MitreMap.md

MITRE ATT&CK® Framework for Enterprise

MITRE Techniques: 104

MITRE Sub-techniques: 96

**Initial Access**

- Phishing: Spearphishing Link
- External Remote Services
- Valid Accounts
- Drive-by Compromise
- Valid Accounts: Cloud Accounts
- Exploit Public-Facing Application
- Replication Through Removable Media
- Phishing

**Execution**

- Windows Management Instrumentation
- Command and Scripting Interpreter
- Scheduled Task/Job
- Inter-Process Communication
- System Services
- Exploitation for Client Execution
- User Execution
- Scheduled Task/Job: Scheduled Task
- Command and Scripting Interpreter: PowerShell
- Software Deployment Tools
- Scheduled Task/Job: At (Windows)

**Persistence**

- Pre-OS Boot
- Boot or Logon Initialization Scripts
- Create Account
- Create or Modify System Process
- External Remote Services
- Valid Accounts
- Hijack Execution Flow
- Server Software Component: Web Shell
- Account Manipulation
- BITS Jobs
- Create or Modify System Process: Windows Service
- Scheduled Task/Job
- Create Account: Cloud Account
- Server Software Component
- Event Triggered Execution
- Boot or Logon Autostart Execution
- Create Account: Local Account
- Account Manipulation: Exchange Email Delegate Permissions

**Privilege Escalation**

- Access Token Manipulation: Token Impersonation/Theft
- Boot or Logon Initialization Scripts
- Create or Modify System Process
- Valid Accounts
- Access Token Manipulation
- Exploitation for Privilege Escalation
- Hijack Execution Flow
- Group Policy Modification
- Process Injection
- Scheduled Task/Job
- Abuse Elevation Control Mechanism
- Event Triggered Execution
- Boot or Logon Autostart Execution
- Process Injection: Dynamic-link Library Injection
- Abuse Elevation Control Mechanism: Bypass User Account Control

**Defense Evasion**

- Hide Artifacts
- Indirect Command Execution
- Impair Defenses
- Indicator Removal on Host: Clear Windows Event Logs
- Group Policy Modification
- Rogue Domain Controller
- Trusted Developer Utilities Proxy Execution
- Masquerading: Match Legitimate Name or Location
- Masquerading: Rename System Utilities
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Obfuscated Files or Information: Compile After Delivery
- Obfuscated Files or Information: Indicator Removal from Tools
- Hijack Execution Flow: DLL Side-Loading
- Indicator Removal on Host: File Deletion
- Masquerading
- Valid Accounts
- Modify Registry
- BITS Jobs
- Use Alternate Authentication Material
- Hide Artifacts: NTFS File Attributes
- Use Alternate Authentication Material: Pass the Hash
- Indicator Removal on Host
- Use Alternate Authentication Material: Pass the Ticket
- Pre-OS Boot
- File and Directory Permissions Modification
- Deobfuscate/Decode Files or Information
- Abuse Elevation Control Mechanism
- Impair Defenses: Disable or Modify System Firewall
- Obfuscated Files or Information
- Signed Binary Proxy Execution: Compiled HTML File
- Access Token Manipulation
- Hijack Execution Flow
- Process Injection
- Valid Accounts: Local Accounts
- Signed Binary Proxy Execution: Msiexec
- Signed Binary Proxy Execution
- Signed Binary Proxy Execution: Regsvcs/Regasm
- Signed Binary Proxy Execution: CMSTP
- Unused/Unsupported Cloud Regions
- Signed Binary Proxy Execution: Control Panel
- Signed Binary Proxy Execution: InstallUtil
- Signed Binary Proxy Execution: Regsvr32
- Trusted Developer Utilities Proxy Execution: MSBuild
- Signed Binary Proxy Execution: Rundll32

**Credential Access**

- OS Credential Dumping
- Unsecured Credentials
- Brute Force
- Forced Authentication
- Steal or Forge Kerberos Tickets
- Credentials from Password Stores
- Steal or Forge Kerberos Tickets: Kerberoasting
- OS Credential Dumping: DCSync
- Network Sniffing

**Discovery**

- Network Service Scanning
- Account Discovery
- Domain Trust Discovery
- System Service Discovery
- System Network Connections Discovery
- Account Discovery: Local Account
- Account Discovery: Domain Account
- File and Directory Discovery
- Network Sniffing
- System Information Discovery
- Network Share Discovery
- Query Registry
- Process Discovery
- System Owner/User Discovery
- Software Discovery
- Remote System Discovery
- System Network Configuration Discovery

**Lateral Movement**

- Exploitation of Remote Services
- Remote Service Session Hijacking
- Remote Services
- Remote Services: SMB/Windows Admin Shares
- Use Alternate Authentication Material
- Remote Services: Remote Desktop Protocol
- Software Deployment Tools
- Replication Through Removable Media
- Internal Spearphishing

**Collection**

- Screen Capture
- Data from Information Repositories
- Email Collection
- Audio Capture
- Data from Cloud Storage Object
- Archive Collected Data
- Data Staged
- Email Collection: Email Forwarding Rule

**Command and Control**

- Web Service
- Protocol Tunneling
- Application Layer Protocol: DNS
- Application Layer Protocol: File Transfer Protocols
- Application Layer Protocol: Web Protocols
- Remote Access Software
- Dynamic Resolution
- Ingress Tool Transfer
- Dynamic Resolution: Domain Generation Algorithms
- Proxy: Multi-hop Proxy
- Application Layer Protocol
- Proxy

**Exfiltration**

- Exfiltration Over Alternative Protocol
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Exfiltration Over Physical Medium: Exfiltration over USB
- Exfiltration Over C2 Channel
- Exfiltration Over Physical Medium
- Automated Exfiltration
- Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Exfiltration Over Web Service

**Impact**

- Account Access Removal
- Data Destruction
- Resource Hijacking
- Data Encrypted for Impact
- Inhibit System Recovery

| TTP Code | Technique: Sub-technique | Rules |
|---|---|---|
| T1003 | OS Credential Dumping | 31 |
| T1003.001 | | 9 |
| T1003.002 | | 4 |
| T1003.003 | | 7 |
| T1003.005 | | 1 |
| T1003.006 | OS Credential Dumping: DCSync | 3 |
| T1007 | System Service Discovery | 4 |
| T1012 | Query Registry | 5 |
| T1016 | System Network Configuration Discovery | 4 |
| T1018 | Remote System Discovery | 8 |
| T1020 | Automated Exfiltration | 1 |
| T1021 | Remote Services | 77 |
| T1021.001 | Remote Services: Remote Desktop Protocol | 4 |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | 12 |
| T1021.003 | | 6 |
| T1021.006 | | 1 |
| T1027 | Obfuscated Files or Information | 34 |
| T1027.004 | Obfuscated Files or Information: Compile After Delivery | 4 |
| T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | 22 |
| T1033 | System Owner/User Discovery | 2 |
| T1036 | Masquerading | 13 |
| T1036.003 | Masquerading: Rename System Utilities | 1 |
| T1036.004 | | 1 |
| T1036.005 | Masquerading: Match Legitimate Name or Location | 3 |
| T1037 | Boot or Logon Initialization Scripts | 2 |
| T1040 | Network Sniffing | 10 |
| T1041 | Exfiltration Over C2 Channel | 2 |
| T1046 | Network Service Scanning | 4 |
| T1047 | Windows Management Instrumentation | 12 |
| T1048 | Exfiltration Over Alternative Protocol | 43 |
| T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 41 |
| T1049 | System Network Connections Discovery | 4 |
| T1052 | Exfiltration Over Physical Medium | 21 |
| T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | 16 |
| T1053 | Scheduled Task/Job | 24 |
| T1053.002 | Scheduled Task/Job: At (Windows) | 1 |
| T1053.003 | | 4 |
| T1053.005 | Scheduled Task/Job: Scheduled Task | 13 |
| T1055 | Process Injection | 3 |
| T1055.001 | Process Injection: Dynamic-link Library Injection | 1 |
| T1057 | Process Discovery | 4 |
| T1059 | Command and Scripting Interpreter | 72 |
| T1059.001 | Command and Scripting Interpreter: PowerShell | 49 |
| T1059.003 | | 14 |
| T1059.005 | | 5 |
| T1059.007 | | 3 |
| T1068 | Exploitation for Privilege Escalation | 4 |
| T1070 | Indicator Removal on Host | 10 |
| T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | 6 |
| T1070.004 | Indicator Removal on Host: File Deletion | 1 |
| T1071 | Application Layer Protocol | 64 |
| T1071.001 | Application Layer Protocol: Web Protocols | 55 |
| T1071.002 | Application Layer Protocol: File Transfer Protocols | 2 |
| T1071.004 | Application Layer Protocol: DNS | 1 |
| T1072 | Software Deployment Tools | 1 |
| T1074 | Data Staged | 4 |
| T1078 | Valid Accounts | 225 |
| T1078.002 | | 10 |
| T1078.003 | Valid Accounts: Local Accounts | 7 |
| T1078.004 | Valid Accounts: Cloud Accounts | 26 |
| T1082 | System Information Discovery | 5 |
| T1083 | File and Directory Discovery | 25 |
| T1087 | Account Discovery | 10 |
| T1087.001 | Account Discovery: Local Account | 5 |
| T1087.002 | Account Discovery: Domain Account | 4 |
| T1087.004 | | 1 |
| T1090 | Proxy | 13 |
| T1090.003 | Proxy: Multi-hop Proxy | 12 |
| T1091 | Replication Through Removable Media | 13 |
| T1098 | Account Manipulation | 41 |
| T1098.002 | Account Manipulation: Exchange Email Delegate Permissions | 4 |
| T1102 | Web Service | 1 |
| T1105 | Ingress Tool Transfer | 3 |
| T1110 | Brute Force | 15 |
| T1110.003 | | 1 |
| T1112 | Modify Registry | 5 |
| T1113 | Screen Capture | 3 |
| T1114 | Email Collection | 4 |
| T1114.001 | | 1 |
| T1114.003 | Email Collection: Email Forwarding Rule | 3 |
| T1123 | Audio Capture | 2 |
| T1127 | Trusted Developer Utilities Proxy Execution | 9 |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | 6 |
| T1133 | External Remote Services | 26 |
| T1134 | Access Token Manipulation | 2 |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 2 |
| T1134.002 | | 2 |
| T1135 | Network Share Discovery | 5 |
| T1136 | Create Account | 30 |
| T1136.001 | Create Account: Local Account | 8 |
| T1136.002 | | 2 |
| T1136.003 | Create Account: Cloud Account | 4 |
| T1140 | Deobfuscate/Decode Files or Information | 3 |
| T1187 | Forced Authentication | 1 |
| T1189 | Drive-by Compromise | 1 |
| T1190 | Exploit Public-Facing Application | 21 |
| T1197 | BITS Jobs | 3 |
| T1202 | Indirect Command Execution | 3 |
| T1203 | Exploitation for Client Execution | 5 |
| T1204 | User Execution | 15 |
| T1204.001 | | 1 |
| T1204.002 | | 7 |
| T1204.003 | | 4 |
| T1207 | Rogue Domain Controller | 6 |
| T1210 | Exploitation of Remote Services | 12 |
| T1213 | Data from Information Repositories | 36 |
| T1218 | Signed Binary Proxy Execution | 51 |
| T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 2 |
| T1218.002 | Signed Binary Proxy Execution: Control Panel | 3 |
| T1218.003 | Signed Binary Proxy Execution: CMSTP | 2 |
| T1218.004 | Signed Binary Proxy Execution: InstallUtil | 7 |
| T1218.005 | | 12 |
| T1218.007 | Signed Binary Proxy Execution: Msiexec | 2 |
| T1218.008 | | 2 |
| T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm | 1 |
| T1218.010 | Signed Binary Proxy Execution: Regsvr32 | 9 |
| T1218.011 | Signed Binary Proxy Execution: Rundll32 | 15 |
| T1219 | Remote Access Software | 13 |
| T1222 | File and Directory Permissions Modification | 2 |
| T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 2 |
| T1482 | Domain Trust Discovery | 2 |
| T1484 | Group Policy Modification | 43 |
| T1484.001 | | 2 |
| T1485 | Data Destruction | 1 |
| T1486 | Data Encrypted for Impact | 2 |
| T1490 | Inhibit System Recovery | 4 |
| T1496 | Resource Hijacking | 5 |
| T1505 | Server Software Component | 5 |
| T1505.003 | Server Software Component: Web Shell | 5 |
| T1518 | Software Discovery | 1 |
| T1518.001 | | 1 |
| T1530 | Data from Cloud Storage Object | 13 |
| T1531 | Account Access Removal | 3 |
| T1534 | Internal Spearphishing | 2 |
| T1535 | Unused/Unsupported Cloud Regions | 7 |
| T1542 | Pre-OS Boot | 1 |
| T1542.003 | | 1 |
| T1543 | Create or Modify System Process | 25 |
| T1543.003 | Create or Modify System Process: Windows Service | 27 |
| T1546 | Event Triggered Execution | 7 |
| T1546.001 | | 1 |
| T1546.003 | | 5 |
| T1546.011 | | 1 |
| T1547 | Boot or Logon Autostart Execution | 10 |
| T1547.001 | | 9 |
| T1547.002 | | 1 |
| T1548 | Abuse Elevation Control Mechanism | 4 |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 4 |
| T1550 | Use Alternate Authentication Material | 19 |
| T1550.002 | Use Alternate Authentication Material: Pass the Hash | 13 |
| T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 8 |
| T1552 | Unsecured Credentials | 3 |
| T1552.001 | | 1 |
| T1552.006 | | 2 |
| T1555 | Credentials from Password Stores | 12 |
| T1555.005 | | 11 |
| T1558 | Steal or Forge Kerberos Tickets | 14 |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 5 |
| T1559 | Inter-Process Communication | 1 |
| T1559.002 | | 1 |
| T1560 | Archive Collected Data | 1 |
| T1562 | Impair Defenses | 12 |
| T1562.001 | | 1 |
| T1562.002 | | 3 |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | 5 |
| T1562.006 | | 2 |
| T1563 | Remote Service Session Hijacking | 2 |
| T1563.002 | | 2 |
| T1564 | Hide Artifacts | 6 |
| T1564.001 | | 4 |
| T1564.002 | | 1 |
| T1564.004 | Hide Artifacts: NTFS File Attributes | 1 |
| T1566 | Phishing | 6 |
| T1566.001 | | 1 |
| T1566.002 | Phishing: Spearphishing Link | 3 |
| T1567 | Exfiltration Over Web Service | 5 |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 4 |
| T1568 | Dynamic Resolution | 10 |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | 9 |
| T1569 | System Services | 4 |
| T1569.002 | | 3 |
| T1572 | Protocol Tunneling | 1 |
| T1574 | Hijack Execution Flow | 10 |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | 4 |
| T1574.010 | | 2 |
| T1574.011 | | 3 |
| T1580 | | 4 |
| T1583 | | 1 |
| T1583.001 | | 1 |
| T1598 | | 2 |
| T1598.003 | | 2 |
| TA0001 | | 1 |
| TA0002 | | 53 |
| TA0003 | | 1 |
| TA0004 | | 36 |
| TA0007 | | 2 |
| TA0008 | | 4 |
| TA0009 | | 11 |
| TA0010 | | 63 |
| TA0011 | | 55 |
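Turning the rule table and the tactic matrix above into coverage numbers a SOC can act on, as an added example that is not code from the original MitreMap.md or its project. The rows in `TTP_TABLE` are copied from the table on this page; `MATRIX` is a constructed excerpt of the tactic matrix; the function names and the ATT&CK Navigator layer fields used in `navigator_layer()` (`techniqueID`, `score`, `comment`, `showSubtechniques`, `gradient`, `versions`) are this example's own assumptions, as is the ATT&CK version written into the layer. The roll-up keeps sub-technique sums separate from the parent's own count because the page's counts are not cumulative (T1543.003 lists 27 rules against 25 for its parent T1543).

```python
"""Roll up detection-rule coverage from a MitreMap-style ATT&CK table.

Added example, not code from the original MitreMap.md or its project.
TTP_TABLE holds rows copied from the page's "TTP Code / Technique:
Sub-technique / Rules" table; MATRIX is a constructed excerpt of the
page's tactic matrix. Function names and the ATT&CK Navigator layer
field set used in navigator_layer() are this example's own assumptions.
"""
import json
import re
from collections import defaultdict

# Rows copied from the page's table (sub-technique rows that carry no
# name on the page are kept nameless, exactly as the page has them).
TTP_TABLE = """\
T1003 OS Credential Dumping 31
T1003.001 9
T1003.006 OS Credential Dumping: DCSync 3
T1021 Remote Services 77
T1021.001 Remote Services: Remote Desktop Protocol 4
T1021.002 Remote Services: SMB/Windows Admin Shares 12
T1078 Valid Accounts 225
T1078.004 Valid Accounts: Cloud Accounts 26
T1133 External Remote Services 26
T1550 Use Alternate Authentication Material 19
T1550.002 Use Alternate Authentication Material: Pass the Hash 13
TA0008 4
"""

# Constructed excerpt of the matrix: tactic -> parent techniques in that column.
MATRIX = {
    "Initial Access": ["Valid Accounts", "External Remote Services"],
    "Credential Access": ["OS Credential Dumping"],
    "Lateral Movement": ["Remote Services", "Use Alternate Authentication Material"],
}

# <id> <optional name> <rule count>; ids are Txxxx, Txxxx.yyy or TAxxxx.
ROW_RE = re.compile(r"^(TA?\d{4}(?:\.\d{3})?)\s*(.*?)\s*(\d+)$")


def parse_rows(text):
    """Return [(id, name, rules)] for every non-empty line of the table."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable row: {line!r}")
        tid, name, rules = match.groups()
        rows.append((tid, name, int(rules)))
    return rows


def subtechnique_rules(rows):
    """Sum the rules of each parent's sub-techniques, kept apart from the
    parent's own count: the page's counts are not cumulative (T1543.003
    lists 27 rules while its parent T1543 lists 25)."""
    totals = defaultdict(int)
    for tid, _, rules in rows:
        if "." in tid:
            totals[tid.split(".")[0]] += rules
    return dict(totals)


def rules_by_tactic(rows, matrix):
    """Per-tactic sum of parent-technique rule counts, using the matrix
    columns to place techniques. A technique listed under several tactics
    (Valid Accounts) is counted under each of them, as in the matrix."""
    by_name = {name: rules for tid, name, rules in rows if "." not in tid and name}
    return {
        tactic: sum(by_name.get(name, 0) for name in names)
        for tactic, names in matrix.items()
    }


def navigator_layer(rows, name="MitreMap rule coverage"):
    """Build an ATT&CK Navigator layer scoring each technique by its rule
    count so coverage can be heat-mapped. Field names follow the Navigator
    v4 layer format as this example assumes it; TA rows name a tactic, not
    a technique, and are skipped."""
    techniques = [
        {
            "techniqueID": tid,
            "score": rules,
            "comment": f"{rules} rule(s)",
            "showSubtechniques": "." not in tid,
        }
        for tid, _, rules in rows
        if not tid.startswith("TA")
    ]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "8", "navigator": "4.2", "layer": "4.2"},  # assumed
        "techniques": techniques,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(t["score"] for t in techniques),
        },
    }


if __name__ == "__main__":
    parsed = parse_rows(TTP_TABLE)
    print(subtechnique_rules(parsed))
    print(rules_by_tactic(parsed, MATRIX))
    print(json.dumps(navigator_layer(parsed), indent=2))
```

Feed the full table to `parse_rows()` and the JSON from `navigator_layer()` loads directly into the Navigator; the per-tactic totals from `rules_by_tactic()` make the skew visible at a glance (Valid Accounts alone carries 225 rules, Drive-by Compromise one).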