Overview
MITRE ATT&CK provides a standard framework for categorizing attacker behavior. In Hyver, each finding can be labeled using the format Tactic_Technique — such as Execution_PowerShell or Discovery_System Info.
This guide lists all major MITRE ATT&CK tactics together with some of their most common techniques, grouped under the tactic they belong to.
Tactic: Reconnaissance
Techniques:
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Search Victim-Owned Websites
Tactic: Resource Development
Techniques:
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Tactic: Initial Access
Techniques:
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Phishing
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Replication Through Removable Media
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Tactic: Execution
Techniques:
Command and Scripting Interpreter
Exploitation for Client Execution
Inter-Process Communication
Native API
Scheduled Task/Job
Shared Modules
Software Deployment Tools
System Services
User Execution
Windows Management Instrumentation
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Component Object Model and Distributed COM
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
Windows Remote Management
XSL Script Processing
Tactic: Persistence
Techniques:
Account Manipulation
BITS Jobs
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Browser Extensions
Compromise Client Software Binary
Create Account
Create or Modify System Process
Event Triggered Execution
External Remote Services
Hijack Execution Flow
Implant Container Image
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
.bash_profile and .bashrc
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
Bootkit
Change Default File Association
Component Firmware
Component Object Model Hijacking
DLL Search Order Hijacking
Dylib Hijacking
Emond
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Path Interception
Plist Modification
Port Knocking
Port Monitors
PowerShell Profile
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management Instrumentation Event Subscription
Winlogon Helper DLL
Tactic: Privilege Escalation
Techniques:
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Exploitation for Privilege Escalation
Group Policy Modification
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Elevated Execution with Prompt
Emond
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Parent PID Spoofing
Path Interception
Plist Modification
Port Monitors
PowerShell Profile
Scheduled Task
Service Registry Permissions Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Web Shell
Tactic: Defense Evasion
Techniques:
Abuse Elevation Control Mechanism
Access Token Manipulation
BITS Jobs
Deobfuscate/Decode Files or Information
Direct Volume Access
Execution Guardrails
Exploitation for Defense Evasion
File and Directory Permissions Modification
Group Policy Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify Registry
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Rogue Domain Controller
Rootkit
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Template Injection
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Unused/Unsupported Cloud Regions
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
XSL Script Processing
Indirect Command Execution
Binary Padding
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Connection Proxy
Control Panel Items
DCShadow
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Extra Window Memory Injection
File Deletion
File System Logical Offsets
Gatekeeper Bypass
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options Injection
Indicator Blocking
Indicator Removal from Tools
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Mshta
Network Share Connection Removal
NTFS File Attributes
Parent PID Spoofing
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Redundant Access
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Timestomp
Trusted Developer Utilities
Web Service
Tactic: Credential Access
Techniques:
Brute Force
Credentials from Password Stores
Exploitation for Credential Access
Forced Authentication
Input Capture
Man-in-the-Middle
Modify Authentication Process
Network Sniffing
OS Credential Dumping
Steal Application Access Token
Steal or Forge Kerberos Tickets
Steal Web Session Cookie
Two-Factor Authentication Interception
Unsecured Credentials
Account Manipulation
Bash History
Credential Dumping
Credentials from Web Browsers
Credentials in Files
Credentials in Registry
Hooking
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and Relay
Password Filter DLL
Private Keys
Securityd Memory
Tactic: Discovery
Techniques:
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Cloud Infrastructure Discovery
Cloud Service Dashboard
Cloud Service Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Tactic: Lateral Movement
Techniques:
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking
Remote Services
Replication Through Removable Media
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material
AppleScript
Application Deployment Software
Component Object Model and Distributed COM
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Shared Webroot
SSH Hijacking
Third-party Software
Windows Admin Shares
Windows Remote Management
Tactic: Collection
Techniques:
Archive Collected Data
Audio Capture
Automated Collection
Clipboard Data
Data from Cloud Storage Object
Data from Configuration Repository
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Man-in-the-Middle
Screen Capture
Video Capture
Tactic: Command and Control
Techniques:
Application Layer Protocol
Communication Through Removable Media
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Proxy
Remote Access Software
Traffic Signaling
Web Service
Commonly Used Port
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Domain Fronting
Domain Generation Algorithms
Multi-hop Proxy
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Uncommonly Used Port
Tactic: Exfiltration
Techniques:
Automated Exfiltration
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Scheduled Transfer
Transfer Data to Cloud Account
Data Compressed
Data Encrypted
Exfiltration Over Command and Control Channel
Tactic: Impact
Techniques:
Account Access Removal
Data Destruction
Data Encrypted for Impact
Data Manipulation
Defacement
Disk Wipe
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Service Stop
System Shutdown/Reboot
Runtime Data Manipulation
Stored Data Manipulation
Transmitted Data Manipulation
Wrap-up / Next Steps
MITRE labels are essential for understanding how a threat actor could move through your environment. Tag your findings consistently — it helps Hyver optimize attack paths and prioritize the right fixes.
