Mitre ATT&CK Navigator

This is work in progress. Nothing to see yet.

[]

reconnaissance	resource-development	initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	command-and-control	exfiltration	impact
Gather Victim Host Information Hardware Client Configurations Firmware Software Gather Victim Host Information Phishing for Information Spearphishing Service Spearphishing Attachment Spearphishing Voice Spearphishing Link Phishing for Information Active Scanning Wordlist Scanning Scanning IP Blocks Vulnerability Scanning Active Scanning Search Victim-Owned Websites Gather Victim Identity Information Email Addresses Employee Names Credentials Gather Victim Identity Information Search Open Technical Databases WHOIS Scan Databases DNS/Passive DNS Digital Certificates CDNs Search Open Technical Databases Search Open Websites/Domains Search Engines Code Repositories Social Media Search Open Websites/Domains Gather Victim Org Information Identify Roles Identify Business Tempo Business Relationships Determine Physical Locations Gather Victim Org Information Gather Victim Network Information Domain Properties Network Trust Dependencies Network Topology Network Security Appliances DNS IP Addresses Gather Victim Network Information Search Closed Sources Purchase Technical Data Threat Intel Vendors Search Closed Sources	Acquire Infrastructure DNS Server Server Botnet Web Services Virtual Private Server Malvertising Serverless Domains Acquire Infrastructure Acquire Access Compromise Accounts Cloud Accounts Social Media Accounts Email Accounts Compromise Accounts Establish Accounts Cloud Accounts Email Accounts Social Media Accounts Establish Accounts Develop Capabilities Digital Certificates Malware Code Signing Certificates Exploits Develop Capabilities Compromise Infrastructure Web Services DNS Server Virtual Private Server Domains Server Serverless Botnet Compromise Infrastructure Stage Capabilities Install Digital Certificate SEO Poisoning Upload Tool Drive-by Target Upload Malware Link Target Stage Capabilities Obtain Capabilities Malware Code Signing Certificates Digital Certificates Tool Vulnerabilities Exploits Obtain Capabilities	Valid Accounts Cloud Accounts Domain Accounts Local Accounts Default Accounts Valid Accounts Spearphishing Link Spearphishing Attachment Spearphishing via Service Drive-by Compromise Hardware Additions Supply Chain Compromise Compromise Software Dependencies and Development Tools Compromise Hardware Supply Chain Compromise Software Supply Chain Supply Chain Compromise Replication Through Removable Media Phishing Spearphishing Voice Spearphishing Link Spearphishing Attachment Spearphishing via Service Phishing Exploit Public-Facing Application Content Injection External Remote Services Trusted Relationship	Regsvcs/Regasm Cloud Administration Command Launchctl Regsvr32 Deploy Container AppleScript Space after Filename Dynamic Data Exchange Rundll32 Source Native API Container Administration Command Shared Modules Graphical User Interface Trap Windows Remote Management System Services Service Execution Launchctl System Services Compiled HTML File Scheduled Task/Job Cron At (Linux) Scheduled Task Launchd Systemd Timers Container Orchestration Job At Scheduled Task/Job Component Object Model and Distributed COM LSASS Driver Service Execution PowerShell InstallUtil Command and Scripting Interpreter Visual Basic Python Unix Shell Cloud API AppleScript JavaScript Network Device CLI Windows Command Shell PowerShell Command and Scripting Interpreter Windows Management Instrumentation User Execution Malicious Image Malicious Link Malicious File User Execution Serverless Execution CMSTP Control Panel Items Mshta Inter-Process Communication Component Object Model Dynamic Data Exchange XPC Services Inter-Process Communication Exploitation for Client Execution Local Job Scheduling Scripting Software Deployment Tools	Path Interception Valid Accounts Cloud Accounts Domain Accounts Local Accounts Default Accounts Valid Accounts Boot or Logon Initialization Scripts Network Logon Script Login Hook Startup Items Logon Script (Windows) RC Scripts Boot or Logon Initialization Scripts Rc.common BITS Jobs Port Monitors LC_LOAD_DYLIB Addition Office Application Startup Outlook Rules Office Test Outlook Forms Outlook Home Page Add-ins Office Template Macros Office Application Startup AppInit DLLs Malicious Shell Modification Bootkit Hypervisor Systemd Service Traffic Signaling Port Knocking Socket Filters Traffic Signaling Service Registry Permissions Weakness New Service Winlogon Helper DLL Emond AppCert DLLs Change Default File Association Authentication Package Launchctl Kernel Modules and Extensions Hidden Files and Directories Launch Agent Hooking System Firmware Re-opened Applications SIP and Trust Provider Hijacking Power Settings Application Shimming Pre-OS Boot Bootkit ROMMONkit Component Firmware System Firmware TFTP Boot Pre-OS Boot Screensaver Account Manipulation Additional Container Cluster Roles SSH Authorized Keys Device Registration Additional Cloud Roles Additional Cloud Credentials Additional Email Delegate Permissions Account Manipulation Shortcut Modification Component Object Model Hijacking Registry Run Keys / Startup Folder Boot or Logon Autostart Execution Port Monitors Plist Modification LSASS Driver Registry Run Keys / Startup Folder Print Processors Re-opened Applications Shortcut Modification Active Setup Winlogon Helper DLL Time Providers Login Items Authentication Package XDG Autostart Entries Security Support Provider Kernel Modules and Extensions Boot or Logon Autostart Execution Dylib Hijacking Hijack Execution Flow KernelCallbackTable Services File Permissions Weakness Services Registry Permissions Weakness Dylib Hijacking Path Interception by Unquoted Path DLL Search Order Hijacking Path Interception by PATH Environment Variable DLL Side-Loading COR_PROFILER Executable Installer File Permissions Weakness Path Interception by Search Order Hijacking Dynamic Linker Hijacking Hijack Execution Flow Netsh Helper DLL Trap Event Triggered Execution AppInit DLLs Screensaver PowerShell Profile Trap Emond Image File Execution Options Injection Installer Packages Component Object Model Hijacking Unix Shell Configuration Modification Netsh Helper DLL Application Shimming Accessibility Features LC_LOAD_DYLIB Addition AppCert DLLs Windows Management Instrumentation Event Subscription Change Default File Association Event Triggered Execution Modify Existing Service Web Shell Server Software Component IIS Components Web Shell Transport Agent Terminal Services DLL SQL Stored Procedures Server Software Component Scheduled Task/Job Cron At (Linux) Scheduled Task Launchd Systemd Timers Container Orchestration Job At Scheduled Task/Job Time Providers Create Account Domain Account Cloud Account Local Account Create Account Windows Management Instrumentation Event Subscription Image File Execution Options Injection LSASS Driver Modify Authentication Process Multi-Factor Authentication Domain Controller Authentication Reversible Encryption Pluggable Authentication Modules Password Filter DLL Network Device Authentication Hybrid Identity Network Provider DLL Modify Authentication Process Security Support Provider PowerShell Profile Plist Modification Create or Modify System Process Launch Daemon Windows Service Systemd Service Launch Agent Create or Modify System Process External Remote Services Setuid and Setgid Browser Extensions Implant Internal Image Component Firmware Redundant Access Accessibility Features DLL Search Order Hijacking File System Permissions Weakness Launch Daemon Local Job Scheduling Login Item Startup Items Compromise Client Software Binary	Exploitation for Privilege Escalation Path Interception Valid Accounts Cloud Accounts Domain Accounts Local Accounts Default Accounts Valid Accounts Boot or Logon Initialization Scripts Network Logon Script Login Hook Startup Items Logon Script (Windows) RC Scripts Boot or Logon Initialization Scripts Port Monitors AppInit DLLs Elevated Execution with Prompt Service Registry Permissions Weakness New Service Emond AppCert DLLs Access Token Manipulation SID-History Injection Make and Impersonate Token Parent PID Spoofing Create Process with Token Token Impersonation/Theft Access Token Manipulation Abuse Elevation Control Mechanism Setuid and Setgid Sudo and Sudo Caching Bypass User Account Control Temporary Elevated Cloud Access Elevated Execution with Prompt Abuse Elevation Control Mechanism Hooking Domain Policy Modification Domain Trust Modification Group Policy Modification Domain Policy Modification Application Shimming Account Manipulation Additional Container Cluster Roles SSH Authorized Keys Device Registration Additional Cloud Roles Additional Cloud Credentials Additional Email Delegate Permissions Account Manipulation Boot or Logon Autostart Execution Port Monitors Plist Modification LSASS Driver Registry Run Keys / Startup Folder Print Processors Re-opened Applications Shortcut Modification Active Setup Winlogon Helper DLL Time Providers Login Items Authentication Package XDG Autostart Entries Security Support Provider Kernel Modules and Extensions Boot or Logon Autostart Execution Parent PID Spoofing Extra Window Memory Injection Sudo Dylib Hijacking Hijack Execution Flow KernelCallbackTable Services File Permissions Weakness Services Registry Permissions Weakness Dylib Hijacking Path Interception by Unquoted Path DLL Search Order Hijacking Path Interception by PATH Environment Variable DLL Side-Loading COR_PROFILER Executable Installer File Permissions Weakness Path Interception by Search Order Hijacking Dynamic Linker Hijacking Hijack Execution Flow Event Triggered Execution AppInit DLLs Screensaver PowerShell Profile Trap Emond Image File Execution Options Injection Installer Packages Component Object Model Hijacking Unix Shell Configuration Modification Netsh Helper DLL Application Shimming Accessibility Features LC_LOAD_DYLIB Addition AppCert DLLs Windows Management Instrumentation Event Subscription Change Default File Association Event Triggered Execution Web Shell Scheduled Task/Job Cron At (Linux) Scheduled Task Launchd Systemd Timers Container Orchestration Job At Scheduled Task/Job Image File Execution Options Injection PowerShell Profile Plist Modification Create or Modify System Process Launch Daemon Windows Service Systemd Service Launch Agent Create or Modify System Process Setuid and Setgid Sudo Caching Accessibility Features DLL Search Order Hijacking SID-History Injection File System Permissions Weakness Launch Daemon Bypass User Account Control Process Injection ListPlanting Process Hollowing Extra Window Memory Injection Thread Local Storage Thread Execution Hijacking VDSO Hijacking Process Doppelgänging Asynchronous Procedure Call Portable Executable Injection Ptrace System Calls Proc Memory Dynamic-link Library Injection Process Injection Escape to Host Startup Items	Indicator Removal from Tools Network Share Connection Removal Direct Volume Access Valid Accounts Cloud Accounts Domain Accounts Local Accounts Default Accounts Valid Accounts Reflective Code Loading Timestomp Modify Cloud Compute Infrastructure Revert Cloud Instance Modify Cloud Compute Configurations Delete Cloud Instance Create Snapshot Create Cloud Instance Modify Cloud Compute Infrastructure BITS Jobs Process Hollowing Regsvcs/Regasm Disabling Security Tools Impersonation HISTCONTROL Impair Defenses Disable or Modify Tools Spoof Security Alerting Disable or Modify Cloud Logs Disable or Modify Cloud Firewall Disable or Modify System Firewall Disable or Modify Linux Audit System Safe Mode Boot Impair Command History Logging Indicator Blocking Disable Windows Event Logging Downgrade Attack Impair Defenses Code Signing Masquerading Match Legitimate Name or Location Right-to-Left Override Masquerade Task or Service Masquerade File Type Double File Extension Invalid Code Signature Rename System Utilities Break Process Trees Space after Filename Masquerading Traffic Signaling Port Knocking Socket Filters Traffic Signaling Binary Padding Hidden Window Access Token Manipulation SID-History Injection Make and Impersonate Token Parent PID Spoofing Create Process with Token Token Impersonation/Theft Access Token Manipulation Gatekeeper Bypass Launchctl Regsvr32 Rootkit Deploy Container Space after Filename Hidden Files and Directories Abuse Elevation Control Mechanism Setuid and Setgid Sudo and Sudo Caching Bypass User Account Control Temporary Elevated Cloud Access Elevated Execution with Prompt Abuse Elevation Control Mechanism Rundll32 Install Root Certificate Debugger Evasion Revert Cloud Instance SIP and Trust Provider Hijacking Software Packing System Binary Proxy Execution Regsvr32 InstallUtil Regsvcs/Regasm Mavinject Msiexec Rundll32 Verclsid Mshta Compiled HTML File Control Panel CMSTP MMC Odbcconf System Binary Proxy Execution Indicator Removal Timestomp Clear Windows Event Logs File Deletion Network Share Connection Removal Clear Linux or Mac System Logs Clear Persistence Clear Network Connection History and Configurations Clear Command History Clear Mailbox Data Indicator Removal Domain Policy Modification Domain Trust Modification Group Policy Modification Domain Policy Modification Pre-OS Boot Bootkit ROMMONkit Component Firmware System Firmware TFTP Boot Pre-OS Boot Component Object Model Hijacking Parent PID Spoofing Obfuscated Files or Information Compile After Delivery HTML Smuggling Command Obfuscation Binary Padding Dynamic API Resolution Fileless Storage Indicator Removal from Tools Steganography Software Packing Embedded Payloads Stripped Payloads LNK Icon Smuggling Obfuscated Files or Information Extra Window Memory Injection LC_MAIN Hijacking Hide Artifacts Hidden Window Hidden Files and Directories Hidden File System NTFS File Attributes Email Hiding Rules Process Argument Spoofing Run Virtual Instance VBA Stomping Ignore Process Interrupts Hidden Users Resource Forking Hide Artifacts Modify System Image Downgrade System Image Patch System Image Modify System Image DLL Side-Loading Hijack Execution Flow KernelCallbackTable Services File Permissions Weakness Services Registry Permissions Weakness Dylib Hijacking Path Interception by Unquoted Path DLL Search Order Hijacking Path Interception by PATH Environment Variable DLL Side-Loading COR_PROFILER Executable Installer File Permissions Weakness Path Interception by Search Order Hijacking Dynamic Linker Hijacking Hijack Execution Flow Subvert Trust Controls Gatekeeper Bypass SIP and Trust Provider Hijacking Code Signing Policy Modification Code Signing Install Root Certificate Mark-of-the-Web Bypass Subvert Trust Controls Hidden Users Compiled HTML File File and Directory Permissions Modification Windows File and Directory Permissions Modification Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification File Deletion Image File Execution Options Injection Modify Authentication Process Multi-Factor Authentication Domain Controller Authentication Reversible Encryption Pluggable Authentication Modules Password Filter DLL Network Device Authentication Hybrid Identity Network Provider DLL Modify Authentication Process InstallUtil System Script Proxy Execution PubPrn System Script Proxy Execution Clear Command History Trusted Developer Utilities Proxy Execution MSBuild Trusted Developer Utilities Proxy Execution Plist Modification Virtualization/Sandbox Evasion User Activity Based Checks System Checks Time Based Evasion Virtualization/Sandbox Evasion Exploitation for Defense Evasion Rogue Domain Controller Unused/Unsupported Cloud Regions Component Firmware Redundant Access CMSTP Indicator Blocking DLL Search Order Hijacking Web Session Cookie Control Panel Items Compile After Delivery Mshta Network Boundary Bridging Network Address Translation Traversal Network Boundary Bridging Deobfuscate/Decode Files or Information Plist File Modification Bypass User Account Control Process Injection ListPlanting Process Hollowing Extra Window Memory Injection Thread Local Storage Thread Execution Hijacking VDSO Hijacking Process Doppelgänging Asynchronous Procedure Call Portable Executable Injection Ptrace System Calls Proc Memory Dynamic-link Library Injection Process Injection XSL Script Processing Weaken Encryption Disable Crypto Hardware Reduce Key Space Weaken Encryption Process Doppelgänging Build Image on Host Application Access Token Execution Guardrails Environmental Keying Execution Guardrails Scripting NTFS File Attributes Use Alternate Authentication Material Web Session Cookie Pass the Ticket Application Access Token Pass the Hash Use Alternate Authentication Material Template Injection Indirect Command Execution Modify Registry	OS Credential Dumping LSA Secrets Cached Domain Credentials DCSync Security Account Manager Proc Filesystem /etc/passwd and /etc/shadow NTDS LSASS Memory OS Credential Dumping Forced Authentication Credentials in Registry Steal or Forge Kerberos Tickets Golden Ticket Kerberoasting AS-REP Roasting Silver Ticket Steal or Forge Kerberos Tickets Credentials from Password Stores Cloud Secrets Management Stores Windows Credential Manager Securityd Memory Password Managers Keychain Credentials from Web Browsers Credentials from Password Stores Bash History Unsecured Credentials Bash History Cloud Instance Metadata API Credentials In Files Group Policy Preferences Container API Credentials in Registry Private Keys Chat Messages Unsecured Credentials LLMNR/NBT-NS Poisoning and Relay Steal Web Session Cookie Steal Application Access Token Hooking Keychain Input Capture Web Portal Capture GUI Input Capture Keylogging Credential API Hooking Input Capture Private Keys Modify Authentication Process Multi-Factor Authentication Domain Controller Authentication Reversible Encryption Pluggable Authentication Modules Password Filter DLL Network Device Authentication Hybrid Identity Network Provider DLL Modify Authentication Process Adversary-in-the-Middle ARP Cache Poisoning DHCP Spoofing LLMNR/NBT-NS Poisoning and SMB Relay Adversary-in-the-Middle Brute Force Credential Stuffing Password Guessing Password Cracking Password Spraying Brute Force Cloud Instance Metadata API Securityd Memory Password Filter DLL Credentials from Web Browsers Multi-Factor Authentication Request Generation Network Sniffing Multi-Factor Authentication Interception Input Prompt Kerberoasting Credentials in Files Steal or Forge Authentication Certificates Forge Web Credentials SAML Tokens Web Cookies Forge Web Credentials Exploitation for Credential Access	Container and Resource Discovery Password Policy Discovery Permission Groups Discovery Domain Groups Cloud Groups Local Groups Permission Groups Discovery Peripheral Device Discovery System Service Discovery Network Share Discovery Cloud Service Discovery Application Window Discovery Browser Information Discovery Debugger Evasion Account Discovery Domain Account Local Account Cloud Account Email Account Account Discovery Process Discovery Cloud Storage Object Discovery Device Driver Discovery Group Policy Discovery System Location Discovery System Language Discovery System Location Discovery Query Registry System Information Discovery Software Discovery Security Software Discovery Software Discovery Network Service Discovery Cloud Service Dashboard File and Directory Discovery System Owner/User Discovery System Time Discovery System Network Configuration Discovery Internet Connection Discovery Wi-Fi Discovery System Network Configuration Discovery Virtualization/Sandbox Evasion User Activity Based Checks System Checks Time Based Evasion Virtualization/Sandbox Evasion Cloud Infrastructure Discovery Network Sniffing Domain Trust Discovery System Network Connections Discovery Security Software Discovery Remote System Discovery Log Enumeration	Lateral Tool Transfer Application Deployment Software Remote Desktop Protocol Windows Admin Shares Exploitation of Remote Services Internal Spearphishing Pass the Ticket Windows Remote Management Pass the Hash Component Object Model and Distributed COM Replication Through Removable Media Remote Services SSH SMB/Windows Admin Shares Direct Cloud VM Connections Windows Remote Management VNC Cloud Services Remote Desktop Protocol Distributed Component Object Model Remote Services SSH Hijacking Remote Service Session Hijacking SSH Hijacking RDP Hijacking Remote Service Session Hijacking Taint Shared Content Web Session Cookie Shared Webroot Application Access Token Use Alternate Authentication Material Web Session Cookie Pass the Ticket Application Access Token Pass the Hash Use Alternate Authentication Material Software Deployment Tools	Data from Information Repositories Code Repositories Sharepoint Confluence Data from Information Repositories Screen Capture Data from Configuration Repository SNMP (MIB Dump) Network Device Configuration Dump Data from Configuration Repository Data from Removable Media Clipboard Data Audio Capture Archive Collected Data Archive via Custom Method Archive via Library Archive via Utility Archive Collected Data Video Capture Input Capture Web Portal Capture GUI Input Capture Keylogging Credential API Hooking Input Capture Data from Cloud Storage Data from Local System Adversary-in-the-Middle ARP Cache Poisoning DHCP Spoofing LLMNR/NBT-NS Poisoning and SMB Relay Adversary-in-the-Middle Data Staged Local Data Staging Remote Data Staging Data Staged Data from Network Shared Drive Browser Session Hijacking Email Collection Local Email Collection Email Forwarding Rule Remote Email Collection Email Collection Automated Collection	Application Layer Protocol Mail Protocols DNS File Transfer Protocols Web Protocols Application Layer Protocol Domain Fronting Multilayer Encryption Traffic Signaling Port Knocking Socket Filters Traffic Signaling Standard Cryptographic Protocol Domain Generation Algorithms Communication Through Removable Media Proxy Multi-hop Proxy Internal Proxy Domain Fronting External Proxy Proxy Multi-Stage Channels Dynamic Resolution DNS Calculation Domain Generation Algorithms Fast Flux DNS Dynamic Resolution Multi-hop Proxy Multiband Communication Data Obfuscation Steganography Protocol Impersonation Junk Data Data Obfuscation Non-Standard Port Custom Cryptographic Protocol Encrypted Channel Symmetric Cryptography Asymmetric Cryptography Encrypted Channel Non-Application Layer Protocol Uncommonly Used Port Data Encoding Standard Encoding Non-Standard Encoding Data Encoding Ingress Tool Transfer Fallback Channels Custom Command and Control Protocol Remote Access Software Content Injection Protocol Tunneling Web Service Bidirectional Communication One-Way Communication Dead Drop Resolver Web Service Commonly Used Port	Exfiltration Over Web Service Exfiltration to Text Storage Sites Exfiltration to Code Repository Exfiltration to Cloud Storage Exfiltration Over Webhook Exfiltration Over Web Service Scheduled Transfer Exfiltration Over Other Network Medium Exfiltration Over Bluetooth Exfiltration Over Other Network Medium Automated Exfiltration Traffic Duplication Automated Exfiltration Exfiltration Over C2 Channel Exfiltration Over Alternative Protocol Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Data Compressed Data Transfer Size Limits Data Encrypted Exfiltration Over Physical Medium Exfiltration over USB Exfiltration Over Physical Medium Transfer Data to Cloud Account	Stored Data Manipulation Service Stop Disk Structure Wipe Network Denial of Service Reflection Amplification Direct Network Flood Network Denial of Service Firmware Corruption Data Manipulation Transmitted Data Manipulation Stored Data Manipulation Runtime Data Manipulation Data Manipulation Inhibit System Recovery Defacement External Defacement Internal Defacement Defacement Endpoint Denial of Service Application Exhaustion Flood Service Exhaustion Flood Application or System Exploitation OS Exhaustion Flood Endpoint Denial of Service Runtime Data Manipulation Data Destruction Account Access Removal Disk Wipe Disk Structure Wipe Disk Content Wipe Disk Wipe System Shutdown/Reboot Data Encrypted for Impact Disk Content Wipe Transmitted Data Manipulation Financial Theft Resource Hijacking