MITRE ATT&CK Enterprise Technique Index
All 697 ATT&CK Enterprise techniques and sub-techniques. Each page includes the technique overview, tactics, platforms, and counts of detection strategies, mitigations, threat groups, software, and campaigns tracked in the interactive matrix.
- Data Obfuscation (T1001) — Command and Control
- OS Credential Dumping (T1003) — Credential Access
- Data from Local System (T1005) — Collection
- Direct Volume Access (T1006) — Stealth
- System Service Discovery (T1007) — Discovery
- Fallback Channels (T1008) — Command and Control
- Application Window Discovery (T1010) — Discovery
- Exfiltration Over Other Network Medium (T1011) — Exfiltration
- Query Registry (T1012) — Discovery
- Rootkit (T1014) — Stealth
- System Network Configuration Discovery (T1016) — Discovery
- Remote System Discovery (T1018) — Discovery
- Automated Exfiltration (T1020) — Exfiltration
- Remote Services (T1021) — Lateral Movement
- Data from Removable Media (T1025) — Collection
- Obfuscated Files or Information (T1027) — Stealth
- Binary Padding (T1027.001)
- Software Packing (T1027.002)
- Steganography (T1027.003)
- Compile After Delivery (T1027.004)
- Indicator Removal from Tools (T1027.005)
- HTML Smuggling (T1027.006)
- Dynamic API Resolution (T1027.007)
- Stripped Payloads (T1027.008)
- Embedded Payloads (T1027.009)
- Command Obfuscation (T1027.010)
- Fileless Storage (T1027.011)
- LNK Icon Smuggling (T1027.012)
- Encrypted/Encoded File (T1027.013)
- Polymorphic Code (T1027.014)
- Compression (T1027.015)
- Junk Code Insertion (T1027.016)
- SVG Smuggling (T1027.017)
- Invisible Unicode (T1027.018)
- Scheduled Transfer (T1029) — Exfiltration
- Data Transfer Size Limits (T1030) — Exfiltration
- System Owner/User Discovery (T1033) — Discovery
- Masquerading (T1036) — Stealth
- Invalid Code Signature (T1036.001)
- Right-to-Left Override (T1036.002)
- Rename Legitimate Utilities (T1036.003)
- Masquerade Task or Service (T1036.004)
- Match Legitimate Resource Name or Location (T1036.005)
- Space after Filename (T1036.006)
- Double File Extension (T1036.007)
- Masquerade File Type (T1036.008)
- Break Process Trees (T1036.009)
- Masquerade Account Name (T1036.010)
- Overwrite Process Arguments (T1036.011)
- Browser Fingerprint (T1036.012)
- Boot or Logon Initialization Scripts (T1037) — Persistence, Privilege Escalation
- Data from Network Shared Drive (T1039) — Collection
- Network Sniffing (T1040) — Credential Access, Discovery
- Exfiltration Over C2 Channel (T1041) — Exfiltration
- Network Service Discovery (T1046) — Discovery
- Windows Management Instrumentation (T1047) — Execution
- Exfiltration Over Alternative Protocol (T1048) — Exfiltration
- System Network Connections Discovery (T1049) — Discovery
- Exfiltration Over Physical Medium (T1052) — Exfiltration
- Scheduled Task/Job (T1053) — Execution, Persistence, Privilege Escalation
- Process Injection (T1055) — Stealth, Privilege Escalation
- Dynamic-link Library Injection (T1055.001)
- Portable Executable Injection (T1055.002)
- Thread Execution Hijacking (T1055.003)
- Asynchronous Procedure Call (T1055.004)
- Thread Local Storage (T1055.005)
- Ptrace System Calls (T1055.008)
- Proc Memory (T1055.009)
- Extra Window Memory Injection (T1055.011)
- Process Hollowing (T1055.012)
- Process Doppelgänging (T1055.013)
- VDSO Hijacking (T1055.014)
- ListPlanting (T1055.015)
- Input Capture (T1056) — Collection, Credential Access
- Process Discovery (T1057) — Discovery
- Command and Scripting Interpreter (T1059) — Execution
- PowerShell (T1059.001)
- AppleScript (T1059.002)
- Windows Command Shell (T1059.003)
- Unix Shell (T1059.004)
- Visual Basic (T1059.005)
- Python (T1059.006)
- JavaScript (T1059.007)
- Network Device CLI (T1059.008)
- Cloud API (T1059.009)
- AutoHotKey & AutoIT (T1059.010)
- Lua (T1059.011)
- Hypervisor CLI (T1059.012)
- Container CLI/API (T1059.013)
- Exploitation for Privilege Escalation (T1068) — Privilege Escalation
- Permission Groups Discovery (T1069) — Discovery
- Indicator Removal (T1070) — Stealth
- Application Layer Protocol (T1071) — Command and Control
- Software Deployment Tools (T1072) — Execution, Lateral Movement
- Data Staged (T1074) — Collection
- Valid Accounts (T1078) — Stealth, Persistence, Privilege Escalation, Initial Access
- Taint Shared Content (T1080) — Lateral Movement
- System Information Discovery (T1082) — Discovery
- File and Directory Discovery (T1083) — Discovery
- Account Discovery (T1087) — Discovery
- Proxy (T1090) — Command and Control
- Replication Through Removable Media (T1091) — Lateral Movement, Initial Access
- Communication Through Removable Media (T1092) — Command and Control
- Non-Application Layer Protocol (T1095) — Command and Control
- Account Manipulation (T1098) — Persistence, Privilege Escalation
- Web Service (T1102) — Command and Control
- Multi-Stage Channels (T1104) — Command and Control
- Ingress Tool Transfer (T1105) — Command and Control
- Native API (T1106) — Execution
- Brute Force (T1110) — Credential Access
- Multi-Factor Authentication Interception (T1111) — Credential Access
- Modify Registry (T1112) — Defense Impairment, Persistence
- Screen Capture (T1113) — Collection
- Email Collection (T1114) — Collection
- Clipboard Data (T1115) — Collection
- Automated Collection (T1119) — Collection
- Peripheral Device Discovery (T1120) — Discovery
- Audio Capture (T1123) — Collection
- System Time Discovery (T1124) — Discovery
- Video Capture (T1125) — Collection
- Trusted Developer Utilities Proxy Execution (T1127) — Stealth, Execution
- Shared Modules (T1129) — Execution
- Data Encoding (T1132) — Command and Control
- External Remote Services (T1133) — Persistence, Initial Access
- Access Token Manipulation (T1134) — Stealth, Privilege Escalation
- Network Share Discovery (T1135) — Discovery
- Create Account (T1136) — Persistence
- Office Application Startup (T1137) — Persistence
- Deobfuscate/Decode Files or Information (T1140) — Stealth
- Software Extensions (T1176) — Persistence
- Browser Session Hijacking (T1185) — Collection
- Forced Authentication (T1187) — Credential Access
- Drive-by Compromise (T1189) — Initial Access
- Exploit Public-Facing Application (T1190) — Initial Access
- Supply Chain Compromise (T1195) — Initial Access
- BITS Jobs (T1197) — Stealth, Persistence, Execution
- Trusted Relationship (T1199) — Initial Access
- Hardware Additions (T1200) — Initial Access
- Password Policy Discovery (T1201) — Discovery
- Indirect Command Execution (T1202) — Stealth
- Exploitation for Client Execution (T1203) — Execution
- User Execution (T1204) — Execution
- Traffic Signaling (T1205) — Stealth, Persistence, Command and Control
- Rogue Domain Controller (T1207) — Defense Impairment
- Exploitation of Remote Services (T1210) — Lateral Movement
- Exploitation for Stealth (T1211) — Stealth
- Exploitation for Credential Access (T1212) — Credential Access
- Data from Information Repositories (T1213) — Collection
- System Script Proxy Execution (T1216) — Stealth
- Browser Information Discovery (T1217) — Discovery
- System Binary Proxy Execution (T1218) — Stealth
- Compiled HTML File (T1218.001)
- Control Panel (T1218.002)
- CMSTP (T1218.003)
- InstallUtil (T1218.004)
- Mshta (T1218.005)
- Msiexec (T1218.007)
- Odbcconf (T1218.008)
- Regsvcs/Regasm (T1218.009)
- Regsvr32 (T1218.010)
- Rundll32 (T1218.011)
- Verclsid (T1218.012)
- Mavinject (T1218.013)
- MMC (T1218.014)
- Electron Applications (T1218.015)
- Remote Access Tools (T1219) — Command and Control
- XSL Script Processing (T1220) — Stealth
- Template Injection (T1221) — Stealth
- File and Directory Permissions Modification (T1222) — Defense Impairment
- Execution Guardrails (T1480) — Stealth
- Domain Trust Discovery (T1482) — Discovery
- Domain or Tenant Policy Modification (T1484) — Defense Impairment, Privilege Escalation
- Data Destruction (T1485) — Impact
- Data Encrypted for Impact (T1486) — Impact
- Service Stop (T1489) — Impact
- Inhibit System Recovery (T1490) — Impact
- Defacement (T1491) — Impact
- Firmware Corruption (T1495) — Impact
- Resource Hijacking (T1496) — Impact
- Virtualization/Sandbox Evasion (T1497) — Stealth, Discovery
- Network Denial of Service (T1498) — Impact
- Endpoint Denial of Service (T1499) — Impact
- Server Software Component (T1505) — Persistence
- Software Discovery (T1518) — Discovery
- Implant Internal Image (T1525) — Persistence
- Cloud Service Discovery (T1526) — Discovery
- Steal Application Access Token (T1528) — Credential Access
- System Shutdown/Reboot (T1529) — Impact
- Data from Cloud Storage (T1530) — Collection
- Account Access Removal (T1531) — Impact
- Internal Spearphishing (T1534) — Lateral Movement
- Unused/Unsupported Cloud Regions (T1535) — Stealth
- Transfer Data to Cloud Account (T1537) — Exfiltration
- Cloud Service Dashboard (T1538) — Discovery
- Steal Web Session Cookie (T1539) — Credential Access
- Pre-OS Boot (T1542) — Stealth, Persistence
- Create or Modify System Process (T1543) — Persistence, Privilege Escalation
- Event Triggered Execution (T1546) — Privilege Escalation, Persistence
- Change Default File Association (T1546.001)
- Screensaver (T1546.002)
- Windows Management Instrumentation Event Subscription (T1546.003)
- Unix Shell Configuration Modification (T1546.004)
- Trap (T1546.005)
- LC_LOAD_DYLIB Addition (T1546.006)
- Netsh Helper DLL (T1546.007)
- Accessibility Features (T1546.008)
- AppCert DLLs (T1546.009)
- AppInit DLLs (T1546.010)
- Application Shimming (T1546.011)
- Image File Execution Options Injection (T1546.012)
- PowerShell Profile (T1546.013)
- Emond (T1546.014)
- Component Object Model Hijacking (T1546.015)
- Installer Packages (T1546.016)
- Udev Rules (T1546.017)
- Python Startup Hooks (T1546.018)
- Boot or Logon Autostart Execution (T1547) — Persistence, Privilege Escalation
- Registry Run Keys / Startup Folder (T1547.001)
- Authentication Package (T1547.002)
- Time Providers (T1547.003)
- Winlogon Helper DLL (T1547.004)
- Security Support Provider (T1547.005)
- Kernel Modules and Extensions (T1547.006)
- Re-opened Applications (T1547.007)
- LSASS Driver (T1547.008)
- Shortcut Modification (T1547.009)
- Port Monitors (T1547.010)
- Print Processors (T1547.012)
- XDG Autostart Entries (T1547.013)
- Active Setup (T1547.014)
- Login Items (T1547.015)
- Abuse Elevation Control Mechanism (T1548) — Privilege Escalation
- Use Alternate Authentication Material (T1550) — Lateral Movement
- Unsecured Credentials (T1552) — Credential Access
- Subvert Trust Controls (T1553) — Defense Impairment
- Compromise Host Software Binary (T1554) — Persistence
- Credentials from Password Stores (T1555) — Credential Access
- Modify Authentication Process (T1556) — Defense Impairment, Persistence, Credential Access
- Domain Controller Authentication (T1556.001)
- Password Filter DLL (T1556.002)
- Pluggable Authentication Modules (T1556.003)
- Network Device Authentication (T1556.004)
- Reversible Encryption (T1556.005)
- Multi-Factor Authentication (T1556.006)
- Hybrid Identity (T1556.007)
- Network Provider DLL (T1556.008)
- Conditional Access Policies (T1556.009)
- Adversary-in-the-Middle (T1557) — Credential Access, Collection
- Steal or Forge Kerberos Tickets (T1558) — Credential Access
- Inter-Process Communication (T1559) — Execution
- Archive Collected Data (T1560) — Collection
- Disk Wipe (T1561) — Impact
- Remote Service Session Hijacking (T1563) — Lateral Movement
- Hide Artifacts (T1564) — Stealth
- Hidden Files and Directories (T1564.001)
- Hidden Users (T1564.002)
- Hidden Window (T1564.003)
- NTFS File Attributes (T1564.004)
- Hidden File System (T1564.005)
- Run Virtual Instance (T1564.006)
- VBA Stomping (T1564.007)
- Email Hiding Rules (T1564.008)
- Resource Forking (T1564.009)
- Process Argument Spoofing (T1564.010)
- Ignore Process Interrupts (T1564.011)
- File/Path Exclusions (T1564.012)
- Bind Mounts (T1564.013)
- Extended Attributes (T1564.014)
- Data Manipulation (T1565) — Impact
- Phishing (T1566) — Initial Access
- Exfiltration Over Web Service (T1567) — Exfiltration
- Dynamic Resolution (T1568) — Command and Control
- System Services (T1569) — Execution
- Lateral Tool Transfer (T1570) — Lateral Movement
- Non-Standard Port (T1571) — Command and Control
- Protocol Tunneling (T1572) — Command and Control
- Encrypted Channel (T1573) — Command and Control
- Hijack Execution Flow (T1574) — Stealth, Execution
- DLL (T1574.001)
- Dylib Hijacking (T1574.004)
- Executable Installer File Permissions Weakness (T1574.005)
- Dynamic Linker Hijacking (T1574.006)
- Path Interception by PATH Environment Variable (T1574.007)
- Path Interception by Search Order Hijacking (T1574.008)
- Path Interception by Unquoted Path (T1574.009)
- Services File Permissions Weakness (T1574.010)
- Services Registry Permissions Weakness (T1574.011)
- COR_PROFILER (T1574.012)
- KernelCallbackTable (T1574.013)
- AppDomainManager (T1574.014)
- Modify Cloud Compute Infrastructure (T1578) — Defense Impairment
- Cloud Infrastructure Discovery (T1580) — Discovery
- Acquire Infrastructure (T1583) — Resource Development
- Compromise Infrastructure (T1584) — Resource Development
- Establish Accounts (T1585) — Resource Development
- Compromise Accounts (T1586) — Resource Development
- Develop Capabilities (T1587) — Resource Development
- Obtain Capabilities (T1588) — Resource Development
- Gather Victim Identity Information (T1589) — Reconnaissance
- Gather Victim Network Information (T1590) — Reconnaissance
- Gather Victim Org Information (T1591) — Reconnaissance
- Gather Victim Host Information (T1592) — Reconnaissance
- Search Open Websites/Domains (T1593) — Reconnaissance
- Search Victim-Owned Websites (T1594) — Reconnaissance
- Active Scanning (T1595) — Reconnaissance
- Search Open Technical Databases (T1596) — Reconnaissance
- Search Closed Sources (T1597) — Reconnaissance
- Phishing for Information (T1598) — Reconnaissance
- Network Boundary Bridging (T1599) — Defense Impairment
- Weaken Encryption (T1600) — Defense Impairment
- Modify System Image (T1601) — Defense Impairment
- Data from Configuration Repository (T1602) — Collection
- Forge Web Credentials (T1606) — Credential Access
- Stage Capabilities (T1608) — Resource Development
- Container Administration Command (T1609) — Execution
- Deploy Container (T1610) — Execution
- Escape to Host (T1611) — Privilege Escalation
- Build Image on Host (T1612) — Stealth
- Container and Resource Discovery (T1613) — Discovery
- System Location Discovery (T1614) — Discovery
- Group Policy Discovery (T1615) — Discovery
- Cloud Storage Object Discovery (T1619) — Discovery
- Reflective Code Loading (T1620) — Stealth
- Multi-Factor Authentication Request Generation (T1621) — Credential Access
- Debugger Evasion (T1622) — Stealth, Discovery
- Plist File Modification (T1647) — Defense Impairment
- Serverless Execution (T1648) — Execution
- Steal or Forge Authentication Certificates (T1649) — Credential Access
- Acquire Access (T1650) — Resource Development
- Cloud Administration Command (T1651) — Execution
- Device Driver Discovery (T1652) — Discovery
- Power Settings (T1653) — Persistence
- Log Enumeration (T1654) — Discovery
- Financial Theft (T1657) — Impact
- Content Injection (T1659) — Initial Access, Command and Control
- Hide Infrastructure (T1665) — Command and Control
- Modify Cloud Resource Hierarchy (T1666) — Defense Impairment
- Email Bombing (T1667) — Impact
- Exclusive Control (T1668) — Persistence
- Wi-Fi Networks (T1669) — Initial Access
- Cloud Application Integration (T1671) — Persistence
- Virtual Machine Discovery (T1673) — Discovery
- Input Injection (T1674) — Execution
- ESXi Administration Command (T1675) — Execution
- Poisoned Pipeline Execution (T1677) — Execution
- Delay Execution (T1678) — Stealth
- Selective Exclusion (T1679) — Stealth
- Local Storage Discovery (T1680) — Discovery
- Search Threat Vendor Data (T1681) — Reconnaissance
- Query Public AI Services (T1682) — Reconnaissance
- Generate Content (T1683) — Resource Development
- Social Engineering (T1684) — Stealth
- Disable or Modify Tools (T1685) — Defense Impairment
- Disable or Modify System Firewall (T1686) — Defense Impairment
- Exploitation for Defense Impairment (T1687) — Defense Impairment
- Safe Mode Boot (T1688) — Defense Impairment
- Downgrade Attack (T1689) — Defense Impairment
- Prevent Command History Logging (T1690) — Defense Impairment