MITRE ATT&CK Coverage by Tactic

Initial Access

External Remote Services, Hardware Additions, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts, Drive-by Compromise, Exploit Public-Facing Application, Replication Through Removable Media, Spearphishing Attachment, Spearphishing Link


Compiled HTML File, Exploitation for Client Execution, Graphical User Interface, Third-party Software, User Execution, XSL Script Processing, CMSTP, Command-Line Interface, Control Panel Items, Dynamic Data Exchange, Execution through API, Execution through Module Load, InstallUtil, LSASS Driver, Mshta, PowerShell, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Signed Binary Proxy Execution, Signed Script Proxy Execution, Trusted Developer Utilities, Windows Management Instrumentation, Windows Remote Management


Component Object Model Hijacking, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hypervisor, Valid Accounts, Accessibility Features, Account Manipulation, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Create Account, Hidden Files and Directories, Hooking, Image File Execution Options Injection, Logon Scripts, LSASS Driver, Modify Existing Service, New Service, Office Application Startup, Path Interception, Port Monitors, Registry Run Keys / Startup Folder, Scheduled Task, Screensaver, Security Support Provider, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Execution

DLL Search Order Hijacking, Extra Window Memory Injection, Valid Accounts,Access Token Manipulation, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Bypass User Account Control, Exploitation for Privilege Escalation, Hooking, Image File Execution Options Injection, New Service, Path Interception, Port Monitors, Process Injection, Scheduled Task, Web Shell

Defense Evasion

Binary Padding, Code Signing, Compile After Delivery, Compiled HTML File, Component Firmware, Component Object Model Hijacking,DLL Search Order Hijacking, Execution Guardrails, Exploitation for Defense Evasion, Extra Window Memory Injection, File Permissions Modification, File System Logical Offsets, Group Policy Modification, Access Token Manipulation, BITS Jobs, Bypass User Account Control, CMSTP, Control Panel Items, DCShadow, Deobfuscate/Decode Files or Information, Disabling Security Tools, DLL Side-Loading, File Deletion, Hidden Files and Directories, Image File Execution Options Injection, Indicator Blocking, Indicator Removal on Host, Indirect Command Execution, Install Root Certificate, InstallUtil, Masquerading, Modify Registry, Mshta, Network Share Connection Removal, NTFS File Attributes, Obfuscated Files or Information, Process Injection, Regsvcs/Regasm, Regsvr32, Rundll32,Scripting, Signed Binary Proxy Execution, Signed Script Proxy Execution, Timestomp, Trusted Developer Utilities, Web Service

Credential Access

Brute Force,Credentials in Files,Exploitation for Credential Access,Input Prompt,Kerberoasting,Network Sniffing,Password Filter DLL,Private Keys,Two-Factor Authentication Interception,Account Manipulation,Credential Dumping,Credentials in Registry,Forced Authentication,Hooking,Input Capture,LLMNR/NBT-NS Poisoning and Relay


Domain Trust Discovery,Network Sniffing,Permission Groups Discovery,Virtualization/Sandbox Evasion,Account Discovery,Application Window Discovery,File and Directory Discovery,Network Service Scanning,Network Share Discovery,Password Policy Discovery,Peripheral Device Discovery,Process Discovery,Query Registry,Remote System Discovery,Security Software Discovery,System Information Discovery,System Network Configuration Discovery,System Network Connections Discovery,System Owner/User Discovery,System Service Discovery,System Time Discovery

Lateral Movement

Shared Webroot, Taint Shared Content, Third-party Software, Exploitation of Remote Services, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Windows Admin Shares, Windows Remote Management


Audio Capture,Automated Collection,Data from Information Repositories,Data from Local System,Data from Network Shared Drive,Data from Removable Media,Data Staged,Email Collection,Man in the Browser,Screen Capture,Video Capture,Clipboard Data,Input Capture

Command & Control

Commonly Used Port,Connection Proxy,Custom Cryptographic Protocol,Data Encoding,Data Obfuscation,Domain Fronting,Domain Generation Algorithms,Fallback Channels,Multi-hop Proxy,Multi-Stage Channels,Multiband Communication,Multilayer Encryption,Standard Application Layer Protocol,Standard Cryptographic Protocol,Uncommonly Used Port,Communication Through Removable Media,Custom Command and Control Protocol,Remote Access Tools,Remote File Copy,Standard Non-Application Layer Protocol,Web Service


Data Compressed,Data Transfer Size Limits,Exfiltration Over Alternative Protocol,Exfiltration Over Command and Control Channel,Exfiltration Over Other Network Medium,Exfiltration Over Physical Medium,Scheduled Transfer


Data Destruction,Data Encrypted for Impact,Defacement,Disk Content Wipe,Disk Structure Wipe,Endpoint Denial of Service,Firmware Corruption,Inhibit System Recovery,Network Denial of Service,Resource Hijacking,Runtime Data Manipulation,Service Stop,Stored Data Manipulation

Last updated