Mitre ATT&CK Navigator
This is work in progress. Nothing to see yet.
Tactic: Reconnaissance
Gather Victim Host Information
Phishing for Information
Active Scanning
Search Victim-Owned Websites
Gather Victim Identity Information
Search Open Technical Databases
Search Open Websites/Domains
Gather Victim Org Information
Gather Victim Network Information
Search Closed Sources

Tactic: Resource Development
Acquire Infrastructure
Acquire Access
Compromise Accounts
Establish Accounts
Develop Capabilities
Compromise Infrastructure
Stage Capabilities
Obtain Capabilities

Tactic: Initial Access
Valid Accounts
Spearphishing Link
Spearphishing Attachment
Spearphishing via Service
Drive-by Compromise
Hardware Additions
Supply Chain Compromise
Replication Through Removable Media
Phishing
Exploit Public-Facing Application
Content Injection
External Remote Services
Trusted Relationship

Tactic: Execution
Regsvcs/Regasm
Cloud Administration Command
Launchctl
Regsvr32
Deploy Container
AppleScript
Space after Filename
Dynamic Data Exchange
Rundll32
Source
Native API
Container Administration Command
Shared Modules
Graphical User Interface
Trap
Windows Remote Management
System Services
Compiled HTML File
Scheduled Task/Job
Component Object Model and Distributed COM
LSASS Driver
Service Execution
PowerShell
InstallUtil
Command and Scripting Interpreter
Windows Management Instrumentation
User Execution
Serverless Execution
CMSTP
Control Panel Items
Mshta
Inter-Process Communication
Exploitation for Client Execution
Local Job Scheduling
Scripting
Software Deployment Tools

Tactic: Persistence
Path Interception
Valid Accounts
Boot or Logon Initialization Scripts
Rc.common
BITS Jobs
Port Monitors
LC_LOAD_DYLIB Addition
Office Application Startup
AppInit DLLs
Malicious Shell Modification
Bootkit
Hypervisor
Systemd Service
Traffic Signaling
Service Registry Permissions Weakness
New Service
Winlogon Helper DLL
Emond
AppCert DLLs
Change Default File Association
Authentication Package
Launchctl
Kernel Modules and Extensions
Hidden Files and Directories
Launch Agent
Hooking
System Firmware
Re-opened Applications
SIP and Trust Provider Hijacking
Power Settings
Application Shimming
Pre-OS Boot
Screensaver
Account Manipulation
Shortcut Modification
Component Object Model Hijacking
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
Dylib Hijacking
Hijack Execution Flow
Netsh Helper DLL
Trap
Event Triggered Execution
Modify Existing Service
Web Shell
Server Software Component
Scheduled Task/Job
Time Providers
Create Account
Windows Management Instrumentation Event Subscription
Image File Execution Options Injection
LSASS Driver
Modify Authentication Process
Security Support Provider
PowerShell Profile
Plist Modification
Create or Modify System Process
External Remote Services
Setuid and Setgid
Browser Extensions
Implant Internal Image
Component Firmware
Redundant Access
Accessibility Features
DLL Search Order Hijacking
File System Permissions Weakness
Launch Daemon
Local Job Scheduling
Login Item
Startup Items
Compromise Client Software Binary

Tactic: Privilege Escalation
Exploitation for Privilege Escalation
Path Interception
Valid Accounts
Boot or Logon Initialization Scripts
Port Monitors
AppInit DLLs
Elevated Execution with Prompt
Service Registry Permissions Weakness
New Service
Emond
AppCert DLLs
Access Token Manipulation
Abuse Elevation Control Mechanism
Hooking
Domain Policy Modification
Application Shimming
Account Manipulation
Boot or Logon Autostart Execution
Parent PID Spoofing
Extra Window Memory Injection
Sudo
Dylib Hijacking
Hijack Execution Flow
Event Triggered Execution
Web Shell
Scheduled Task/Job
Image File Execution Options Injection
PowerShell Profile
Plist Modification
Create or Modify System Process
Setuid and Setgid
Sudo Caching
Accessibility Features
DLL Search Order Hijacking
SID-History Injection
File System Permissions Weakness
Launch Daemon
Bypass User Account Control
Process Injection
Escape to Host
Startup Items

Tactic: Defense Evasion
Indicator Removal from Tools
Network Share Connection Removal
Direct Volume Access
Valid Accounts
Reflective Code Loading
Timestomp
Modify Cloud Compute Infrastructure
BITS Jobs
Process Hollowing
Regsvcs/Regasm
Disabling Security Tools
Impersonation
HISTCONTROL
Impair Defenses
Code Signing
Masquerading
Traffic Signaling
Binary Padding
Hidden Window
Access Token Manipulation
Gatekeeper Bypass
Launchctl
Regsvr32
Rootkit
Deploy Container
Space after Filename
Hidden Files and Directories
Abuse Elevation Control Mechanism
Rundll32
Install Root Certificate
Debugger Evasion
Revert Cloud Instance
SIP and Trust Provider Hijacking
Software Packing
System Binary Proxy Execution
Indicator Removal
Domain Policy Modification
Pre-OS Boot
Component Object Model Hijacking
Parent PID Spoofing
Obfuscated Files or Information
Extra Window Memory Injection
LC_MAIN Hijacking
Hide Artifacts
Modify System Image
DLL Side-Loading
Hijack Execution Flow
Subvert Trust Controls
Hidden Users
Compiled HTML File
File and Directory Permissions Modification
File Deletion
Image File Execution Options Injection
Modify Authentication Process
InstallUtil
System Script Proxy Execution
Clear Command History
Trusted Developer Utilities Proxy Execution
Plist Modification
Virtualization/Sandbox Evasion
Exploitation for Defense Evasion
Rogue Domain Controller
Unused/Unsupported Cloud Regions
Component Firmware
Redundant Access
CMSTP
Indicator Blocking
DLL Search Order Hijacking
Web Session Cookie
Control Panel Items
Compile After Delivery
Mshta
Network Boundary Bridging
Deobfuscate/Decode Files or Information
Plist File Modification
Bypass User Account Control
Process Injection
XSL Script Processing
Weaken Encryption
Process Doppelgänging
Build Image on Host
Application Access Token
Execution Guardrails
Scripting
NTFS File Attributes
Use Alternate Authentication Material
Template Injection
Indirect Command Execution
Modify Registry

Tactic: Credential Access
OS Credential Dumping
Forced Authentication
Credentials in Registry
Steal or Forge Kerberos Tickets
Credentials from Password Stores
Bash History
Unsecured Credentials
LLMNR/NBT-NS Poisoning and Relay
Steal Web Session Cookie
Steal Application Access Token
Hooking
Keychain
Input Capture
Private Keys
Modify Authentication Process
Adversary-in-the-Middle
Brute Force
Cloud Instance Metadata API
Securityd Memory
Password Filter DLL
Credentials from Web Browsers
Multi-Factor Authentication Request Generation
Network Sniffing
Multi-Factor Authentication Interception
Input Prompt
Kerberoasting
Credentials in Files
Steal or Forge Authentication Certificates
Forge Web Credentials
Exploitation for Credential Access

Tactic: Discovery
Container and Resource Discovery
Password Policy Discovery
Permission Groups Discovery
Peripheral Device Discovery
System Service Discovery
Network Share Discovery
Cloud Service Discovery
Application Window Discovery
Browser Information Discovery
Debugger Evasion
Account Discovery
Process Discovery
Cloud Storage Object Discovery
Device Driver Discovery
Group Policy Discovery
System Location Discovery
Query Registry
System Information Discovery
Software Discovery
Network Service Discovery
Cloud Service Dashboard
File and Directory Discovery
System Owner/User Discovery
System Time Discovery
System Network Configuration Discovery
Virtualization/Sandbox Evasion
Cloud Infrastructure Discovery
Network Sniffing
Domain Trust Discovery
System Network Connections Discovery
Security Software Discovery
Remote System Discovery
Log Enumeration

Tactic: Lateral Movement
Lateral Tool Transfer
Application Deployment Software
Remote Desktop Protocol
Windows Admin Shares
Exploitation of Remote Services
Internal Spearphishing
Pass the Ticket
Windows Remote Management
Pass the Hash
Component Object Model and Distributed COM
Replication Through Removable Media
Remote Services
SSH Hijacking
Remote Service Session Hijacking
Taint Shared Content
Web Session Cookie
Shared Webroot
Application Access Token
Use Alternate Authentication Material
Software Deployment Tools

Tactic: Collection
Data from Information Repositories
Screen Capture
Data from Configuration Repository
Data from Removable Media
Clipboard Data
Audio Capture
Archive Collected Data
Video Capture
Input Capture
Data from Cloud Storage
Data from Local System
Adversary-in-the-Middle
Data Staged
Data from Network Shared Drive
Browser Session Hijacking
Email Collection
Automated Collection

Tactic: Command and Control
Application Layer Protocol
Domain Fronting
Multilayer Encryption
Traffic Signaling
Standard Cryptographic Protocol
Domain Generation Algorithms
Communication Through Removable Media
Proxy
Multi-Stage Channels
Dynamic Resolution
Multi-hop Proxy
Multiband Communication
Data Obfuscation
Non-Standard Port
Custom Cryptographic Protocol
Encrypted Channel
Non-Application Layer Protocol
Uncommonly Used Port
Data Encoding
Ingress Tool Transfer
Fallback Channels
Custom Command and Control Protocol
Remote Access Software
Content Injection
Protocol Tunneling
Web Service
Commonly Used Port

Tactic: Exfiltration
Exfiltration Over Web Service
Scheduled Transfer
Exfiltration Over Other Network Medium
Automated Exfiltration
Exfiltration Over C2 Channel
Exfiltration Over Alternative Protocol
Data Compressed
Data Transfer Size Limits
Data Encrypted
Exfiltration Over Physical Medium
Transfer Data to Cloud Account

Tactic: Impact
Stored Data Manipulation
Service Stop
Disk Structure Wipe
Network Denial of Service
Firmware Corruption
Data Manipulation
Inhibit System Recovery
Defacement
Endpoint Denial of Service
Runtime Data Manipulation
Data Destruction
Account Access Removal
Disk Wipe
System Shutdown/Reboot
Data Encrypted for Impact
Disk Content Wipe
Transmitted Data Manipulation
Financial Theft
Resource Hijacking