Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1005	Data from Local System	32	0
T1036.002	Right-to-Left Override	1	0
T1553.003	SIP and Trust Provider Hijacking	1	0
T1552	Unsecured Credentials	5	3
T1542.002	Component Firmware	2	0
T1552.002	Credentials in Registry	1	0
T1055.002	Portable Executable Injection	2	0
T1548.002	Bypass User Account Control	2	0
T1083	File and Directory Discovery	4	0
T1571	Non-Standard Port	2	0
T1565.001	Stored Data Manipulation	2	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1195.002	Compromise Software Supply Chain	3	0
T1055	Process Injection	4	5
T1055.011	Extra Window Memory Injection	2	0
T1621	Multi-Factor Authentication Request Generation	1	0
T1102	Web Service	1	0
T1564.004	NTFS File Attributes	2	0
T1110.003	Password Spraying	2	0
T1542.001	System Firmware	2	0
T1027.013	Encrypted/Encoded File	2	0
T1203	Exploitation for Client Execution	25	0
T1014	Rootkit	5	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1556	Modify Authentication Process	4	3
T1547.004	Winlogon Helper DLL	1	0
T1113	Screen Capture	1	0
T1068	Exploitation for Privilege Escalation	37	0
T1550.002	Pass the Hash	2	0
T1204.002	Malicious File	36	0
T1552.004	Private Keys	1	0
T1027.011	Fileless Storage	2	0
T1110.004	Credential Stuffing	1	0
T1110.002	Password Cracking	1	0
T1110.001	Password Guessing	1	0
T1190	Exploit Public-Facing Application	128	0
T1589.001	Credentials	1	0
T1555.004	Windows Credential Manager	1	0
T1556.008	Network Provider DLL	1	0
T1036	Masquerading	5	3
T1550	Use Alternate Authentication Material	2	2
T1218	System Binary Proxy Execution	3	0
T1518	Software Discovery	1	0
T1027.007	Dynamic API Resolution	2	0
T1082	System Information Discovery	8	0
T1134.002	Create Process with Token	1	0
T1546	Event Triggered Execution	1	0
T1112	Modify Registry	3	0
T1212	Exploitation for Credential Access	4	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1560	Archive Collected Data	1	1
T1560.001	Archive via Utility	3	0
T1056.003	Web Portal Capture	1	0
T1027.009	Embedded Payloads	2	0
T1489	Service Stop	2	0
T1570	Lateral Tool Transfer	1	0
T1496	Resource Hijacking	19	0
T1195	Supply Chain Compromise	2	2
T1543	Create or Modify System Process	4	1
T1547.010	Port Monitors	1	0
T1114	Email Collection	2	1
T1542	Pre-OS Boot	2	4
T1087	Account Discovery	4	2
T1021.002	SMB/Windows Admin Shares	1	0
T1098	Account Manipulation	2	2
T1027.005	Indicator Removal from Tools	2	0
T1059.001	PowerShell	4	0
T1025	Data from Removable Media	2	0
T1027.001	Binary Padding	2	0
T1003	OS Credential Dumping	11	4
T1098.002	Additional Email Delegate Permissions	1	0
T1027.008	Stripped Payloads	2	0
T1136.001	Local Account	3	0
T1078	Valid Accounts	41	3
T1074.001	Local Data Staging	1	0
T1132	Data Encoding	3	0
T1027.010	Command Obfuscation	2	0
T1573	Encrypted Channel	1	1
T1110	Brute Force	7	4
T1547.008	LSASS Driver	5	0
T1547.002	Authentication Package	1	0
T1550.003	Pass the Ticket	2	0
T1136.003	Cloud Account	1	0
T1056.001	Keylogging	1	0
T1564	Hide Artifacts	2	2
T1070.004	File Deletion	5	0
T1495	Firmware Corruption	2	0
T1007	System Service Discovery	2	0
T1564.006	Run Virtual Instance	1	0
T1136.002	Domain Account	1	0
T1552.001	Credentials In Files	5	0
T1074	Data Staged	1	1
T1222	File and Directory Permissions Modification	2	0
T1115	Clipboard Data	1	0
T1055.001	Dynamic-link Library Injection	3	0
T1027.002	Software Packing	3	0
T1569	System Services	1	1
T1021.006	Windows Remote Management	1	0
T1211	Exploitation for Defense Evasion	3	0
T1095	Non-Application Layer Protocol	1	0
T1553	Subvert Trust Controls	3	3
T1134	Access Token Manipulation	1	2
T1547.005	Security Support Provider	1	0
T1566.001	Spearphishing Attachment	6	0
T1204	User Execution	3	2
T1534	Internal Spearphishing	1	0
T1047	Windows Management Instrumentation	3	0
T1556.002	Password Filter DLL	1	0
T1119	Automated Collection	2	0
T1486	Data Encrypted for Impact	17	0
T1078.003	Local Accounts	2	0
T1021	Remote Services	4	3
T1210	Exploitation of Remote Services	5	0
T1041	Exfiltration Over C2 Channel	8	0
T1012	Query Registry	1	0
T1056.004	Credential API Hooking	1	0
T1078.002	Domain Accounts	1	0
T1055.012	Process Hollowing	1	0
T1057	Process Discovery	1	0
T1056	Input Capture	3	3
T1059	Command and Scripting Interpreter	108	5
T1567	Exfiltration Over Web Service	2	0
T1136	Create Account	11	3
T1070	Indicator Removal	4	2
T1033	System Owner/User Discovery	2	0
T1071	Application Layer Protocol	2	2
T1087.002	Domain Account	7	0
T1601.001	Patch System Image	1	0
T1542.003	Bootkit	2	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1555.005	Password Managers	1	0
T1566	Phishing	5	2
T1069	Permission Groups Discovery	3	0
T1105	Ingress Tool Transfer	33	0
T1589	Gather Victim Identity Information	1	1
T1027.004	Compile After Delivery	3	0
T1049	System Network Connections Discovery	2	0
T1548	Abuse Elevation Control Mechanism	4	1
T1611	Escape to Host	1	0
T1027	Obfuscated Files or Information	9	11
T1553.006	Code Signing Policy Modification	3	0
T1059.005	Visual Basic	1	0
T1016	System Network Configuration Discovery	2	0
T1021.001	Remote Desktop Protocol	2	0
T1036.001	Invalid Code Signature	2	0
T1018	Remote System Discovery	2	0
T1003.002	Security Account Manager	1	0
T1555.003	Credentials from Web Browsers	1	0
T1543.003	Windows Service	3	0
T1189	Drive-by Compromise	19	0
T1574	Hijack Execution Flow	17	0
T1059.003	Windows Command Shell	5	0
T1547	Boot or Logon Autostart Execution	7	6
T1556.006	Multi-Factor Authentication	1	0
T1106	Native API	5	0
T1027.003	Steganography	2	0
T1055.003	Thread Execution Hijacking	2	0
T1078.001	Default Accounts	1	0
T1202	Indirect Command Execution	9	0
T1592	Gather Victim Host Information	1	0
T1553.005	Mark-of-the-Web Bypass	1	0
T1566.002	Spearphishing Link	1	0
T1499.002	Service Exhaustion Flood	2	0
T1053	Scheduled Task/Job	1	1
T1090	Proxy	3	1
T1059.004	Unix Shell	9	0
T1114.002	Remote Email Collection	1	0
T1531	Account Access Removal	1	0
T1584.005	Botnet	2	0
T1003.003	NTDS	3	0
T1213	Data from Information Repositories	2	0
T1505.003	Web Shell	20	0
T1588.001	Malware	1	0
T1653	Power Settings	1	0
T1046	Network Service Discovery	5	0
T1491.002	External Defacement	1	0
T1040	Network Sniffing	1	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1219	Remote Access Software	1	0
T1087.001	Local Account	1	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1562.001	Disable or Modify Tools	2	0
T1497	Virtualization/Sandbox Evasion	2	0
T1134.001	Token Impersonation/Theft	1	0
T1565	Data Manipulation	1	1
T1090.001	Internal Proxy	1	0
T1573.001	Symmetric Cryptography	3	0
T1505	Server Software Component	1	1
T1036.005	Match Legitimate Name or Location	1	0
T1221	Template Injection	3	0
T1059.007	JavaScript	13	0
T1542.005	TFTP Boot	1	0
T1530	Data from Cloud Storage	1	0
T1499.004	Application or System Exploitation	1	0
T1071.002	File Transfer Protocols	1	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1484.001	Group Policy Modification	1	0
T1070.001	Clear Windows Event Logs	1	0
T1098.004	SSH Authorized Keys	1	0
T1071.001	Web Protocols	9	0
T1204.001	Malicious Link	11	0
T1499	Endpoint Denial of Service	5	2
T1037	Boot or Logon Initialization Scripts	1	0
T1485	Data Destruction	3	0
T1482	Domain Trust Discovery	2	0
T1601	Modify System Image	1	1
T1598.002	Spearphishing Attachment	1	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1003.001	LSASS Memory	1	0
T1185	Browser Session Hijacking	2	0
T1622	Debugger Evasion	2	0
T1490	Inhibit System Recovery	1	0
T1498	Network Denial of Service	7	0
T1569.002	Service Execution	1	0
T1053.005	Scheduled Task	2	0
T1133	External Remote Services	21	0
T1555	Credentials from Password Stores	3	3
T1608.001	Upload Malware	5	0
T1557	Adversary-in-the-Middle	2	1
T1217	Browser Information Discovery	1	0