Windows-matrix.md

File metadata and controls

41 lines (39 loc) · 30.8 KB

MITRE ATT&CK - Windows Technique Matrix

| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|
| Accessibility Features | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | Application Deployment Software | Application Shimming | Audio Capture | Automated Exfiltration | Commonly Used Port |
| AppInit DLLs | Accessibility Features | Binary Padding | Brute Force | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| Application Shimming | AppInit DLLs | Bypass User Account Control | Create Account | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy |
| Authentication Package | Application Shimming | Code Signing | Credential Dumping | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Change Default File Association | DLL Injection | Component Object Model Hijacking | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | InstallUtil | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Component Firmware | DLL Search Order Hijacking | DLL Injection | Input Capture | Permission Groups Discovery | Remote File Copy | PowerShell | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | Query Registry | Replication Through Removable Media | Regsvcs/Regasm | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | Remote System Discovery | Shared Webroot | Regsvr32 | Screen Capture | | Multiband Communication |
| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | System Information Discovery | Third-party Software | Scheduled Task | | | Remote File Copy |
| Hypervisor | Scheduled Task | File Deletion | | System Network Configuration Discovery | Windows Admin Shares | Scripting | | | Standard Application Layer Protocol |
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | System Owner/User Discovery | | Third-party Software | | | Standard Non-Application Layer Protocol |
| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port |
| New Service | | Indicator Removal on Host | | System Time Discovery | | Windows Remote Management | | | Web Service |
| Netsh Helper DLL | | Indicator Removal from Tools | | | | Windows Management Instrumentation | | | |
| Office Application Startup | | Install Root Certificate | | | | | | | |
| Path Interception | | InstallUtil | | | | | | | |
| Redundant Access | | Masquerading | | | | | | | |
| Registry Run Keys / Start Folder | | Modify Registry | | | | | | | |
| Scheduled Task | | NTFS Extended Attributes | | | | | | | |
| Security Support Provider | | Network Share Connection Removal | | | | | | | |
| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | |
| Shortcut Modification | | Process Hollowing | | | | | | | |
| System Firmware | | Redundant Access | | | | | | | |
| Valid Accounts | | Regsvcs/Regasm | | | | | | | |
| Web Shell | | Regsvr32 | | | | | | | |
| Windows Management Instrumentation Event Subscription | | Rootkit | | | | | | | |
| Winlogon Helper DLL | | Rundll32 | | | | | | | |
| | | Scripting | | | | | | | |
| | | Software Packing | | | | | | | |
| | | Timestomp | | | | | | | |
| | | Trusted Developer Utilities | | | | | | | |
| | | Valid Accounts | | | | | | | |