## MITRE ATT&CK Matrix - Windows

| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
| [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | Logon Scripts | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol |
| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels |
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
| [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy |
| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | Private Keys | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication |
| External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption |
| File System Permissions Weakness | Path Interception | File System Logical Offsets | Two-Factor Authentication Interception | System Network Connections Discovery | [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md) | Scripting | | | Remote File Copy |
| Hidden Files and Directories | Port Monitors | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | Service Execution | | | Standard Application Layer Protocol |
| Hooking | [Process Injection](Privilege_Escalation/Process_Injection.md) | Image File Execution Options Injection | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | Third-party Software | | | Standard Cryptographic Protocol |
| Hypervisor | SID-History Injection | Indicator Blocking | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | Standard Non-Application Layer Protocol |
| Image File Execution Options Injection | [Scheduled Task](Persistence/Scheduled_Task.md) | Indicator Removal from Tools | | | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Uncommonly Used Port |
| LSASS Driver | Service Registry Permissions Weakness | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | | | Web Service |
| Logon Scripts | Valid Accounts | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
| Modify Existing Service | Web Shell | InstallUtil | | | | | | | |
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Masquerading | | | | | | | |
| [New Service](Persistence/New_Service.md) | | Modify Registry | | | | | | | |
| [Office Application Startup](Persistence/Office_Application_Startup.md) | | [Mshta](Execution/Mshta.md) | | | | | | | |
| Path Interception | | NTFS Extended Attributes | | | | | | | |
| Port Monitors | | Network Share Connection Removal | | | | | | | |
| Redundant Access | | Obfuscated Files or Information | | | | | | | |
| [Registry Run Keys / Start Folder](Persistence/Registry_Run_Keys_Start_Folder.md) | | Process Doppelgänging | | | | | | | |
| [Scheduled Task](Persistence/Scheduled_Task.md) | | Process Hollowing | | | | | | | |
| Screensaver | | [Process Injection](Privilege_Escalation/Process_Injection.md) | | | | | | | |
| Security Support Provider | | Redundant Access | | | | | | | |
| Service Registry Permissions Weakness | | Regsvcs/Regasm | | | | | | | |
| Shortcut Modification | | Regsvr32 | | | | | | | |
| System Firmware | | Rootkit | | | | | | | |
| Valid Accounts | | Rundll32 | | | | | | | |
| Web Shell | | Scripting | | | | | | | |
| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Software Packing | | | | | | | |
| Winlogon Helper DLL | | [Timestomp](Defense_Evasion/Timestomp.md) | | | | | | | |
| | | Trusted Developer Utilities | | | | | | | |
| | | Valid Accounts | | | | | | | |