistence (19 techniques)
  Account Manipulation (5)
  BITS Jobs
  Boot or Logon Autostart Execution (14)
  Boot or Logon Initialization Scripts (5)
  Browser Extensions
  Compromise Client Software Binary
  Create Account (3)
  Create or Modify System Process (4)
  Event Triggered Execution (16)
  External Remote Services
  Hijack Execution Flow (12)
  Implant Internal Image
  Modify Authentication Process (7)
  Office Application Startup (6)
  Pre-OS Boot (5)
  Scheduled Task/Job (5)
  Server Software Component (5)
  Traffic Signaling (2)
  Valid Accounts (4)

Privilege Escalation (13 techniques)
  Abuse Elevation Control Mechanism (4)
  Access Token Manipulation (5)
  Boot or Logon Autostart Execution (14)
  Boot or Logon Initialization Scripts (5)
  Create or Modify System Process (4)
  Domain Policy Modification (2)
  Escape to Host
  Event Triggered Execution (16)
  Exploitation for Privilege Escalation
  Hijack Execution Flow (12)
  Process Injection (12)
  Scheduled Task/Job (5)
  Valid Accounts (4)

Defense Evasion (42 techniques)
  Abuse Elevation Control Mechanism (4)
  Access Token Manipulation (5)
  BITS Jobs
  Build Image on Host
  Debugger Evasion
  Deobfuscate/Decode Files or Information
  Deploy Container
  Direct Volume Access
  Domain Policy Modification (2)
  Execution Guardrails (1)
  Exploitation for Defense Evasion
  File and Directory Permissions Modification (2)
  Hide Artifacts (10)
  Hijack Execution Flow (12)
  Impair Defenses (9)
  Indicator Removal (9)
  Indirect Command Execution
  Masquerading (7)
  Modify Authentication Process (7)
  Modify Cloud Compute Infrastructure (4)
  Modify Registry
  Modify System Image (2)
  Network Boundary Bridging (1)
  Obfuscated Files or Information (9)
  Plist File Modification
  Pre-OS Boot (5)
  Process Injection (12)
  Reflective Code Loading
  Rogue Domain Controller
  Rootkit
  Subvert Trust Controls (6)
  System Binary Proxy Execution (13)
  System Script Proxy Execution (1)
  Template Injection
  Traffic Signaling (2)
  Trusted Developer Utilities Proxy Execution (1)
  Unused/Unsupported Cloud Regions
  Use Alternate Authentication Material (4)
  Valid Accounts (4)
  Virtualization/Sandbox Evasion (3)
  Weaken Encryption (2)
  XSL Script Processing

Credential Access (17 techniques)
  Adversary-in-the-Middle (3)
  Brute Force (4)
  Credentials from Password Stores (5)
  Exploitation for Credential Access
  Forced Authentication
  Forge Web Credentials (2)
  Input Capture (4)
  Modify Authentication Process (7)
  Multi-Factor Authentication Interception
  Multi-Factor Authentication Request Generation
  Network Sniffing
  OS Credential Dumping (8)
  Steal Application Access Token
  Steal or Forge Authentication Certificates
  Steal or Forge Kerberos Tickets (4)
  Steal Web Session Cookie
  Unsecured Credentials (7)

Discovery (30 techniques)
  Account Discovery (4)
  Application Window Discovery
  Browser Bookmark Discovery
  Cloud Infrastructure Discovery
  Cloud Service Dashboard
  Cloud Service Discovery
  Cloud Storage Object Discovery
  Container and Resource Discovery
  Debugger Evasion
  Domain Trust Discovery
  File and Directory Discovery
  Group Policy Discovery
  Network Service Discovery
  Network Share Discovery
  Network Sniffing
  Password Policy Discovery
  Peripheral Device Discovery
  Permission Groups Discovery (3)
  Process Discovery
  Query Registry
  Remote System Discovery
  Software Discovery (1)
  System Information Discovery
  System Location Discovery (1)
  System Network Configuration Discovery (1)
  System Network Connections Discovery
  System Owner/User Discovery
  System Service Discovery
  System Time Discovery
  Virtualization/Sandbox Evasion (3)

Lateral Movement (9 techniques)
  Exploitation of Remote Services
  Internal Spearphishing
  Lateral Tool Transfer
  Remote Service Session Hijacking (2)
  Remote Services (6)
  Replication Through Removable Media
  Software Deployment Tools
  Taint Shared Content
  Use Alternate Authentication Material (4)

Collection (17 techniques)
  Adversary-in-the-Middle (3)
  Archive Collected Data (3)
  Audio Capture
  Automated Collection
  Browser Session Hijacking
  Clipboard Data
  Data from Cloud Storage
  Data from Configuration Repository (2)
  Data from Information Repositories (3)
  Data from Local System
  Data from Network Shared Drive
  Data from Removable Media
  Data Staged (2)
  Email Collection (3)
  Input Capture (4)
  Screen Capture
  Video Capture

Command and Control (16 techniques)
  Application Layer Protocol (4)
  Communication Through Removable Media
  Data Encoding (2)
  Data Obfuscation (3)
  Dynamic Resolution (3)
  Encrypted Channel (2)
  Fallback Channels
  Ingress Tool Transfer
  Multi-Stage Channels
  Non-Application Layer Protocol
  Non-Standard Port
  Protocol Tunneling
  Proxy (4)
  Remote Access Software
  Traffic Signaling (2)
  Web Service (3)

Exfiltration (9 techniques)
  Automated Exfiltration (1)
  Data Transfer Size Limits
  Exfiltration Over Alternative Protocol (3)
  Exfiltration Over C2 Channel
  Exfiltration Over Other Network Medium (1)
  Exfiltration Over Physical Medium (1)
  Exfiltration Over Web Service (2)
  Scheduled Transfer
  Transfer Data to Cloud Account

Impact (13 techniques)
  Account Access Removal
  Data Destruction
  Data Encrypted for Impact
  Data Manipulation (3)
  Defacement (2)
  Disk Wipe (2)
  Endpoint Denial of Service (4)
  Firmware Corruption
  Inhibit System Recovery
  Network Denial of Service (2)
  Resource Hijacking
  Service Stop
  System Shutdown/Reboot