Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1025	Data from Removable Media	2	0
T1552.004	Private Keys	1	0
T1211	Exploitation for Defense Evasion	3	0
T1078.002	Domain Accounts	1	0
T1027.009	Embedded Payloads	2	0
T1087	Account Discovery	4	2
T1212	Exploitation for Credential Access	4	0
T1047	Windows Management Instrumentation	3	0
T1036.001	Invalid Code Signature	2	0
T1027.003	Steganography	2	0
T1552.002	Credentials in Registry	1	0
T1547.010	Port Monitors	1	0
T1546	Event Triggered Execution	1	0
T1078.003	Local Accounts	2	0
T1055.011	Extra Window Memory Injection	2	0
T1189	Drive-by Compromise	19	0
T1059.001	PowerShell	4	0
T1556.006	Multi-Factor Authentication	1	0
T1542.002	Component Firmware	2	0
T1074	Data Staged	1	1
T1486	Data Encrypted for Impact	17	0
T1068	Exploitation for Privilege Escalation	37	0
T1543	Create or Modify System Process	4	1
T1021	Remote Services	4	3
T1589	Gather Victim Identity Information	1	1
T1110.004	Credential Stuffing	1	0
T1070.004	File Deletion	5	0
T1555.003	Credentials from Web Browsers	1	0
T1195	Supply Chain Compromise	2	2
T1059.003	Windows Command Shell	5	0
T1589.001	Credentials	1	0
T1574	Hijack Execution Flow	17	0
T1552.001	Credentials In Files	5	0
T1210	Exploitation of Remote Services	5	0
T1113	Screen Capture	1	0
T1110.001	Password Guessing	1	0
T1012	Query Registry	1	0
T1496	Resource Hijacking	19	0
T1136.003	Cloud Account	1	0
T1056.001	Keylogging	1	0
T1098	Account Manipulation	2	2
T1056.003	Web Portal Capture	1	0
T1027	Obfuscated Files or Information	9	11
T1547.008	LSASS Driver	5	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1222	File and Directory Permissions Modification	2	0
T1027.001	Binary Padding	2	0
T1547.004	Winlogon Helper DLL	1	0
T1542.003	Bootkit	2	0
T1027.007	Dynamic API Resolution	2	0
T1548	Abuse Elevation Control Mechanism	4	1
T1098.002	Additional Email Delegate Permissions	1	0
T1556.002	Password Filter DLL	1	0
T1542	Pre-OS Boot	2	4
T1070	Indicator Removal	4	2
T1564.006	Run Virtual Instance	1	0
T1132	Data Encoding	3	0
T1556.008	Network Provider DLL	1	0
T1055.003	Thread Execution Hijacking	2	0
T1553.003	SIP and Trust Provider Hijacking	1	0
T1134	Access Token Manipulation	1	2
T1550.003	Pass the Ticket	2	0
T1055	Process Injection	4	5
T1016	System Network Configuration Discovery	2	0
T1071	Application Layer Protocol	2	2
T1110.003	Password Spraying	2	0
T1036.002	Right-to-Left Override	1	0
T1136	Create Account	11	3
T1534	Internal Spearphishing	1	0
T1552	Unsecured Credentials	5	3
T1055.012	Process Hollowing	1	0
T1078.001	Default Accounts	1	0
T1078	Valid Accounts	41	3
T1548.002	Bypass User Account Control	2	0
T1119	Automated Collection	2	0
T1542.001	System Firmware	2	0
T1547.005	Security Support Provider	1	0
T1027.010	Command Obfuscation	2	0
T1027.013	Encrypted/Encoded File	2	0
T1489	Service Stop	2	0
T1059	Command and Scripting Interpreter	108	5
T1611	Escape to Host	1	0
T1547	Boot or Logon Autostart Execution	7	6
T1105	Ingress Tool Transfer	33	0
T1564.004	NTFS File Attributes	2	0
T1033	System Owner/User Discovery	2	0
T1027.002	Software Packing	3	0
T1102	Web Service	1	0
T1056.004	Credential API Hooking	1	0
T1550.002	Pass the Hash	2	0
T1556	Modify Authentication Process	4	3
T1069	Permission Groups Discovery	3	0
T1115	Clipboard Data	1	0
T1014	Rootkit	5	0
T1021.001	Remote Desktop Protocol	2	0
T1543.003	Windows Service	3	0
T1041	Exfiltration Over C2 Channel	8	0
T1027.011	Fileless Storage	2	0
T1005	Data from Local System	32	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1007	System Service Discovery	2	0
T1566.001	Spearphishing Attachment	6	0
T1074.001	Local Data Staging	1	0
T1564	Hide Artifacts	2	2
T1003.002	Security Account Manager	1	0
T1021.002	SMB/Windows Admin Shares	1	0
T1555.005	Password Managers	1	0
T1110	Brute Force	7	4
T1095	Non-Application Layer Protocol	1	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1112	Modify Registry	3	0
T1573	Encrypted Channel	1	1
T1110.002	Password Cracking	1	0
T1566	Phishing	5	2
T1055.002	Portable Executable Injection	2	0
T1560	Archive Collected Data	1	1
T1553.006	Code Signing Policy Modification	3	0
T1059.005	Visual Basic	1	0
T1560.001	Archive via Utility	3	0
T1087.002	Domain Account	7	0
T1055.001	Dynamic-link Library Injection	3	0
T1083	File and Directory Discovery	4	0
T1218	System Binary Proxy Execution	3	0
T1027.008	Stripped Payloads	2	0
T1495	Firmware Corruption	2	0
T1136.001	Local Account	3	0
T1547.002	Authentication Package	1	0
T1114	Email Collection	2	1
T1036	Masquerading	5	3
T1569	System Services	1	1
T1049	System Network Connections Discovery	2	0
T1018	Remote System Discovery	2	0
T1571	Non-Standard Port	2	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1057	Process Discovery	1	0
T1106	Native API	5	0
T1570	Lateral Tool Transfer	1	0
T1204	User Execution	3	2
T1621	Multi-Factor Authentication Request Generation	1	0
T1204.002	Malicious File	36	0
T1134.002	Create Process with Token	1	0
T1056	Input Capture	3	3
T1195.002	Compromise Software Supply Chain	3	0
T1601.001	Patch System Image	1	0
T1027.004	Compile After Delivery	3	0
T1021.006	Windows Remote Management	1	0
T1553	Subvert Trust Controls	3	3
T1027.005	Indicator Removal from Tools	2	0
T1555.004	Windows Credential Manager	1	0
T1550	Use Alternate Authentication Material	2	2
T1003	OS Credential Dumping	11	4
T1203	Exploitation for Client Execution	25	0
T1518	Software Discovery	1	0
T1190	Exploit Public-Facing Application	128	0
T1567	Exfiltration Over Web Service	2	0
T1565.001	Stored Data Manipulation	2	0
T1082	System Information Discovery	8	0
T1136.002	Domain Account	1	0
T1569.002	Service Execution	1	0
T1482	Domain Trust Discovery	2	0
T1003.003	NTDS	3	0
T1090.001	Internal Proxy	1	0
T1608.001	Upload Malware	5	0
T1185	Browser Session Hijacking	2	0
T1059.007	JavaScript	13	0
T1499	Endpoint Denial of Service	5	2
T1219	Remote Access Software	1	0
T1134.001	Token Impersonation/Theft	1	0
T1592	Gather Victim Host Information	1	0
T1499.002	Service Exhaustion Flood	2	0
T1584.005	Botnet	2	0
T1491.002	External Defacement	1	0
T1484.001	Group Policy Modification	1	0
T1037	Boot or Logon Initialization Scripts	1	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1557	Adversary-in-the-Middle	2	1
T1071.002	File Transfer Protocols	1	0
T1204.001	Malicious Link	11	0
T1098.004	SSH Authorized Keys	1	0
T1530	Data from Cloud Storage	1	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1040	Network Sniffing	1	0
T1505	Server Software Component	1	1
T1565	Data Manipulation	1	1
T1036.005	Match Legitimate Name or Location	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1087.001	Local Account	1	0
T1053	Scheduled Task/Job	1	1
T1499.004	Application or System Exploitation	1	0
T1133	External Remote Services	21	0
T1622	Debugger Evasion	2	0
T1003.001	LSASS Memory	1	0
T1598.002	Spearphishing Attachment	1	0
T1601	Modify System Image	1	1
T1221	Template Injection	3	0
T1573.001	Symmetric Cryptography	3	0
T1071.001	Web Protocols	9	0
T1053.005	Scheduled Task	2	0
T1217	Browser Information Discovery	1	0
T1653	Power Settings	1	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1542.005	TFTP Boot	1	0
T1059.004	Unix Shell	9	0
T1213	Data from Information Repositories	2	0
T1553.005	Mark-of-the-Web Bypass	1	0
T1562.001	Disable or Modify Tools	2	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1490	Inhibit System Recovery	1	0
T1070.001	Clear Windows Event Logs	1	0
T1090	Proxy	3	1
T1114.002	Remote Email Collection	1	0
T1588.001	Malware	1	0
T1531	Account Access Removal	1	0
T1202	Indirect Command Execution	9	0
T1566.002	Spearphishing Link	1	0
T1555	Credentials from Password Stores	3	3
T1485	Data Destruction	3	0
T1505.003	Web Shell	20	0
T1046	Network Service Discovery	5	0
T1498	Network Denial of Service	7	0