MITRE ATT&CK® Matrix

Enterprise ATT&CK Matrix

A Glexia-styled visualization of ATT&CK tactics and techniques. This is not the MITRE Navigator UI and does not imply MITRE endorsement.

Matrix workbench

697 techniques and sub-techniques mapped across 15 tactics

Use this as a fast defensive coverage map. Each cell links to the normalized Glexia detail page with official source attribution and relationship context.

TA0009

Collection

41 techniques

T1005 Data from Local System ESXi, Linux T1025 Data from Removable Media Linux, macOS T1039 Data from Network Shared Drive Linux, macOS T1056 Input Capture Linux, macOS T1056.001 Keylogging Linux, macOS T1056.002 GUI Input Capture Linux, macOS T1056.003 Web Portal Capture Linux, macOS T1056.004 Credential API Hooking Windows, Linux T1074 Data Staged ESXi, IaaS T1074.001 Local Data Staging ESXi, Linux T1074.002 Remote Data Staging ESXi, IaaS T1113 Screen Capture Linux, macOS T1114 Email Collection Windows, macOS T1114.001 Local Email Collection Windows T1114.002 Remote Email Collection Office Suite, Windows T1114.003 Email Forwarding Rule Linux, macOS T1115 Clipboard Data Linux, macOS T1119 Automated Collection IaaS, Linux T1123 Audio Capture Linux, macOS T1125 Video Capture Linux, macOS T1185 Browser Session Hijacking Windows T1213 Data from Information Repositories Linux, Windows T1213.001 Confluence SaaS T1213.002 Sharepoint Office Suite, Windows T1213.003 Code Repositories SaaS T1213.004 Customer Relationship Management Software SaaS T1213.005 Messaging Applications Office Suite, SaaS T1213.006 Databases IaaS, Linux T1530 Data from Cloud Storage IaaS, Office Suite T1557 Adversary-in-the-Middle Linux, macOS T1557.001 Name Resolution Poisoning and SMB Relay Windows T1557.002 ARP Cache Poisoning Linux, Windows T1557.003 DHCP Spoofing Linux, Windows T1557.004 Evil Twin Network Devices T1560 Archive Collected Data Linux, macOS T1560.001 Archive via Utility Linux, macOS T1560.002 Archive via Library Linux, macOS T1560.003 Archive via Custom Method Linux, macOS T1602 Data from Configuration Repository Network Devices T1602.001 SNMP (MIB Dump) Network Devices T1602.002 Network Device Configuration Dump Network Devices
TA0011

Command and Control

45 techniques

T1001 Data Obfuscation ESXi, Linux T1001.001 Junk Data ESXi, Linux T1001.002 Steganography Linux, macOS T1001.003 Protocol or Service Impersonation ESXi, Linux T1008 Fallback Channels ESXi, Linux T1071 Application Layer Protocol Linux, macOS T1071.001 Web Protocols ESXi, Linux T1071.002 File Transfer Protocols ESXi, Linux T1071.003 Mail Protocols Linux, macOS T1071.004 DNS ESXi, Linux T1071.005 Publish/Subscribe Protocols macOS, Linux T1090 Proxy ESXi, Linux T1090.001 Internal Proxy ESXi, Linux T1090.002 External Proxy ESXi, Linux T1090.003 Multi-hop Proxy ESXi, Linux T1090.004 Domain Fronting Linux, macOS T1092 Communication Through Removable Media Linux, macOS T1095 Non-Application Layer Protocol ESXi, Linux T1102 Web Service ESXi, Linux T1102.001 Dead Drop Resolver ESXi, Linux T1102.002 Bidirectional Communication ESXi, Linux T1102.003 One-Way Communication Linux, macOS T1104 Multi-Stage Channels Linux, macOS T1105 Ingress Tool Transfer ESXi, Linux T1132 Data Encoding ESXi, Linux T1132.001 Standard Encoding ESXi, Linux T1132.002 Non-Standard Encoding ESXi, Linux T1205 Traffic Signaling Linux, macOS T1205.001 Port Knocking Linux, macOS T1205.002 Socket Filters Linux, macOS T1219 Remote Access Tools Linux, macOS T1219.001 IDE Tunneling Linux, macOS T1219.002 Remote Desktop Software Linux, macOS T1219.003 Remote Access Hardware Linux, macOS T1568 Dynamic Resolution ESXi, Linux T1568.001 Fast Flux DNS Linux, macOS T1568.002 Domain Generation Algorithms ESXi, Linux T1568.003 DNS Calculation ESXi, Linux T1571 Non-Standard Port ESXi, Linux T1572 Protocol Tunneling ESXi, Linux T1573 Encrypted Channel ESXi, Linux T1573.001 Symmetric Cryptography ESXi, Linux T1573.002 Asymmetric Cryptography ESXi, Linux T1659 Content Injection Linux, macOS T1665 Hide Infrastructure ESXi, Linux
TA0006

Credential Access

67 techniques

T1003 OS Credential Dumping Linux, macOS T1003.001 LSASS Memory Windows T1003.002 Security Account Manager Windows T1003.003 NTDS Windows T1003.004 LSA Secrets Windows T1003.005 Cached Domain Credentials Windows, Linux T1003.006 DCSync Windows T1003.007 Proc Filesystem Linux T1003.008 /etc/passwd and /etc/shadow Linux T1040 Network Sniffing IaaS, Linux T1056 Input Capture Linux, macOS T1056.001 Keylogging Linux, macOS T1056.002 GUI Input Capture Linux, macOS T1056.003 Web Portal Capture Linux, macOS T1056.004 Credential API Hooking Windows, Linux T1110 Brute Force Containers, ESXi T1110.001 Password Guessing Containers, ESXi T1110.002 Password Cracking Identity Provider, Linux T1110.003 Password Spraying Containers, ESXi T1110.004 Credential Stuffing Containers, ESXi T1111 Multi-Factor Authentication Interception Linux, macOS T1187 Forced Authentication Windows T1212 Exploitation for Credential Access Linux, Windows T1528 Steal Application Access Token Containers, IaaS T1539 Steal Web Session Cookie Linux, macOS T1552 Unsecured Credentials Windows, SaaS T1552.001 Credentials In Files Containers, IaaS T1552.002 Credentials in Registry Windows T1552.003 Shell History Linux, macOS T1552.004 Private Keys Linux, macOS T1552.005 Cloud Instance Metadata API IaaS T1552.006 Group Policy Preferences Windows T1552.007 Container API Containers T1552.008 Chat Messages SaaS, Office Suite T1555 Credentials from Password Stores IaaS, Linux T1555.001 Keychain macOS T1555.002 Securityd Memory Linux, macOS T1555.003 Credentials from Web Browsers Linux, macOS T1555.004 Windows Credential Manager Windows T1555.005 Password Managers Linux, macOS T1555.006 Cloud Secrets Management Stores IaaS T1556 Modify Authentication Process IaaS, Identity Provider T1556.001 Domain Controller Authentication Windows T1556.002 Password Filter DLL Windows T1556.003 Pluggable Authentication Modules Linux, macOS T1556.004 Network Device Authentication Network Devices T1556.005 Reversible Encryption Windows 
T1556.006 Multi-Factor Authentication IaaS, Identity Provider T1556.007 Hybrid Identity IaaS, Identity Provider T1556.008 Network Provider DLL Windows T1556.009 Conditional Access Policies IaaS, Identity Provider T1557 Adversary-in-the-Middle Linux, macOS T1557.001 Name Resolution Poisoning and SMB Relay Windows T1557.002 ARP Cache Poisoning Linux, Windows T1557.003 DHCP Spoofing Linux, Windows T1557.004 Evil Twin Network Devices T1558 Steal or Forge Kerberos Tickets Linux, macOS T1558.001 Golden Ticket Windows T1558.002 Silver Ticket Windows T1558.003 Kerberoasting Windows T1558.004 AS-REP Roasting Windows T1558.005 Ccache Files Linux, macOS T1606 Forge Web Credentials SaaS, Windows T1606.001 Web Cookies Linux, macOS T1606.002 SAML Tokens SaaS, Windows T1621 Multi-Factor Authentication Request Generation Windows, Linux T1649 Steal or Forge Authentication Certificates Windows, Linux
TA0112

Defense Impairment

56 techniques

T1112 Modify Registry Windows T1207 Rogue Domain Controller Windows T1222 File and Directory Permissions Modification ESXi, Linux T1222.001 Windows Permissions Windows T1222.002 Linux and Mac Permissions Linux, macOS T1484 Domain or Tenant Policy Modification Windows, Identity Provider T1484.001 Group Policy Modification Windows T1484.002 Trust Modification Identity Provider, Windows T1553 Subvert Trust Controls Linux, macOS T1553.001 Gatekeeper Bypass macOS T1553.002 Code Signing macOS, Windows T1553.003 SIP and Trust Provider Hijacking Windows T1553.004 Install Root Certificate Linux, macOS T1553.005 Mark-of-the-Web Bypass Windows T1553.006 Code Signing Policy Modification macOS, Windows T1556 Modify Authentication Process IaaS, Identity Provider T1556.001 Domain Controller Authentication Windows T1556.002 Password Filter DLL Windows T1556.003 Pluggable Authentication Modules Linux, macOS T1556.004 Network Device Authentication Network Devices T1556.005 Reversible Encryption Windows T1556.006 Multi-Factor Authentication IaaS, Identity Provider T1556.007 Hybrid Identity IaaS, Identity Provider T1556.008 Network Provider DLL Windows T1556.009 Conditional Access Policies IaaS, Identity Provider T1578 Modify Cloud Compute Infrastructure IaaS T1578.001 Create Snapshot IaaS T1578.002 Create Cloud Instance IaaS T1578.003 Delete Cloud Instance IaaS T1578.004 Revert Cloud Instance IaaS T1578.005 Modify Cloud Compute Configurations IaaS T1599 Network Boundary Bridging Network Devices T1599.001 Network Address Translation Traversal Network Devices T1600 Weaken Encryption Network Devices T1600.001 Reduce Key Space Network Devices T1600.002 Disable Crypto Hardware Network Devices T1601 Modify System Image Network Devices T1601.001 Patch System Image Network Devices T1601.002 Downgrade System Image Network Devices T1647 Plist File Modification macOS T1666 Modify Cloud Resource Hierarchy IaaS T1685 Disable or Modify Tools Containers, ESXi T1685.001 Disable or Modify Windows 
Event Log Windows T1685.002 Disable or Modify Cloud Log IaaS, SaaS T1685.003 Modify or Spoof Tool UI Linux, macOS T1685.004 Disable or Modify Linux Audit System Log Linux T1685.005 Clear Windows Event Logs Windows T1685.006 Clear Linux or Mac System Logs Linux, macOS T1686 Disable or Modify System Firewall ESXi, Linux T1686.001 Cloud Firewall IaaS T1686.002 Network Device Firewall Network Devices T1686.003 Windows Host Firewall Windows T1687 Exploitation for Defense Impairment IaaS, Linux T1688 Safe Mode Boot Windows T1689 Downgrade Attack macOS, Windows T1690 Prevent Command History Logging ESXi, Linux
TA0007

Discovery

49 techniques

T1007 System Service Discovery Linux, macOS T1010 Application Window Discovery Linux, macOS T1012 Query Registry Windows T1016 System Network Configuration Discovery ESXi, Linux T1016.001 Internet Connection Discovery Windows, Linux T1016.002 Wi-Fi Discovery Linux, Windows T1018 Remote System Discovery ESXi, Linux T1033 System Owner/User Discovery Linux, macOS T1040 Network Sniffing IaaS, Linux T1046 Network Service Discovery Containers, IaaS T1049 System Network Connections Discovery ESXi, IaaS T1057 Process Discovery ESXi, Linux T1069 Permission Groups Discovery Containers, IaaS T1069.001 Local Groups Linux, macOS T1069.002 Domain Groups Linux, macOS T1069.003 Cloud Groups SaaS, IaaS T1082 System Information Discovery ESXi, IaaS T1083 File and Directory Discovery ESXi, Linux T1087 Account Discovery ESXi, IaaS T1087.001 Local Account ESXi, Linux T1087.002 Domain Account Linux, macOS T1087.003 Email Account Windows, Office Suite T1087.004 Cloud Account IaaS, Identity Provider T1120 Peripheral Device Discovery Linux, macOS T1124 System Time Discovery ESXi, Linux T1135 Network Share Discovery Linux, macOS T1201 Password Policy Discovery Windows, Linux T1217 Browser Information Discovery Linux, macOS T1482 Domain Trust Discovery Windows T1497 Virtualization/Sandbox Evasion Linux, macOS T1497.001 System Checks Linux, macOS T1497.002 User Activity Based Checks Linux, macOS T1497.003 Time Based Checks Linux, macOS T1518 Software Discovery ESXi, IaaS T1518.001 Security Software Discovery IaaS, Linux T1518.002 Backup Software Discovery Windows, macOS T1526 Cloud Service Discovery IaaS, Identity Provider T1538 Cloud Service Dashboard IaaS, SaaS T1580 Cloud Infrastructure Discovery IaaS T1613 Container and Resource Discovery Containers T1614 System Location Discovery IaaS, Linux T1614.001 System Language Discovery Linux, macOS T1615 Group Policy Discovery Windows T1619 Cloud Storage Object Discovery IaaS T1622 Debugger Evasion Linux, macOS T1652 Device Driver Discovery 
Linux, macOS T1654 Log Enumeration ESXi, IaaS T1673 Virtual Machine Discovery ESXi, Linux T1680 Local Storage Discovery ESXi, IaaS
TA0002

Execution

64 techniques

T1047 Windows Management Instrumentation Windows T1053 Scheduled Task/Job Containers, ESXi T1053.002 At Windows, Linux T1053.003 Cron Linux, macOS T1053.005 Scheduled Task Windows T1053.006 Systemd Timers Linux T1053.007 Container Orchestration Job Containers T1059 Command and Scripting Interpreter Containers, ESXi T1059.001 PowerShell Windows T1059.002 AppleScript macOS T1059.003 Windows Command Shell Windows T1059.004 Unix Shell ESXi, Linux T1059.005 Visual Basic Linux, macOS T1059.006 Python ESXi, Linux T1059.007 JavaScript Linux, macOS T1059.008 Network Device CLI Network Devices T1059.009 Cloud API IaaS, Identity Provider T1059.010 AutoHotKey & AutoIT Windows T1059.011 Lua Linux, Network Devices T1059.012 Hypervisor CLI ESXi T1059.013 Container CLI/API Containers T1072 Software Deployment Tools Linux, macOS T1106 Native API Linux, macOS T1127 Trusted Developer Utilities Proxy Execution Windows T1127.001 MSBuild Windows T1127.002 ClickOnce Windows T1127.003 JamPlus Windows T1129 Shared Modules Linux, macOS T1197 BITS Jobs Windows T1203 Exploitation for Client Execution Linux, macOS T1204 User Execution Linux, Windows T1204.001 Malicious Link Linux, macOS T1204.002 Malicious File Linux, macOS T1204.003 Malicious Image IaaS, Containers T1204.004 Malicious Copy and Paste Linux, macOS T1204.005 Malicious Library Linux, macOS T1559 Inter-Process Communication Linux, macOS T1559.001 Component Object Model Windows T1559.002 Dynamic Data Exchange Windows T1559.003 XPC Services macOS T1569 System Services Windows, macOS T1569.001 Launchctl macOS T1569.002 Service Execution Windows T1569.003 Systemctl Linux T1574 Hijack Execution Flow Linux, macOS T1574.001 DLL Windows T1574.004 Dylib Hijacking macOS T1574.005 Executable Installer File Permissions Weakness Windows T1574.006 Dynamic Linker Hijacking Linux, macOS T1574.007 Path Interception by PATH Environment Variable Linux, macOS T1574.008 Path Interception by Search Order Hijacking Windows T1574.009 Path Interception by 
Unquoted Path Windows T1574.010 Services File Permissions Weakness Windows T1574.011 Services Registry Permissions Weakness Windows T1574.012 COR_PROFILER Windows T1574.013 KernelCallbackTable Windows T1574.014 AppDomainManager Windows T1609 Container Administration Command Containers T1610 Deploy Container Containers T1648 Serverless Execution SaaS, IaaS T1651 Cloud Administration Command IaaS T1674 Input Injection Windows, macOS T1675 ESXi Administration Command ESXi T1677 Poisoned Pipeline Execution SaaS
TA0010

Exfiltration

19 techniques

T1011 Exfiltration Over Other Network Medium Linux, macOS T1011.001 Exfiltration Over Bluetooth Linux, macOS T1020 Automated Exfiltration Linux, macOS T1020.001 Traffic Duplication Network Devices, IaaS T1029 Scheduled Transfer Linux, macOS T1030 Data Transfer Size Limits Linux, macOS T1041 Exfiltration Over C2 Channel ESXi, Linux T1048 Exfiltration Over Alternative Protocol ESXi, IaaS T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Linux, macOS T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol ESXi, Linux T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol ESXi, Linux T1052 Exfiltration Over Physical Medium Linux, macOS T1052.001 Exfiltration over USB Linux, Windows T1537 Transfer Data to Cloud Account IaaS, Office Suite T1567 Exfiltration Over Web Service ESXi, Linux T1567.001 Exfiltration to Code Repository ESXi, Linux T1567.002 Exfiltration to Cloud Storage ESXi, Linux T1567.003 Exfiltration to Text Storage Sites Linux, macOS T1567.004 Exfiltration Over Webhook ESXi, Linux
TA0040

Impact

33 techniques

T1485 Data Destruction Containers, ESXi T1485.001 Lifecycle-Triggered Deletion IaaS T1486 Data Encrypted for Impact ESXi, IaaS T1489 Service Stop ESXi, IaaS T1490 Inhibit System Recovery Containers, ESXi T1491 Defacement Windows, IaaS T1491.001 Internal Defacement ESXi, Linux T1491.002 External Defacement Windows, IaaS T1495 Firmware Corruption Linux, macOS T1496 Resource Hijacking Windows, IaaS T1496.001 Compute Hijacking Windows, IaaS T1496.002 Bandwidth Hijacking Linux, Windows T1496.003 SMS Pumping SaaS T1496.004 Cloud Service Hijacking SaaS T1498 Network Denial of Service Windows, IaaS T1498.001 Direct Network Flood Windows, IaaS T1498.002 Reflection Amplification Windows, IaaS T1499 Endpoint Denial of Service Windows, Linux T1499.001 OS Exhaustion Flood Linux, macOS T1499.002 Service Exhaustion Flood Windows, IaaS T1499.003 Application Exhaustion Flood Windows, IaaS T1499.004 Application or System Exploitation Windows, IaaS T1529 System Shutdown/Reboot ESXi, Linux T1531 Account Access Removal Linux, macOS T1561 Disk Wipe Linux, macOS T1561.001 Disk Content Wipe Linux, macOS T1561.002 Disk Structure Wipe Linux, macOS T1565 Data Manipulation Linux, macOS T1565.001 Stored Data Manipulation Linux, macOS T1565.002 Transmitted Data Manipulation Linux, macOS T1565.003 Runtime Data Manipulation Linux, macOS T1657 Financial Theft Linux, macOS T1667 Email Bombing Linux, Office Suite
TA0001

Initial Access

22 techniques

T1078 Valid Accounts Containers, ESXi T1078.001 Default Accounts Containers, ESXi T1078.002 Domain Accounts ESXi, Linux T1078.003 Local Accounts Containers, ESXi T1078.004 Cloud Accounts IaaS, Identity Provider T1091 Replication Through Removable Media Windows T1133 External Remote Services Containers, Linux T1189 Drive-by Compromise Identity Provider, Linux T1190 Exploit Public-Facing Application Containers, ESXi T1195 Supply Chain Compromise Linux, Windows T1195.001 Compromise Software Dependencies and Development Tools Linux, macOS T1195.002 Compromise Software Supply Chain Linux, Windows T1195.003 Compromise Hardware Supply Chain Linux, macOS T1199 Trusted Relationship IaaS, Identity Provider T1200 Hardware Additions Windows, Linux T1566 Phishing Identity Provider, Linux T1566.001 Spearphishing Attachment Linux, macOS T1566.002 Spearphishing Link Identity Provider, Linux T1566.003 Spearphishing via Service Linux, macOS T1566.004 Spearphishing Voice Linux, macOS T1659 Content Injection Linux, macOS T1669 Wi-Fi Networks Linux, Network Devices
TA0008

Lateral Movement

23 techniques

T1021 Remote Services Linux, macOS T1021.001 Remote Desktop Protocol Windows T1021.002 SMB/Windows Admin Shares Windows T1021.003 Distributed Component Object Model Windows T1021.004 SSH ESXi, Linux T1021.005 VNC Linux, Windows T1021.006 Windows Remote Management Windows T1021.007 Cloud Services IaaS, Identity Provider T1021.008 Direct Cloud VM Connections IaaS T1072 Software Deployment Tools Linux, macOS T1080 Taint Shared Content Windows, SaaS T1091 Replication Through Removable Media Windows T1210 Exploitation of Remote Services Linux, Windows T1534 Internal Spearphishing Linux, macOS T1550 Use Alternate Authentication Material Containers, IaaS T1550.001 Application Access Token Containers, IaaS T1550.002 Pass the Hash Windows T1550.003 Pass the Ticket Windows T1550.004 Web Session Cookie IaaS, Office Suite T1563 Remote Service Session Hijacking Linux, macOS T1563.001 SSH Hijacking Linux, macOS T1563.002 RDP Hijacking Windows T1570 Lateral Tool Transfer ESXi, Linux
TA0003

Persistence

113 techniques

T1037 Boot or Logon Initialization Scripts ESXi, Linux T1037.001 Logon Script (Windows) Windows T1037.002 Login Hook macOS T1037.003 Network Logon Script Windows T1037.004 RC Scripts macOS, Linux T1037.005 Startup Items macOS T1053 Scheduled Task/Job Containers, ESXi T1053.002 At Windows, Linux T1053.003 Cron Linux, macOS T1053.005 Scheduled Task Windows T1053.006 Systemd Timers Linux T1053.007 Container Orchestration Job Containers T1078 Valid Accounts Containers, ESXi T1078.001 Default Accounts Containers, ESXi T1078.002 Domain Accounts ESXi, Linux T1078.003 Local Accounts Containers, ESXi T1078.004 Cloud Accounts IaaS, Identity Provider T1098 Account Manipulation Containers, ESXi T1098.001 Additional Cloud Credentials IaaS, Identity Provider T1098.002 Additional Email Delegate Permissions Windows, Office Suite T1098.003 Additional Cloud Roles IaaS, Identity Provider T1098.004 SSH Authorized Keys ESXi, IaaS T1098.005 Device Registration Windows, Identity Provider T1098.006 Additional Container Cluster Roles Containers T1098.007 Additional Local or Domain Groups Windows, macOS T1112 Modify Registry Windows T1133 External Remote Services Containers, Linux T1136 Create Account Windows, IaaS T1136.001 Local Account Containers, ESXi T1136.002 Domain Account Linux, macOS T1136.003 Cloud Account IaaS, SaaS T1137 Office Application Startup Windows, Office Suite T1137.001 Office Template Macros Office Suite, Windows T1137.002 Office Test Windows, Office Suite T1137.003 Outlook Forms Windows, Office Suite T1137.004 Outlook Home Page Windows, Office Suite T1137.005 Outlook Rules Windows, Office Suite T1137.006 Add-ins Windows, Office Suite T1176 Software Extensions Linux, macOS T1176.001 Browser Extensions Linux, Windows T1176.002 IDE Extensions Linux, macOS T1197 BITS Jobs Windows T1205 Traffic Signaling Linux, macOS T1205.001 Port Knocking Linux, macOS T1205.002 Socket Filters Linux, macOS T1505 Server Software Component Windows, Linux T1505.001 SQL Stored Procedures 
Windows, Linux T1505.002 Transport Agent Linux, Windows T1505.003 Web Shell Linux, macOS T1505.004 IIS Components Windows T1505.005 Terminal Services DLL Windows T1505.006 vSphere Installation Bundles ESXi T1525 Implant Internal Image IaaS, Containers T1542 Pre-OS Boot Linux, macOS T1542.001 System Firmware Network Devices, Windows T1542.002 Component Firmware Windows, Linux T1542.003 Bootkit Linux, Windows T1542.004 ROMMONkit Network Devices T1542.005 TFTP Boot Network Devices T1543 Create or Modify System Process Containers, Linux T1543.001 Launch Agent macOS T1543.002 Systemd Service Linux T1543.003 Windows Service Windows T1543.004 Launch Daemon macOS T1543.005 Container Service Containers T1546 Event Triggered Execution Linux, macOS T1546.001 Change Default File Association Windows T1546.002 Screensaver Windows T1546.003 Windows Management Instrumentation Event Subscription Windows T1546.004 Unix Shell Configuration Modification Linux, macOS T1546.005 Trap macOS, Linux T1546.006 LC_LOAD_DYLIB Addition macOS T1546.007 Netsh Helper DLL Windows T1546.008 Accessibility Features Windows T1546.009 AppCert DLLs Windows T1546.010 AppInit DLLs Windows T1546.011 Application Shimming Windows T1546.012 Image File Execution Options Injection Windows T1546.013 PowerShell Profile Windows T1546.014 Emond macOS T1546.015 Component Object Model Hijacking Windows T1546.016 Installer Packages Linux, macOS T1546.017 Udev Rules Linux T1546.018 Python Startup Hooks Linux, macOS T1547 Boot or Logon Autostart Execution Linux, macOS T1547.001 Registry Run Keys / Startup Folder Windows T1547.002 Authentication Package Windows T1547.003 Time Providers Windows T1547.004 Winlogon Helper DLL Windows T1547.005 Security Support Provider Windows T1547.006 Kernel Modules and Extensions macOS, Linux T1547.007 Re-opened Applications macOS T1547.008 LSASS Driver Windows T1547.009 Shortcut Modification Windows T1547.010 Port Monitors Windows T1547.012 Print Processors Windows T1547.013 XDG 
Autostart Entries Linux T1547.014 Active Setup Windows T1547.015 Login Items macOS T1554 Compromise Host Software Binary ESXi, Linux T1556 Modify Authentication Process IaaS, Identity Provider T1556.001 Domain Controller Authentication Windows T1556.002 Password Filter DLL Windows T1556.003 Pluggable Authentication Modules Linux, macOS T1556.004 Network Device Authentication Network Devices T1556.005 Reversible Encryption Windows T1556.006 Multi-Factor Authentication IaaS, Identity Provider T1556.007 Hybrid Identity IaaS, Identity Provider T1556.008 Network Provider DLL Windows T1556.009 Conditional Access Policies IaaS, Identity Provider T1653 Power Settings Windows, Linux T1668 Exclusive Control Linux, macOS T1671 Cloud Application Integration Office Suite, SaaS
TA0004

Privilege Escalation

96 techniques

T1037 Boot or Logon Initialization Scripts ESXi, Linux T1037.001 Logon Script (Windows) Windows T1037.002 Login Hook macOS T1037.003 Network Logon Script Windows T1037.004 RC Scripts macOS, Linux T1037.005 Startup Items macOS T1053 Scheduled Task/Job Containers, ESXi T1053.002 At Windows, Linux T1053.003 Cron Linux, macOS T1053.005 Scheduled Task Windows T1053.006 Systemd Timers Linux T1053.007 Container Orchestration Job Containers T1055 Process Injection Linux, macOS T1055.001 Dynamic-link Library Injection Windows T1055.002 Portable Executable Injection Windows T1055.003 Thread Execution Hijacking Windows T1055.004 Asynchronous Procedure Call Windows T1055.005 Thread Local Storage Windows T1055.008 Ptrace System Calls Linux T1055.009 Proc Memory Linux T1055.011 Extra Window Memory Injection Windows T1055.012 Process Hollowing Windows T1055.013 Process Doppelgänging Windows T1055.014 VDSO Hijacking Linux T1055.015 ListPlanting Windows T1068 Exploitation for Privilege Escalation Containers, Linux T1078 Valid Accounts Containers, ESXi T1078.001 Default Accounts Containers, ESXi T1078.002 Domain Accounts ESXi, Linux T1078.003 Local Accounts Containers, ESXi T1078.004 Cloud Accounts IaaS, Identity Provider T1098 Account Manipulation Containers, ESXi T1098.001 Additional Cloud Credentials IaaS, Identity Provider T1098.002 Additional Email Delegate Permissions Windows, Office Suite T1098.003 Additional Cloud Roles IaaS, Identity Provider T1098.004 SSH Authorized Keys ESXi, IaaS T1098.005 Device Registration Windows, Identity Provider T1098.006 Additional Container Cluster Roles Containers T1098.007 Additional Local or Domain Groups Windows, macOS T1134 Access Token Manipulation Windows T1134.001 Token Impersonation/Theft Windows T1134.002 Create Process with Token Windows T1134.003 Make and Impersonate Token Windows T1134.004 Parent PID Spoofing Windows T1134.005 SID-History Injection Windows T1484 Domain or Tenant Policy Modification Windows, Identity Provider 
T1484.001 Group Policy Modification Windows T1484.002 Trust Modification Identity Provider, Windows T1543 Create or Modify System Process Containers, Linux T1543.001 Launch Agent macOS T1543.002 Systemd Service Linux T1543.003 Windows Service Windows T1543.004 Launch Daemon macOS T1543.005 Container Service Containers T1546 Event Triggered Execution Linux, macOS T1546.001 Change Default File Association Windows T1546.002 Screensaver Windows T1546.003 Windows Management Instrumentation Event Subscription Windows T1546.004 Unix Shell Configuration Modification Linux, macOS T1546.005 Trap macOS, Linux T1546.006 LC_LOAD_DYLIB Addition macOS T1546.007 Netsh Helper DLL Windows T1546.008 Accessibility Features Windows T1546.009 AppCert DLLs Windows T1546.010 AppInit DLLs Windows T1546.011 Application Shimming Windows T1546.012 Image File Execution Options Injection Windows T1546.013 PowerShell Profile Windows T1546.014 Emond macOS T1546.015 Component Object Model Hijacking Windows T1546.016 Installer Packages Linux, macOS T1546.017 Udev Rules Linux T1546.018 Python Startup Hooks Linux, macOS T1547 Boot or Logon Autostart Execution Linux, macOS T1547.001 Registry Run Keys / Startup Folder Windows T1547.002 Authentication Package Windows T1547.003 Time Providers Windows T1547.004 Winlogon Helper DLL Windows T1547.005 Security Support Provider Windows T1547.006 Kernel Modules and Extensions macOS, Linux T1547.007 Re-opened Applications macOS T1547.008 LSASS Driver Windows T1547.009 Shortcut Modification Windows T1547.010 Port Monitors Windows T1547.012 Print Processors Windows T1547.013 XDG Autostart Entries Linux T1547.014 Active Setup Windows T1547.015 Login Items macOS T1548 Abuse Elevation Control Mechanism Linux, macOS T1548.001 Setuid and Setgid Linux, macOS T1548.002 Bypass User Account Control Windows T1548.003 Sudo and Sudo Caching Linux, macOS T1548.004 Elevated Execution with Prompt macOS T1548.005 Temporary Elevated Cloud Access IaaS, Office Suite T1548.006 TCC 
Manipulation macOS T1611 Escape to Host Windows, Linux
TA0043

Reconnaissance

46 techniques

T1589 Gather Victim Identity Information PRE T1589.001 Credentials PRE T1589.002 Email Addresses PRE T1589.003 Employee Names PRE T1590 Gather Victim Network Information PRE T1590.001 Domain Properties PRE T1590.002 DNS PRE T1590.003 Network Trust Dependencies PRE T1590.004 Network Topology PRE T1590.005 IP Addresses PRE T1590.006 Network Security Appliances PRE T1591 Gather Victim Org Information PRE T1591.001 Determine Physical Locations PRE T1591.002 Business Relationships PRE T1591.003 Identify Business Tempo PRE T1591.004 Identify Roles PRE T1592 Gather Victim Host Information PRE T1592.001 Hardware PRE T1592.002 Software PRE T1592.003 Firmware PRE T1592.004 Client Configurations PRE T1593 Search Open Websites/Domains PRE T1593.001 Social Media PRE T1593.002 Search Engines PRE T1593.003 Code Repositories PRE T1594 Search Victim-Owned Websites PRE T1595 Active Scanning PRE T1595.001 Scanning IP Blocks PRE T1595.002 Vulnerability Scanning PRE T1595.003 Wordlist Scanning PRE T1596 Search Open Technical Databases PRE T1596.001 DNS/Passive DNS PRE T1596.002 WHOIS PRE T1596.003 Digital Certificates PRE T1596.004 CDNs PRE T1596.005 Scan Databases PRE T1597 Search Closed Sources PRE T1597.001 Threat Intel Vendors PRE T1597.002 Purchase Technical Data PRE T1598 Phishing for Information PRE T1598.001 Spearphishing Service PRE T1598.002 Spearphishing Attachment PRE T1598.003 Spearphishing Link PRE T1598.004 Spearphishing Voice PRE T1681 Search Threat Vendor Data PRE T1682 Query Public AI Services PRE
TA0042

Resource Development

50 techniques

T1583 Acquire Infrastructure PRE T1583.001 Domains PRE T1583.002 DNS Server PRE T1583.003 Virtual Private Server PRE T1583.004 Server PRE T1583.005 Botnet PRE T1583.006 Web Services PRE T1583.007 Serverless PRE T1583.008 Malvertising PRE T1584 Compromise Infrastructure PRE T1584.001 Domains PRE T1584.002 DNS Server PRE T1584.003 Virtual Private Server PRE T1584.004 Server PRE T1584.005 Botnet PRE T1584.006 Web Services PRE T1584.007 Serverless PRE T1584.008 Network Devices PRE T1585 Establish Accounts PRE T1585.001 Social Media Accounts PRE T1585.002 Email Accounts PRE T1585.003 Cloud Accounts PRE T1586 Compromise Accounts PRE T1586.001 Social Media Accounts PRE T1586.002 Email Accounts PRE T1586.003 Cloud Accounts PRE T1587 Develop Capabilities PRE T1587.001 Malware PRE T1587.002 Code Signing Certificates PRE T1587.003 Digital Certificates PRE T1587.004 Exploits PRE T1588 Obtain Capabilities PRE T1588.001 Malware PRE T1588.002 Tool PRE T1588.003 Code Signing Certificates PRE T1588.004 Digital Certificates PRE T1588.005 Exploits PRE T1588.006 Vulnerabilities PRE T1588.007 Artificial Intelligence PRE T1608 Stage Capabilities PRE T1608.001 Upload Malware PRE T1608.002 Upload Tool PRE T1608.003 Install Digital Certificate PRE T1608.004 Drive-by Target PRE T1608.005 Link Target PRE T1608.006 SEO Poisoning PRE T1650 Acquire Access PRE T1683 Generate Content PRE T1683.001 Written Content PRE T1683.002 Audio-Visual Content PRE
TA0005

Stealth

148 techniques

T1006 Direct Volume Access Network Devices, Windows T1014 Rootkit Linux, macOS T1027 Obfuscated Files or Information ESXi, Linux T1027.001 Binary Padding Linux, macOS T1027.002 Software Packing Linux, macOS T1027.003 Steganography Linux, macOS T1027.004 Compile After Delivery Linux, macOS T1027.005 Indicator Removal from Tools Linux, macOS T1027.006 HTML Smuggling Linux, macOS T1027.007 Dynamic API Resolution Windows T1027.008 Stripped Payloads Linux, macOS T1027.009 Embedded Payloads Linux, macOS T1027.010 Command Obfuscation Linux, macOS T1027.011 Fileless Storage Linux, Windows T1027.012 LNK Icon Smuggling Windows T1027.013 Encrypted/Encoded File Linux, macOS T1027.014 Polymorphic Code Linux, macOS T1027.015 Compression Linux, macOS T1027.016 Junk Code Insertion Linux, macOS T1027.017 SVG Smuggling Linux, macOS T1027.018 Invisible Unicode Linux, macOS T1036 Masquerading Containers, ESXi T1036.001 Invalid Code Signature macOS, Windows T1036.002 Right-to-Left Override Linux, macOS T1036.003 Rename Legitimate Utilities Linux, macOS T1036.004 Masquerade Task or Service Linux, macOS T1036.005 Match Legitimate Resource Name or Location Containers, ESXi T1036.006 Space after Filename Linux, macOS T1036.007 Double File Extension Windows T1036.008 Masquerade File Type Linux, macOS T1036.009 Break Process Trees Linux, macOS T1036.010 Masquerade Account Name Containers, IaaS T1036.011 Overwrite Process Arguments Linux T1036.012 Browser Fingerprint Linux, macOS T1055 Process Injection Linux, macOS T1055.001 Dynamic-link Library Injection Windows T1055.002 Portable Executable Injection Windows T1055.003 Thread Execution Hijacking Windows T1055.004 Asynchronous Procedure Call Windows T1055.005 Thread Local Storage Windows T1055.008 Ptrace System Calls Linux T1055.009 Proc Memory Linux T1055.011 Extra Window Memory Injection Windows T1055.012 Process Hollowing Windows T1055.013 Process Doppelgänging Windows T1055.014 VDSO Hijacking Linux T1055.015 ListPlanting Windows T1070 Indicator Removal Containers, ESXi T1070.003 Clear Command History ESXi, Linux T1070.004 File Deletion ESXi, Linux T1070.005 Network Share Connection Removal Windows T1070.006 Timestomp ESXi, Linux T1070.007 Clear Network Connection History and Configurations Linux, macOS T1070.008 Clear Mailbox Data Linux, macOS T1070.009 Clear Persistence ESXi, Linux T1070.010 Relocate Malware Linux, macOS T1078 Valid Accounts Containers, ESXi T1078.001 Default Accounts Containers, ESXi T1078.002 Domain Accounts ESXi, Linux T1078.003 Local Accounts Containers, ESXi T1078.004 Cloud Accounts IaaS, Identity Provider T1127 Trusted Developer Utilities Proxy Execution Windows T1127.001 MSBuild Windows T1127.002 ClickOnce Windows T1127.003 JamPlus Windows T1134 Access Token
Manipulation Windows T1134.001 Token Impersonation/Theft Windows T1134.002 Create Process with Token Windows T1134.003 Make and Impersonate Token Windows T1134.004 Parent PID Spoofing Windows T1134.005 SID-History Injection Windows T1140 Deobfuscate/Decode Files or Information ESXi, Linux T1197 BITS Jobs Windows T1202 Indirect Command Execution Windows T1205 Traffic Signaling Linux, macOS T1205.001 Port Knocking Linux, macOS T1205.002 Socket Filters Linux, macOS T1211 Exploitation for Stealth Linux, Windows T1216 System Script Proxy Execution Windows T1216.001 PubPrn Windows T1216.002 SyncAppvPublishingServer Windows T1218 System Binary Proxy Execution Linux, macOS T1218.001 Compiled HTML File Windows T1218.002 Control Panel Windows T1218.003 CMSTP Windows T1218.004 InstallUtil Windows T1218.005 Mshta Windows T1218.007 Msiexec Windows T1218.008 Odbcconf Windows T1218.009 Regsvcs/Regasm Windows T1218.010 Regsvr32 Windows T1218.011 Rundll32 Windows T1218.012 Verclsid Windows T1218.013 Mavinject Windows T1218.014 MMC Windows T1218.015 Electron Applications Linux, macOS T1220 XSL Script Processing Windows T1221 Template Injection Windows T1480 Execution Guardrails ESXi, Linux T1480.001 Environmental Keying Linux, Windows T1480.002 Mutual Exclusion Linux, macOS T1497 Virtualization/Sandbox Evasion Linux, macOS T1497.001 System Checks Linux, macOS T1497.002 User Activity Based Checks Linux, macOS T1497.003 Time Based Checks Linux, macOS T1535 Unused/Unsupported Cloud Regions IaaS T1542 Pre-OS Boot Linux, macOS T1542.001 System Firmware Network Devices, Windows T1542.002 Component Firmware Windows, Linux T1542.003 Bootkit Linux, Windows T1542.004 ROMMONkit Network Devices T1542.005 TFTP Boot Network Devices T1564 Hide Artifacts ESXi, Linux T1564.001 Hidden Files and Directories Linux, macOS T1564.002 Hidden Users Linux, macOS T1564.003 Hidden Window Linux, macOS T1564.004 NTFS File Attributes Windows T1564.005 Hidden File System Linux, macOS T1564.006 Run Virtual Instance 
ESXi, Linux T1564.007 VBA Stomping Linux, macOS T1564.008 Email Hiding Rules Windows, Linux T1564.009 Resource Forking macOS T1564.010 Process Argument Spoofing Windows T1564.011 Ignore Process Interrupts Linux, macOS T1564.012 File/Path Exclusions Linux, macOS T1564.013 Bind Mounts Linux T1564.014 Extended Attributes Linux, macOS T1574 Hijack Execution Flow Linux, macOS T1574.001 DLL Windows T1574.004 Dylib Hijacking macOS T1574.005 Executable Installer File Permissions Weakness Windows T1574.006 Dynamic Linker Hijacking Linux, macOS T1574.007 Path Interception by PATH Environment Variable Linux, macOS T1574.008 Path Interception by Search Order Hijacking Windows T1574.009 Path Interception by Unquoted Path Windows T1574.010 Services File Permissions Weakness Windows T1574.011 Services Registry Permissions Weakness Windows T1574.012 COR_PROFILER Windows T1574.013 KernelCallbackTable Windows T1574.014 AppDomainManager Windows T1612 Build Image on Host Containers T1620 Reflective Code Loading Linux, macOS T1622 Debugger Evasion Linux, macOS T1678 Delay Execution Linux, macOS T1679 Selective Exclusion Windows T1684 Social Engineering Linux, macOS T1684.001 Impersonation Linux, macOS T1684.002 Email Spoofing Linux, macOS

Exports

Structured JSON, CSV, and Navigator-layer export generation will use the normalized reference records after full sync. The current page is intentionally lightweight and source-backed.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.