Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1007	System Service Discovery	2	0
T1564	Hide Artifacts	2	2
T1119	Automated Collection	2	0
T1489	Service Stop	2	0
T1569	System Services	1	1
T1110.004	Credential Stuffing	1	0
T1027.010	Command Obfuscation	2	0
T1068	Exploitation for Privilege Escalation	37	0
T1552.001	Credentials In Files	5	0
T1566.001	Spearphishing Attachment	6	0
T1041	Exfiltration Over C2 Channel	8	0
T1021.002	SMB/Windows Admin Shares	1	0
T1204	User Execution	3	2
T1021.001	Remote Desktop Protocol	2	0
T1136	Create Account	11	3
T1102	Web Service	1	0
T1106	Native API	5	0
T1110.001	Password Guessing	1	0
T1547.008	LSASS Driver	5	0
T1556.002	Password Filter DLL	1	0
T1132	Data Encoding	3	0
T1074.001	Local Data Staging	1	0
T1190	Exploit Public-Facing Application	128	0
T1210	Exploitation of Remote Services	5	0
T1005	Data from Local System	32	0
T1070.004	File Deletion	5	0
T1611	Escape to Host	1	0
T1218	System Binary Proxy Execution	3	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1534	Internal Spearphishing	1	0
T1189	Drive-by Compromise	19	0
T1589	Gather Victim Identity Information	1	1
T1565.001	Stored Data Manipulation	2	0
T1564.006	Run Virtual Instance	1	0
T1078	Valid Accounts	41	3
T1204.002	Malicious File	36	0
T1542	Pre-OS Boot	2	4
T1033	System Owner/User Discovery	2	0
T1621	Multi-Factor Authentication Request Generation	1	0
T1548	Abuse Elevation Control Mechanism	4	1
T1552	Unsecured Credentials	5	3
T1211	Exploitation for Defense Evasion	3	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1134.002	Create Process with Token	1	0
T1021	Remote Services	4	3
T1552.002	Credentials in Registry	1	0
T1025	Data from Removable Media	2	0
T1087.002	Domain Account	7	0
T1055	Process Injection	4	5
T1495	Firmware Corruption	2	0
T1027	Obfuscated Files or Information	9	11
T1095	Non-Application Layer Protocol	1	0
T1082	System Information Discovery	8	0
T1601.001	Patch System Image	1	0
T1564.004	NTFS File Attributes	2	0
T1071	Application Layer Protocol	2	2
T1059.003	Windows Command Shell	5	0
T1027.008	Stripped Payloads	2	0
T1027.013	Encrypted/Encoded File	2	0
T1566	Phishing	5	2
T1056.001	Keylogging	1	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1098.002	Additional Email Delegate Permissions	1	0
T1553	Subvert Trust Controls	3	3
T1021.006	Windows Remote Management	1	0
T1055.003	Thread Execution Hijacking	2	0
T1027.011	Fileless Storage	2	0
T1570	Lateral Tool Transfer	1	0
T1195.002	Compromise Software Supply Chain	3	0
T1027.005	Indicator Removal from Tools	2	0
T1556.008	Network Provider DLL	1	0
T1055.001	Dynamic-link Library Injection	3	0
T1542.002	Component Firmware	2	0
T1543	Create or Modify System Process	4	1
T1047	Windows Management Instrumentation	3	0
T1110.003	Password Spraying	2	0
T1112	Modify Registry	3	0
T1556	Modify Authentication Process	4	3
T1059.001	PowerShell	4	0
T1113	Screen Capture	1	0
T1556.006	Multi-Factor Authentication	1	0
T1134	Access Token Manipulation	1	2
T1003	OS Credential Dumping	11	4
T1203	Exploitation for Client Execution	25	0
T1087	Account Discovery	4	2
T1057	Process Discovery	1	0
T1486	Data Encrypted for Impact	17	0
T1056.004	Credential API Hooking	1	0
T1115	Clipboard Data	1	0
T1552.004	Private Keys	1	0
T1547	Boot or Logon Autostart Execution	7	6
T1567	Exfiltration Over Web Service	2	0
T1078.003	Local Accounts	2	0
T1548.002	Bypass User Account Control	2	0
T1069	Permission Groups Discovery	3	0
T1543.003	Windows Service	3	0
T1055.012	Process Hollowing	1	0
T1136.001	Local Account	3	0
T1542.001	System Firmware	2	0
T1059	Command and Scripting Interpreter	108	5
T1027.002	Software Packing	3	0
T1553.006	Code Signing Policy Modification	3	0
T1110	Brute Force	7	4
T1553.003	SIP and Trust Provider Hijacking	1	0
T1027.003	Steganography	2	0
T1110.002	Password Cracking	1	0
T1574	Hijack Execution Flow	17	0
T1036.002	Right-to-Left Override	1	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1547.005	Security Support Provider	1	0
T1098	Account Manipulation	2	2
T1056	Input Capture	3	3
T1074	Data Staged	1	1
T1027.001	Binary Padding	2	0
T1222	File and Directory Permissions Modification	2	0
T1547.002	Authentication Package	1	0
T1059.005	Visual Basic	1	0
T1518	Software Discovery	1	0
T1036	Masquerading	5	3
T1546	Event Triggered Execution	1	0
T1036.001	Invalid Code Signature	2	0
T1027.009	Embedded Payloads	2	0
T1136.003	Cloud Account	1	0
T1555.005	Password Managers	1	0
T1550	Use Alternate Authentication Material	2	2
T1555.004	Windows Credential Manager	1	0
T1078.001	Default Accounts	1	0
T1018	Remote System Discovery	2	0
T1550.002	Pass the Hash	2	0
T1083	File and Directory Discovery	4	0
T1027.007	Dynamic API Resolution	2	0
T1571	Non-Standard Port	2	0
T1560.001	Archive via Utility	3	0
T1055.002	Portable Executable Injection	2	0
T1212	Exploitation for Credential Access	4	0
T1003.002	Security Account Manager	1	0
T1027.004	Compile After Delivery	3	0
T1056.003	Web Portal Capture	1	0
T1555.003	Credentials from Web Browsers	1	0
T1105	Ingress Tool Transfer	33	0
T1049	System Network Connections Discovery	2	0
T1195	Supply Chain Compromise	2	2
T1012	Query Registry	1	0
T1589.001	Credentials	1	0
T1136.002	Domain Account	1	0
T1496	Resource Hijacking	19	0
T1550.003	Pass the Ticket	2	0
T1070	Indicator Removal	4	2
T1055.011	Extra Window Memory Injection	2	0
T1014	Rootkit	5	0
T1547.004	Winlogon Helper DLL	1	0
T1560	Archive Collected Data	1	1
T1114	Email Collection	2	1
T1573	Encrypted Channel	1	1
T1078.002	Domain Accounts	1	0
T1016	System Network Configuration Discovery	2	0
T1547.010	Port Monitors	1	0
T1542.003	Bootkit	2	0
T1090.001	Internal Proxy	1	0
T1565	Data Manipulation	1	1
T1557	Adversary-in-the-Middle	2	1
T1569.002	Service Execution	1	0
T1499.004	Application or System Exploitation	1	0
T1542.005	TFTP Boot	1	0
T1037	Boot or Logon Initialization Scripts	1	0
T1622	Debugger Evasion	2	0
T1071.002	File Transfer Protocols	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1498	Network Denial of Service	7	0
T1070.001	Clear Windows Event Logs	1	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1530	Data from Cloud Storage	1	0
T1219	Remote Access Software	1	0
T1185	Browser Session Hijacking	2	0
T1491.002	External Defacement	1	0
T1071.001	Web Protocols	9	0
T1090	Proxy	3	1
T1485	Data Destruction	3	0
T1553.005	Mark-of-the-Web Bypass	1	0
T1053	Scheduled Task/Job	1	1
T1505.003	Web Shell	20	0
T1573.001	Symmetric Cryptography	3	0
T1601	Modify System Image	1	1
T1505	Server Software Component	1	1
T1653	Power Settings	1	0
T1221	Template Injection	3	0
T1053.005	Scheduled Task	2	0
T1566.002	Spearphishing Link	1	0
T1036.005	Match Legitimate Name or Location	1	0
T1003.001	LSASS Memory	1	0
T1213	Data from Information Repositories	2	0
T1098.004	SSH Authorized Keys	1	0
T1531	Account Access Removal	1	0
T1584.005	Botnet	2	0
T1003.003	NTDS	3	0
T1482	Domain Trust Discovery	2	0
T1204.001	Malicious Link	11	0
T1592	Gather Victim Host Information	1	0
T1588.001	Malware	1	0
T1114.002	Remote Email Collection	1	0
T1202	Indirect Command Execution	9	0
T1059.004	Unix Shell	9	0
T1059.007	JavaScript	13	0
T1484.001	Group Policy Modification	1	0
T1499	Endpoint Denial of Service	5	2
T1598.002	Spearphishing Attachment	1	0
T1040	Network Sniffing	1	0
T1134.001	Token Impersonation/Theft	1	0
T1217	Browser Information Discovery	1	0
T1555	Credentials from Password Stores	3	3
T1562.001	Disable or Modify Tools	2	0
T1608.001	Upload Malware	5	0
T1490	Inhibit System Recovery	1	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1087.001	Local Account	1	0
T1499.002	Service Exhaustion Flood	2	0
T1133	External Remote Services	21	0
T1046	Network Service Discovery	5	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0