Skip to content

Latest commit

 

History

History
131 lines (131 loc) · 42.7 KB

matrix.md

File metadata and controls

131 lines (131 loc) · 42.7 KB

All Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Cloud Accounts CONTRIBUTE A TEST AppleScript .bash_profile and .bashrc .bash_profile and .bashrc Abuse Elevation Control Mechanism CONTRIBUTE A TEST /etc/passwd and /etc/shadow CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST Archive Collected Data Automated Exfiltration Application Layer Protocol CONTRIBUTE A TEST Account Access Removal
Compromise Hardware Supply Chain CONTRIBUTE A TEST At (Linux) CONTRIBUTE A TEST Accessibility Features Abuse Elevation Control Mechanism CONTRIBUTE A TEST Access Token Manipulation CONTRIBUTE A TEST Bash History Application Window Discovery Component Object Model and Distributed COM CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Data Transfer Size Limits Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST At (Windows) Account Manipulation Access Token Manipulation CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST Brute Force CONTRIBUTE A TEST Browser Bookmark Discovery Distributed Component Object Model CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Alternative Protocol Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Bash Add Office 365 Global Administrator Role CONTRIBUTE A TEST Accessibility Features Asynchronous Procedure Call Cached Domain Credentials CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Exploitation of Remote Services CONTRIBUTE A TEST Archive via Utility Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Destruction
Default Accounts CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Add-ins CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST BITS Jobs Cloud Instance Metadata API CONTRIBUTE A TEST Cloud Groups CONTRIBUTE A TEST Internal Spearphishing CONTRIBUTE A TEST Audio Capture Exfiltration Over Bluetooth CONTRIBUTE A TEST DNS Data Encrypted for Impact CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST Additional Azure Service Principal Credentials CONTRIBUTE A TEST AppInit DLLs Binary Padding Credential API Hooking Cloud Service Dashboard CONTRIBUTE A TEST Lateral Tool Transfer CONTRIBUTE A TEST Automated Collection Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Component Object Model and Distributed COM CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST Application Shimming Bootkit CONTRIBUTE A TEST Credential Stuffing CONTRIBUTE A TEST Cloud Service Discovery CONTRIBUTE A TEST Pass the Hash Clipboard Data Exfiltration Over Other Network Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Cron AppInit DLLs Asynchronous Procedure Call Bypass User Access Control Credentials In Files Domain Account Pass the Ticket Confluence CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST Dynamic Data Exchange Application Shimming At (Linux) CONTRIBUTE A TEST CMSTP Credentials from Password Stores CONTRIBUTE A TEST Domain Groups RDP Hijacking CONTRIBUTE A TEST Credential API Hooking Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Dead Drop Resolver CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST At (Linux) CONTRIBUTE A TEST At (Windows) Clear Command History Credentials from Web Browsers Domain Trust Discovery Remote Desktop Protocol Data Staged CONTRIBUTE A TEST Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Domain Fronting CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST At (Windows) Authentication Package CONTRIBUTE A TEST Clear Linux or Mac System Logs Credentials in Registry Email Account CONTRIBUTE A TEST Remote Service Session Hijacking CONTRIBUTE A TEST Data from Cloud Storage Object CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Inter-Process Communication CONTRIBUTE A TEST Authentication Package CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Clear Windows Event Logs DCSync CONTRIBUTE A TEST File and Directory Discovery Remote Services CONTRIBUTE A TEST Data from Information Repositories CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST Launchctl BITS Jobs Boot or Logon Initialization Scripts CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Local Account Replication Through Removable Media CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Encrypted Channel External Defacement CONTRIBUTE A TEST
Spearphishing Attachment Launchd Boot or Logon Autostart Execution CONTRIBUTE A TEST Bypass User Access Control Code Signing CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Local Groups SMB/Windows Admin Shares Data from Network Shared Drive CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Malicious File Boot or Logon Initialization Scripts CONTRIBUTE A TEST Change Default File Association Compile After Delivery Forced Authentication CONTRIBUTE A TEST Network Service Scanning SSH CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Inhibit System Recovery
Spearphishing via Service CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Compiled HTML File GUI Input Capture Network Share Discovery SSH Hijacking CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Transfer Data to Cloud Account CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Internal Defacement CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Native API Browser Extensions Component Object Model Hijacking Component Firmware CONTRIBUTE A TEST Golden Ticket CONTRIBUTE A TEST Network Sniffing Shared Webroot CONTRIBUTE A TEST Email Forwarding Rule CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST PowerShell Change Default File Association Create Process with Token CONTRIBUTE A TEST Control Panel Group Policy Preferences Password Policy Discovery Software Deployment Tools CONTRIBUTE A TEST GUI Input Capture Ingress Tool Transfer OS Exhaustion Flood CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Python CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Create Process with Token CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Peripheral Device Discovery CONTRIBUTE A TEST Taint Shared Content CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Internal Proxy Reflection Amplification CONTRIBUTE A TEST
Scheduled Task Cloud Accounts CONTRIBUTE A TEST Cron DLL Search Order Hijacking Kerberoasting Permission Groups Discovery CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST Keylogging Junk Data CONTRIBUTE A TEST Resource Hijacking
Scheduled Task/Job CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST DLL Search Order Hijacking DLL Side-Loading Keychain Process Discovery VNC CONTRIBUTE A TEST LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST Component Object Model Hijacking DLL Side-Loading Default Accounts CONTRIBUTE A TEST Keylogging Query Registry Web Session Cookie CONTRIBUTE A TEST Local Data Staging Multi-Stage Channels CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Service Execution Compromise Client Software Binary CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Deobfuscate/Decode Files or Information LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Remote System Discovery Windows Remote Management Local Email Collection Multi-hop Proxy CONTRIBUTE A TEST Service Stop
Shared Modules CONTRIBUTE A TEST Create Account CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Direct Volume Access CONTRIBUTE A TEST LSA Secrets CONTRIBUTE A TEST Security Software Discovery Man in the Browser CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Software Deployment Tools CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Disable Windows Event Logging LSASS Memory Software Discovery Man-in-the-Middle CONTRIBUTE A TEST Non-Application Layer Protocol System Shutdown/Reboot
Source CONTRIBUTE A TEST Cron Dynamic-link Library Injection CONTRIBUTE A TEST Disable or Modify System Firewall Man-in-the-Middle CONTRIBUTE A TEST System Information Discovery Remote Data Staging CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST DLL Search Order Hijacking Elevated Execution with Prompt CONTRIBUTE A TEST Disable or Modify Tools Modify Authentication Process CONTRIBUTE A TEST System Network Configuration Discovery Remote Email Collection CONTRIBUTE A TEST Non-Standard Port
User Execution CONTRIBUTE A TEST DLL Side-Loading Emond Domain Accounts CONTRIBUTE A TEST NTDS System Network Connections Discovery Screen Capture One-Way Communication CONTRIBUTE A TEST
VBScript CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Network Sniffing System Owner/User Discovery Sharepoint CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Windows Command Shell Domain Account CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST OS Credential Dumping System Service Discovery Video Capture CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Windows Management Instrumentation Domain Accounts CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Dynamic-link Library Injection CONTRIBUTE A TEST Password Cracking CONTRIBUTE A TEST System Time Discovery Web Portal Capture CONTRIBUTE A TEST Protocol Tunneling CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Password Filter DLL Proxy CONTRIBUTE A TEST
Emond Group Policy Modification CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Password Guessing Remote Access Software
Event Triggered Execution CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Execution Guardrails CONTRIBUTE A TEST Password Spraying Standard Encoding
Exchange Email Delegate Permissions CONTRIBUTE A TEST Image File Execution Options Injection Exploitation for Defense Evasion CONTRIBUTE A TEST Private Keys Steganography CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Kernel Modules and Extensions Extra Window Memory Injection CONTRIBUTE A TEST Proc Filesystem CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST File Deletion Security Account Manager Traffic Signaling CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST LD_PRELOAD File and Directory Permissions Modification CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST Web Protocols
Hypervisor CONTRIBUTE A TEST LSASS Driver CONTRIBUTE A TEST Gatekeeper Bypass Silver Ticket CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Image File Execution Options Injection Launch Agent Group Policy Modification CONTRIBUTE A TEST Steal Application Access Token CONTRIBUTE A TEST
Implant Container Image CONTRIBUTE A TEST Launch Daemon HISTCONTROL Steal Web Session Cookie CONTRIBUTE A TEST
Kernel Modules and Extensions Launchd Hidden Files and Directories Steal or Forge Kerberos Tickets CONTRIBUTE A TEST
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Local Accounts CONTRIBUTE A TEST Hidden Users Two-Factor Authentication Interception CONTRIBUTE A TEST
LD_PRELOAD Logon Script (Mac) Hidden Window Unsecured Credentials CONTRIBUTE A TEST
LSASS Driver CONTRIBUTE A TEST Logon Script (Windows) Hide Artifacts CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST
Launch Agent Make and Impersonate Token CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST
Launch Daemon Netsh Helper DLL Impair Defenses CONTRIBUTE A TEST
Launchd Network Logon Script CONTRIBUTE A TEST Indicator Blocking CONTRIBUTE A TEST
Local Account Parent PID Spoofing Indicator Removal from Tools CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Path Interception CONTRIBUTE A TEST Indicator Removal on Host
Logon Script (Mac) Path Interception by PATH Environment Variable CONTRIBUTE A TEST Indirect Command Execution
Logon Script (Windows) Path Interception by Search Order Hijacking CONTRIBUTE A TEST Install Root Certificate
Netsh Helper DLL Path Interception by Unquoted Path InstallUtil
Network Logon Script CONTRIBUTE A TEST Plist Modification Invalid Code Signature CONTRIBUTE A TEST
Office Application Startup CONTRIBUTE A TEST Port Monitors CONTRIBUTE A TEST LC_MAIN Hijacking CONTRIBUTE A TEST
Office Template Macros CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST LD_PRELOAD
Office Test CONTRIBUTE A TEST PowerShell Profile Linux and Mac File and Directory Permissions Modification
Outlook Forms CONTRIBUTE A TEST Proc Memory CONTRIBUTE A TEST Local Accounts CONTRIBUTE A TEST
Outlook Home Page CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST MSBuild
Outlook Rules CONTRIBUTE A TEST Process Hollowing Make and Impersonate Token CONTRIBUTE A TEST
Path Interception CONTRIBUTE A TEST Process Injection Masquerade Task or Service CONTRIBUTE A TEST
Path Interception by PATH Environment Variable CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST Masquerading CONTRIBUTE A TEST
Path Interception by Search Order Hijacking CONTRIBUTE A TEST Rc.common Match Legitimate Name or Location CONTRIBUTE A TEST
Path Interception by Unquoted Path Re-opened Applications Modify Authentication Process CONTRIBUTE A TEST
Plist Modification Registry Run Keys / Startup Folder Modify Registry
Port Knocking CONTRIBUTE A TEST SID-History Injection CONTRIBUTE A TEST Mshta
Port Monitors CONTRIBUTE A TEST Scheduled Task Msiexec
PowerShell Profile Scheduled Task/Job CONTRIBUTE A TEST NTFS File Attributes
Pre-OS Boot CONTRIBUTE A TEST Screensaver Network Share Connection Removal
Rc.common Security Support Provider Obfuscated Files or Information
Re-opened Applications Services File Permissions Weakness Odbcconf
Redundant Access CONTRIBUTE A TEST Services Registry Permissions Weakness Parent PID Spoofing
Registry Run Keys / Startup Folder Setuid and Setgid Pass the Hash
SQL Stored Procedures CONTRIBUTE A TEST Shortcut Modification Pass the Ticket
Scheduled Task Startup Items Password Filter DLL
Scheduled Task/Job CONTRIBUTE A TEST Sudo and Sudo Caching Path Interception by PATH Environment Variable CONTRIBUTE A TEST
Screensaver Systemd Service Path Interception by Search Order Hijacking CONTRIBUTE A TEST
Security Support Provider Thread Execution Hijacking CONTRIBUTE A TEST Path Interception by Unquoted Path
Server Software Component CONTRIBUTE A TEST Thread Local Storage CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Services File Permissions Weakness Time Providers CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST
Services Registry Permissions Weakness Token Impersonation/Theft CONTRIBUTE A TEST Pre-OS Boot CONTRIBUTE A TEST
Shortcut Modification Trap Proc Memory CONTRIBUTE A TEST
Startup Items VDSO Hijacking CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST
System Firmware CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Process Hollowing
Systemd Service Windows Management Instrumentation Event Subscription Process Injection
Time Providers CONTRIBUTE A TEST Windows Service Ptrace System Calls CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST Winlogon Helper DLL PubPrn
Transport Agent Redundant Access CONTRIBUTE A TEST
Trap Regsvcs/Regasm
Valid Accounts CONTRIBUTE A TEST Regsvr32
Web Shell Rename System Utilities
Windows Management Instrumentation Event Subscription Revert Cloud Instance CONTRIBUTE A TEST
Windows Service Right-to-Left Override CONTRIBUTE A TEST
Winlogon Helper DLL Rogue Domain Controller
Rootkit
Rundll32
SID-History Injection CONTRIBUTE A TEST
SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Services File Permissions Weakness
Services Registry Permissions Weakness
Setuid and Setgid
Signed Binary Proxy Execution
Signed Script Proxy Execution
Software Packing
Space after Filename
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Sudo and Sudo Caching
System Checks CONTRIBUTE A TEST
System Firmware CONTRIBUTE A TEST
Template Injection CONTRIBUTE A TEST
Thread Execution Hijacking CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Token Impersonation/Theft CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
Use Alternate Authentication Material CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
VDSO Hijacking CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST
Windows File and Directory Permissions Modification
XSL Script Processing