Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1203	Exploitation for Client Execution	25	0
T1114	Email Collection	2	1
T1553.006	Code Signing Policy Modification	3	0
T1534	Internal Spearphishing	1	0
T1074.001	Local Data Staging	1	0
T1070	Indicator Removal	4	2
T1082	System Information Discovery	8	0
T1546	Event Triggered Execution	1	0
T1556.006	Multi-Factor Authentication	1	0
T1566.001	Spearphishing Attachment	6	0
T1550.002	Pass the Hash	2	0
T1078.002	Domain Accounts	1	0
T1027.008	Stripped Payloads	2	0
T1027.011	Fileless Storage	2	0
T1012	Query Registry	1	0
T1518	Software Discovery	1	0
T1574	Hijack Execution Flow	17	0
T1564	Hide Artifacts	2	2
T1102	Web Service	1	0
T1098.002	Additional Email Delegate Permissions	1	0
T1055.001	Dynamic-link Library Injection	3	0
T1589	Gather Victim Identity Information	1	1
T1113	Screen Capture	1	0
T1195.002	Compromise Software Supply Chain	3	0
T1087.002	Domain Account	7	0
T1027.013	Encrypted/Encoded File	2	0
T1136	Create Account	11	3
T1110.002	Password Cracking	1	0
T1033	System Owner/User Discovery	2	0
T1553	Subvert Trust Controls	3	3
T1560	Archive Collected Data	1	1
T1556.008	Network Provider DLL	1	0
T1027.009	Embedded Payloads	2	0
T1132	Data Encoding	3	0
T1056.004	Credential API Hooking	1	0
T1087	Account Discovery	4	2
T1014	Rootkit	5	0
T1110	Brute Force	7	4
T1027	Obfuscated Files or Information	9	11
T1018	Remote System Discovery	2	0
T1548.002	Bypass User Account Control	2	0
T1003	OS Credential Dumping	11	4
T1005	Data from Local System	32	0
T1547.008	LSASS Driver	5	0
T1552.004	Private Keys	1	0
T1110.001	Password Guessing	1	0
T1542	Pre-OS Boot	2	4
T1556	Modify Authentication Process	4	3
T1115	Clipboard Data	1	0
T1547.005	Security Support Provider	1	0
T1134.002	Create Process with Token	1	0
T1003.002	Security Account Manager	1	0
T1110.004	Credential Stuffing	1	0
T1021	Remote Services	4	3
T1553.003	SIP and Trust Provider Hijacking	1	0
T1059.005	Visual Basic	1	0
T1027.010	Command Obfuscation	2	0
T1055.011	Extra Window Memory Injection	2	0
T1555.003	Credentials from Web Browsers	1	0
T1027.001	Binary Padding	2	0
T1552.002	Credentials in Registry	1	0
T1189	Drive-by Compromise	19	0
T1036.001	Invalid Code Signature	2	0
T1542.001	System Firmware	2	0
T1547.002	Authentication Package	1	0
T1021.002	SMB/Windows Admin Shares	1	0
T1496	Resource Hijacking	19	0
T1136.003	Cloud Account	1	0
T1110.003	Password Spraying	2	0
T1083	File and Directory Discovery	4	0
T1486	Data Encrypted for Impact	17	0
T1105	Ingress Tool Transfer	33	0
T1027.005	Indicator Removal from Tools	2	0
T1552	Unsecured Credentials	5	3
T1547	Boot or Logon Autostart Execution	7	6
T1136.002	Domain Account	1	0
T1573	Encrypted Channel	1	1
T1195	Supply Chain Compromise	2	2
T1560.001	Archive via Utility	3	0
T1589.001	Credentials	1	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1047	Windows Management Instrumentation	3	0
T1555.004	Windows Credential Manager	1	0
T1078.003	Local Accounts	2	0
T1611	Escape to Host	1	0
T1543.003	Windows Service	3	0
T1495	Firmware Corruption	2	0
T1547.004	Winlogon Helper DLL	1	0
T1036	Masquerading	5	3
T1489	Service Stop	2	0
T1068	Exploitation for Privilege Escalation	37	0
T1025	Data from Removable Media	2	0
T1542.002	Component Firmware	2	0
T1078.001	Default Accounts	1	0
T1106	Native API	5	0
T1119	Automated Collection	2	0
T1550.003	Pass the Ticket	2	0
T1055	Process Injection	4	5
T1059	Command and Scripting Interpreter	108	5
T1565.001	Stored Data Manipulation	2	0
T1041	Exfiltration Over C2 Channel	8	0
T1074	Data Staged	1	1
T1095	Non-Application Layer Protocol	1	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1036.002	Right-to-Left Override	1	0
T1056.001	Keylogging	1	0
T1098	Account Manipulation	2	2
T1071	Application Layer Protocol	2	2
T1571	Non-Standard Port	2	0
T1550	Use Alternate Authentication Material	2	2
T1555.005	Password Managers	1	0
T1190	Exploit Public-Facing Application	128	0
T1078	Valid Accounts	41	3
T1057	Process Discovery	1	0
T1212	Exploitation for Credential Access	4	0
T1570	Lateral Tool Transfer	1	0
T1552.001	Credentials In Files	5	0
T1021.001	Remote Desktop Protocol	2	0
T1027.004	Compile After Delivery	3	0
T1548	Abuse Elevation Control Mechanism	4	1
T1564.004	NTFS File Attributes	2	0
T1016	System Network Configuration Discovery	2	0
T1204	User Execution	3	2
T1027.002	Software Packing	3	0
T1056.003	Web Portal Capture	1	0
T1021.006	Windows Remote Management	1	0
T1222	File and Directory Permissions Modification	2	0
T1542.003	Bootkit	2	0
T1567	Exfiltration Over Web Service	2	0
T1027.003	Steganography	2	0
T1556.002	Password Filter DLL	1	0
T1211	Exploitation for Defense Evasion	3	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1055.002	Portable Executable Injection	2	0
T1059.003	Windows Command Shell	5	0
T1564.006	Run Virtual Instance	1	0
T1059.001	PowerShell	4	0
T1027.007	Dynamic API Resolution	2	0
T1210	Exploitation of Remote Services	5	0
T1569	System Services	1	1
T1134	Access Token Manipulation	1	2
T1566	Phishing	5	2
T1543	Create or Modify System Process	4	1
T1070.004	File Deletion	5	0
T1056	Input Capture	3	3
T1007	System Service Discovery	2	0
T1055.012	Process Hollowing	1	0
T1049	System Network Connections Discovery	2	0
T1055.003	Thread Execution Hijacking	2	0
T1218	System Binary Proxy Execution	3	0
T1112	Modify Registry	3	0
T1136.001	Local Account	3	0
T1069	Permission Groups Discovery	3	0
T1204.002	Malicious File	36	0
T1621	Multi-Factor Authentication Request Generation	1	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1547.010	Port Monitors	1	0
T1601.001	Patch System Image	1	0
T1090.001	Internal Proxy	1	0
T1499.002	Service Exhaustion Flood	2	0
T1542.005	TFTP Boot	1	0
T1499.004	Application or System Exploitation	1	0
T1070.001	Clear Windows Event Logs	1	0
T1071.002	File Transfer Protocols	1	0
T1040	Network Sniffing	1	0
T1087.001	Local Account	1	0
T1003.001	LSASS Memory	1	0
T1530	Data from Cloud Storage	1	0
T1653	Power Settings	1	0
T1484.001	Group Policy Modification	1	0
T1482	Domain Trust Discovery	2	0
T1555	Credentials from Password Stores	3	3
T1213	Data from Information Repositories	2	0
T1053.005	Scheduled Task	2	0
T1601	Modify System Image	1	1
T1557	Adversary-in-the-Middle	2	1
T1505.003	Web Shell	20	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1485	Data Destruction	3	0
T1053	Scheduled Task/Job	1	1
T1048	Exfiltration Over Alternative Protocol	4	1
T1588.001	Malware	1	0
T1531	Account Access Removal	1	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1499	Endpoint Denial of Service	5	2
T1114.002	Remote Email Collection	1	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1219	Remote Access Software	1	0
T1217	Browser Information Discovery	1	0
T1491.002	External Defacement	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1562.001	Disable or Modify Tools	2	0
T1003.003	NTDS	3	0
T1133	External Remote Services	21	0
T1037	Boot or Logon Initialization Scripts	1	0
T1608.001	Upload Malware	5	0
T1202	Indirect Command Execution	9	0
T1059.007	JavaScript	13	0
T1622	Debugger Evasion	2	0
T1036.005	Match Legitimate Name or Location	1	0
T1592	Gather Victim Host Information	1	0
T1071.001	Web Protocols	9	0
T1134.001	Token Impersonation/Theft	1	0
T1204.001	Malicious Link	11	0
T1566.002	Spearphishing Link	1	0
T1565	Data Manipulation	1	1
T1553.005	Mark-of-the-Web Bypass	1	0
T1221	Template Injection	3	0
T1185	Browser Session Hijacking	2	0
T1046	Network Service Discovery	5	0
T1090	Proxy	3	1
T1490	Inhibit System Recovery	1	0
T1505	Server Software Component	1	1
T1598.002	Spearphishing Attachment	1	0
T1059.004	Unix Shell	9	0
T1584.005	Botnet	2	0
T1498	Network Denial of Service	7	0
T1569.002	Service Execution	1	0
T1098.004	SSH Authorized Keys	1	0
T1573.001	Symmetric Cryptography	3	0