Skip to content

Latest commit

 

History

History
155 lines (155 loc) · 46.6 KB

matrix.md

File metadata and controls

155 lines (155 loc) · 46.6 KB
Raw

All Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Cloud Accounts CONTRIBUTE A TEST AppleScript .bash_profile and .bashrc .bash_profile and .bashrc Abuse Elevation Control Mechanism CONTRIBUTE A TEST /etc/passwd and /etc/shadow Account Discovery CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Automated Exfiltration Application Layer Protocol CONTRIBUTE A TEST Account Access Removal
Compromise Hardware Supply Chain CONTRIBUTE A TEST At (Linux) Accessibility Features Abuse Elevation Control Mechanism CONTRIBUTE A TEST Access Token Manipulation CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Application Window Discovery Component Object Model and Distributed COM CONTRIBUTE A TEST Archive Collected Data Data Transfer Size Limits Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST At (Windows) Account Manipulation Access Token Manipulation CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST AS-REP Roasting CONTRIBUTE A TEST Browser Bookmark Discovery Distributed Component Object Model Archive via Custom Method CONTRIBUTE A TEST Exfiltration Over Alternative Protocol Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Add Office 365 Global Administrator Role CONTRIBUTE A TEST Accessibility Features Asynchronous Procedure Call Bash History Cloud Account CONTRIBUTE A TEST Exploitation of Remote Services CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Commonly Used Port CONTRIBUTE A TEST Data Destruction
Default Accounts Component Object Model CONTRIBUTE A TEST Add-ins CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST BITS Jobs Brute Force CONTRIBUTE A TEST Cloud Groups CONTRIBUTE A TEST Internal Spearphishing CONTRIBUTE A TEST Archive via Utility Exfiltration Over Bluetooth CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Encrypted for Impact CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Component Object Model and Distributed COM CONTRIBUTE A TEST Additional Cloud Credentials CONTRIBUTE A TEST AppInit DLLs Binary Padding Cached Domain Credentials CONTRIBUTE A TEST Cloud Infrastructure Discovery CONTRIBUTE A TEST Lateral Tool Transfer CONTRIBUTE A TEST Audio Capture Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS Data Manipulation CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Cron AppCert DLLs CONTRIBUTE A TEST Application Shimming Bootkit CONTRIBUTE A TEST Cloud Instance Metadata API CONTRIBUTE A TEST Cloud Service Dashboard CONTRIBUTE A TEST Pass the Hash Automated Collection Exfiltration Over Other Network Medium CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Dynamic Data Exchange AppInit DLLs Asynchronous Procedure Call Bypass User Account Control Credential API Hooking Cloud Service Discovery CONTRIBUTE A TEST Pass the Ticket Clipboard Data Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
External Remote Services Exploitation for Client Execution CONTRIBUTE A TEST Application Shimming At (Linux) CMSTP Credential Stuffing CONTRIBUTE A TEST Domain Account RDP Hijacking Confluence CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST At (Linux) At (Windows) COR_PROFILER Credentials In Files Domain Groups Remote Desktop Protocol Credential API Hooking Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Dead Drop Resolver CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Local Accounts Inter-Process Communication CONTRIBUTE A TEST At (Windows) Authentication Package CONTRIBUTE A TEST Clear Command History Credentials from Password Stores Domain Trust Discovery Remote Service Session Hijacking CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST JavaScript/JScript CONTRIBUTE A TEST Authentication Package CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Clear Linux or Mac System Logs Credentials from Web Browsers Email Account CONTRIBUTE A TEST Remote Services CONTRIBUTE A TEST Data from Cloud Storage Object CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST Launchctl BITS Jobs Boot or Logon Initialization Scripts CONTRIBUTE A TEST Clear Windows Event Logs Credentials in Registry File and Directory Discovery Replication Through Removable Media CONTRIBUTE A TEST Data from Configuration Repository CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Spearphishing Attachment Launchd Boot or Logon Autostart Execution CONTRIBUTE A TEST Bypass User Account Control Cloud Accounts CONTRIBUTE A TEST DCSync Local Account SMB/Windows Admin Shares Data from Information Repositories CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Encrypted Channel Firmware Corruption CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Malicious File Boot or Logon Initialization Scripts CONTRIBUTE A TEST COR_PROFILER Code Signing CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Local Groups SSH CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Inhibit System Recovery
Spearphishing via Service CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Change Default File Association Compile After Delivery Exploitation for Credential Access CONTRIBUTE A TEST Network Service Scanning SSH Hijacking CONTRIBUTE A TEST Data from Network Shared Drive CONTRIBUTE A TEST Traffic Duplication CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Internal Defacement CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Native API Browser Extensions Cloud Accounts CONTRIBUTE A TEST Compiled HTML File Forced Authentication CONTRIBUTE A TEST Network Share Discovery Shared Webroot CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Transfer Data to Cloud Account CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Network Device CLI CONTRIBUTE A TEST COR_PROFILER Component Object Model Hijacking CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST GUI Input Capture Network Sniffing Software Deployment Tools CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST PowerShell Change Default File Association Create Process with Token CONTRIBUTE A TEST Control Panel Golden Ticket Password Policy Discovery Taint Shared Content CONTRIBUTE A TEST Email Forwarding Rule CONTRIBUTE A TEST Ingress Tool Transfer Reflection Amplification CONTRIBUTE A TEST
Python CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Create Cloud Instance CONTRIBUTE A TEST Group Policy Preferences Peripheral Device Discovery Use Alternate Authentication Material CONTRIBUTE A TEST GUI Input Capture Internal Proxy Resource Hijacking
Scheduled Task Cloud Accounts CONTRIBUTE A TEST Cron Create Process with Token CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Permission Groups Discovery CONTRIBUTE A TEST VNC CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Junk Data CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Scheduled Task/Job CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST DLL Search Order Hijacking Create Snapshot CONTRIBUTE A TEST Kerberoasting Process Discovery Web Session Cookie CONTRIBUTE A TEST Keylogging Mail Protocols CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST Component Object Model Hijacking CONTRIBUTE A TEST DLL Side-Loading DLL Search Order Hijacking Keychain Query Registry Windows Remote Management LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Service Stop
Service Execution Compromise Client Software Binary CONTRIBUTE A TEST Default Accounts DLL Side-Loading Keylogging Remote System Discovery Local Data Staging Multi-hop Proxy CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Shared Modules CONTRIBUTE A TEST Create Account CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Default Accounts LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Security Software Discovery Local Email Collection Multiband Communication CONTRIBUTE A TEST System Shutdown/Reboot
Software Deployment Tools CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Delete Cloud Instance CONTRIBUTE A TEST LSA Secrets Software Discovery Man in the Browser CONTRIBUTE A TEST Non-Application Layer Protocol Transmitted Data Manipulation CONTRIBUTE A TEST
Source CONTRIBUTE A TEST Cron Dynamic-link Library Injection Deobfuscate/Decode Files or Information LSASS Memory System Checks Man-in-the-Middle CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST DLL Search Order Hijacking Elevated Execution with Prompt CONTRIBUTE A TEST Direct Volume Access Man-in-the-Middle CONTRIBUTE A TEST System Information Discovery Network Device Configuration Dump CONTRIBUTE A TEST Non-Standard Port
Systemd Timers CONTRIBUTE A TEST DLL Side-Loading Emond Disable Cloud Logs CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST System Network Configuration Discovery Remote Data Staging CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST
Unix Shell Default Accounts Event Triggered Execution CONTRIBUTE A TEST Disable Crypto Hardware CONTRIBUTE A TEST NTDS System Network Connections Discovery Remote Email Collection CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
User Execution CONTRIBUTE A TEST Domain Account Executable Installer File Permissions Weakness CONTRIBUTE A TEST Disable Windows Event Logging Network Device Authentication CONTRIBUTE A TEST System Owner/User Discovery SNMP (MIB Dump) CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Visual Basic Domain Accounts CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Disable or Modify Cloud Firewall CONTRIBUTE A TEST Network Sniffing System Service Discovery Screen Capture Protocol Tunneling CONTRIBUTE A TEST
Windows Command Shell Dylib Hijacking CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Disable or Modify System Firewall OS Credential Dumping System Time Discovery Sharepoint CONTRIBUTE A TEST Proxy CONTRIBUTE A TEST
Windows Management Instrumentation Emond Group Policy Modification CONTRIBUTE A TEST Disable or Modify Tools Password Cracking Time Based Evasion CONTRIBUTE A TEST Video Capture CONTRIBUTE A TEST Remote Access Software
Event Triggered Execution CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Password Filter DLL User Activity Based Checks CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Standard Encoding
Exchange Email Delegate Permissions CONTRIBUTE A TEST Image File Execution Options Injection Domain Controller Authentication CONTRIBUTE A TEST Password Guessing Virtualization/Sandbox Evasion CONTRIBUTE A TEST Steganography CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Kernel Modules and Extensions Downgrade System Image CONTRIBUTE A TEST Password Spraying Symmetric Cryptography CONTRIBUTE A TEST
External Remote Services LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Pluggable Authentication Modules CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST LD_PRELOAD Dynamic-link Library Injection Private Keys Web Protocols
Hypervisor CONTRIBUTE A TEST LSASS Driver CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Proc Filesystem CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Image File Execution Options Injection Launch Agent Environmental Keying CONTRIBUTE A TEST Security Account Manager
Implant Container Image CONTRIBUTE A TEST Launch Daemon Executable Installer File Permissions Weakness CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST
Kernel Modules and Extensions Launchd Execution Guardrails CONTRIBUTE A TEST Silver Ticket CONTRIBUTE A TEST
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Local Accounts Exploitation for Defense Evasion CONTRIBUTE A TEST Steal Application Access Token CONTRIBUTE A TEST
LD_PRELOAD Logon Script (Mac) Extra Window Memory Injection CONTRIBUTE A TEST Steal Web Session Cookie CONTRIBUTE A TEST
LSASS Driver CONTRIBUTE A TEST Logon Script (Windows) File Deletion Steal or Forge Kerberos Tickets CONTRIBUTE A TEST
Launch Agent Make and Impersonate Token CONTRIBUTE A TEST File and Directory Permissions Modification CONTRIBUTE A TEST Two-Factor Authentication Interception CONTRIBUTE A TEST
Launch Daemon Netsh Helper DLL Gatekeeper Bypass Unsecured Credentials CONTRIBUTE A TEST
Launchd Network Logon Script CONTRIBUTE A TEST Group Policy Modification CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST
Local Account Parent PID Spoofing Hidden File System CONTRIBUTE A TEST
Local Accounts Path Interception CONTRIBUTE A TEST Hidden Files and Directories
Logon Script (Mac) Path Interception by PATH Environment Variable CONTRIBUTE A TEST Hidden Users
Logon Script (Windows) Path Interception by Search Order Hijacking CONTRIBUTE A TEST Hidden Window
Netsh Helper DLL Path Interception by Unquoted Path Hide Artifacts
Network Logon Script CONTRIBUTE A TEST Plist Modification Hijack Execution Flow CONTRIBUTE A TEST
Office Application Startup CONTRIBUTE A TEST Port Monitors CONTRIBUTE A TEST Impair Command History Logging
Office Template Macros CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST Impair Defenses CONTRIBUTE A TEST
Office Test PowerShell Profile Indicator Blocking
Outlook Forms CONTRIBUTE A TEST Print Processors CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST
Outlook Home Page Proc Memory CONTRIBUTE A TEST Indicator Removal on Host
Outlook Rules CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST Indirect Command Execution
Path Interception CONTRIBUTE A TEST Process Hollowing Install Root Certificate
Path Interception by PATH Environment Variable CONTRIBUTE A TEST Process Injection InstallUtil
Path Interception by Search Order Hijacking CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST Invalid Code Signature CONTRIBUTE A TEST
Path Interception by Unquoted Path Rc.common LC_MAIN Hijacking CONTRIBUTE A TEST
Plist Modification Re-opened Applications LD_PRELOAD
Port Knocking CONTRIBUTE A TEST Registry Run Keys / Startup Folder Linux and Mac File and Directory Permissions Modification
Port Monitors CONTRIBUTE A TEST SID-History Injection CONTRIBUTE A TEST Local Accounts
PowerShell Profile Scheduled Task MSBuild
Pre-OS Boot CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Make and Impersonate Token CONTRIBUTE A TEST
Print Processors CONTRIBUTE A TEST Screensaver Masquerade Task or Service
ROMMONkit CONTRIBUTE A TEST Security Support Provider Masquerading CONTRIBUTE A TEST
Rc.common Services File Permissions Weakness CONTRIBUTE A TEST Match Legitimate Name or Location CONTRIBUTE A TEST
Re-opened Applications Services Registry Permissions Weakness Modify Authentication Process CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST Setuid and Setgid Modify Cloud Compute Infrastructure CONTRIBUTE A TEST
Registry Run Keys / Startup Folder Shortcut Modification Modify Registry
SQL Stored Procedures CONTRIBUTE A TEST Startup Items Modify System Image CONTRIBUTE A TEST
SSH Authorized Keys Sudo and Sudo Caching Mshta
Scheduled Task Systemd Service Msiexec
Scheduled Task/Job CONTRIBUTE A TEST Systemd Timers CONTRIBUTE A TEST NTFS File Attributes
Screensaver Thread Execution Hijacking CONTRIBUTE A TEST Network Address Translation Traversal CONTRIBUTE A TEST
Security Support Provider Thread Local Storage CONTRIBUTE A TEST Network Boundary Bridging CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Time Providers CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST Token Impersonation/Theft Network Share Connection Removal
Services Registry Permissions Weakness Trap Obfuscated Files or Information
Shortcut Modification VDSO Hijacking CONTRIBUTE A TEST Odbcconf
Startup Items Valid Accounts CONTRIBUTE A TEST Parent PID Spoofing
System Firmware CONTRIBUTE A TEST Windows Management Instrumentation Event Subscription Pass the Hash
Systemd Service Windows Service Pass the Ticket
Systemd Timers CONTRIBUTE A TEST Winlogon Helper DLL Password Filter DLL
TFTP Boot CONTRIBUTE A TEST Patch System Image CONTRIBUTE A TEST
Time Providers CONTRIBUTE A TEST Path Interception by PATH Environment Variable CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST Path Interception by Search Order Hijacking CONTRIBUTE A TEST
Transport Agent Path Interception by Unquoted Path
Trap Pluggable Authentication Modules CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Web Shell Portable Executable Injection CONTRIBUTE A TEST
Windows Management Instrumentation Event Subscription Pre-OS Boot CONTRIBUTE A TEST
Windows Service Proc Memory CONTRIBUTE A TEST
Winlogon Helper DLL Process Doppelgänging CONTRIBUTE A TEST
Process Hollowing
Process Injection
Ptrace System Calls CONTRIBUTE A TEST
PubPrn
ROMMONkit CONTRIBUTE A TEST
Reduce Key Space CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST
Regsvcs/Regasm
Regsvr32
Rename System Utilities
Revert Cloud Instance CONTRIBUTE A TEST
Right-to-Left Override CONTRIBUTE A TEST
Rogue Domain Controller
Rootkit
Run Virtual Instance CONTRIBUTE A TEST
Rundll32
SID-History Injection CONTRIBUTE A TEST
SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST
Services Registry Permissions Weakness
Setuid and Setgid
Signed Binary Proxy Execution
Signed Script Proxy Execution
Software Packing
Space after Filename
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Sudo and Sudo Caching
System Checks
System Firmware CONTRIBUTE A TEST
TFTP Boot CONTRIBUTE A TEST
Template Injection CONTRIBUTE A TEST
Thread Execution Hijacking CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Token Impersonation/Theft
Traffic Signaling CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
Use Alternate Authentication Material CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
VBA Stomping CONTRIBUTE A TEST
VDSO Hijacking CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Verclsid CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Weaken Encryption CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST
Windows File and Directory Permissions Modification
XSL Script Processing