MITRE ATT&CK® Matrix for Enterprise (July 2020 Update) v0.2
Jai Minton | CyberRaiju
Defense Evasion
Abuse Elevation Control Mechanism
T1548
Access Token Manipulation
T1134
BITS Jobs
T1197
Deobfuscate/Decode Files or Information
T1140
Direct Volume Access
T1006
Execution Guardrails
T1480
Sub-techniques
Environmental Keying
T1480.001
Exploitation for Defense Evasion
T1211
File and Directory Permissions Modification
T1222
Sub-techniques
Windows File and Directory Permissions Modification
T1222.001
Linux and Mac File and Directory Permissions Modification
T1222.002
Group Policy Modification
T1484
Hide Artifacts
T1564
Sub-techniques
Hidden Files and Directories
T1564.001
Hidden Users
T1564.002
Hidden Window
T1564.003
NTFS File Attributes
T1564.004
Hidden File System
T1564.005
Run Virtual Instance
T1564.006
Hijack Execution Flow
T1574
Impair Defenses
T1562
Sub-techniques
Disable or Modify Tools
T1562.001
Disable Windows Event Logging
T1562.002
HISTCONTROL
T1562.003
Disable or Modify System Firewall
T1562.004
Indicator Blocking
T1562.006
Disable or Modify Cloud Firewall
T1562.007
Indicator Removal on Host
T1070
Sub-techniques
Clear Windows Event Logs
T1070.001
Clear Linux or Mac System Logs
T1070.002
Clear Command History
T1070.003
File Deletion
T1070.004
Network Share Connection Removal
T1070.005
Timestomp
T1070.006
Indirect Command Execution
T1202
Masquerading
T1036
Sub-techniques
Invalid Code Signature
T1036.001
Right-to-Left Override
T1036.002
Rename System Utilities
T1036.003
Masquerade Task or Service
T1036.004
Match Legitimate Name or Location
T1036.005
Space after Filename
T1036.006
Modify Authentication Process
T1556
Sub-techniques
Domain Controller Authentication
T1556.001
Password Filter DLL
T1556.002
Modify Cloud Compute Infrastructure
T1578
Sub-techniques
Create Snapshot
T1578.001
Create Cloud Instance
T1578.002
Delete Cloud Instance
T1578.003
Revert Cloud Instance
T1578.004
Modify Registry
T1112
Obfuscated Files or Information
T1027
Sub-techniques
Binary Padding
T1027.001
Software Packing
T1027.002
Steganography
T1027.003
Compile After Delivery
T1027.004
Indicator Removal from Tools
T1027.005
Pre-OS Boot
T1542
Process Injection
T1055
Revert Cloud Instance
T1536
Rogue Domain Controller
T1207
Rootkit
T1014
Signed Binary Proxy Execution
T1218
Sub-techniques
Compiled HTML File
T1218.001
Control Panel
T1218.002
CMSTP
T1218.003
InstallUtil
T1218.004
Mshta
T1218.005
Msiexec
T1218.007
Odbcconf
T1218.008
Regsvcs/Regasm
T1218.009
Regsvr32
T1218.010
Rundll32
T1218.011
Signed Script Proxy Execution
T1216
Sub-techniques
PubPrn
T1216.001
Subvert Trust Controls
T1553
Sub-techniques
Gatekeeper Bypass
T1553.001
Code Signing
T1553.002
SIP and Trust Provider Hijacking
T1553.003
Install Root Certificate
T1553.004
Template Injection
T1221
Traffic Signaling
T1205
Trusted Developer Utilities Proxy Execution
T1127
Sub-techniques
MSBuild
T1127.001
Unused/Unsupported Cloud Regions
T1535
Use Alternate Authentication Material
T1550
Sub-techniques
Application Access Token
T1550.001
Pass the Hash
T1550.002
Pass the Ticket
T1550.003
Web Session Cookie
T1550.004
Valid Accounts
T1078
Virtualization/Sandbox Evasion
T1497
Sub-techniques
System Checks
T1497.001
User Activity Based Checks
T1497.002
Time Based Evasion
T1497.003
XSL Script Processing
T1220
Privilege Escalation
Abuse Elevation Control Mechanism
T1548
Sub-techniques
Setuid and Setgid
T1548.001
Bypass User Access Control
T1548.002
Sudo and Sudo Caching
T1548.003
Elevated Execution with Prompt
T1548.004
Access Token Manipulation
T1134
Sub-techniques
Token Impersonation/Theft
T1134.001
Create Process with Token
T1134.002
Make and Impersonate Token
T1134.003
Parent PID Spoofing
T1134.004
SID-History Injection
T1134.005
Boot or Logon Autostart Execution
T1547
Boot or Logon Initialization Scripts
T1037
Create or Modify System Process
T1543
Event Triggered Execution
T1546
Exploitation for Privilege Escalation
T1068
Group Policy Modification
T1484
Hijack Execution Flow
T1574
Process Injection
T1055
Sub-techniques
Dynamic-link Library Injection
T1055.001
Portable Executable Injection
T1055.002
Thread Execution Hijacking
T1055.003
Asynchronous Procedure Call
T1055.004
Thread Local Storage
T1055.005
Ptrace System Calls
T1055.008
Proc Memory
T1055.009
Extra Window Memory Injection
T1055.011
Process Hollowing
T1055.012
Process Doppelgänging
T1055.013
VDSO Hijacking
T1055.014
Scheduled Task/Job
T1053
Valid Accounts
T1078
Persistence
Account Manipulation
T1098
Sub-techniques
Additional Azure Service Principal Credentials
T1098.001
Exchange Email Delegate Permissions
T1098.002
Add Office 365 Global Administrator Role
T1098.003
SSH Authorized Keys
T1098.004
BITS Jobs
T1197
Boot or Logon Autostart Execution
T1547
Sub-techniques
Registry Run Keys / Startup Folder
T1547.001
Authentication Package
T1547.002
Time Providers
T1547.003
Winlogon Helper DLL
T1547.004
Security Support Provider
T1547.005
Kernel Modules and Extensions
T1547.006
Re-opened Applications
T1547.007
LSASS Driver
T1547.008
Shortcut Modification
T1547.009
Port Monitors
T1547.010
Plist Modification
T1547.011
Boot or Logon Initialization Scripts
T1037
Sub-techniques
Logon Script (Windows)
T1037.001
Logon Script (Mac)
T1037.002
Network Logon Script
T1037.003
Rc.common
T1037.004
Startup Items
T1037.005
Browser Extensions
T1176
Compromise Client Software Binary
T1554
Create Account
T1136
Sub-techniques
Local Account
T1136.001
Domain Account
T1136.002
Cloud Account
T1136.003
Create or Modify System Process
T1543
Sub-techniques
Launch Agent
T1543.001
Systemd Service
T1543.002
Windows Service
T1543.003
Launch Daemon
T1543.004
Event Triggered Execution
T1546
Sub-techniques
Change Default File Association
T1546.001
Screensaver
T1546.002
Windows Management Instrumentation Event Subscription
T1546.003
.bash_profile and .bashrc
T1546.004
Trap
T1546.005
LC_LOAD_DYLIB Addition
T1546.006
Netsh Helper DLL
T1546.007
Accessibility Features
T1546.008
AppCert DLLs
T1546.009
AppInit DLLs
T1546.010
Application Shimming
T1546.011
Image File Execution Options Injection
T1546.012
PowerShell Profile
T1546.013
Emond
T1546.014
Component Object Model Hijacking
T1546.015
External Remote Services
T1133
Hijack Execution Flow
T1574
Sub-techniques
DLL Search Order Hijacking
T1574.001
DLL Side-Loading
T1574.002
Dylib Hijacking
T1574.004
Executable Installer File Permissions Weakness
T1574.005
LD_PRELOAD
T1574.006
Path Interception by PATH Environment Variable
T1574.007
Path Interception by Search Order Hijacking
T1574.008
Path Interception by Unquoted Path
T1574.009
Services File Permissions Weakness
T1574.010
Services Registry Permissions Weakness
T1574.011
COR_PROFILER
T1574.012
Implant Container Image
T1525
Office Application Startup
T1137
Sub-techniques
Office Template Macros
T1137.001
Office Test
T1137.002
Outlook Forms
T1137.003
Outlook Home Page
T1137.004
Outlook Rules
T1137.005
Add-ins
T1137.006
Pre-OS Boot
T1542
Sub-techniques
System Firmware
T1542.001
Component Firmware
T1542.002
Bootkit
T1542.003
Scheduled Task/Job
T1053
Server Software Component
T1505
Sub-techniques
SQL Stored Procedures
T1505.001
Transport Agent
T1505.002
Web Shell
T1505.003
Traffic Signaling
T1205
Sub-techniques
Port Knocking
T1205.001
Valid Accounts
T1078
Execution
Command and Scripting Interpreter
T1059
Sub-techniques
PowerShell
T1059.001
AppleScript
T1059.002
Windows Command Shell
T1059.003
Unix Shell
T1059.004
VBScript
T1059.005
Python
T1059.006
JavaScript/JScript
T1059.007
Exploitation for Client Execution
T1203
Inter-Process Communication
T1559
Sub-techniques
Component Object Model
T1559.001
Dynamic Data Exchange
T1559.002
Native API
T1106
Scheduled Task/Job
T1053
Sub-techniques
At (Linux)
T1053.001
At (Windows)
T1053.002
Cron
T1053.003
Launchd
T1053.004
Scheduled Task
T1053.005
Shared Modules
T1129
Software Deployment Tools
T1072
System Services
T1569
Sub-techniques
Launchctl
T1569.001
Service Execution
T1569.002
User Execution
T1204
Sub-techniques
Malicious Link
T1204.001
Malicious File
T1204.002
Windows Management Instrumentation
T1047
Initial Access
Drive-by Compromise
T1189
Exploit Public-Facing Application
T1190
External Remote Services
T1133
Hardware Additions
T1200
Phishing
T1566
Sub-techniques
Spearphishing Attachment
T1566.001
Spearphishing Link
T1566.002
Spearphishing via Service
T1566.003
Replication Through Removable Media
T1091
Supply Chain Compromise
T1195
Sub-techniques
Compromise Software Dependencies and Development Tools
T1195.001
Compromise Software Supply Chain
T1195.002
Compromise Hardware Supply Chain
T1195.003
Trusted Relationship
T1199
Valid Accounts
T1078
Sub-techniques
Default Accounts
T1078.001
Domain Accounts
T1078.002
Local Accounts
T1078.003
Cloud Accounts
T1078.004
Colour scheme based on "The ATT&CK Rainbow of Tactics" by olafhartong.
Clipart from Pixabay.
Discovery
Account Discovery
T1087
Sub-techniques
Local Account
T1087.001
Domain Account
T1087.002
Email Account
T1087.003
Cloud Account
T1087.004
Application Window Discovery
T1010
Browser Bookmark Discovery
T1217
Cloud Service Dashboard
T1538
Cloud Service Discovery
T1526
Domain Trust Discovery
T1482
File and Directory Discovery
T1083
Network Service Scanning
T1046
Network Share Discovery
T1135
Network Sniffing
T1040
Password Policy Discovery
T1201
Peripheral Device Discovery
T1120
Permission Groups Discovery
T1069
Sub-techniques
Local Groups
T1069.001
Domain Groups
T1069.002
Cloud Groups
T1069.003
Process Discovery
T1057
Query Registry
T1012
Remote System Discovery
T1018
Software Discovery
T1518
Sub-techniques
Security Software Discovery
T1518.001
System Information Discovery
T1082
System Network Configuration Discovery
T1016
System Network Connections Discovery
T1049
System Owner/User Discovery
T1033
System Service Discovery
T1007
System Time Discovery
T1124
Lateral Movement
Exploitation of Remote Services
T1210
Internal Spearphishing
T1534
Lateral Tool Transfer
T1570
Remote Service Session Hijacking
T1563
Sub-techniques
SSH Hijacking
T1563.001
RDP Hijacking
T1563.002
Remote Services
T1021
Sub-techniques
Remote Desktop Protocol
T1021.001
SMB/Windows Admin Shares
T1021.002
Distributed Component Object Model
T1021.003
SSH
T1021.004
VNC
T1021.005
Windows Remote Management
T1021.006
Replication Through Removable Media
T1091
Software Deployment Tools
T1072
Taint Shared Content
T1080
Use Alternate Authentication Material
T1550
Collection
Archive Collected Data
T1560
Sub-techniques
Archive via Utility
T1560.001
Archive via Library
T1560.002
Archive via Custom Method
T1560.003
Audio Capture
T1123
Automated Collection
T1119
Clipboard Data
T1115
Data from Cloud Storage Object
T1530
Data from Information Repositories
T1213
Sub-techniques
Confluence
T1213.001
Sharepoint
T1213.002
Data from Local System
T1005
Data from Network Shared Drive
T1039
Data from Removable Media
T1025
Data Staged
T1074
Sub-techniques
Local Data Staging
T1074.001
Remote Data Staging
T1074.002
Email Collection
T1114
Sub-techniques
Local Email Collection
T1114.001
Remote Email Collection
T1114.002
Email Forwarding Rule
T1114.003
Input Capture
T1056
Man in the Browser
T1185
Man-in-the-Middle
T1557
Screen Capture
T1113
Video Capture
T1125
Command and Control
Application Layer Protocol
T1071
Sub-techniques
Web Protocols
T1071.001
File Transfer Protocols
T1071.002
Mail Protocols
T1071.003
DNS
T1071.004
Communication Through Removable Media
T1092
Data Encoding
T1132
Sub-techniques
Standard Encoding
T1132.001
Non-Standard Encoding
T1132.002
Data Obfuscation
T1001
Sub-techniques
Junk Data
T1001.001
Steganography
T1001.002
Protocol Impersonation
T1001.003
Dynamic Resolution
T1568
Sub-techniques
Fast Flux DNS
T1568.001
Domain Generation Algorithms
T1568.002
DNS Calculation
T1568.003
Encrypted Channel
T1573
Sub-techniques
Symmetric Cryptography
T1573.001
Asymmetric Cryptography
T1573.002
Fallback Channels
T1008
Ingress Tool Transfer
T1105
Multi-Stage Channels
T1104
Non-Application Layer Protocol
T1095
Non-Standard Port
T1571
Protocol Tunneling
T1572
Proxy
T1090
Sub-techniques
Internal Proxy
T1090.001
External Proxy
T1090.002
Multi-hop Proxy
T1090.003
Domain Fronting
T1090.004
Remote Access Software
T1219
Traffic Signaling
T1205
Web Service
T1102
Sub-techniques
Dead Drop Resolver
T1102.001
Bidirectional Communication
T1102.002
One-Way Communication
T1102.003
Exfiltration
Automated Exfiltration
T1020
Data Transfer Size Limits
T1030
Exfiltration Over Alternative Protocol
T1048
Sub-techniques
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1048.001
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.002
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.003
Exfiltration Over C2 Channel
T1041
Exfiltration Over Other Network Medium
T1011
Sub-techniques
Exfiltration Over Bluetooth
T1011.001
Exfiltration Over Physical Medium
T1052
Sub-techniques
Exfiltration over USB
T1052.001
Exfiltration Over Web Service
T1567
Sub-techniques
Exfiltration to Code Repository
T1567.001
Exfiltration to Cloud Storage
T1567.002
Scheduled Transfer
T1029
Transfer Data to Cloud Account
T1537
Impact
Account Access Removal
T1531
Data Destruction
T1485
Data Encrypted for Impact
T1486
Data Manipulation
T1565
Sub-techniques
Stored Data Manipulation
T1565.001
Transmitted Data Manipulation
T1565.002
Runtime Data Manipulation
T1565.003
Defacement
T1491
Sub-techniques
Internal Defacement
T1491.001
External Defacement
T1491.002
Disk Wipe
T1561
Sub-techniques
Disk Content Wipe
T1561.001
Disk Structure Wipe
T1561.002
Endpoint Denial of Service
T1499
Sub-techniques
OS Exhaustion Flood
T1499.001
Service Exhaustion Flood
T1499.002
Application Exhaustion Flood
T1499.003
Application or System Exploitation
T1499.004
Firmware Corruption
T1495
Inhibit System Recovery
T1490
Network Denial of Service
T1498
Sub-techniques
Direct Network Flood
T1498.001
Reflection Amplification
T1498.002
Resource Hijacking
T1496
Service Stop
T1489
System Shutdown/Reboot
T1529
Credential Access
Brute Force
T1110
Sub-techniques
Password Guessing
T1110.001
Password Cracking
T1110.002
Password Spraying
T1110.003
Credential Stuffing
T1110.004
Credentials from Password Stores
T1555
Sub-techniques
Keychain
T1555.001
Securityd Memory
T1555.002
Credentials from Web Browsers
T1555.003
Exploitation for Credential Access
T1212
Forced Authentication
T1187
Input Capture
T1056
Sub-techniques
Keylogging
T1056.001
GUI Input Capture
T1056.002
Web Portal Capture
T1056.003
Credential API Hooking
T1056.004
Man-in-the-Middle
T1557
Sub-techniques
LLMNR/NBT-NS Poisoning and SMB Relay
T1557.001
Modify Authentication Process
T1556
Sub-techniques
Domain Controller Authentication
T1556.001
Password Filter DLL
T1556.002
Pluggable Authentication Modules
T1556.003
Network Sniffing
T1040
OS Credential Dumping
T1003
Sub-techniques
LSASS Memory
T1003.001
Security Account Manager
T1003.002
NTDS
T1003.003
LSA Secrets
T1003.004
Cached Domain Credentials
T1003.005
DCSync
T1003.006
Proc Filesystem
T1003.007
/etc/passwd and /etc/shadow
T1003.008
Steal Application Access Token
T1528
Steal or Forge Kerberos Tickets
T1558
Sub-techniques
Golden Ticket
T1558.001
Silver Ticket
T1558.002
Kerberoasting
T1558.003
Steal Web Session Cookie
T1539
Two-Factor Authentication Interception
T1111
Unsecured Credentials
T1552
Sub-techniques
Credentials In Files
T1552.001
Credentials in Registry
T1552.002
Bash History
T1552.003
Private Keys
T1552.004
Cloud Instance Metadata API
T1552.005
Group Policy Preferences
T1552.006