Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1621	Multi-Factor Authentication Request Generation	1	0
T1547.010	Port Monitors	1	0
T1095	Non-Application Layer Protocol	1	0
T1542.001	System Firmware	2	0
T1098.002	Additional Email Delegate Permissions	1	0
T1078.001	Default Accounts	1	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1564	Hide Artifacts	2	2
T1078	Valid Accounts	41	3
T1550.003	Pass the Ticket	2	0
T1552.004	Private Keys	1	0
T1025	Data from Removable Media	2	0
T1113	Screen Capture	1	0
T1110	Brute Force	7	4
T1567	Exfiltration Over Web Service	2	0
T1195	Supply Chain Compromise	2	2
T1005	Data from Local System	32	0
T1560.001	Archive via Utility	3	0
T1069	Permission Groups Discovery	3	0
T1136	Create Account	11	3
T1134	Access Token Manipulation	1	2
T1027.011	Fileless Storage	2	0
T1548	Abuse Elevation Control Mechanism	4	1
T1027.003	Steganography	2	0
T1027.013	Encrypted/Encoded File	2	0
T1049	System Network Connections Discovery	2	0
T1082	System Information Discovery	8	0
T1566.001	Spearphishing Attachment	6	0
T1027.009	Embedded Payloads	2	0
T1556.008	Network Provider DLL	1	0
T1055.003	Thread Execution Hijacking	2	0
T1553	Subvert Trust Controls	3	3
T1211	Exploitation for Defense Evasion	3	0
T1036.002	Right-to-Left Override	1	0
T1027.008	Stripped Payloads	2	0
T1041	Exfiltration Over C2 Channel	8	0
T1534	Internal Spearphishing	1	0
T1110.003	Password Spraying	2	0
T1136.003	Cloud Account	1	0
T1548.002	Bypass User Account Control	2	0
T1021	Remote Services	4	3
T1110.004	Credential Stuffing	1	0
T1589.001	Credentials	1	0
T1547.004	Winlogon Helper DLL	1	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1056	Input Capture	3	3
T1027	Obfuscated Files or Information	9	11
T1552	Unsecured Credentials	5	3
T1078.002	Domain Accounts	1	0
T1136.002	Domain Account	1	0
T1059	Command and Scripting Interpreter	108	5
T1552.002	Credentials in Registry	1	0
T1057	Process Discovery	1	0
T1098	Account Manipulation	2	2
T1027.001	Binary Padding	2	0
T1027.010	Command Obfuscation	2	0
T1556	Modify Authentication Process	4	3
T1550.002	Pass the Hash	2	0
T1547.005	Security Support Provider	1	0
T1203	Exploitation for Client Execution	25	0
T1102	Web Service	1	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1547	Boot or Logon Autostart Execution	7	6
T1552.001	Credentials In Files	5	0
T1556.002	Password Filter DLL	1	0
T1071	Application Layer Protocol	2	2
T1140	Deobfuscate/Decode Files or Information	6	0
T1056.003	Web Portal Capture	1	0
T1012	Query Registry	1	0
T1055.012	Process Hollowing	1	0
T1021.006	Windows Remote Management	1	0
T1070	Indicator Removal	4	2
T1136.001	Local Account	3	0
T1021.001	Remote Desktop Protocol	2	0
T1204.002	Malicious File	36	0
T1055.002	Portable Executable Injection	2	0
T1204	User Execution	3	2
T1553.003	SIP and Trust Provider Hijacking	1	0
T1195.002	Compromise Software Supply Chain	3	0
T1018	Remote System Discovery	2	0
T1055.011	Extra Window Memory Injection	2	0
T1083	File and Directory Discovery	4	0
T1543.003	Windows Service	3	0
T1014	Rootkit	5	0
T1021.002	SMB/Windows Admin Shares	1	0
T1555.004	Windows Credential Manager	1	0
T1222	File and Directory Permissions Modification	2	0
T1056.004	Credential API Hooking	1	0
T1566	Phishing	5	2
T1078.003	Local Accounts	2	0
T1027.005	Indicator Removal from Tools	2	0
T1027.004	Compile After Delivery	3	0
T1070.004	File Deletion	5	0
T1055.001	Dynamic-link Library Injection	3	0
T1059.003	Windows Command Shell	5	0
T1189	Drive-by Compromise	19	0
T1115	Clipboard Data	1	0
T1518	Software Discovery	1	0
T1495	Firmware Corruption	2	0
T1087	Account Discovery	4	2
T1589	Gather Victim Identity Information	1	1
T1132	Data Encoding	3	0
T1003	OS Credential Dumping	11	4
T1212	Exploitation for Credential Access	4	0
T1560	Archive Collected Data	1	1
T1218	System Binary Proxy Execution	3	0
T1489	Service Stop	2	0
T1542.003	Bootkit	2	0
T1003.002	Security Account Manager	1	0
T1027.007	Dynamic API Resolution	2	0
T1565.001	Stored Data Manipulation	2	0
T1553.006	Code Signing Policy Modification	3	0
T1134.002	Create Process with Token	1	0
T1573	Encrypted Channel	1	1
T1033	System Owner/User Discovery	2	0
T1105	Ingress Tool Transfer	33	0
T1068	Exploitation for Privilege Escalation	37	0
T1059.005	Visual Basic	1	0
T1547.008	LSASS Driver	5	0
T1007	System Service Discovery	2	0
T1486	Data Encrypted for Impact	17	0
T1047	Windows Management Instrumentation	3	0
T1112	Modify Registry	3	0
T1087.002	Domain Account	7	0
T1016	System Network Configuration Discovery	2	0
T1574	Hijack Execution Flow	17	0
T1036	Masquerading	5	3
T1564.006	Run Virtual Instance	1	0
T1027.002	Software Packing	3	0
T1556.006	Multi-Factor Authentication	1	0
T1564.004	NTFS File Attributes	2	0
T1110.001	Password Guessing	1	0
T1571	Non-Standard Port	2	0
T1542.002	Component Firmware	2	0
T1074.001	Local Data Staging	1	0
T1550	Use Alternate Authentication Material	2	2
T1074	Data Staged	1	1
T1543	Create or Modify System Process	4	1
T1055	Process Injection	4	5
T1059.001	PowerShell	4	0
T1190	Exploit Public-Facing Application	128	0
T1555.005	Password Managers	1	0
T1555.003	Credentials from Web Browsers	1	0
T1496	Resource Hijacking	19	0
T1110.002	Password Cracking	1	0
T1569	System Services	1	1
T1611	Escape to Host	1	0
T1210	Exploitation of Remote Services	5	0
T1056.001	Keylogging	1	0
T1546	Event Triggered Execution	1	0
T1570	Lateral Tool Transfer	1	0
T1036.001	Invalid Code Signature	2	0
T1542	Pre-OS Boot	2	4
T1601.001	Patch System Image	1	0
T1547.002	Authentication Package	1	0
T1106	Native API	5	0
T1119	Automated Collection	2	0
T1114	Email Collection	2	1
T1003.008	/etc/passwd and /etc/shadow	1	0
T1213	Data from Information Repositories	2	0
T1059.007	JavaScript	13	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1053	Scheduled Task/Job	1	1
T1071.001	Web Protocols	9	0
T1046	Network Service Discovery	5	0
T1601	Modify System Image	1	1
T1204.001	Malicious Link	11	0
T1569.002	Service Execution	1	0
T1087.001	Local Account	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1592	Gather Victim Host Information	1	0
T1036.005	Match Legitimate Name or Location	1	0
T1653	Power Settings	1	0
T1053.005	Scheduled Task	2	0
T1505	Server Software Component	1	1
T1482	Domain Trust Discovery	2	0
T1566.002	Spearphishing Link	1	0
T1037	Boot or Logon Initialization Scripts	1	0
T1490	Inhibit System Recovery	1	0
T1622	Debugger Evasion	2	0
T1499.004	Application or System Exploitation	1	0
T1555	Credentials from Password Stores	3	3
T1542.005	TFTP Boot	1	0
T1562.001	Disable or Modify Tools	2	0
T1499	Endpoint Denial of Service	5	2
T1588.001	Malware	1	0
T1491.002	External Defacement	1	0
T1598.002	Spearphishing Attachment	1	0
T1557	Adversary-in-the-Middle	2	1
T1185	Browser Session Hijacking	2	0
T1133	External Remote Services	21	0
T1040	Network Sniffing	1	0
T1070.001	Clear Windows Event Logs	1	0
T1485	Data Destruction	3	0
T1584.005	Botnet	2	0
T1565	Data Manipulation	1	1
T1059.004	Unix Shell	9	0
T1071.002	File Transfer Protocols	1	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1505.003	Web Shell	20	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1003.001	LSASS Memory	1	0
T1217	Browser Information Discovery	1	0
T1530	Data from Cloud Storage	1	0
T1098.004	SSH Authorized Keys	1	0
T1219	Remote Access Software	1	0
T1090.001	Internal Proxy	1	0
T1608.001	Upload Malware	5	0
T1531	Account Access Removal	1	0
T1090	Proxy	3	1
T1553.005	Mark-of-the-Web Bypass	1	0
T1114.002	Remote Email Collection	1	0
T1499.002	Service Exhaustion Flood	2	0
T1573.001	Symmetric Cryptography	3	0
T1134.001	Token Impersonation/Theft	1	0
T1202	Indirect Command Execution	9	0
T1221	Template Injection	3	0
T1484.001	Group Policy Modification	1	0
T1498	Network Denial of Service	7	0
T1003.003	NTDS	3	0