MITRE ATT&CK Enterprise Techniques

Browse 697 adversary techniques organized by 15 tactics. Each technique includes detailed descriptions, mitigations, detection guidance, associated threat groups, and software.

697

Techniques

222

Parent

475

Sub-Techniques

15

Tactics

Showing 222 techniques across 15 tactics

Reconnaissance (12)

T1589 Gather Victim Identity Information +3 sub T1590 Gather Victim Network Information +6 sub T1591 Gather Victim Org Information +4 sub T1592 Gather Victim Host Information +4 sub T1593 Search Open Websites/Domains +3 sub T1594 Search Victim-Owned Websites T1595 Active Scanning +3 sub T1596 Search Open Technical Databases +5 sub T1597 Search Closed Sources +2 sub T1598 Phishing for Information +4 sub T1681 Search Threat Vendor Data T1682 Query Public AI Services

Resource Development (9)

T1583 Acquire Infrastructure +8 sub T1584 Compromise Infrastructure +8 sub T1585 Establish Accounts +3 sub T1586 Compromise Accounts +3 sub T1587 Develop Capabilities +4 sub T1588 Obtain Capabilities +7 sub T1608 Stage Capabilities +6 sub T1650 Acquire Access T1683 Generate Content +2 sub

Initial Access (11)

T1078 Valid Accounts +4 sub T1091 Replication Through Removable Media T1133 External Remote Services T1189 Drive-by Compromise T1190 Exploit Public-Facing Application T1195 Supply Chain Compromise +3 sub T1199 Trusted Relationship T1200 Hardware Additions T1566 Phishing +4 sub T1659 Content Injection T1669 Wi-Fi Networks

Execution (20)

T1047 Windows Management Instrumentation T1053 Scheduled Task/Job +5 sub T1059 Command and Scripting Interpreter +13 sub T1072 Software Deployment Tools T1106 Native API T1127 Trusted Developer Utilities Proxy Execution +3 sub T1129 Shared Modules T1197 BITS Jobs T1203 Exploitation for Client Execution T1204 User Execution +5 sub T1559 Inter-Process Communication +3 sub T1569 System Services +3 sub T1574 Hijack Execution Flow +12 sub T1609 Container Administration Command T1610 Deploy Container T1648 Serverless Execution T1651 Cloud Administration Command T1674 Input Injection T1675 ESXi Administration Command T1677 Poisoned Pipeline Execution

Persistence (22)

T1037 Boot or Logon Initialization Scripts +5 sub T1053 Scheduled Task/Job +5 sub T1078 Valid Accounts +4 sub T1098 Account Manipulation +7 sub T1112 Modify Registry T1133 External Remote Services T1136 Create Account +3 sub T1137 Office Application Startup +6 sub T1176 Software Extensions +2 sub T1197 BITS Jobs T1205 Traffic Signaling +2 sub T1505 Server Software Component +6 sub T1525 Implant Internal Image T1542 Pre-OS Boot +5 sub T1543 Create or Modify System Process +5 sub T1546 Event Triggered Execution +18 sub T1547 Boot or Logon Autostart Execution +14 sub T1554 Compromise Host Software Binary T1556 Modify Authentication Process +9 sub T1653 Power Settings T1668 Exclusive Control T1671 Cloud Application Integration

Privilege Escalation (13)

T1037 Boot or Logon Initialization Scripts +5 sub T1053 Scheduled Task/Job +5 sub T1055 Process Injection +12 sub T1068 Exploitation for Privilege Escalation T1078 Valid Accounts +4 sub T1098 Account Manipulation +7 sub T1134 Access Token Manipulation +5 sub T1484 Domain or Tenant Policy Modification +2 sub T1543 Create or Modify System Process +5 sub T1546 Event Triggered Execution +18 sub T1547 Boot or Logon Autostart Execution +14 sub T1548 Abuse Elevation Control Mechanism +6 sub T1611 Escape to Host

Defense Impairment (18)

T1112 Modify Registry T1207 Rogue Domain Controller T1222 File and Directory Permissions Modification +2 sub T1484 Domain or Tenant Policy Modification +2 sub T1553 Subvert Trust Controls +6 sub T1556 Modify Authentication Process +9 sub T1578 Modify Cloud Compute Infrastructure +5 sub T1599 Network Boundary Bridging +1 sub T1600 Weaken Encryption +2 sub T1601 Modify System Image +2 sub T1647 Plist File Modification T1666 Modify Cloud Resource Hierarchy T1685 Disable or Modify Tools +6 sub T1686 Disable or Modify System Firewall +3 sub T1687 Exploitation for Defense Impairment T1688 Safe Mode Boot T1689 Downgrade Attack T1690 Prevent Command History Logging

Stealth (30)

T1006 Direct Volume Access T1014 Rootkit T1027 Obfuscated Files or Information +18 sub T1036 Masquerading +12 sub T1055 Process Injection +12 sub T1070 Indicator Removal +8 sub T1078 Valid Accounts +4 sub T1127 Trusted Developer Utilities Proxy Execution +3 sub T1134 Access Token Manipulation +5 sub T1140 Deobfuscate/Decode Files or Information T1197 BITS Jobs T1202 Indirect Command Execution T1205 Traffic Signaling +2 sub T1211 Exploitation for Stealth T1216 System Script Proxy Execution +2 sub T1218 System Binary Proxy Execution +14 sub T1220 XSL Script Processing T1221 Template Injection T1480 Execution Guardrails +2 sub T1497 Virtualization/Sandbox Evasion +3 sub T1535 Unused/Unsupported Cloud Regions T1542 Pre-OS Boot +5 sub T1564 Hide Artifacts +14 sub T1574 Hijack Execution Flow +12 sub T1612 Build Image on Host T1620 Reflective Code Loading T1622 Debugger Evasion T1678 Delay Execution T1679 Selective Exclusion T1684 Social Engineering +2 sub

Credential Access (17)

T1003 OS Credential Dumping +8 sub T1040 Network Sniffing T1056 Input Capture +4 sub T1110 Brute Force +4 sub T1111 Multi-Factor Authentication Interception T1187 Forced Authentication T1212 Exploitation for Credential Access T1528 Steal Application Access Token T1539 Steal Web Session Cookie T1552 Unsecured Credentials +8 sub T1555 Credentials from Password Stores +6 sub T1556 Modify Authentication Process +9 sub T1557 Adversary-in-the-Middle +4 sub T1558 Steal or Forge Kerberos Tickets +5 sub T1606 Forge Web Credentials +2 sub T1621 Multi-Factor Authentication Request Generation T1649 Steal or Forge Authentication Certificates

Discovery (34)

T1007 System Service Discovery T1010 Application Window Discovery T1012 Query Registry T1016 System Network Configuration Discovery +2 sub T1018 Remote System Discovery T1033 System Owner/User Discovery T1040 Network Sniffing T1046 Network Service Discovery T1049 System Network Connections Discovery T1057 Process Discovery T1069 Permission Groups Discovery +3 sub T1082 System Information Discovery T1083 File and Directory Discovery T1087 Account Discovery +4 sub T1120 Peripheral Device Discovery T1124 System Time Discovery T1135 Network Share Discovery T1201 Password Policy Discovery T1217 Browser Information Discovery T1482 Domain Trust Discovery T1497 Virtualization/Sandbox Evasion +3 sub T1518 Software Discovery +2 sub T1526 Cloud Service Discovery T1538 Cloud Service Dashboard T1580 Cloud Infrastructure Discovery T1613 Container and Resource Discovery T1614 System Location Discovery +1 sub T1615 Group Policy Discovery T1619 Cloud Storage Object Discovery T1622 Debugger Evasion T1652 Device Driver Discovery T1654 Log Enumeration T1673 Virtual Machine Discovery T1680 Local Storage Discovery

Lateral Movement (9)

T1021 Remote Services +8 sub T1072 Software Deployment Tools T1080 Taint Shared Content T1091 Replication Through Removable Media T1210 Exploitation of Remote Services T1534 Internal Spearphishing T1550 Use Alternate Authentication Material +4 sub T1563 Remote Service Session Hijacking +2 sub T1570 Lateral Tool Transfer

Collection (17)

T1005 Data from Local System T1025 Data from Removable Media T1039 Data from Network Shared Drive T1056 Input Capture +4 sub T1074 Data Staged +2 sub T1113 Screen Capture T1114 Email Collection +3 sub T1115 Clipboard Data T1119 Automated Collection T1123 Audio Capture T1125 Video Capture T1185 Browser Session Hijacking T1213 Data from Information Repositories +6 sub T1530 Data from Cloud Storage T1557 Adversary-in-the-Middle +4 sub T1560 Archive Collected Data +3 sub T1602 Data from Configuration Repository +2 sub

Command and Control (18)

T1001 Data Obfuscation +3 sub T1008 Fallback Channels T1071 Application Layer Protocol +5 sub T1090 Proxy +4 sub T1092 Communication Through Removable Media T1095 Non-Application Layer Protocol T1102 Web Service +3 sub T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132 Data Encoding +2 sub T1205 Traffic Signaling +2 sub T1219 Remote Access Tools +3 sub T1568 Dynamic Resolution +3 sub T1571 Non-Standard Port T1572 Protocol Tunneling T1573 Encrypted Channel +2 sub T1659 Content Injection T1665 Hide Infrastructure

Exfiltration (9)

T1011 Exfiltration Over Other Network Medium +1 sub T1020 Automated Exfiltration +1 sub T1029 Scheduled Transfer T1030 Data Transfer Size Limits T1041 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol +3 sub T1052 Exfiltration Over Physical Medium +1 sub T1537 Transfer Data to Cloud Account T1567 Exfiltration Over Web Service +4 sub

Impact (15)

T1485 Data Destruction +1 sub T1486 Data Encrypted for Impact T1489 Service Stop T1490 Inhibit System Recovery T1491 Defacement +2 sub T1495 Firmware Corruption T1496 Resource Hijacking +4 sub T1498 Network Denial of Service +2 sub T1499 Endpoint Denial of Service +4 sub T1529 System Shutdown/Reboot T1531 Account Access Removal T1561 Disk Wipe +2 sub T1565 Data Manipulation +3 sub T1657 Financial Theft T1667 Email Bombing