Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1195.002	Compromise Software Supply Chain	3	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1552.004	Private Keys	1	0
T1047	Windows Management Instrumentation	3	0
T1564.006	Run Virtual Instance	1	0
T1547.008	LSASS Driver	5	0
T1566.001	Spearphishing Attachment	6	0
T1547.004	Winlogon Helper DLL	1	0
T1556	Modify Authentication Process	4	3
T1110	Brute Force	7	4
T1496	Resource Hijacking	19	0
T1136	Create Account	11	3
T1134	Access Token Manipulation	1	2
T1095	Non-Application Layer Protocol	1	0
T1087.002	Domain Account	7	0
T1068	Exploitation for Privilege Escalation	37	0
T1486	Data Encrypted for Impact	17	0
T1556.006	Multi-Factor Authentication	1	0
T1041	Exfiltration Over C2 Channel	8	0
T1222	File and Directory Permissions Modification	2	0
T1565.001	Stored Data Manipulation	2	0
T1564.004	NTFS File Attributes	2	0
T1007	System Service Discovery	2	0
T1189	Drive-by Compromise	19	0
T1564	Hide Artifacts	2	2
T1203	Exploitation for Client Execution	25	0
T1055.003	Thread Execution Hijacking	2	0
T1204.002	Malicious File	36	0
T1070	Indicator Removal	4	2
T1012	Query Registry	1	0
T1210	Exploitation of Remote Services	5	0
T1114	Email Collection	2	1
T1056.003	Web Portal Capture	1	0
T1573	Encrypted Channel	1	1
T1555.005	Password Managers	1	0
T1070.004	File Deletion	5	0
T1057	Process Discovery	1	0
T1055.011	Extra Window Memory Injection	2	0
T1098	Account Manipulation	2	2
T1621	Multi-Factor Authentication Request Generation	1	0
T1036	Masquerading	5	3
T1003.002	Security Account Manager	1	0
T1547.002	Authentication Package	1	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1059.003	Windows Command Shell	5	0
T1027.008	Stripped Payloads	2	0
T1211	Exploitation for Defense Evasion	3	0
T1025	Data from Removable Media	2	0
T1102	Web Service	1	0
T1119	Automated Collection	2	0
T1195	Supply Chain Compromise	2	2
T1069	Permission Groups Discovery	3	0
T1021.002	SMB/Windows Admin Shares	1	0
T1027.004	Compile After Delivery	3	0
T1056.004	Credential API Hooking	1	0
T1056.001	Keylogging	1	0
T1136.002	Domain Account	1	0
T1542.002	Component Firmware	2	0
T1074.001	Local Data Staging	1	0
T1212	Exploitation for Credential Access	4	0
T1548	Abuse Elevation Control Mechanism	4	1
T1027.010	Command Obfuscation	2	0
T1018	Remote System Discovery	2	0
T1110.003	Password Spraying	2	0
T1548.002	Bypass User Account Control	2	0
T1014	Rootkit	5	0
T1553.006	Code Signing Policy Modification	3	0
T1071	Application Layer Protocol	2	2
T1082	System Information Discovery	8	0
T1132	Data Encoding	3	0
T1021.006	Windows Remote Management	1	0
T1059.005	Visual Basic	1	0
T1036.001	Invalid Code Signature	2	0
T1204	User Execution	3	2
T1078.003	Local Accounts	2	0
T1074	Data Staged	1	1
T1027.005	Indicator Removal from Tools	2	0
T1021	Remote Services	4	3
T1110.004	Credential Stuffing	1	0
T1078.002	Domain Accounts	1	0
T1027.003	Steganography	2	0
T1552.002	Credentials in Registry	1	0
T1136.003	Cloud Account	1	0
T1098.002	Additional Email Delegate Permissions	1	0
T1016	System Network Configuration Discovery	2	0
T1553	Subvert Trust Controls	3	3
T1543	Create or Modify System Process	4	1
T1055.002	Portable Executable Injection	2	0
T1110.002	Password Cracking	1	0
T1087	Account Discovery	4	2
T1059	Command and Scripting Interpreter	108	5
T1567	Exfiltration Over Web Service	2	0
T1112	Modify Registry	3	0
T1190	Exploit Public-Facing Application	128	0
T1571	Non-Standard Port	2	0
T1489	Service Stop	2	0
T1033	System Owner/User Discovery	2	0
T1115	Clipboard Data	1	0
T1550.003	Pass the Ticket	2	0
T1542.001	System Firmware	2	0
T1556.008	Network Provider DLL	1	0
T1550.002	Pass the Hash	2	0
T1059.001	PowerShell	4	0
T1027.009	Embedded Payloads	2	0
T1027.001	Binary Padding	2	0
T1027.002	Software Packing	3	0
T1021.001	Remote Desktop Protocol	2	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1552.001	Credentials In Files	5	0
T1105	Ingress Tool Transfer	33	0
T1555.004	Windows Credential Manager	1	0
T1055.012	Process Hollowing	1	0
T1546	Event Triggered Execution	1	0
T1027.011	Fileless Storage	2	0
T1078.001	Default Accounts	1	0
T1542	Pre-OS Boot	2	4
T1601.001	Patch System Image	1	0
T1005	Data from Local System	32	0
T1570	Lateral Tool Transfer	1	0
T1611	Escape to Host	1	0
T1049	System Network Connections Discovery	2	0
T1574	Hijack Execution Flow	17	0
T1552	Unsecured Credentials	5	3
T1113	Screen Capture	1	0
T1106	Native API	5	0
T1036.002	Right-to-Left Override	1	0
T1547.010	Port Monitors	1	0
T1083	File and Directory Discovery	4	0
T1218	System Binary Proxy Execution	3	0
T1056	Input Capture	3	3
T1550	Use Alternate Authentication Material	2	2
T1569	System Services	1	1
T1560	Archive Collected Data	1	1
T1495	Firmware Corruption	2	0
T1543.003	Windows Service	3	0
T1003	OS Credential Dumping	11	4
T1534	Internal Spearphishing	1	0
T1055.001	Dynamic-link Library Injection	3	0
T1589.001	Credentials	1	0
T1547.005	Security Support Provider	1	0
T1027.007	Dynamic API Resolution	2	0
T1542.003	Bootkit	2	0
T1136.001	Local Account	3	0
T1553.003	SIP and Trust Provider Hijacking	1	0
T1134.002	Create Process with Token	1	0
T1556.002	Password Filter DLL	1	0
T1555.003	Credentials from Web Browsers	1	0
T1560.001	Archive via Utility	3	0
T1547	Boot or Logon Autostart Execution	7	6
T1055	Process Injection	4	5
T1110.001	Password Guessing	1	0
T1027.013	Encrypted/Encoded File	2	0
T1566	Phishing	5	2
T1078	Valid Accounts	41	3
T1027	Obfuscated Files or Information	9	11
T1518	Software Discovery	1	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1589	Gather Victim Identity Information	1	1
T1565	Data Manipulation	1	1
T1185	Browser Session Hijacking	2	0
T1557	Adversary-in-the-Middle	2	1
T1622	Debugger Evasion	2	0
T1498	Network Denial of Service	7	0
T1036.005	Match Legitimate Name or Location	1	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1553.005	Mark-of-the-Web Bypass	1	0
T1499	Endpoint Denial of Service	5	2
T1573.001	Symmetric Cryptography	3	0
T1569.002	Service Execution	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1040	Network Sniffing	1	0
T1653	Power Settings	1	0
T1046	Network Service Discovery	5	0
T1221	Template Injection	3	0
T1053.005	Scheduled Task	2	0
T1499.002	Service Exhaustion Flood	2	0
T1499.004	Application or System Exploitation	1	0
T1098.004	SSH Authorized Keys	1	0
T1003.003	NTDS	3	0
T1531	Account Access Removal	1	0
T1090	Proxy	3	1
T1204.001	Malicious Link	11	0
T1482	Domain Trust Discovery	2	0
T1555	Credentials from Password Stores	3	3
T1053	Scheduled Task/Job	1	1
T1071.002	File Transfer Protocols	1	0
T1566.002	Spearphishing Link	1	0
T1202	Indirect Command Execution	9	0
T1003.001	LSASS Memory	1	0
T1485	Data Destruction	3	0
T1562.001	Disable or Modify Tools	2	0
T1213	Data from Information Repositories	2	0
T1070.001	Clear Windows Event Logs	1	0
T1588.001	Malware	1	0
T1071.001	Web Protocols	9	0
T1133	External Remote Services	21	0
T1601	Modify System Image	1	1
T1090.001	Internal Proxy	1	0
T1217	Browser Information Discovery	1	0
T1114.002	Remote Email Collection	1	0
T1134.001	Token Impersonation/Theft	1	0
T1219	Remote Access Software	1	0
T1059.007	JavaScript	13	0
T1598.002	Spearphishing Attachment	1	0
T1592	Gather Victim Host Information	1	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1608.001	Upload Malware	5	0
T1059.004	Unix Shell	9	0
T1490	Inhibit System Recovery	1	0
T1542.005	TFTP Boot	1	0
T1087.001	Local Account	1	0
T1505	Server Software Component	1	1
T1484.001	Group Policy Modification	1	0
T1584.005	Botnet	2	0
T1530	Data from Cloud Storage	1	0
T1037	Boot or Logon Initialization Scripts	1	0
T1505.003	Web Shell	20	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1491.002	External Defacement	1	0