MITRE ATT&CK MATRIX
209 techniques used by 121 tracked groups
Initial Access (7)
T1078 Valid Accounts 29
T1133 External Remote Services 20
T1189 Drive-by Compromise 16
T1190 Exploit Public-Facing Application 19
T1195.002 Compromise Software Supply Chain 17
T1566.001 Spearphishing Attachment 19
T1566.002 Spearphishing Link 14
Execution (8)
T1047 Windows Management Instrumentation 17
T1053.005 Scheduled Task 19
T1059.001 PowerShell 21
T1059.003 Windows Command Shell 21
T1059.005 Visual Basic 14
T1059.006 Python 20
T1204.001 Malicious Link 21
T1204.002 Malicious File 20
Persistence (5)
T1098 Account Manipulation 24
T1136.001 Local Account 18
T1543.003 Windows Service 16
T1547.001 Registry Run Keys 24
T1547.009 Shortcut Modification 22
Privilege Escalation (3)
T1068 Exploitation for Privilege Escalation 24
T1134 Access Token Manipulation 17
T1548.002 Bypass UAC 15
Defense Evasion (9)
T1027 Obfuscated Files or Information 20
T1036.005 Match Legitimate Name or Location 26
T1055 Process Injection 20
T1070.004 File Deletion 25
T1140 Deobfuscate/Decode Files 22
T1218.011 Rundll32 16
T1562.001 Disable or Modify Tools 16
T1562.004 Disable or Modify System Firewall 23
T1562.009 Safe Mode Boot 22
Credential Access (7)
T1003.001 LSASS Memory 21
T1003.003 NTDS 19
T1110.001 Password Guessing 23
T1110.003 Password Spraying 18
T1552.001 Credentials In Files 16
T1555.003 Credentials from Web Browsers 20
T1558.003 Kerberoasting 19
Discovery (8)
T1016 System Network Configuration Discovery 17
T1018 Remote System Discovery 21
T1049 System Network Connections Discovery 29
T1069 Permission Groups Discovery 21
T1082 System Information Discovery 21
T1083 File and Directory Discovery 15
T1087 Account Discovery 24
T1135 Network Share Discovery 19
Lateral Movement (5)
T1021.001 Remote Desktop Protocol 19
T1021.002 SMB/Windows Admin Shares 14
T1021.004 SSH 19
T1080 Taint Shared Content 15
T1570 Lateral Tool Transfer 18
Collection (4)
T1005 Data from Local System 19
T1039 Data from Network Shared Drive 23
T1074.001 Local Data Staging 23
T1560.001 Archive via Utility 20
Command and Control (6)
T1071.001 Web Protocols 26
T1090 Proxy 15
T1105 Ingress Tool Transfer 25
T1219 Remote Access Software 26
T1572 Protocol Tunneling 26
T1573.002 Asymmetric Cryptography 13
Exfiltration (3)
T1041 Exfiltration Over C2 Channel 21
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol 14
T1567.002 Exfiltration to Cloud Storage 22
Impact (8)
T1485 Data Destruction 14
T1486 Data Encrypted for Impact 27
T1489 Service Stop 22
T1490 Inhibit System Recovery 17
T1491.001 Internal Defacement 23
T1529 System Shutdown/Reboot 20
T1531 Account Access Removal 20
T1561.001 Disk Wipe 20
Other (136)
T1005 Data from Local System 2
T1560.002 Archive via Library 1
T1560.003 Archive via Custom Method 1
T1056.001 Keylogging 1
T1071.001 Web Protocols 6
T1090 Proxy 1
T1090.003 Multi-hop Proxy 1
T1095 Non-Application Layer Protocol 1
T1105 Ingress Tool Transfer 5
T1132.001 Standard Encoding 1
T1132.002 Non-Standard Encoding 1
T1568 Dynamic Resolution 1
T1571 Non-Standard Port 1
T1572 Protocol Tunneling 1
T1573.001 Symmetric Cryptography 2
T1573.002 Asymmetric Cryptography 2
T1003.001 LSASS Memory 2
T1110 Brute Force 1
T1552.001 Credentials In Files 1
T1552.004 Private Keys 1
T1040 Network Sniffing 1
T1014 Rootkit 1
T1027 Obfuscated Files or Information 5
T1027.001 Binary Padding 1
T1027.002 Software Packing 4
T1027.003 Steganography 1
T1027.004 Compile After Delivery 1
T1027.007 Dynamic API Resolution 1
T1027.011 Fileless Storage 1
T1027.013 Encrypted/Encoded File 6
T1027.016 Junk Code Insertion 1
T1036 Masquerading 2
T1036.004 Masquerade Task or Service 2
T1036.005 Match Legitimate Resource Name or Location 7
T1036.008 Masquerade File Type 1
T1070 Indicator Removal 1
T1070.001 Clear Windows Event Logs 4
T1070.004 File Deletion 7
T1070.006 Timestomp 1
T1140 Deobfuscate/Decode Files or Information 10
T1218.003 CMSTP 1
T1218.007 Msiexec 3
T1218.010 Regsvr32 1
T1218.011 Rundll32 1
T1222 File and Directory Permissions Modification 1
T1222.001 Windows File and Directory Permissions Modification 2
T1222.002 Linux and Mac File and Directory Permissions Modification 1
T1480 Execution Guardrails 4
T1480.002 Mutual Exclusion 4
T1553.002 Code Signing 2
T1562.001 Disable or Modify Tools 11
T1562.004 Disable or Modify System Firewall 1
T1562.009 Safe Mode Boot 6
T1564.003 Hidden Window 4
T1564.006 Run Virtual Instance 2
T1620 Reflective Code Loading 2
T1679 Selective Exclusion 1
T1497 Virtualization/Sandbox Evasion 1
T1497.001 System Checks 1
T1497.003 Time Based Checks 2
T1622 Debugger Evasion 2
T1550 Use Alternate Authentication Material 1
T1112 Modify Registry 7
T1205 Traffic Signaling 1
T1078.002 Domain Accounts 1
T1078.003 Local Accounts 1
T1055 Process Injection 2
T1055.001 Dynamic-link Library Injection 3
T1134 Access Token Manipulation 4
T1134.001 Token Impersonation/Theft 1
T1134.002 Create Process with Token 1
T1484.001 Group Policy Modification 2
T1007 System Service Discovery 6
T1012 Query Registry 2
T1016 System Network Configuration Discovery 7
T1018 Remote System Discovery 5
T1033 System Owner/User Discovery 2
T1046 Network Service Discovery 2
T1049 System Network Connections Discovery 4
T1057 Process Discovery 15
T1069.002 Domain Groups 2
T1082 System Information Discovery 11
T1083 File and Directory Discovery 18
T1087.001 Local Account 1
T1087.002 Domain Account 1
T1120 Peripheral Device Discovery 3
T1124 System Time Discovery 2
T1135 Network Share Discovery 13
T1518.001 Security Software Discovery 2
T1614 System Location Discovery 1
T1614.001 System Language Discovery 6
T1652 Device Driver Discovery 1
T1654 Log Enumeration 1
T1673 Virtual Machine Discovery 1
T1680 Local Storage Discovery 11
T1047 Windows Management Instrumentation 7
T1059.001 PowerShell 9
T1059.003 Windows Command Shell 14
T1059.005 Visual Basic 1
T1059.006 Python 1
T1059.012 Hypervisor CLI 1
T1106 Native API 16
T1129 Shared Modules 1
T1204.001 Malicious Link 1
T1204.002 Malicious File 3
T1559 Inter-Process Communication 2
T1569.002 Service Execution 3
T1053.005 Scheduled Task 4
T1041 Exfiltration Over C2 Channel 3
T1485 Data Destruction 2
T1486 Data Encrypted for Impact 20
T1489 Service Stop 18
T1490 Inhibit System Recovery 18
T1491.001 Internal Defacement 6
T1529 System Shutdown/Reboot 4
T1561.001 Disk Content Wipe 1
T1189 Drive-by Compromise 1
T1190 Exploit Public-Facing Application 1
T1566 Phishing 2
T1566.001 Spearphishing Attachment 2
T1566.002 Spearphishing Link 1
T1021.001 Remote Desktop Protocol 1
T1021.002 SMB/Windows Admin Shares 6
T1080 Taint Shared Content 1
T1563.001 SSH Hijacking 1
T1570 Lateral Tool Transfer 2
T1136 Create Account 1
T1542.002 Component Firmware 1
T1037.004 RC Scripts 1
T1543 Create or Modify System Process 1
T1543.003 Windows Service 5
T1547.001 Registry Run Keys / Startup Folder 6
T1547.004 Winlogon Helper DLL 2
T1574.001 DLL 1
T1574.006 Dynamic Linker Hijacking 1
T1548.002 Bypass User Account Control 3