matrix.md

File metadata and controls

62 lines (62 loc) · 24.2 KB

All Atomic Tests by ATT&CK Tactic & Technique

| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Exploit Public-Facing Application | CMSTP | Accessibility Features | Accessibility Features | BITS Jobs | Bash History | Application Window Discovery | Application Deployment Software | Automated Collection | Data Compressed | Communication Through Removable Media |
| Hardware Additions | Command-Line Interface | AppCert DLLs | AppCert DLLs | Binary Padding | Brute Force | Browser Bookmark Discovery | Distributed Component Object Model | Clipboard Data | Data Encrypted | Connection Proxy |
| Replication Through Removable Media | Control Panel Items | AppInit DLLs | AppInit DLLs | Bypass User Account Control | Credential Dumping | File and Directory Discovery | Exploitation of Remote Services | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Spearphishing Attachment | Dynamic Data Exchange | Application Shimming | Application Shimming | CMSTP | Credentials in Files | Network Service Scanning | Logon Scripts | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Spearphishing Link | Execution through API | Authentication Package | Bypass User Account Control | Clear Command History | Credentials in Registry | Network Share Discovery | Pass the Hash | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| Spearphishing via Service | Execution through Module Load | BITS Jobs | DLL Search Order Hijacking | Code Signing | Exploitation for Credential Access | Password Policy Discovery | Pass the Ticket | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| Supply Chain Compromise | Exploitation for Client Execution | Bootkit | Dylib Hijacking | Component Firmware | Forced Authentication | Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Trusted Relationship | Graphical User Interface | Browser Extensions | Exploitation for Privilege Escalation | Component Object Model Hijacking | Hooking | Permission Groups Discovery | Remote File Copy | Email Collection | Scheduled Transfer | Fallback Channels |
| Valid Accounts | InstallUtil | Change Default File Association | Extra Window Memory Injection | Control Panel Items | Input Capture | Process Discovery | Remote Services | Input Capture |  | Multi-Stage Channels |
|  | LSASS Driver | Component Firmware | File System Permissions Weakness | DCShadow | Input Prompt | Query Registry | Replication Through Removable Media | Man in the Browser |  | Multi-hop Proxy |
|  | Launchctl | Component Object Model Hijacking | Hooking | DLL Search Order Hijacking | Kerberoasting | Remote System Discovery | SSH Hijacking | Screen Capture |  | Multiband Communication |
|  | Local Job Scheduling | Create Account | Image File Execution Options Injection | DLL Side-Loading | Keychain | Security Software Discovery | Shared Webroot | Video Capture |  | Multilayer Encryption |
|  | Mshta | DLL Search Order Hijacking | Launch Daemon | Deobfuscate/Decode Files or Information | LLMNR/NBT-NS Poisoning | System Information Discovery | Taint Shared Content |  |  | Port Knocking |
|  | PowerShell | Dylib Hijacking | New Service | Disabling Security Tools | Network Sniffing | System Network Configuration Discovery | Third-party Software |  |  | Remote Access Tools |
|  | Regsvcs/Regasm | External Remote Services | Path Interception | Exploitation for Defense Evasion | Password Filter DLL | System Network Connections Discovery | Windows Admin Shares |  |  | Remote File Copy |
|  | Regsvr32 | File System Permissions Weakness | Plist Modification | Extra Window Memory Injection | Private Keys | System Owner/User Discovery | Windows Remote Management |  |  | Standard Application Layer Protocol |
|  | Rundll32 | Hidden Files and Directories | Port Monitors | File Deletion | Replication Through Removable Media | System Service Discovery |  |  |  | Standard Cryptographic Protocol |
|  | Scheduled Task | Hooking | Process Injection | File System Logical Offsets | Securityd Memory | System Time Discovery |  |  |  | Standard Non-Application Layer Protocol |
|  | Scripting | Hypervisor | SID-History Injection | Gatekeeper Bypass | Two-Factor Authentication Interception |  |  |  |  | Uncommonly Used Port |
|  | Service Execution | Image File Execution Options Injection | Scheduled Task | HISTCONTROL |  |  |  |  |  | Web Service |
|  | Signed Binary Proxy Execution | Kernel Modules and Extensions | Service Registry Permissions Weakness | Hidden Files and Directories |  |  |  |  |  |  |
|  | Signed Script Proxy Execution | LC_LOAD_DYLIB Addition | Setuid and Setgid | Hidden Users |  |  |  |  |  |  |
|  | Source | LSASS Driver | Startup Items | Hidden Window |  |  |  |  |  |  |
|  | Space after Filename | Launch Agent | Sudo | Image File Execution Options Injection |  |  |  |  |  |  |
|  | Third-party Software | Launch Daemon | Sudo Caching | Indicator Blocking |  |  |  |  |  |  |
|  | Trap | Launchctl | Valid Accounts | Indicator Removal from Tools |  |  |  |  |  |  |
|  | Trusted Developer Utilities | Local Job Scheduling | Web Shell | Indicator Removal on Host |  |  |  |  |  |  |
|  | User Execution | Login Item |  | Indirect Command Execution |  |  |  |  |  |  |
|  | Windows Management Instrumentation | Logon Scripts |  | Install Root Certificate |  |  |  |  |  |  |
|  | Windows Remote Management | Modify Existing Service |  | InstallUtil |  |  |  |  |  |  |
|  |  | Netsh Helper DLL |  | LC_MAIN Hijacking |  |  |  |  |  |  |
|  |  | New Service |  | Launchctl |  |  |  |  |  |  |
|  |  | Office Application Startup |  | Masquerading |  |  |  |  |  |  |
|  |  | Path Interception |  | Modify Registry |  |  |  |  |  |  |
|  |  | Plist Modification |  | Mshta |  |  |  |  |  |  |
|  |  | Port Knocking |  | NTFS File Attributes |  |  |  |  |  |  |
|  |  | Port Monitors |  | Network Share Connection Removal |  |  |  |  |  |  |
|  |  | Rc.common |  | Obfuscated Files or Information |  |  |  |  |  |  |
|  |  | Re-opened Applications |  | Plist Modification |  |  |  |  |  |  |
|  |  | Redundant Access |  | Port Knocking |  |  |  |  |  |  |
|  |  | Registry Run Keys / Start Folder |  | Process Doppelgänging |  |  |  |  |  |  |
|  |  | SIP and Trust Provider Hijacking |  | Process Hollowing |  |  |  |  |  |  |
|  |  | Scheduled Task |  | Process Injection |  |  |  |  |  |  |
|  |  | Screensaver |  | Redundant Access |  |  |  |  |  |  |
|  |  | Security Support Provider |  | Regsvcs/Regasm |  |  |  |  |  |  |
|  |  | Service Registry Permissions Weakness |  | Regsvr32 |  |  |  |  |  |  |
|  |  | Shortcut Modification |  | Rootkit |  |  |  |  |  |  |
|  |  | Startup Items |  | Rundll32 |  |  |  |  |  |  |
|  |  | System Firmware |  | SIP and Trust Provider Hijacking |  |  |  |  |  |  |
|  |  | Time Providers |  | Scripting |  |  |  |  |  |  |
|  |  | Trap |  | Signed Binary Proxy Execution |  |  |  |  |  |  |
|  |  | Valid Accounts |  | Signed Script Proxy Execution |  |  |  |  |  |  |
|  |  | Web Shell |  | Software Packing |  |  |  |  |  |  |
|  |  | Windows Management Instrumentation Event Subscription |  | Space after Filename |  |  |  |  |  |  |
|  |  | Winlogon Helper DLL |  | Timestomp |  |  |  |  |  |  |
|  |  |  |  | Trusted Developer Utilities |  |  |  |  |  |  |
|  |  |  |  | Valid Accounts |  |  |  |  |  |  |
|  |  |  |  | Web Service |  |  |  |  |  |  |