Home
ATT&CK Techniques

ATT&CK Techniques

Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

View information about techniques, how techniques and tactics interact, and the Center for Threat-Informed Defense's mappings coverage of MITRE ATT&CK® techniques in the Mappings Explorer matrix view.

SELECT VERSIONS

ATT&CK Version

ATT&CK Domain

ATT&CK Techniques

ATT&CK ID	ATT&CK Name	Number of Mappings	Number of Subtechniques
T1047	Windows Management Instrumentation	3	0
T1078	Valid Accounts	41	3
T1547.004	Winlogon Helper DLL	1	0
T1113	Screen Capture	1	0
T1134.002	Create Process with Token	1	0
T1018	Remote System Discovery	2	0
T1036.002	Right-to-Left Override	1	0
T1014	Rootkit	5	0
T1547.002	Authentication Package	1	0
T1555.004	Windows Credential Manager	1	0
T1078.002	Domain Accounts	1	0
T1195	Supply Chain Compromise	2	2
T1573	Encrypted Channel	1	1
T1119	Automated Collection	2	0
T1553.003	SIP and Trust Provider Hijacking	1	0
T1560.001	Archive via Utility	3	0
T1027	Obfuscated Files or Information	9	11
T1553	Subvert Trust Controls	3	3
T1543	Create or Modify System Process	4	1
T1069	Permission Groups Discovery	3	0
T1059	Command and Scripting Interpreter	108	5
T1055	Process Injection	4	5
T1486	Data Encrypted for Impact	17	0
T1078.003	Local Accounts	2	0
T1110.001	Password Guessing	1	0
T1546	Event Triggered Execution	1	0
T1112	Modify Registry	3	0
T1556	Modify Authentication Process	4	3
T1005	Data from Local System	32	0
T1012	Query Registry	1	0
T1055.011	Extra Window Memory Injection	2	0
T1574	Hijack Execution Flow	17	0
T1218	System Binary Proxy Execution	3	0
T1552.004	Private Keys	1	0
T1566	Phishing	5	2
T1601.001	Patch System Image	1	0
T1027.010	Command Obfuscation	2	0
T1204	User Execution	3	2
T1552.001	Credentials In Files	5	0
T1534	Internal Spearphishing	1	0
T1087	Account Discovery	4	2
T1070	Indicator Removal	4	2
T1027.004	Compile After Delivery	3	0
T1105	Ingress Tool Transfer	33	0
T1059.005	Visual Basic	1	0
T1098	Account Manipulation	2	2
T1115	Clipboard Data	1	0
T1021	Remote Services	4	3
T1495	Firmware Corruption	2	0
T1082	System Information Discovery	8	0
T1547.001	Registry Run Keys / Startup Folder	2	0
T1059.003	Windows Command Shell	5	0
T1132	Data Encoding	3	0
T1136.003	Cloud Account	1	0
T1542	Pre-OS Boot	2	4
T1542.001	System Firmware	2	0
T1071	Application Layer Protocol	2	2
T1095	Non-Application Layer Protocol	1	0
T1204.002	Malicious File	36	0
T1110.002	Password Cracking	1	0
T1489	Service Stop	2	0
T1083	File and Directory Discovery	4	0
T1027.002	Software Packing	3	0
T1056.001	Keylogging	1	0
T1055.003	Thread Execution Hijacking	2	0
T1556.008	Network Provider DLL	1	0
T1106	Native API	5	0
T1041	Exfiltration Over C2 Channel	8	0
T1110.004	Credential Stuffing	1	0
T1056.004	Credential API Hooking	1	0
T1027.008	Stripped Payloads	2	0
T1550	Use Alternate Authentication Material	2	2
T1087.002	Domain Account	7	0
T1078.001	Default Accounts	1	0
T1542.002	Component Firmware	2	0
T1189	Drive-by Compromise	19	0
T1027.007	Dynamic API Resolution	2	0
T1547.008	LSASS Driver	5	0
T1027.001	Binary Padding	2	0
T1547	Boot or Logon Autostart Execution	7	6
T1134	Access Token Manipulation	1	2
T1070.004	File Deletion	5	0
T1074.001	Local Data Staging	1	0
T1195.002	Compromise Software Supply Chain	3	0
T1136.001	Local Account	3	0
T1007	System Service Discovery	2	0
T1055.002	Portable Executable Injection	2	0
T1589.001	Credentials	1	0
T1195.003	Compromise Hardware Supply Chain	2	0
T1552.002	Credentials in Registry	1	0
T1033	System Owner/User Discovery	2	0
T1027.011	Fileless Storage	2	0
T1036	Masquerading	5	3
T1049	System Network Connections Discovery	2	0
T1055.012	Process Hollowing	1	0
T1542.003	Bootkit	2	0
T1110.003	Password Spraying	2	0
T1003.002	Security Account Manager	1	0
T1222	File and Directory Permissions Modification	2	0
T1016	System Network Configuration Discovery	2	0
T1021.006	Windows Remote Management	1	0
T1553.006	Code Signing Policy Modification	3	0
T1136	Create Account	11	3
T1190	Exploit Public-Facing Application	128	0
T1570	Lateral Tool Transfer	1	0
T1114	Email Collection	2	1
T1565.001	Stored Data Manipulation	2	0
T1212	Exploitation for Credential Access	4	0
T1564.004	NTFS File Attributes	2	0
T1496	Resource Hijacking	19	0
T1552	Unsecured Credentials	5	3
T1611	Escape to Host	1	0
T1027.005	Indicator Removal from Tools	2	0
T1621	Multi-Factor Authentication Request Generation	1	0
T1056	Input Capture	3	3
T1136.002	Domain Account	1	0
T1548.002	Bypass User Account Control	2	0
T1566.001	Spearphishing Attachment	6	0
T1027.013	Encrypted/Encoded File	2	0
T1569	System Services	1	1
T1102	Web Service	1	0
T1518	Software Discovery	1	0
T1550.003	Pass the Ticket	2	0
T1548	Abuse Elevation Control Mechanism	4	1
T1550.002	Pass the Hash	2	0
T1036.001	Invalid Code Signature	2	0
T1027.009	Embedded Payloads	2	0
T1555.005	Password Managers	1	0
T1558	Steal or Forge Kerberos Tickets	1	0
T1055.001	Dynamic-link Library Injection	3	0
T1560	Archive Collected Data	1	1
T1021.002	SMB/Windows Admin Shares	1	0
T1003	OS Credential Dumping	11	4
T1211	Exploitation for Defense Evasion	3	0
T1543.003	Windows Service	3	0
T1140	Deobfuscate/Decode Files or Information	6	0
T1056.003	Web Portal Capture	1	0
T1564.006	Run Virtual Instance	1	0
T1564	Hide Artifacts	2	2
T1567	Exfiltration Over Web Service	2	0
T1547.005	Security Support Provider	1	0
T1074	Data Staged	1	1
T1547.010	Port Monitors	1	0
T1098.002	Additional Email Delegate Permissions	1	0
T1556.006	Multi-Factor Authentication	1	0
T1025	Data from Removable Media	2	0
T1589	Gather Victim Identity Information	1	1
T1027.003	Steganography	2	0
T1203	Exploitation for Client Execution	25	0
T1068	Exploitation for Privilege Escalation	37	0
T1110	Brute Force	7	4
T1571	Non-Standard Port	2	0
T1556.002	Password Filter DLL	1	0
T1555.003	Credentials from Web Browsers	1	0
T1057	Process Discovery	1	0
T1059.001	PowerShell	4	0
T1021.001	Remote Desktop Protocol	2	0
T1210	Exploitation of Remote Services	5	0
T1498	Network Denial of Service	7	0
T1499.002	Service Exhaustion Flood	2	0
T1059.004	Unix Shell	9	0
T1653	Power Settings	1	0
T1217	Browser Information Discovery	1	0
T1622	Debugger Evasion	2	0
T1491.002	External Defacement	1	0
T1221	Template Injection	3	0
T1003.008	/etc/passwd and /etc/shadow	1	0
T1070.001	Clear Windows Event Logs	1	0
T1213	Data from Information Repositories	2	0
T1046	Network Service Discovery	5	0
T1555	Credentials from Password Stores	3	3
T1036.005	Match Legitimate Name or Location	1	0
T1608.001	Upload Malware	5	0
T1098.004	SSH Authorized Keys	1	0
T1584.005	Botnet	2	0
T1542.005	TFTP Boot	1	0
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	1	0
T1133	External Remote Services	21	0
T1037	Boot or Logon Initialization Scripts	1	0
T1482	Domain Trust Discovery	2	0
T1204.001	Malicious Link	11	0
T1588.001	Malware	1	0
T1048	Exfiltration Over Alternative Protocol	4	1
T1003.001	LSASS Memory	1	0
T1490	Inhibit System Recovery	1	0
T1484.001	Group Policy Modification	1	0
T1598.002	Spearphishing Attachment	1	0
T1090.001	Internal Proxy	1	0
T1562.001	Disable or Modify Tools	2	0
T1530	Data from Cloud Storage	1	0
T1601	Modify System Image	1	1
T1114.002	Remote Email Collection	1	0
T1592	Gather Victim Host Information	1	0
T1087.001	Local Account	1	0
T1566.002	Spearphishing Link	1	0
T1485	Data Destruction	3	0
T1185	Browser Session Hijacking	2	0
T1565	Data Manipulation	1	1
T1553.005	Mark-of-the-Web Bypass	1	0
T1059.007	JavaScript	13	0
T1219	Remote Access Software	1	0
T1573.001	Symmetric Cryptography	3	0
T1071.001	Web Protocols	9	0
T1053	Scheduled Task/Job	1	1
T1505.003	Web Shell	20	0
T1202	Indirect Command Execution	9	0
T1003.003	NTDS	3	0
T1090	Proxy	3	1
T1557	Adversary-in-the-Middle	2	1
T1071.002	File Transfer Protocols	1	0
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	0
T1569.002	Service Execution	1	0
T1499.004	Application or System Exploitation	1	0
T1531	Account Access Removal	1	0
T1040	Network Sniffing	1	0
T1497	Virtualization/Sandbox Evasion	2	0
T1053.005	Scheduled Task	2	0
T1499	Endpoint Denial of Service	5	2
T1134.001	Token Impersonation/Theft	1	0
T1505	Server Software Component	1	1