MITRE ATT&CK® Framework for Enterprise

MITRE Techniques: 88
MITRE Sub-techniques: 96

Coverage by tactic (techniques and sub-techniques with at least one rule)

Initial Access
- Phishing: Spearphishing Link
- External Remote Services
- Valid Accounts
- Drive-by Compromise
- Valid Accounts: Cloud Accounts
- Exploit Public Facing Application
- Replication Through Removable Media
- Phishing

Execution
- Windows Management Instrumentation
- Command and Scripting Interpreter
- Scheduled Task/Job
- Inter-Process Communication
- System Services
- Exploitation for Client Execution
- User Execution
- Scheduled Task/Job: Scheduled Task
- Command and Scripting Interpreter: PowerShell
- Software Deployment Tools
- Scheduled Task/Job: At (Windows)

Persistence
- Pre-OS Boot
- Boot or Logon Initialization Scripts
- Create Account
- Create or Modify System Process
- External Remote Services
- Valid Accounts
- Hijack Execution Flow
- Server Software Component: Web Shell
- Account Manipulation
- BITS Jobs
- Create or Modify System Process: Windows Service
- Scheduled Task/Job
- Create Account: Create: Cloud Account
- Server Software Component
- Event Triggered Execution
- Boot or Logon Autostart Execution
- Create Account: Create: Local Account
- Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
- Access Token Manipulation: Token Impersonation/Theft
- Boot or Logon Initialization Scripts
- Create or Modify System Process
- Valid Accounts
- Access Token Manipulation
- Exploitation for Privilege Escalation
- Hijack Execution Flow
- Group Policy Modification
- Process Injection
- Scheduled Task/Job
- Abuse Elevation Control Mechanism
- Event Triggered Execution
- Boot or Logon Autostart Execution
- Process Injection: Dynamic-link Library Injection
- Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion
- Hide Artifacts
- Indirect Command Execution
- Impair Defenses
- Indicator Removal on Host: Clear Windows Event Logs
- Group Policy Modification
- Rogue Domain Controller
- Trusted Developer Utilities Proxy Execution
- Masquerading: Match Legitimate Name or Location
- Masquerading: Rename System Utilities
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Obfuscated Files or Information: Compile After Delivery
- Obfuscated Files or Information: Indicator Removal from Tools
- Hijack Execution Flow: DLL Side-Loading
- Indicator Removal on Host: File Deletion
- Masquerading
- Valid Accounts
- Modify Registry
- BITS Jobs
- Use Alternate Authentication Material
- Hide Artifacts: NTFS File Attributes
- Use Alternate Authentication Material: Pass the Hash
- Indicator Removal on Host
- Use Alternate Authentication Material: Pass the Ticket
- Pre-OS Boot
- File and Directory Permissions Modification
- Deobfuscate/Decode Files or Information
- Abuse Elevation Control Mechanism
- Impair Defenses: Disable or Modify System Firewall
- Obfuscated Files or Information
- Signed Binary Proxy Execution: Compiled HTML File
- Access Token Manipulation
- Hijack Execution Flow
- Process Injection
- Valid Accounts: Local Accounts
- Signed Binary Proxy Execution: Msiexec
- Signed Binary Proxy Execution
- Signed Binary Proxy Execution: Regsvcs/Regasm
- Signed Binary Proxy Execution: CMSTP
- Unused/Unsupported Cloud Regions
- Signed Binary Proxy Execution: Control Panel
- Signed Binary Proxy Execution: InstallUtil
- Signed Binary Proxy Execution: Regsvr32
- Trusted Developer Utilities Proxy Execution: MSBuild
- Signed Binary Proxy Execution: Rundll32

Credential Access
- OS Credential Dumping
- Unsecured Credentials
- Brute Force
- Forced Authentication
- Steal or Forge Kerberos Tickets
- Credentials from Password Stores
- Steal or Forge Kerberos Tickets: Kerberoasting
- OS Credential Dumping: DCSync
- Network Sniffing

Discovery
- Network Service Scanning
- Account Discovery
- Domain Trust Discovery
- System Service Discovery
- System Network Connections Discovery
- Account Discovery: Local Account
- Account Discovery: Domain Account
- File and Directory Discovery
- Network Sniffing
- System Information Discovery
- Network Share Discovery
- Query Registry
- Process Discovery
- System Owner/User Discovery
- Software Discovery
- Remote System Discovery
- System Network Configuration Discovery

Lateral Movement
- Exploitation of Remote Services
- Remote Service Session Hijacking
- Remote Services
- Remote Services: SMB/Windows Admin Shares
- Use Alternate Authentication Material
- Remote Services: Remote Desktop Protocol
- Software Deployment Tools
- Replication Through Removable Media
- Internal Spearphishing

Collection
- Screen Capture
- Data from Information Repositories
- Email Collection
- Audio Capture
- Data from Cloud Storage Object
- Archive Collected Data
- Data Staged
- Email Collection: Email Forwarding Rule

Command and Control
- Web Service
- Protocol Tunneling
- Application Layer Protocol: DNS
- Application Layer Protocol: File Transfer Protocols
- Application Layer Protocol: Web Protocols
- Remote Access Software
- Dynamic Resolution
- Ingress Tool Transfer
- Dynamic Resolution: Domain Generation Algorithms
- Proxy: Multi-hop Proxy
- Application Layer Protocol
- Proxy

Exfiltration
- Exfiltration Over Alternative Protocol
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Exfiltration Over Physical Medium: Exfiltration over USB
- Exfiltration Over C2 Channel
- Exfiltration Over Physical Medium
- Automated Exfiltration
- Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Exfiltration Over Web Service

Impact
- Account Access Removal
- Data Destruction
- Resource Hijacking
- Data Encrypted for Impact
- Inhibit System Recovery

Rule count per TTP code (rows where the name column only repeats the code are kept as the source lists them)

TTP Code   | Technique: Sub-technique | Rules
T1003      | OS Credential Dumping | 13
T1003.001  | T1003.001 | 18
T1003.002  | T1003.002 | 5
T1003.003  | T1003.003 | 7
T1003.005  | T1003.005 | 1
T1003.006  | OS Credential Dumping: DCSync | 3
T1007      | System Service Discovery | 6
T1012      | Query Registry | 7
T1016      | System Network Configuration Discovery | 4
T1018      | Remote System Discovery | 10
T1020      | Automated Exfiltration | 1
T1021      | Remote Services | 54
T1021.001  | Remote Services: Remote Desktop Protocol | 6
T1021.002  | Remote Services: SMB/Windows Admin Shares | 19
T1021.003  | T1021.003 | 12
T1021.006  | T1021.006 | 2
T1027      | Obfuscated Files or Information | 11
T1027.004  | Obfuscated Files or Information: Compile After Delivery | 6
T1027.005  | Obfuscated Files or Information: Indicator Removal from Tools | 24
T1033      | System Owner/User Discovery | 2
T1036      | Masquerading | 12
T1036.003  | Masquerading: Rename System Utilities | 2
T1036.004  | T1036.004 | 2
T1036.005  | Masquerading: Match Legitimate Name or Location | 6
T1037      | Boot or Logon Initialization Scripts | 2
T1040      | Network Sniffing | 16
T1041      | Exfiltration Over C2 Channel | 3
T1046      | Network Service Scanning | 4
T1047      | Windows Management Instrumentation | 15
T1048      | Exfiltration Over Alternative Protocol | 4
T1048.003  | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 41
T1049      | System Network Connections Discovery | 6
T1052      | Exfiltration Over Physical Medium | 5
T1052.001  | Exfiltration Over Physical Medium: Exfiltration over USB | 16
T1053      | Scheduled Task/Job | 4
T1053.002  | Scheduled Task/Job: At (Windows) | 2
T1053.003  | T1053.003 | 4
T1053.005  | Scheduled Task/Job: Scheduled Task | 16
T1055      | Process Injection | 3
T1055.001  | Process Injection: Dynamic-link Library Injection | 2
T1057      | Process Discovery | 6
T1059      | Command and Scripting Interpreter | 15
T1059.001  | Command and Scripting Interpreter: PowerShell | 69
T1059.003  | T1059.003 | 23
T1059.005  | T1059.005 | 9
T1059.007  | T1059.007 | 6
T1068      | Exploitation for Privilege Escalation | 6
T1070      | Indicator Removal on Host | 6
T1070.001  | Indicator Removal on Host: Clear Windows Event Logs | 8
T1070.004  | Indicator Removal on Host: File Deletion | 1
T1071      | Application Layer Protocol | 6
T1071.001  | Application Layer Protocol: Web Protocols | 58
T1071.002  | Application Layer Protocol: File Transfer Protocols | 2
T1071.004  | Application Layer Protocol: DNS | 2
T1072      | Software Deployment Tools | 1
T1074      | Data Staged | 4
T1078      | Valid Accounts | 183
T1078.002  | T1078.002 | 10
T1078.003  | Valid Accounts: Local Accounts | 7
T1078.004  | Valid Accounts: Cloud Accounts | 29
T1082      | System Information Discovery | 8
T1083      | File and Directory Discovery | 26
T1087      | Account Discovery | 5
T1087.001  | Account Discovery: Local Account | 7
T1087.002  | Account Discovery: Domain Account | 6
T1087.004  | T1087.004 | 1
T1090      | Proxy | 2
T1090.003  | Proxy: Multi-hop Proxy | 13
T1091      | Replication Through Removable Media | 13
T1098      | Account Manipulation | 38
T1098.002  | Account Manipulation: Exchange Email Delegate Permissions | 4
T1102      | Web Service | 1
T1105      | Ingress Tool Transfer | 6
T1110      | Brute Force | 14
T1110.003  | T1110.003 | 1
T1112      | Modify Registry | 5
T1113      | Screen Capture | 4
T1114.001  | T1114.001 | 1
T1114.003  | Email Collection: Email Forwarding Rule | 3
T1123      | Audio Capture | 4
T1127      | Trusted Developer Utilities Proxy Execution | 6
T1127.001  | Trusted Developer Utilities Proxy Execution: MSBuild | 10
T1133      | External Remote Services | 26
T1134.001  | Access Token Manipulation: Token Impersonation/Theft | 2
T1134.002  | T1134.002 | 2
T1135      | Network Share Discovery | 8
T1136      | Create Account | 16
T1136.001  | Create Account: Create: Local Account | 8
T1136.002  | T1136.002 | 2
T1136.003  | Create Account: Create: Cloud Account | 7
T1140      | Deobfuscate/Decode Files or Information | 5
T1187      | Forced Authentication | 2
T1189      | Drive-by Compromise | 1
T1190      | Exploit Public Facing Application | 24
T1197      | BITS Jobs | 6
T1202      | Indirect Command Execution | 5
T1203      | Exploitation for Client Execution | 9
T1204      | User Execution | 3
T1204.001  | T1204.001 | 1
T1204.002  | T1204.002 | 10
T1204.003  | T1204.003 | 4
T1207      | Rogue Domain Controller | 6
T1210      | Exploitation of Remote Services | 13
T1213      | Data from Information Repositories | 38
T1218      | Signed Binary Proxy Execution | 14
T1218.001  | Signed Binary Proxy Execution: Compiled HTML File | 3
T1218.002  | Signed Binary Proxy Execution: Control Panel | 4
T1218.003  | Signed Binary Proxy Execution: CMSTP | 4
T1218.004  | Signed Binary Proxy Execution: InstallUtil | 13
T1218.005  | T1218.005 | 23
T1218.007  | Signed Binary Proxy Execution: Msiexec | 4
T1218.008  | T1218.008 | 4
T1218.009  | Signed Binary Proxy Execution: Regsvcs/Regasm | 2
T1218.010  | Signed Binary Proxy Execution: Regsvr32 | 15
T1218.011  | Signed Binary Proxy Execution: Rundll32 | 24
T1219      | Remote Access Software | 25
T1222.001  | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 3
T1482      | Domain Trust Discovery | 4
T1484      | Group Policy Modification | 41
T1484.001  | T1484.001 | 2
T1485      | Data Destruction | 1
T1486      | Data Encrypted for Impact | 2
T1490      | Inhibit System Recovery | 5
T1496      | Resource Hijacking | 7
T1505.003  | Server Software Component: Web Shell | 8
T1518.001  | T1518.001 | 1
T1530      | Data from Cloud Storage Object | 28
T1531      | Account Access Removal | 3
T1534      | Internal Spearphishing | 3
T1535      | Unused/Unsupported Cloud Regions | 7
T1542.003  | T1542.003 | 2
T1543.003  | Create or Modify System Process: Windows Service | 34
T1546.001  | T1546.001 | 2
T1546.003  | T1546.003 | 6
T1546.011  | T1546.011 | 2
T1547.001  | T1547.001 | 10
T1547.002  | T1547.002 | 1
T1548.002  | Abuse Elevation Control Mechanism: Bypass User Account Control | 8
T1550      | Use Alternate Authentication Material | 2
T1550.002  | Use Alternate Authentication Material: Pass the Hash | 16
T1550.003  | Use Alternate Authentication Material: Pass the Ticket | 9
T1552.001  | T1552.001 | 2
T1552.006  | T1552.006 | 2
T1555      | Credentials from Password Stores | 2
T1555.005  | T1555.005 | 11
T1558      | Steal or Forge Kerberos Tickets | 9
T1558.003  | Steal or Forge Kerberos Tickets: Kerberoasting | 8
T1559.002  | T1559.002 | 2
T1560      | Archive Collected Data | 2
T1562      | Impair Defenses | 3
T1562.001  | T1562.001 | 2
T1562.002  | T1562.002 | 3
T1562.004  | Impair Defenses: Disable or Modify System Firewall | 7
T1562.006  | T1562.006 | 3
T1563.002  | T1563.002 | 3
T1564.001  | T1564.001 | 8
T1564.002  | T1564.002 | 2
T1564.004  | Hide Artifacts: NTFS File Attributes | 2
T1566      | Phishing | 2
T1566.001  | T1566.001 | 2
T1566.002  | Phishing: Spearphishing Link | 4
T1567      | Exfiltration Over Web Service | 1
T1567.002  | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 4
T1568      | Dynamic Resolution | 1
T1568.002  | Dynamic Resolution: Domain Generation Algorithms | 9
T1569      | System Services | 2
T1569.002  | T1569.002 | 3
T1572      | Protocol Tunneling | 2
T1574      | Hijack Execution Flow | 5
T1574.002  | Hijack Execution Flow: DLL Side-Loading | 6
T1574.010  | T1574.010 | 2
T1574.011  | T1574.011 | 4
T1580      | T1580 | 4
T1583.001  | T1583.001 | 1
T1598.003  | T1598.003 | 3
TA0001     | TA0001 | 3
TA0002     | TA0002 | 59
TA0003     | TA0003 | 1
TA0004     | TA0004 | 36
TA0007     | TA0007 | 2
TA0008     | TA0008 | 4
TA0009     | TA0009 | 11
TA0010     | TA0010 | 63
TA0011     | TA0011 | 55