2017-10-11 10:35:17 -07:00
## MITRE ATT&CK Matrix - Windows
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|-------------|----------------------|-----------------|-------------------|-----------|------------------|-----------|------------|--------------|---------------------|
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
| [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | [Logon Scripts](Persistence/Logon_Scripts.md) | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol |
| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | [Pass the Hash](Lateral_Movement/Pass_the_Hash.md) | Graphical User Interface | [Data Staged](Collection/Data_Staged.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md) | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels |
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
| [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy |
| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | [Private Keys](Credential_Access/Private_Keys.md) | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication |
| External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption |
| File System Permissions Weakness | Path Interception | File System Logical Offsets | Two-Factor Authentication Interception | System Network Connections Discovery | [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md) | Scripting | | | Remote File Copy |
| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Port Monitors | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | Service Execution | | | Standard Application Layer Protocol |
| Hooking | [Process Injection](Privilege_Escalation/Process_Injection.md) | Image File Execution Options Injection | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Third-party Software | | | Standard Cryptographic Protocol |
| Hypervisor | SID-History Injection | Indicator Blocking | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | Standard Non-Application Layer Protocol |
| Image File Execution Options Injection | [Scheduled Task](Persistence/Scheduled_Task.md) | Indicator Removal from Tools | | | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Uncommonly Used Port |
| LSASS Driver | Service Registry Permissions Weakness | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | | | Web Service |
| [Logon Scripts](Persistence/Logon_Scripts.md) | Valid Accounts | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
| Modify Existing Service | Web Shell | [InstallUtil](Execution/InstallUtil.md) | | | | | | | |
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Masquerading | | | | | | | |
| [New Service](Persistence/New_Service.md) | | Modify Registry | | | | | | | |
| [Office Application Startup](Persistence/Office_Application_Startup.md) | | [Mshta](Execution/Mshta.md) | | | | | | | |
| Path Interception | | NTFS Extended Attributes | | | | | | | |
| Port Monitors | | Network Share Connection Removal | | | | | | | |
| Redundant Access | | Obfuscated Files or Information | | | | | | | |
| [Registry Run Keys / Start Folder](Persistence/Registry_Run_Keys_Start_Folder.md) | | Process Doppelgänging | | | | | | | |
| [Scheduled Task](Persistence/Scheduled_Task.md) | | Process Hollowing | | | | | | | |
| Screensaver | | [Process Injection](Privilege_Escalation/Process_Injection.md) | | | | | | | |
| Security Support Provider | | Redundant Access | | | | | | | |
| Service Registry Permissions Weakness | | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | | | | | | | |
| Shortcut Modification | | [Regsvr32](Execution/Regsvr32.md) | | | | | | | |
| System Firmware | | Rootkit | | | | | | | |
| Valid Accounts | | [Rundll32](Execution/Rundll32.md) | | | | | | | |
| Web Shell | | Scripting | | | | | | | |
| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Software Packing | | | | | | | |
| Winlogon Helper DLL | | [Timestomp](Defense_Evasion/Timestomp.md) | | | | | | | |
| | | Trusted Developer Utilities | | | | | | | |
| | | Valid Accounts | | | | | | | |