atomic-red-team/atomics/Indexes/Matrices/matrix.md
2023-07-12 03:00:11 +00:00

All Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
External Remote Services Scheduled Task/Job: Scheduled Task Scheduled Task/Job: Scheduled Task Extra Window Memory Injection CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Adversary-in-the-Middle CONTRIBUTE A TEST System Owner/User Discovery VNC CONTRIBUTE A TEST Archive Collected Data: Archive via Utility Exfiltration Over Web Service CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Windows Management Instrumentation Socket Filters CONTRIBUTE A TEST Scheduled Task/Job: Scheduled Task Socket Filters CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Container and Resource Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Scheduled Transfer CONTRIBUTE A TEST Data Encoding: Standard Encoding Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Shared Modules CONTRIBUTE A TEST Malicious Shell Modification CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST Input Capture: Keylogging Internet Connection Discovery CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST Adversary-in-the-Middle CONTRIBUTE A TEST Exfiltration Over Other Network Medium CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Command and Scripting Interpreter: JavaScript Bootkit CONTRIBUTE A TEST Plist Modification CONTRIBUTE A TEST Fileless Storage CONTRIBUTE A TEST Brute Force: Password Guessing Permission Groups Discovery CONTRIBUTE A TEST SSH CONTRIBUTE A TEST Input Capture: Keylogging Exfiltration Over Bluetooth CONTRIBUTE A TEST Application Layer Protocol: DNS External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment Kubernetes Cronjob Boot or Logon Initialization Scripts CONTRIBUTE A TEST Path Interception by PATH Environment Variable CONTRIBUTE A TEST Signed Binary Proxy Execution: Rundll32 OS Credential Dumping Cloud Groups CONTRIBUTE A TEST Application Deployment Software CONTRIBUTE A TEST Data from Configuration Repository CONTRIBUTE A TEST Automated Exfiltration Domain Fronting CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST Regsvcs/Regasm CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST File System Permissions Weakness CONTRIBUTE A TEST Hidden Window CONTRIBUTE A TEST LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST Group Policy Discovery Replication Through Removable Media Sharepoint CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media Inter-Process Communication: Dynamic Data Exchange Plist Modification CONTRIBUTE A TEST Event Triggered Execution: PowerShell Profile Embedded Payloads CONTRIBUTE A TEST Steal Web Session Cookie Device Driver Discovery CONTRIBUTE A TEST SSH Hijacking CONTRIBUTE A TEST Audio Capture Traffic Duplication CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise User Execution: Malicious File Modify Authentication Process: Pluggable Authentication Modules Elevated Execution with Prompt CONTRIBUTE A TEST Plist Modification CONTRIBUTE A TEST OS Credential Dumping: Security Account Manager Account Discovery: Domain Account Remote Services: SMB/Windows Admin Shares Archive via Custom Method CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Application Layer Protocol CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Scheduled Task/Job: Cron Path Interception by PATH Environment Variable CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Unsecured Credentials: Cloud Instance Metadata API Security Software Discovery CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Custom Cryptographic Protocol CONTRIBUTE A TEST Service Stop
Valid Accounts: Default Accounts Component Object Model CONTRIBUTE A TEST File System Permissions Weakness CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Revert Cloud Instance CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST Account Discovery: Local Account Remote Desktop Protocol CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Exfiltration Over C2 Channel Remote Access Software Application or System Exploitation CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Event Triggered Execution: PowerShell Profile Kubernetes Cronjob HISTCONTROL CONTRIBUTE A TEST Cloud Instance Metadata API CONTRIBUTE A TEST Virtualization/Sandbox Evasion: System Checks Remote Services CONTRIBUTE A TEST Data Staged: Local Data Staging Exfiltration Over Alternative Protocol Multilayer Encryption CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Command and Scripting Interpreter: AppleScript Systemd Service CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Bypass User Account Control File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification Brute Force: Password Cracking Permission Groups Discovery: Domain Groups Remote Service Session Hijacking CONTRIBUTE A TEST Email Collection: Local Email Collection Exfiltration over USB CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Native API Create or Modify System Process CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Sudo and Sudo Caching Signed Script Proxy Execution: Pubprn Credentials from Password Stores: Keychain System Service Discovery Remote Services: Windows Remote Management Automated Collection Data Compressed CONTRIBUTE A TEST Standard Cryptographic Protocol CONTRIBUTE A TEST Reflection Amplification CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Source CONTRIBUTE A TEST External Remote Services Hijack Execution Flow: Services Registry Permissions Weakness Path Interception by PATH Environment Variable CONTRIBUTE A TEST OS Credential Dumping: LSA Secrets Network Sniffing Remote Services: Distributed Component Object Model Clipboard Data Exfiltration to Text Storage Sites CONTRIBUTE A TEST Protocol Tunneling Service Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Launchctl CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST SID-History Injection CONTRIBUTE A TEST Direct Volume Access Forge Web Credentials: SAML token Network Share Discovery Component Object Model and Distributed COM CONTRIBUTE A TEST Data from Cloud Storage Object Exfiltration Over Web Service: Exfiltration to Cloud Storage Domain Generation Algorithms CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Cloud API CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Boot or Logon Autostart Execution Email Hiding Rules CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST Peripheral Device Discovery Use Alternate Authentication Material: Pass the Ticket Remote Data Staging CONTRIBUTE A TEST Data Transfer Size Limits Mail Protocols CONTRIBUTE A TEST Defacement: Internal Defacement
Spearphishing via Service CONTRIBUTE A TEST Deploy a container Kubernetes Cronjob Port Monitors CONTRIBUTE A TEST Rootkit Credentials in Registry CONTRIBUTE A TEST System Information Discovery Shared Webroot CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Transfer Data to Cloud Account CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST AppleScript CONTRIBUTE A TEST System Firmware CONTRIBUTE A TEST Sudo Caching CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST OS Credential Dumping: Proc Filesystem Application Window Discovery Cloud Services CONTRIBUTE A TEST Archive Collected Data: Archive via Library Data Encrypted CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST Rundll32 CONTRIBUTE A TEST Hijack Execution Flow: Services Registry Permissions Weakness Active Setup Double File Extension CONTRIBUTE A TEST Password Managers CONTRIBUTE A TEST Email Account CONTRIBUTE A TEST Software Deployment Tools Network Device Configuration Dump CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Proxy CONTRIBUTE A TEST Data Encrypted for Impact
Valid Accounts: Cloud Accounts At (Linux) CONTRIBUTE A TEST Rc.common CONTRIBUTE A TEST Domain Trust Modification Abuse Elevation Control Mechanism: Bypass User Account Control Network Sniffing Time Based Evasion CONTRIBUTE A TEST Exploitation of Remote Services CONTRIBUTE A TEST Archive Collected Data Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Dynamic Resolution CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST Regsvr32 CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Create or Modify System Process: Windows Service Timestomp CONTRIBUTE A TEST Unsecured Credentials: Credentials in Registry Cloud Infrastructure Discovery Internal Spearphishing CONTRIBUTE A TEST Browser Session Hijacking CONTRIBUTE A TEST Multi-hop Proxy CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Valid Accounts: Local Accounts LSASS Driver CONTRIBUTE A TEST Boot or Logon Autostart Execution Scheduled Task/Job: Cron Abuse Elevation Control Mechanism: Sudo and Sudo Caching Modify Authentication Process: Password Filter DLL Browser Bookmark Discovery Pass the Ticket CONTRIBUTE A TEST DHCP Spoofing CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Command and Scripting Interpreter CONTRIBUTE A TEST Port Monitors CONTRIBUTE A TEST Startup Items CONTRIBUTE A TEST Modify Cloud Compute Infrastructure CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: AS-REP Roasting System Network Configuration Discovery Lateral Tool Transfer Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay DNS Calculation CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Component Object Model and Distributed COM CONTRIBUTE A TEST Active Setup Print Processors CONTRIBUTE A TEST System Firmware CONTRIBUTE A TEST Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST SSH Hijacking CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Resource Hijacking
Kubernetes Exec Into Container Screensaver CONTRIBUTE A TEST Hijack Execution Flow: DLL Search Order Hijacking Hijack Execution Flow: Services Registry Permissions Weakness Credentials from Password Stores Domain Trust Discovery Pass the Hash CONTRIBUTE A TEST Video Capture Port Knocking CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
CMSTP CONTRIBUTE A TEST TFTP Boot CONTRIBUTE A TEST AppInit DLLs CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Unsecured Credentials File and Directory Discovery Windows Remote Management CONTRIBUTE A TEST Confluence CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST Data Destruction
Scripting CONTRIBUTE A TEST Create or Modify System Process: Windows Service Scheduled Task/Job CONTRIBUTE A TEST Code Signing CONTRIBUTE A TEST Bash History CONTRIBUTE A TEST System Network Connections Discovery Web Session Cookie CONTRIBUTE A TEST Email Collection: Email Forwarding Rule File Transfer Protocols CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
System Services: Launchctl Scheduled Task/Job: Cron Service Registry Permissions Weakness CONTRIBUTE A TEST Mavinject CONTRIBUTE A TEST Credentials from Web Browsers CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST Web Session Cookie CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Network Device CLI CONTRIBUTE A TEST Startup Items CONTRIBUTE A TEST Thread Execution Hijacking Process Hollowing CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST Cloud Storage Object Discovery Remote Service Session Hijacking: RDP Hijacking Input Capture: GUI Input Capture Proxy: Multi-hop Proxy Inhibit System Recovery
XPC Services CONTRIBUTE A TEST Office Application Startup Event Triggered Execution: Application Shimming Masquerading: Match Legitimate Name or Location Private Keys CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Use Alternate Authentication Material: Pass the Hash Data from Network Shared Drive Data Obfuscation CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
User Execution CONTRIBUTE A TEST Additional Cloud Roles CONTRIBUTE A TEST Boot or Logon Autostart Execution: Port Monitors Weaken Encryption CONTRIBUTE A TEST Credentials from Password Stores: Credentials from Web Browsers Process Discovery Remote Services: Remote Desktop Protocol Remote Email Collection CONTRIBUTE A TEST Non-Standard Port System Shutdown/Reboot
Control Panel Items CONTRIBUTE A TEST Print Processors CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Masquerade File Type CONTRIBUTE A TEST DHCP Spoofing CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Encrypted Channel
Launchd CONTRIBUTE A TEST Hijack Execution Flow: DLL Search Order Hijacking Process Injection Regsvcs/Regasm CONTRIBUTE A TEST Unsecured Credentials: Private Keys Permission Groups Discovery: Local Groups Windows Admin Shares CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Bidirectional Communication CONTRIBUTE A TEST
Software Deployment Tools AppInit DLLs CONTRIBUTE A TEST DLL Search Order Hijacking CONTRIBUTE A TEST Hide Artifacts Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Password Policy Discovery Code Repositories CONTRIBUTE A TEST Asymmetric Cryptography CONTRIBUTE A TEST
Command and Scripting Interpreter: PowerShell Office Application Startup: Add-ins New Service CONTRIBUTE A TEST Domain Trust Modification OS Credential Dumping: LSASS Memory System Location Discovery: System Language Discovery Data from Information Repositories CONTRIBUTE A TEST Non-Application Layer Protocol
Mshta CONTRIBUTE A TEST Server Software Component: Transport Agent Escape to Host Application Access Token CONTRIBUTE A TEST Hooking CONTRIBUTE A TEST Query Registry SNMP (MIB Dump) CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Scheduled Task/Job: Systemd Timers Scheduled Task/Job CONTRIBUTE A TEST Boot or Logon Autostart Execution: Shortcut Modification Impair Defenses: Safe Boot Mode Brute Force: Password Spraying System Location Discovery CONTRIBUTE A TEST Input Capture: Credential API Hooking Uncommonly Used Port CONTRIBUTE A TEST
Graphical User Interface CONTRIBUTE A TEST Login Item CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST TFTP Boot CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Software Discovery: Security Software Discovery Domain Fronting CONTRIBUTE A TEST
Command and Scripting Interpreter: Bash Modify Authentication Process: Password Filter DLL Boot or Logon Autostart Execution: Security Support Provider Virtualization/Sandbox Evasion: System Checks OS Credential Dumping: Cached Domain Credentials Cloud Service Discovery Data Encoding CONTRIBUTE A TEST
Inter-Process Communication Server Software Component: Terminal Services DLL Extra Window Memory Injection CONTRIBUTE A TEST Indicator Removal on Host: Clear Linux or Mac System Logs Steal or Forge Kerberos Tickets: Golden Ticket Remote System Discovery Non-Standard Encoding CONTRIBUTE A TEST
User Execution: Malicious Image Browser Extensions Create or Modify System Process: Launch Daemon Signed Binary Proxy Execution: InstallUtil Steal or Forge Authentication Certificates Network Service Discovery Application Layer Protocol: Web Protocols
Trap CONTRIBUTE A TEST Service Registry Permissions Weakness CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking Disabling Security Tools CONTRIBUTE A TEST Unsecured Credentials: Bash History Software Discovery Ingress Tool Transfer
Exploitation for Client Execution CONTRIBUTE A TEST Outlook Rules CONTRIBUTE A TEST Domain Policy Modification: Group Policy Modification Stripped Payloads CONTRIBUTE A TEST Unsecured Credentials: Credentials In Files Cloud Service Dashboard CONTRIBUTE A TEST Steganography CONTRIBUTE A TEST
Local Job Scheduling CONTRIBUTE A TEST Event Triggered Execution: Application Shimming Valid Accounts: Default Accounts Hijack Execution Flow: DLL Search Order Hijacking Web Cookies CONTRIBUTE A TEST Debugger Evasion CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST
Windows Remote Management CONTRIBUTE A TEST Boot or Logon Autostart Execution: Port Monitors Time Providers Subvert Trust Controls: Gatekeeper Bypass Steal Application Access Token System Time Discovery Proxy: Internal Proxy
Command and Scripting Interpreter: Python Boot or Logon Initialization Scripts: Logon Script (Mac) Image File Execution Options Injection CONTRIBUTE A TEST Code Signing CONTRIBUTE A TEST Unsecured Credentials: Group Policy Preferences Custom Command and Control Protocol CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Event Triggered Execution: Trap File and Directory Permissions Modification: Windows File and Directory Permissions Modification Network Provider DLL CONTRIBUTE A TEST Dead Drop Resolver CONTRIBUTE A TEST
Command and Scripting Interpreter: Windows Command Shell DLL Search Order Hijacking CONTRIBUTE A TEST Hijack Execution Flow: LD_PRELOAD Signed Binary Proxy Execution: Msiexec Input Prompt CONTRIBUTE A TEST Junk Data CONTRIBUTE A TEST
Compiled HTML File CONTRIBUTE A TEST New Service CONTRIBUTE A TEST At (Linux) CONTRIBUTE A TEST Modify Authentication Process: Password Filter DLL Forge Web Credentials CONTRIBUTE A TEST Commonly Used Port CONTRIBUTE A TEST
Cloud Administration Command CONTRIBUTE A TEST Boot or Logon Autostart Execution: Shortcut Modification Hooking CONTRIBUTE A TEST Clear Network Connection History and Configurations CONTRIBUTE A TEST Multi-Factor Authentication Request Generation CONTRIBUTE A TEST
Command and Scripting Interpreter: Visual Basic Hypervisor CONTRIBUTE A TEST Plist Modification CONTRIBUTE A TEST Reduce Key Space CONTRIBUTE A TEST Chat Messages CONTRIBUTE A TEST
Space after Filename CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Indicator Removal on Host: Clear Command History Exploitation for Credential Access CONTRIBUTE A TEST
Serverless Execution CONTRIBUTE A TEST Implant Internal Image CONTRIBUTE A TEST Create Process with Token Indirect Command Execution Keychain CONTRIBUTE A TEST
Dynamic Data Exchange CONTRIBUTE A TEST Boot or Logon Autostart Execution: Security Support Provider Abuse Elevation Control Mechanism: Setuid and Setgid Revert Cloud Instance CONTRIBUTE A TEST Input Capture: GUI Input Capture
Malicious Link CONTRIBUTE A TEST Winlogon Helper DLL CONTRIBUTE A TEST Boot or Logon Autostart Execution: Winlogon Helper DLL Deobfuscate/Decode Files or Information Brute Force CONTRIBUTE A TEST
System Services: Service Execution Authentication Package CONTRIBUTE A TEST Event Triggered Execution: Image File Execution Options Injection Impair Defenses Brute Force: Credential Stuffing
Scheduled Task/Job: At Launchctl CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST Thread Execution Hijacking Kerberoasting CONTRIBUTE A TEST
Service Execution CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Masquerading Multi-Factor Authentication CONTRIBUTE A TEST
PowerShell CONTRIBUTE A TEST Create or Modify System Process: Launch Daemon Event Triggered Execution: Accessibility Features Email Collection: Mailbox Manipulation Forced Authentication
InstallUtil CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking PowerShell Profile CONTRIBUTE A TEST Process Injection Password Filter DLL CONTRIBUTE A TEST
Server Software Component: Web Shell Process Injection: Asynchronous Procedure Call Traffic Signaling CONTRIBUTE A TEST Credentials in Files CONTRIBUTE A TEST
Valid Accounts: Default Accounts Application Shimming CONTRIBUTE A TEST Signed Binary Proxy Execution Input Capture CONTRIBUTE A TEST
Time Providers Event Triggered Execution: AppCert DLLs DLL Search Order Hijacking CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST
Image File Execution Options Injection CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST Indicator Removal on Host: Timestomp OS Credential Dumping: /etc/passwd and /etc/shadow
Modify Existing Service CONTRIBUTE A TEST Boot or Logon Autostart Execution: Login Items Reflective Code Loading Steal or Forge Kerberos Tickets: Silver Ticket
Event Triggered Execution: Trap Access Token Manipulation: Token Impersonation/Theft Time Based Evasion CONTRIBUTE A TEST Credentials from Password Stores: Windows Credential Manager
Hijack Execution Flow: LD_PRELOAD Make and Impersonate Token CONTRIBUTE A TEST Signed Binary Proxy Execution: CMSTP Domain Controller Authentication CONTRIBUTE A TEST
Create Account: Local Account Launchd CONTRIBUTE A TEST Impair Defenses: Disable Windows Event Logging Reversible Encryption CONTRIBUTE A TEST
At (Linux) CONTRIBUTE A TEST Event Triggered Execution: Windows Management Instrumentation Event Subscription Signed Binary Proxy Execution: Control Panel Multi-Factor Authentication Interception CONTRIBUTE A TEST
Hooking CONTRIBUTE A TEST Access Token Manipulation: Parent PID Spoofing Network Address Translation Traversal CONTRIBUTE A TEST OS Credential Dumping: NTDS
Plist Modification CONTRIBUTE A TEST Event Triggered Execution: Change Default File Association Binary Padding CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: Kerberoasting
Boot or Logon Autostart Execution: Winlogon Helper DLL VDSO Hijacking CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST OS Credential Dumping: DCSync
System Firmware CONTRIBUTE A TEST Accessibility Features CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST
Change Default File Association CONTRIBUTE A TEST Event Triggered Execution: Emond Impair Defenses: Disable or Modify System Firewall Input Capture: Credential API Hooking
Re-opened Applications CONTRIBUTE A TEST Parent PID Spoofing CONTRIBUTE A TEST Launchctl CONTRIBUTE A TEST Kubernetes List Secrets
Redundant Access CONTRIBUTE A TEST Sudo CONTRIBUTE A TEST SIP and Trust Provider Hijacking CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST
SSH Authorized Keys Services File Permissions Weakness CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST
Kernel Modules and Extensions CONTRIBUTE A TEST Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Rogue Domain Controller
Security Support Provider CONTRIBUTE A TEST Boot or Logon Autostart Execution: Kernel Modules and Extensions Code Signing Policy Modification CONTRIBUTE A TEST
Event Triggered Execution: Image File Execution Options Injection KernelCallbackTable CONTRIBUTE A TEST Deploy a container
LSASS Driver CONTRIBUTE A TEST Scheduled Task/Job: Systemd Timers File Deletion CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Modify Registry
Event Triggered Execution: Accessibility Features Hijack Execution Flow CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking
PowerShell Profile CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
SIP and Trust Provider Hijacking CONTRIBUTE A TEST Process Injection: Process Hollowing Obfuscated Files or Information: Binary Padding
Create Account: Domain Account Exploitation for Privilege Escalation CONTRIBUTE A TEST Domain Policy Modification: Group Policy Modification
Component Firmware CONTRIBUTE A TEST Event Triggered Execution Valid Accounts: Default Accounts
Office Template Macros CONTRIBUTE A TEST Event Triggered Execution: .bash_profile and .bashrc Image File Execution Options Injection CONTRIBUTE A TEST
Application Shimming CONTRIBUTE A TEST Access Token Manipulation: SID-History Injection Rundll32 CONTRIBUTE A TEST
Event Triggered Execution: AppCert DLLs Elevated Execution with Prompt CONTRIBUTE A TEST Hijack Execution Flow: LD_PRELOAD
Device Registration CONTRIBUTE A TEST Authentication Package Indicator Removal on Host: Clear Windows Event Logs
Pre-OS Boot CONTRIBUTE A TEST Event Triggered Execution: Component Object Model Hijacking File and Directory Permissions Modification CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Login Items Hijack Execution Flow: Path Interception by Unquoted Path Abuse Elevation Control Mechanism CONTRIBUTE A TEST
Port Knocking CONTRIBUTE A TEST Setuid and Setgid CONTRIBUTE A TEST Create Process with Token
Account Manipulation: Additional Cloud Credentials Boot or Logon Initialization Scripts: Startup Items Abuse Elevation Control Mechanism: Setuid and Setgid
Launchd CONTRIBUTE A TEST Web Shell CONTRIBUTE A TEST Regsvr32 CONTRIBUTE A TEST
Network Provider DLL CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Indicator Blocking CONTRIBUTE A TEST
Event Triggered Execution: Windows Management Instrumentation Event Subscription Path Interception CONTRIBUTE A TEST Redundant Access CONTRIBUTE A TEST
Registry Run Keys / Startup Folder CONTRIBUTE A TEST Network Logon Script CONTRIBUTE A TEST Signed Binary Proxy Execution: Odbcconf
Compromise Client Software Binary CONTRIBUTE A TEST Bypass User Account Control CONTRIBUTE A TEST Gatekeeper Bypass CONTRIBUTE A TEST
Shortcut Modification CONTRIBUTE A TEST Event Triggered Execution: AppInit DLLs Software Packing CONTRIBUTE A TEST
Event Triggered Execution: Change Default File Association Event Triggered Execution: Screensaver Process Doppelgänging CONTRIBUTE A TEST
Component Object Model Hijacking CONTRIBUTE A TEST Create or Modify System Process: Launch Agent Delete Cloud Instance CONTRIBUTE A TEST
Accessibility Features CONTRIBUTE A TEST Proc Memory CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST
Event Triggered Execution: Emond Emond CONTRIBUTE A TEST SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST Installer Packages CONTRIBUTE A TEST Impair Defenses: Indicator Blocking
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Boot or Logon Initialization Scripts: Rc.common Disable or Modify Cloud Firewall CONTRIBUTE A TEST
Create Account: Cloud Account Access Token Manipulation CONTRIBUTE A TEST Right-to-Left Override CONTRIBUTE A TEST
Account Manipulation Create or Modify System Process: Systemd Service Component Firmware CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Kernel Modules and Extensions XDG Autostart Entries CONTRIBUTE A TEST Indicator Removal on Host
KernelCallbackTable CONTRIBUTE A TEST Thread Local Storage CONTRIBUTE A TEST Use Alternate Authentication Material: Pass the Ticket
Scheduled Task/Job: Systemd Timers Boot or Logon Autostart Execution: Re-opened Applications Masquerading: Masquerade Task or Service
ROMMONkit CONTRIBUTE A TEST Hijack Execution Flow: DLL Side-Loading Process Injection: Asynchronous Procedure Call
Outlook Forms CONTRIBUTE A TEST Launch Daemon CONTRIBUTE A TEST Plist File Modification
Dylib Hijacking CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST CMSTP CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Windows) Subvert Trust Controls: Mark-of-the-Web Bypass
Valid Accounts CONTRIBUTE A TEST ListPlanting CONTRIBUTE A TEST Disable Crypto Hardware CONTRIBUTE A TEST
Multi-Factor Authentication CONTRIBUTE A TEST Domain Policy Modification CONTRIBUTE A TEST Pre-OS Boot CONTRIBUTE A TEST
IIS Components Boot or Logon Autostart Execution: LSASS Driver Scripting CONTRIBUTE A TEST
Trap CONTRIBUTE A TEST Valid Accounts: Cloud Accounts Build Image on Host
Event Triggered Execution Scheduled Task/Job: At Portable Executable Injection CONTRIBUTE A TEST
Event Triggered Execution: .bash_profile and .bashrc Process Injection: Dynamic-link Library Injection Verclsid CONTRIBUTE A TEST
Authentication Package Event Triggered Execution: Netsh Helper DLL Downgrade Attack CONTRIBUTE A TEST
Netsh Helper DLL CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Event Triggered Execution: Component Object Model Hijacking Valid Accounts: Local Accounts Signed Binary Proxy Execution: Mshta
Office Application Startup: Outlook Home Page Hijack Execution Flow: COR_PROFILER Execution Guardrails CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Unquoted Path Access Token Manipulation: Token Impersonation/Theft
Local Job Scheduling CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Setuid and Setgid CONTRIBUTE A TEST Hide Artifacts: Hidden Users
Boot or Logon Initialization Scripts: Startup Items Make and Impersonate Token CONTRIBUTE A TEST
Web Shell CONTRIBUTE A TEST Control Panel Items CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Impair Defenses: HISTCONTROL
Path Interception CONTRIBUTE A TEST Network Provider DLL CONTRIBUTE A TEST
Network Logon Script CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST
BITS Jobs Access Token Manipulation: Parent PID Spoofing
Event Triggered Execution: AppInit DLLs VDSO Hijacking CONTRIBUTE A TEST
Event Triggered Execution: Screensaver Component Object Model Hijacking CONTRIBUTE A TEST
Create or Modify System Process: Launch Agent Parent PID Spoofing CONTRIBUTE A TEST
Emond CONTRIBUTE A TEST Services File Permissions Weakness CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST LC_MAIN Hijacking CONTRIBUTE A TEST
Domain Controller Authentication CONTRIBUTE A TEST Mshta CONTRIBUTE A TEST
Reversible Encryption CONTRIBUTE A TEST KernelCallbackTable CONTRIBUTE A TEST
Installer Packages CONTRIBUTE A TEST ROMMONkit CONTRIBUTE A TEST
Hidden Files and Directories CONTRIBUTE A TEST Signed Binary Proxy Execution: Compiled HTML File
Boot or Logon Initialization Scripts: Rc.common Indicator Removal on Host: Network Share Connection Removal
Time Providers CONTRIBUTE A TEST Impair Defenses: Disable or Modify Tools
Launch Agent CONTRIBUTE A TEST Modify System Image CONTRIBUTE A TEST
Create or Modify System Process: Systemd Service Hijack Execution Flow CONTRIBUTE A TEST
Create Account CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST
XDG Autostart Entries CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Re-opened Applications DLL Side-Loading CONTRIBUTE A TEST
Hijack Execution Flow: DLL Side-Loading Process Injection: Process Hollowing
Additional Email Delegate Permissions CONTRIBUTE A TEST Resource Forking CONTRIBUTE A TEST
Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST Obfuscated Files or Information
Launch Daemon CONTRIBUTE A TEST Multi-Factor Authentication CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Logon Script (Windows) Invalid Code Signature CONTRIBUTE A TEST
Office Application Startup: Office Test Run Virtual Instance
Boot or Logon Autostart Execution: LSASS Driver Access Token Manipulation: SID-History Injection
Valid Accounts: Cloud Accounts Network Boundary Bridging CONTRIBUTE A TEST
Scheduled Task/Job: At Subvert Trust Controls CONTRIBUTE A TEST
Modify Authentication Process CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST
Event Triggered Execution: Netsh Helper DLL Signed Binary Proxy Execution: Regsvr32
SQL Stored Procedures CONTRIBUTE A TEST Masquerading: Rename System Utilities
Network Device Authentication CONTRIBUTE A TEST Spoof Security Alerting CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Unquoted Path
Valid Accounts: Local Accounts Process Doppelgänging CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER Steganography CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvcs/Regasm
Web Session Cookie CONTRIBUTE A TEST
Subvert Trust Controls: Install Root Certificate
Obfuscated Files or Information: Compile After Delivery
VBA Stomping CONTRIBUTE A TEST
BITS Jobs
Trusted Developer Utilities Proxy Execution: MSBuild
Bypass User Account Control CONTRIBUTE A TEST
Impair Defenses: Disable Cloud Logs
Hide Artifacts: Hidden Window
Hidden Users CONTRIBUTE A TEST
Create Cloud Instance CONTRIBUTE A TEST
Compile After Delivery CONTRIBUTE A TEST
Proc Memory CONTRIBUTE A TEST
Compiled HTML File CONTRIBUTE A TEST
Patch System Image CONTRIBUTE A TEST
Clear Persistence CONTRIBUTE A TEST
Clear Command History CONTRIBUTE A TEST
Domain Controller Authentication CONTRIBUTE A TEST
HTML Smuggling
Reversible Encryption CONTRIBUTE A TEST
Command Obfuscation CONTRIBUTE A TEST
Install Root Certificate CONTRIBUTE A TEST
Indicator Removal on Host: File Deletion
Hidden Files and Directories CONTRIBUTE A TEST
Template Injection
Access Token Manipulation CONTRIBUTE A TEST
Obfuscated Files or Information: Software Packing
Hidden File System CONTRIBUTE A TEST
Space after Filename CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Debugger Evasion CONTRIBUTE A TEST
Masquerading: Space after Filename
Use Alternate Authentication Material: Pass the Hash
Hijack Execution Flow: DLL Side-Loading
Network Share Connection Removal CONTRIBUTE A TEST
Ptrace System Calls CONTRIBUTE A TEST
Dynamic API Resolution CONTRIBUTE A TEST
ListPlanting CONTRIBUTE A TEST
Domain Policy Modification CONTRIBUTE A TEST
XSL Script Processing
Hide Artifacts: Hidden Files and Directories
Create Snapshot CONTRIBUTE A TEST
Application Access Token CONTRIBUTE A TEST
Valid Accounts: Cloud Accounts
Environmental Keying CONTRIBUTE A TEST
Hide Artifacts: NTFS File Attributes
NTFS File Attributes CONTRIBUTE A TEST
Process Injection: Dynamic-link Library Injection
Modify Authentication Process CONTRIBUTE A TEST
Signed Script Proxy Execution
InstallUtil CONTRIBUTE A TEST
Network Device Authentication CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST
Downgrade System Image CONTRIBUTE A TEST
Valid Accounts: Local Accounts
Exploitation for Defense Evasion CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution
MMC CONTRIBUTE A TEST
Process Argument Spoofing CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER