Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1003	OS Credential Dumping	11	4
T1564.004	NTFS File Attributes	2	0
T1007	System Service Discovery	2	0
T1110.002	Password Cracking	1	0
T1571	Non-Standard Port	2	0
T1589.001	Credentials	1	0
T1098	Account Manipulation	2	2
T1027.001	Binary Padding	2	0
T1218	System Binary Proxy Execution	3	0
T1195.002	Compromise Software Supply Chain	3	0
T1027.009	Embedded Payloads	2	0
T1025	Data from Removable Media	2	0
T1547.010	Port Monitors	1	0
T1555.003	Credentials from Web Browsers	1	0
T1106	Native API	5	0
T1566.001	Spearphishing Attachment	6	0
T1033	System Owner/User Discovery	2	0
T1555.005	Password Managers	1	0
T1005	Data from Local System	32	0
T1210	Exploitation of Remote Services	5	0
T1556.008	Network Provider DLL	1	0
T1189	Drive-by Compromise	19	0
T1550.002	Pass the Hash	2	0
T1055.002	Portable Executable Injection	2	0
T1547.002	Authentication Package	1	0
T1068	Exploitation for Privilege Escalation	37	0
T1556	Modify Authentication Process	4	3
T1057	Process Discovery	1	0
T1611	Escape to Host	1	0
T1550	Use Alternate Authentication Material	2	2
T1589	Gather Victim Identity Information	1	1
T1564.006	Run Virtual Instance	1	0
T1553.006	Code Signing Policy Modification	3	0
T1203	Exploitation for Client Execution	25	0
T1552.002	Credentials in Registry	1	0
T1204	User Execution	3	2
T1222	File and Directory Permissions Modification	2	0
T1110.001	Password Guessing	1	0
T1204.002	Malicious File	36	0
T1059.003	Windows Command Shell	5	0
T1036.001	Invalid Code Signature	2	0
T1027.007	Dynamic API Resolution	2	0
T1550.003	Pass the Ticket	2	0
T1212	Exploitation for Credential Access	4	0
T1056.004	Credential API Hooking	1	0
T1069	Permission Groups Discovery	3	0
T1102	Web Service	1	0
T1027.005	Indicator Removal from Tools	2	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1110.003	Password Spraying	2	0
T1055.001	Dynamic-link Library Injection	3	0
T1546	Event Triggered Execution	1	0
T1027.002	Software Packing	3	0
T1027.008	Stripped Payloads	2	0
T1555.004	Windows Credential Manager	1	0
T1083	File and Directory Discovery	4	0
T1115	Clipboard Data	1	0
T1542	Pre-OS Boot	2	4
T1021.001	Remote Desktop Protocol	2	0
T1105	Ingress Tool Transfer	33	0
T1055.011	Extra Window Memory Injection	2	0
T1565.001	Stored Data Manipulation	2	0
T1547.004	Winlogon Helper DLL	1	0
T1556.006	Multi-Factor Authentication	1	0
T1056.003	Web Portal Capture	1	0
T1110.004	Credential Stuffing	1	0
T1071	Application Layer Protocol	2	2
T1027	Obfuscated Files or Information	9	11
T1018	Remote System Discovery	2	0
T1078.001	Default Accounts	1	0
T1543	Create or Modify System Process	4	1
T1070	Indicator Removal	4	2
T1518	Software Discovery	1	0
T1049	System Network Connections Discovery	2	0
T1021.002	SMB/Windows Admin Shares	1	0
T1021	Remote Services	4	3
T1136	Create Account	11	3
T1569	System Services	1	1
T1496	Resource Hijacking	19	0
T1098.002	Additional Email Delegate Permissions	1	0
T1036.002	Right-to-Left Override	1	0
T1566	Phishing	5	2
T1003.002	Security Account Manager	1	0
T1574	Hijack Execution Flow	17	0
T1553	Subvert Trust Controls	3	3
T1059.001	PowerShell	4	0
T1136.001	Local Account	3	0
T1495	Firmware Corruption	2	0
T1074	Data Staged	1	1
T1110	Brute Force	7	4
T1547.005	Security Support Provider	1	0
T1082	System Information Discovery	8	0
T1560	Archive Collected Data	1	1
T1012	Query Registry	1	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1601.001	Patch System Image	1	0
T1547.008	LSASS Driver	5	0
T1047	Windows Management Instrumentation	3	0
T1136.002	Domain Account	1	0
T1070.004	File Deletion	5	0
T1055.003	Thread Execution Hijacking	2	0
T1556.002	Password Filter DLL	1	0
T1489	Service Stop	2	0
T1114	Email Collection	2	1
T1570	Lateral Tool Transfer	1	0
T1074.001	Local Data Staging	1	0
T1560.001	Archive via Utility	3	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1552.001	Credentials In Files	5	0
T1027.004	Compile After Delivery	3	0
T1190	Exploit Public-Facing Application	128	0
T1567	Exfiltration Over Web Service	2	0
T1078.003	Local Accounts	2	0
T1486	Data Encrypted for Impact	17	0
T1211	Exploitation for Defense Evasion	3	0
T1055	Process Injection	4	5
T1136.003	Cloud Account	1	0
T1542.001	System Firmware	2	0
T1134.002	Create Process with Token	1	0
T1056	Input Capture	3	3
T1016	System Network Configuration Discovery	2	0
T1552.004	Private Keys	1	0
T1534	Internal Spearphishing	1	0
T1564	Hide Artifacts	2	2
T1119	Automated Collection	2	0
T1195	Supply Chain Compromise	2	2
T1027.010	Command Obfuscation	2	0
T1036	Masquerading	5	3
T1134	Access Token Manipulation	1	2
T1548.002	Bypass User Account Control	2	0
T1552	Unsecured Credentials	5	3
T1041	Exfiltration Over C2 Channel	8	0
T1087.002	Domain Account	7	0
T1132	Data Encoding	3	0
T1547	Boot or Logon Autostart Execution	7	6
T1055.012	Process Hollowing	1	0
T1621	Multi-Factor Authentication Request Generation	1	0
T1573	Encrypted Channel	1	1
T1078	Valid Accounts	41	3
T1021.006	Windows Remote Management	1	0
T1078.002	Domain Accounts	1	0
T1095	Non-Application Layer Protocol	1	0
T1059	Command and Scripting Interpreter	108	5
T1542.002	Component Firmware	2	0
T1027.003	Steganography	2	0
T1553.003	SIP and Trust Provider Hijacking	1	0
T1112	Modify Registry	3	0
T1548	Abuse Elevation Control Mechanism	4	1
T1087	Account Discovery	4	2
T1014	Rootkit	5	0
T1543.003	Windows Service	3	0
T1059.005	Visual Basic	1	0
T1027.013	Encrypted/Encoded File	2	0
T1027.011	Fileless Storage	2	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1542.003	Bootkit	2	0
T1056.001	Keylogging	1	0
T1113	Screen Capture	1	0
T1059.007	JavaScript	13	0
T1598.002	Spearphishing Attachment	1	0
T1498	Network Denial of Service	7	0
T1562.001	Disable or Modify Tools	2	0
T1003.003	NTDS	3	0
T1114.002	Remote Email Collection	1	0
T1204.001	Malicious Link	11	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1505	Server Software Component	1	1
T1555	Credentials from Password Stores	3	3
T1542.005	TFTP Boot	1	0
T1530	Data from Cloud Storage	1	0
T1601	Modify System Image	1	1
T1484.001	Group Policy Modification	1	0
T1098.004	SSH Authorized Keys	1	0
T1485	Data Destruction	3	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1185	Browser Session Hijacking	2	0
T1071.001	Web Protocols	9	0
T1003.001	LSASS Memory	1	0
T1505.003	Web Shell	20	0
T1499	Endpoint Denial of Service	5	2
T1592	Gather Victim Host Information	1	0
T1573.001	Symmetric Cryptography	3	0
T1090	Proxy	3	1
T1217	Browser Information Discovery	1	0
T1219	Remote Access Software	1	0
T1133	External Remote Services	21	0
T1608.001	Upload Malware	5	0
T1053.005	Scheduled Task	2	0
T1531	Account Access Removal	1	0
T1584.005	Botnet	2	0
T1622	Debugger Evasion	2	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1070.001	Clear Windows Event Logs	1	0
T1588.001	Malware	1	0
T1202	Indirect Command Execution	9	0
T1046	Network Service Discovery	5	0
T1653	Power Settings	1	0
T1569.002	Service Execution	1	0
T1090.001	Internal Proxy	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1036.005	Match Legitimate Name or Location	1	0
T1040	Network Sniffing	1	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1071.002	File Transfer Protocols	1	0
T1037	Boot or Logon Initialization Scripts	1	0
T1553.005	Mark-of-the-Web Bypass	1	0
T1499.004	Application or System Exploitation	1	0
T1557	Adversary-in-the-Middle	2	1
T1059.004	Unix Shell	9	0
T1566.002	Spearphishing Link	1	0
T1482	Domain Trust Discovery	2	0
T1490	Inhibit System Recovery	1	0
T1053	Scheduled Task/Job	1	1
T1213	Data from Information Repositories	2	0
T1491.002	External Defacement	1	0
T1087.001	Local Account	1	0
T1221	Template Injection	3	0
T1565	Data Manipulation	1	1
T1499.002	Service Exhaustion Flood	2	0
T1134.001	Token Impersonation/Theft	1	0