All Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
External Remote Services	Scheduled Task/Job: Scheduled Task	Scheduled Task/Job: Scheduled Task	Process Injection: Extra Window Memory Injection	Process Injection: Extra Window Memory Injection	Adversary-in-the-Middle CONTRIBUTE A TEST	System Owner/User Discovery	Remote Services:VNC	Archive Collected Data: Archive via Utility	Exfiltration Over Web Service CONTRIBUTE A TEST	Socket Filters CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Windows Management Instrumentation	Socket Filters CONTRIBUTE A TEST	Scheduled Task/Job: Scheduled Task	Socket Filters CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	Container and Resource Discovery	Taint Shared Content CONTRIBUTE A TEST	Screen Capture	Exfiltration Over Webhook CONTRIBUTE A TEST	Data Encoding: Standard Encoding	Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Server Software Component	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Fileless Storage CONTRIBUTE A TEST	Input Capture: Keylogging	Internet Connection Discovery CONTRIBUTE A TEST	Remote Services: SSH	Adversary-in-the-Middle CONTRIBUTE A TEST	Scheduled Transfer CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment	Command and Scripting Interpreter: JavaScript	Modify Authentication Process: Pluggable Authentication Modules	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Signed Binary Proxy Execution: Rundll32	Brute Force: Password Guessing	Permission Groups Discovery CONTRIBUTE A TEST	Replication Through Removable Media	Input Capture: Keylogging	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	Application Layer Protocol: DNS	OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST	Kubernetes Cronjob	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Event Triggered Execution: PowerShell Profile	Embedded Payloads CONTRIBUTE A TEST	OS Credential Dumping	Cloud Groups CONTRIBUTE A TEST	Direct Cloud VM Connections CONTRIBUTE A TEST	Data from Configuration Repository CONTRIBUTE A TEST	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Symmetric Cryptography CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media	Inter-Process Communication: Dynamic Data Exchange	Event Triggered Execution: PowerShell Profile	Create or Modify System Process CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	Steal Web Session Cookie	Group Policy Discovery	SSH Hijacking CONTRIBUTE A TEST	Sharepoint CONTRIBUTE A TEST	Automated Exfiltration	Fast Flux DNS CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise	User Execution: Malicious File	Create or Modify System Process CONTRIBUTE A TEST	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	Revert Cloud Instance CONTRIBUTE A TEST	OS Credential Dumping: Security Account Manager	Device Driver Discovery CONTRIBUTE A TEST	Remote Services: SMB/Windows Admin Shares	Audio Capture	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Application Layer Protocol	Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Scheduled Task/Job: Cron	External Remote Services	Kubernetes Cronjob	File/Path Exclusions CONTRIBUTE A TEST	Unsecured Credentials: Cloud Instance Metadata API	Account Discovery: Domain Account	Use Alternate Authentication Material CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Traffic Duplication CONTRIBUTE A TEST	Remote Access Software	Service Stop
Content Injection CONTRIBUTE A TEST	Component Object Model CONTRIBUTE A TEST	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Bypass User Account Control	File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification	Securityd Memory CONTRIBUTE A TEST	Account Discovery: Local Account	Remote Services CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Content Injection CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Valid Accounts: Default Accounts	Scheduled Task/Job CONTRIBUTE A TEST	Kubernetes Cronjob	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	Signed Script Proxy Execution: Pubprn	Brute Force: Password Cracking	Virtualization/Sandbox Evasion: System Checks	Remote Service Session Hijacking CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Traffic Signaling CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Command and Scripting Interpreter: AppleScript	Pre-OS Boot: System Firmware	Hijack Execution Flow: Services Registry Permissions Weakness	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Credentials from Password Stores: Keychain	Permission Groups Discovery: Domain Groups	Remote Services: Windows Remote Management	Data Staged: Local Data Staging	Exfiltration Over C2 Channel	Protocol Tunneling	Reflection Amplification CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	Native API	Hijack Execution Flow: Services Registry Permissions Weakness	Boot or Logon Autostart Execution	Direct Volume Access	OS Credential Dumping: LSA Secrets	System Service Discovery	Remote Services: Distributed Component Object Model	Email Collection: Local Email Collection	Exfiltration Over Alternative Protocol	Mail Protocols CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	AutoHotKey & AutoIT CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Active Setup	Email Hiding Rules CONTRIBUTE A TEST	Forge Web Credentials: SAML token	Network Sniffing	Use Alternate Authentication Material: Pass the Ticket	Automated Collection	Exfiltration over USB CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST	Cloud API CONTRIBUTE A TEST	Boot or Logon Autostart Execution	Domain Trust Modification	Encrypted/Encoded File CONTRIBUTE A TEST	OS Credential Dumping: Proc Filesystem	Network Share Discovery	Cloud Services CONTRIBUTE A TEST	Clipboard Data	Exfiltration Over Web Service: Exfiltration to Text Storage Sites	External Proxy CONTRIBUTE A TEST	Financial Theft CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Deploy a container	Active Setup	Create or Modify System Process: Windows Service	Rootkit	Password Managers CONTRIBUTE A TEST	Peripheral Device Discovery	Software Deployment Tools	Data from Cloud Storage Object	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Proxy CONTRIBUTE A TEST	Defacement: Internal Defacement
Domain Accounts CONTRIBUTE A TEST	Command and Scripting Interpreter	TFTP Boot CONTRIBUTE A TEST	Scheduled Task/Job: Cron	Double File Extension CONTRIBUTE A TEST	Network Sniffing	System Information Discovery	Exploitation of Remote Services CONTRIBUTE A TEST	Remote Data Staging CONTRIBUTE A TEST	Data Transfer Size Limits	Dynamic Resolution CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	Kubernetes Exec Into Container	Create or Modify System Process: Windows Service	Account Manipulation: Additional Cloud Roles	Abuse Elevation Control Mechanism: Bypass User Account Control	Unsecured Credentials: Credentials in Registry	Wi-Fi Discovery CONTRIBUTE A TEST	Internal Spearphishing CONTRIBUTE A TEST	Data from Local System	Transfer Data to Cloud Account CONTRIBUTE A TEST	Web Service CONTRIBUTE A TEST	Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST	System Services: Launchctl	Scheduled Task/Job: Cron	Boot or Logon Autostart Execution: Print Processors	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	Modify Authentication Process: Password Filter DLL	Application Window Discovery	Lateral Tool Transfer	Archive Collected Data: Archive via Library	Exfiltration Over Physical Medium CONTRIBUTE A TEST	DNS Calculation CONTRIBUTE A TEST	Data Encrypted for Impact
Valid Accounts: Cloud Accounts	Network Device CLI CONTRIBUTE A TEST	Office Application Startup	Hijack Execution Flow: DLL Search Order Hijacking	Modify Cloud Compute Infrastructure CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: AS-REP Roasting	Email Account CONTRIBUTE A TEST	Web Session Cookie CONTRIBUTE A TEST	Network Device Configuration Dump CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Multi-Stage Channels CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST	XPC Services CONTRIBUTE A TEST	Account Manipulation: Additional Cloud Roles	AppDomainManager CONTRIBUTE A TEST	Pre-OS Boot: System Firmware	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST	Remote Service Session Hijacking: RDP Hijacking	Archive Collected Data		Port Knocking CONTRIBUTE A TEST	Resource Hijacking
Valid Accounts: Local Accounts	User Execution CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Print Processors	Additional Container Cluster Roles CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Credentials from Password Stores	Cloud Infrastructure Discovery	Use Alternate Authentication Material: Pass the Hash	Browser Session Hijacking CONTRIBUTE A TEST		File Transfer Protocols CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Software Deployment Tools	Hijack Execution Flow: DLL Search Order Hijacking	Scheduled Task/Job CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Unsecured Credentials	Browser Bookmark Discovery	Remote Services: Remote Desktop Protocol	DHCP Spoofing CONTRIBUTE A TEST		One-Way Communication CONTRIBUTE A TEST	Data Destruction
	Command and Scripting Interpreter: PowerShell	Office Application Startup: Add-ins	Thread Execution Hijacking	Mavinject CONTRIBUTE A TEST	Hybrid Identity CONTRIBUTE A TEST	System Network Configuration Discovery	Application Access Token CONTRIBUTE A TEST	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay		Proxy: Multi-hop Proxy	Network Denial of Service CONTRIBUTE A TEST
	Scheduled Task/Job: Systemd Timers	Server Software Component: Transport Agent	Event Triggered Execution: Application Shimming	Masquerading: Match Legitimate Name or Location	Credentials from Password Stores: Credentials from Web Browsers	Account Discovery CONTRIBUTE A TEST		Web Portal Capture CONTRIBUTE A TEST		Data Obfuscation CONTRIBUTE A TEST	Firmware Corruption CONTRIBUTE A TEST
	Command and Scripting Interpreter: Bash	AppDomainManager CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Port Monitors	Weaken Encryption CONTRIBUTE A TEST	DHCP Spoofing CONTRIBUTE A TEST	Domain Trust Discovery		Video Capture		Non-Standard Port	Inhibit System Recovery
	Inter-Process Communication	Additional Container Cluster Roles CONTRIBUTE A TEST	Boot or Logon Initialization Scripts: Logon Script (Mac)	Masquerade File Type CONTRIBUTE A TEST	Unsecured Credentials: Private Keys	File and Directory Discovery		Confluence CONTRIBUTE A TEST		Encrypted Channel	Disk Content Wipe CONTRIBUTE A TEST
	User Execution: Malicious Image	Scheduled Task/Job CONTRIBUTE A TEST	Process Injection	Hide Artifacts	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	System Network Connections Discovery		Email Collection: Email Forwarding Rule		Bidirectional Communication CONTRIBUTE A TEST	System Shutdown/Reboot
	Exploitation for Client Execution CONTRIBUTE A TEST	Modify Authentication Process: Password Filter DLL	Escape to Host	Domain Trust Modification	OS Credential Dumping: LSASS Memory	Virtualization/Sandbox Evasion CONTRIBUTE A TEST		Data Staged CONTRIBUTE A TEST		Asymmetric Cryptography CONTRIBUTE A TEST
	Command and Scripting Interpreter: Python	Server Software Component: Terminal Services DLL	Boot or Logon Autostart Execution: Shortcut Modification	Impair Defenses: Safe Boot Mode	Brute Force: Password Spraying	Cloud Storage Object Discovery		Input Capture: GUI Input Capture		Non-Application Layer Protocol
	System Services CONTRIBUTE A TEST	Browser Extensions	Boot or Logon Autostart Execution: Security Support Provider	TFTP Boot CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST	Log Enumeration		Data from Network Shared Drive		Protocol Impersonation CONTRIBUTE A TEST
	Command and Scripting Interpreter: Windows Command Shell	Outlook Rules CONTRIBUTE A TEST	Create or Modify System Process: Launch Daemon	Virtualization/Sandbox Evasion: System Checks	OS Credential Dumping: Cached Domain Credentials	Cloud Account CONTRIBUTE A TEST		Email Collection: Remote Email Collection		Domain Fronting CONTRIBUTE A TEST
	Cloud Administration Command CONTRIBUTE A TEST	Event Triggered Execution: Application Shimming	Hijack Execution Flow: Path Interception by Search Order Hijacking	Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs	Steal or Forge Kerberos Tickets: Golden Ticket	Process Discovery		Input Capture CONTRIBUTE A TEST		Data Encoding CONTRIBUTE A TEST
	Command and Scripting Interpreter: Visual Basic	Boot or Logon Autostart Execution: Port Monitors	Domain Policy Modification: Group Policy Modification	Signed Binary Proxy Execution: InstallUtil	Steal or Forge Authentication Certificates	User Activity Based Checks CONTRIBUTE A TEST		ARP Cache Poisoning CONTRIBUTE A TEST		Non-Standard Encoding CONTRIBUTE A TEST
	Serverless Execution CONTRIBUTE A TEST	Boot or Logon Initialization Scripts: Logon Script (Mac)	Valid Accounts: Default Accounts	Stripped Payloads CONTRIBUTE A TEST	Unsecured Credentials: Bash History	Permission Groups Discovery: Local Groups		Code Repositories CONTRIBUTE A TEST		Application Layer Protocol: Web Protocols
	Malicious Link CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Time Providers	Hijack Execution Flow: DLL Search Order Hijacking	Unsecured Credentials: Credentials In Files	Password Policy Discovery		Data from Information Repositories CONTRIBUTE A TEST		Ingress Tool Transfer
	System Services: Service Execution	Boot or Logon Autostart Execution: Shortcut Modification	Event Triggered Execution: Trap	Subvert Trust Controls: Gatekeeper Bypass	Web Cookies CONTRIBUTE A TEST	System Location Discovery: System Language Discovery		SNMP (MIB Dump) CONTRIBUTE A TEST		Hide Infrastructure CONTRIBUTE A TEST
	Scheduled Task/Job: At	Implant Internal Image CONTRIBUTE A TEST	Hijack Execution Flow: LD_PRELOAD	Code Signing CONTRIBUTE A TEST	Steal Application Access Token	Query Registry		Input Capture: Credential API Hooking		Data Obfuscation via Steganography
		Boot or Logon Autostart Execution: Security Support Provider	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Break Process Trees CONTRIBUTE A TEST	Unsecured Credentials: Group Policy Preferences	System Location Discovery CONTRIBUTE A TEST				Fallback Channels CONTRIBUTE A TEST
		Hybrid Identity CONTRIBUTE A TEST	Create Process with Token	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	Network Provider DLL CONTRIBUTE A TEST	Software Discovery: Security Software Discovery				Proxy: Internal Proxy
		Create or Modify System Process: Launch Daemon	Abuse Elevation Control Mechanism: Setuid and Setgid	AppDomainManager CONTRIBUTE A TEST	Forge Web Credentials CONTRIBUTE A TEST	Cloud Service Discovery				Dead Drop Resolver CONTRIBUTE A TEST
		Hijack Execution Flow: Path Interception by Search Order Hijacking	Boot or Logon Autostart Execution: Winlogon Helper DLL	Signed Binary Proxy Execution: Msiexec	Multi-Factor Authentication Request Generation CONTRIBUTE A TEST	Remote System Discovery				Junk Data CONTRIBUTE A TEST
		Server Software Component: Web Shell	SSH Authorized Keys	Modify Authentication Process: Password Filter DLL	Chat Messages CONTRIBUTE A TEST	Network Service Discovery
		Valid Accounts: Default Accounts	Event Triggered Execution: Image File Execution Options Injection	Clear Network Connection History and Configurations CONTRIBUTE A TEST	Exploitation for Credential Access CONTRIBUTE A TEST	Software Discovery
		Time Providers	Temporary Elevated Cloud Access CONTRIBUTE A TEST	Reduce Key Space CONTRIBUTE A TEST	Input Capture: GUI Input Capture	Cloud Service Dashboard CONTRIBUTE A TEST
		Event Triggered Execution: Trap	Process Doppelgänging CONTRIBUTE A TEST	Indicator Removal on Host: Clear Command History	Brute Force CONTRIBUTE A TEST	Debugger Evasion
		Hijack Execution Flow: LD_PRELOAD	Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Indirect Command Execution	Brute Force: Credential Stuffing	System Time Discovery
		Create Account: Local Account	Event Triggered Execution: Accessibility Features	Deobfuscate/Decode Files or Information	Multi-Factor Authentication CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Winlogon Helper DLL	Process Injection: Asynchronous Procedure Call	Impair Defenses	Forced Authentication
		SSH Authorized Keys	Event Triggered Execution: AppCert DLLs	Thread Execution Hijacking	Input Capture CONTRIBUTE A TEST
		Event Triggered Execution: Image File Execution Options Injection	Device Registration CONTRIBUTE A TEST	Masquerading	ARP Cache Poisoning CONTRIBUTE A TEST
		Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Process Injection: Portable Executable Injection	Email Collection: Mailbox Manipulation	Conditional Access Policies CONTRIBUTE A TEST
		Event Triggered Execution: Accessibility Features	Boot or Logon Autostart Execution: Login Items	Process Injection	Cloud Secrets Management Stores CONTRIBUTE A TEST
		Create Account: Domain Account	Access Token Manipulation: Token Impersonation/Theft	Traffic Signaling CONTRIBUTE A TEST	OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
		Component Firmware CONTRIBUTE A TEST	Account Manipulation: Additional Cloud Credentials	Signed Binary Proxy Execution	Steal or Forge Kerberos Tickets: Silver Ticket
		Office Application Startup: Office Template Macros.	Make and Impersonate Token CONTRIBUTE A TEST	Indicator Removal on Host: Timestomp	Credentials from Password Stores: Windows Credential Manager
		Event Triggered Execution: AppCert DLLs	Event Triggered Execution: Windows Management Instrumentation Event Subscription	Reflective Code Loading	Domain Controller Authentication CONTRIBUTE A TEST
		Device Registration CONTRIBUTE A TEST	Access Token Manipulation: Parent PID Spoofing	Ignore Process Interrupts CONTRIBUTE A TEST	Reversible Encryption CONTRIBUTE A TEST
		Pre-OS Boot CONTRIBUTE A TEST	Event Triggered Execution: Change Default File Association	Time Based Evasion CONTRIBUTE A TEST	Multi-Factor Authentication Interception CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Login Items	VDSO Hijacking CONTRIBUTE A TEST	Signed Binary Proxy Execution: CMSTP	OS Credential Dumping: NTDS
		Port Knocking CONTRIBUTE A TEST	Event Triggered Execution: Emond	Impair Defenses: Disable Windows Event Logging	Steal or Forge Kerberos Tickets: Kerberoasting
		Account Manipulation: Additional Cloud Credentials	Services File Permissions Weakness CONTRIBUTE A TEST	Signed Binary Proxy Execution: Control Panel	OS Credential Dumping: DCSync
		Network Provider DLL CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Network Address Translation Traversal CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST
		Event Triggered Execution: Windows Management Instrumentation Event Subscription	Account Manipulation	Use Alternate Authentication Material CONTRIBUTE A TEST	Input Capture: Credential API Hooking
		Compromise Host Software Binary CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Kernel Modules and Extensions	Impair Defenses: Disable or Modify System Firewall	Kubernetes List Secrets
		Event Triggered Execution: Change Default File Association	KernelCallbackTable CONTRIBUTE A TEST	Subvert Trust Controls: SIP and Trust Provider Hijacking	Network Device Authentication CONTRIBUTE A TEST
		Event Triggered Execution: Emond	Scheduled Task/Job: Systemd Timers	Hybrid Identity CONTRIBUTE A TEST
		Services File Permissions Weakness CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	Electron Applications CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Container Service CONTRIBUTE A TEST	Impair Defenses: Disable or Modify Linux Audit System
		Create Account: Cloud Account	Valid Accounts CONTRIBUTE A TEST	Rogue Domain Controller
		Account Manipulation	Process Injection: Process Hollowing	Code Signing Policy Modification CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Kernel Modules and Extensions	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Deploy a container
		KernelCallbackTable CONTRIBUTE A TEST	Event Triggered Execution	Modify Registry
		Scheduled Task/Job: Systemd Timers	Event Triggered Execution: .bash_profile .bashrc and .shrc	Hijack Execution Flow: Path Interception by Search Order Hijacking
		ROMMONkit CONTRIBUTE A TEST	Access Token Manipulation: SID-History Injection	Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
		Outlook Forms CONTRIBUTE A TEST	Elevated Execution with Prompt CONTRIBUTE A TEST	Obfuscated Files or Information: Binary Padding
		Hijack Execution Flow CONTRIBUTE A TEST	Authentication Package	Domain Policy Modification: Group Policy Modification
		Container Service CONTRIBUTE A TEST	Event Triggered Execution: Component Object Model Hijacking	Valid Accounts: Default Accounts
		Valid Accounts CONTRIBUTE A TEST	Hijack Execution Flow: Path Interception by Unquoted Path	Hijack Execution Flow: LD_PRELOAD
		Multi-Factor Authentication CONTRIBUTE A TEST	Boot or Logon Initialization Scripts: Startup Items	Indicator Removal on Host: Clear Windows Event Logs
		IIS Components	Domain Accounts CONTRIBUTE A TEST	File and Directory Permissions Modification CONTRIBUTE A TEST
		Event Triggered Execution	Network Logon Script CONTRIBUTE A TEST	Abuse Elevation Control Mechanism CONTRIBUTE A TEST
		Event Triggered Execution: .bash_profile .bashrc and .shrc	Event Triggered Execution: AppInit DLLs	Create Process with Token
		Authentication Package	Event Triggered Execution: Screensaver	Abuse Elevation Control Mechanism: Setuid and Setgid
		Event Triggered Execution: Component Object Model Hijacking	Create or Modify System Process: Launch Agent	Signed Binary Proxy Execution: Odbcconf
		Office Application Startup: Outlook Home Page	Proc Memory CONTRIBUTE A TEST	Temporary Elevated Cloud Access CONTRIBUTE A TEST
		Hijack Execution Flow: Path Interception by Unquoted Path	Installer Packages CONTRIBUTE A TEST	Process Doppelgänging CONTRIBUTE A TEST
		Boot or Logon Initialization Scripts: Startup Items	Boot or Logon Initialization Scripts: Rc.common	Delete Cloud Instance CONTRIBUTE A TEST
		Domain Accounts CONTRIBUTE A TEST	Access Token Manipulation CONTRIBUTE A TEST	Executable Installer File Permissions Weakness CONTRIBUTE A TEST
		Network Logon Script CONTRIBUTE A TEST	Create or Modify System Process: SysV/Systemd Service	Impair Defenses: Indicator Blocking
		BITS Jobs	XDG Autostart Entries CONTRIBUTE A TEST	Disable or Modify Cloud Firewall CONTRIBUTE A TEST
		Event Triggered Execution: AppInit DLLs	Thread Local Storage CONTRIBUTE A TEST	Right-to-Left Override CONTRIBUTE A TEST
		Event Triggered Execution: Screensaver	Boot or Logon Autostart Execution: Re-opened Applications	Component Firmware CONTRIBUTE A TEST
		Conditional Access Policies CONTRIBUTE A TEST	Hijack Execution Flow: DLL Side-Loading	Indicator Removal on Host
		Create or Modify System Process: Launch Agent	Account Manipulation: Additional Email Delegate Permissions	Use Alternate Authentication Material: Pass the Ticket
		Server Software Component CONTRIBUTE A TEST	TCC Manipulation CONTRIBUTE A TEST	Masquerading: Masquerade Task or Service
		Domain Controller Authentication CONTRIBUTE A TEST	Ptrace System Calls CONTRIBUTE A TEST	Process Injection: Asynchronous Procedure Call
		Reversible Encryption CONTRIBUTE A TEST	Boot or Logon Initialization Scripts: Logon Script (Windows)	Plist File Modification
		Installer Packages CONTRIBUTE A TEST	Process Injection: ListPlanting	Subvert Trust Controls: Mark-of-the-Web Bypass
		Boot or Logon Initialization Scripts: Rc.common	Domain or Tenant Policy Modification CONTRIBUTE A TEST	Disable Crypto Hardware CONTRIBUTE A TEST
		Create or Modify System Process: SysV/Systemd Service	Boot or Logon Autostart Execution: LSASS Driver	Pre-OS Boot CONTRIBUTE A TEST
		Create Account CONTRIBUTE A TEST	Valid Accounts: Cloud Accounts	Build Image on Host
		XDG Autostart Entries CONTRIBUTE A TEST	Scheduled Task/Job: At	Process Injection: Portable Executable Injection
		Boot or Logon Autostart Execution: Re-opened Applications	Process Injection: Dynamic-link Library Injection	Verclsid CONTRIBUTE A TEST
		Hijack Execution Flow: DLL Side-Loading	Event Triggered Execution: Netsh Helper DLL	Impair Defenses: Downgrade Attack
		Account Manipulation: Additional Email Delegate Permissions	Dylib Hijacking CONTRIBUTE A TEST	Virtualization/Sandbox Evasion CONTRIBUTE A TEST
		Power Settings CONTRIBUTE A TEST	Valid Accounts: Local Accounts	Signed Binary Proxy Execution: Mshta
		Boot or Logon Initialization Scripts: Logon Script (Windows)	Hijack Execution Flow: COR_PROFILER	Execution Guardrails CONTRIBUTE A TEST
		Office Application Startup: Office Test		Access Token Manipulation: Token Impersonation/Theft
		Boot or Logon Autostart Execution: LSASS Driver		Port Knocking CONTRIBUTE A TEST
		Valid Accounts: Cloud Accounts		LNK Icon Smuggling CONTRIBUTE A TEST
		Scheduled Task/Job: At		Hide Artifacts: Hidden Users
		Modify Authentication Process CONTRIBUTE A TEST		Make and Impersonate Token CONTRIBUTE A TEST
		Event Triggered Execution: Netsh Helper DLL		Impair Defenses: Impair Command History Logging
		SQL Stored Procedures CONTRIBUTE A TEST		Network Provider DLL CONTRIBUTE A TEST
		Network Device Authentication CONTRIBUTE A TEST		User Activity Based Checks CONTRIBUTE A TEST
		Dylib Hijacking CONTRIBUTE A TEST		Access Token Manipulation: Parent PID Spoofing
		Valid Accounts: Local Accounts		VDSO Hijacking CONTRIBUTE A TEST
		Hijack Execution Flow: COR_PROFILER		Services File Permissions Weakness CONTRIBUTE A TEST
				KernelCallbackTable CONTRIBUTE A TEST
				ROMMONkit CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Compiled HTML File
				Indicator Removal on Host: Network Share Connection Removal
				Impair Defenses: Disable or Modify Tools
				Modify System Image CONTRIBUTE A TEST
				Hijack Execution Flow CONTRIBUTE A TEST
				Indicator Removal from Tools CONTRIBUTE A TEST
				Valid Accounts CONTRIBUTE A TEST
				Process Injection: Process Hollowing
				Resource Forking CONTRIBUTE A TEST
				Obfuscated Files or Information
				Multi-Factor Authentication CONTRIBUTE A TEST
				Invalid Code Signature CONTRIBUTE A TEST
				Run Virtual Instance
				Access Token Manipulation: SID-History Injection
				Network Boundary Bridging CONTRIBUTE A TEST
				Subvert Trust Controls CONTRIBUTE A TEST
				Elevated Execution with Prompt CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Regsvr32
				Masquerading: Rename System Utilities
				Spoof Security Alerting CONTRIBUTE A TEST
				Hijack Execution Flow: Path Interception by Unquoted Path
				Steganography CONTRIBUTE A TEST
				Web Session Cookie CONTRIBUTE A TEST
				Domain Accounts CONTRIBUTE A TEST
				Signed Binary Proxy Execution: Regsvcs/Regasm
				Subvert Trust Controls: Install Root Certificate
				Obfuscated Files or Information: Compile After Delivery
				VBA Stomping CONTRIBUTE A TEST
				BITS Jobs
				Trusted Developer Utilities Proxy Execution: MSBuild
				Impersonation CONTRIBUTE A TEST
				Modify Cloud Compute Configurations CONTRIBUTE A TEST
				Impair Defenses: Disable Cloud Logs
				Hide Artifacts: Hidden Window
				Conditional Access Policies CONTRIBUTE A TEST
				Create Cloud Instance CONTRIBUTE A TEST
				Proc Memory CONTRIBUTE A TEST
				Patch System Image CONTRIBUTE A TEST
				Clear Persistence CONTRIBUTE A TEST
				Domain Controller Authentication CONTRIBUTE A TEST
				HTML Smuggling
				Reversible Encryption CONTRIBUTE A TEST
				Command Obfuscation CONTRIBUTE A TEST
				Indicator Removal on Host: File Deletion
				Template Injection
				Access Token Manipulation CONTRIBUTE A TEST
				Obfuscated Files or Information: Software Packing
				Hidden File System CONTRIBUTE A TEST
				Thread Local Storage CONTRIBUTE A TEST
				Debugger Evasion
				Masquerading: Space after Filename
				Use Alternate Authentication Material: Pass the Hash
				Hijack Execution Flow: DLL Side-Loading
				SyncAppvPublishingServer CONTRIBUTE A TEST
				TCC Manipulation CONTRIBUTE A TEST
				Ptrace System Calls CONTRIBUTE A TEST
				Obfuscated Files or Information: Dynamic API Resolution
				Process Injection: ListPlanting
				Domain or Tenant Policy Modification CONTRIBUTE A TEST
				XSL Script Processing
				Hide Artifacts: Hidden Files and Directories
				Create Snapshot CONTRIBUTE A TEST
				Application Access Token CONTRIBUTE A TEST
				Valid Accounts: Cloud Accounts
				Environmental Keying CONTRIBUTE A TEST
				Hide Artifacts: NTFS File Attributes
				Process Injection: Dynamic-link Library Injection
				Modify Authentication Process CONTRIBUTE A TEST
				Signed Script Proxy Execution
				Network Device Authentication CONTRIBUTE A TEST
				Dylib Hijacking CONTRIBUTE A TEST
				Downgrade System Image CONTRIBUTE A TEST
				Valid Accounts: Local Accounts
				Exploitation for Defense Evasion CONTRIBUTE A TEST
				Trusted Developer Utilities Proxy Execution
				MMC CONTRIBUTE A TEST
				Process Argument Spoofing CONTRIBUTE A TEST
				Hijack Execution Flow: COR_PROFILER

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

matrix.md

matrix.md

All Atomic Tests by ATT&CK Tactic & Technique

Files

matrix.md

Latest commit

History

matrix.md

File metadata and controls

All Atomic Tests by ATT&CK Tactic & Technique