All Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
External Remote Services	Scheduled Task/Job: Scheduled Task	Scheduled Task/Job: Scheduled Task	Extra Window Memory Injection CONTRIBUTE A TEST	Extra Window Memory Injection CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	System Owner/User Discovery	VNC CONTRIBUTE A TEST	Archive Collected Data: Archive via Utility	Exfiltration Over Web Service CONTRIBUTE A TEST	Data Encoding: Standard Encoding	Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Windows Management Instrumentation	Malicious Shell Modification CONTRIBUTE A TEST	Scheduled Task/Job: Scheduled Task	Indicator Removal from Tools CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	Container and Resource Discovery	Taint Shared Content CONTRIBUTE A TEST	Screen Capture	Scheduled Transfer CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Shared Modules CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Signed Binary Proxy Execution: Rundll32	Input Capture: Keylogging	Internet Connection Discovery CONTRIBUTE A TEST	Application Access Token CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	Application Layer Protocol: DNS	Stored Data Manipulation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Command and Scripting Interpreter: JavaScript	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Plist Modification CONTRIBUTE A TEST	Hidden Window CONTRIBUTE A TEST	Brute Force: Password Guessing	Permission Groups Discovery CONTRIBUTE A TEST	SSH CONTRIBUTE A TEST	Input Capture: Keylogging	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Domain Fronting CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment	Kubernetes Cronjob	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Plist Modification CONTRIBUTE A TEST	OS Credential Dumping	Cloud Groups CONTRIBUTE A TEST	Application Deployment Software CONTRIBUTE A TEST	Data from Configuration Repository CONTRIBUTE A TEST	Automated Exfiltration	Symmetric Cryptography CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST	Regsvcs/Regasm CONTRIBUTE A TEST	Plist Modification CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST	Group Policy Discovery	Replication Through Removable Media	Sharepoint CONTRIBUTE A TEST	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Fast Flux DNS CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media	Inter-Process Communication: Dynamic Data Exchange	Modify Authentication Process: Pluggable Authentication Modules	Event Triggered Execution: PowerShell Profile	Revert Cloud Instance CONTRIBUTE A TEST	Steal Web Session Cookie	Account Discovery: Domain Account	SSH Hijacking CONTRIBUTE A TEST	Audio Capture	Traffic Duplication CONTRIBUTE A TEST	Application Layer Protocol CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise	User Execution: Malicious File	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Elevated Execution with Prompt CONTRIBUTE A TEST	HISTCONTROL CONTRIBUTE A TEST	OS Credential Dumping: Security Account Manager	Security Software Discovery CONTRIBUTE A TEST	Remote Services: SMB/Windows Admin Shares	Archive via Custom Method CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Custom Cryptographic Protocol CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Scheduled Task/Job: Cron	File System Permissions Weakness CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	Unsecured Credentials: Cloud Instance Metadata API	Account Discovery: Local Account	Use Alternate Authentication Material CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Remote Access Software	Service Stop
Valid Accounts: Default Accounts	Component Object Model CONTRIBUTE A TEST	Event Triggered Execution: PowerShell Profile	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	Signed Script Proxy Execution: Pubprn	Securityd Memory CONTRIBUTE A TEST	Virtualization/Sandbox Evasion: System Checks	Remote Desktop Protocol CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration Over C2 Channel	Multilayer Encryption CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Systemd Service CONTRIBUTE A TEST	Kubernetes Cronjob	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Cloud Instance Metadata API CONTRIBUTE A TEST	Permission Groups Discovery: Domain Groups	Remote Services CONTRIBUTE A TEST	Data Staged: Local Data Staging	Exfiltration Over Alternative Protocol	Traffic Signaling CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Command and Scripting Interpreter: AppleScript	Create or Modify System Process CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Bypass User Account Control	Direct Volume Access	Brute Force: Password Cracking	System Service Discovery	Remote Service Session Hijacking CONTRIBUTE A TEST	Email Collection: Local Email Collection	Exfiltration over USB CONTRIBUTE A TEST	Standard Cryptographic Protocol CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	Native API	External Remote Services	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	Email Hiding Rules CONTRIBUTE A TEST	Credentials from Password Stores: Keychain	Network Sniffing	Remote Services: Windows Remote Management	Automated Collection	Data Compressed CONTRIBUTE A TEST	Protocol Tunneling	Reflection Amplification CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Source CONTRIBUTE A TEST	Component Firmware CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Rootkit	OS Credential Dumping: LSA Secrets	Network Share Discovery	Remote Services: Distributed Component Object Model	Clipboard Data	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Domain Generation Algorithms CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Launchctl CONTRIBUTE A TEST	LC_LOAD_DYLIB Addition CONTRIBUTE A TEST	SID-History Injection CONTRIBUTE A TEST	Component Firmware CONTRIBUTE A TEST	Forge Web Credentials: SAML token	Peripheral Device Discovery	Component Object Model and Distributed COM CONTRIBUTE A TEST	Data from Cloud Storage Object	Data Transfer Size Limits	Mail Protocols CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST	Deploy a container	Kubernetes Cronjob	Boot or Logon Autostart Execution	Double File Extension CONTRIBUTE A TEST	Securityd Memory CONTRIBUTE A TEST	System Information Discovery	Use Alternate Authentication Material: Pass the Ticket	Remote Data Staging CONTRIBUTE A TEST	Transfer Data to Cloud Account CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Defacement: Internal Defacement
Spearphishing via Service CONTRIBUTE A TEST	AppleScript CONTRIBUTE A TEST	System Firmware CONTRIBUTE A TEST	Port Monitors CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Bypass User Account Control	Credentials in Registry CONTRIBUTE A TEST	Application Window Discovery	Shared Webroot CONTRIBUTE A TEST	Data from Local System CONTRIBUTE A TEST	Data Encrypted CONTRIBUTE A TEST	External Proxy CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	Rundll32 CONTRIBUTE A TEST	Hijack Execution Flow: Services Registry Permissions Weakness	Sudo Caching CONTRIBUTE A TEST	Timestomp CONTRIBUTE A TEST	OS Credential Dumping: Proc Filesystem	Email Account CONTRIBUTE A TEST	Software Deployment Tools	Archive Collected Data: Archive via Library	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Proxy CONTRIBUTE A TEST	Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Rc.common CONTRIBUTE A TEST	Active Setup	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	Password Managers CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST	Exploitation of Remote Services CONTRIBUTE A TEST	Network Device Configuration Dump CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Dynamic Resolution CONTRIBUTE A TEST	Data Encrypted for Impact
Valid Accounts: Cloud Accounts	Regsvr32 CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Domain Trust Modification	Modify Cloud Compute Infrastructure CONTRIBUTE A TEST	Network Sniffing	Cloud Infrastructure Discovery CONTRIBUTE A TEST	Internal Spearphishing CONTRIBUTE A TEST	Archive Collected Data		Multi-hop Proxy CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST	LSASS Driver CONTRIBUTE A TEST	Boot or Logon Autostart Execution	Create or Modify System Process: Windows Service	System Firmware CONTRIBUTE A TEST	Unsecured Credentials: Credentials in Registry	Browser Bookmark Discovery	Pass the Ticket CONTRIBUTE A TEST	Browser Session Hijacking CONTRIBUTE A TEST		Web Service CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
Valid Accounts: Local Accounts	Command and Scripting Interpreter CONTRIBUTE A TEST	Port Monitors CONTRIBUTE A TEST	Scheduled Task/Job: Cron	Hijack Execution Flow: Services Registry Permissions Weakness	Modify Authentication Process: Password Filter DLL	System Network Configuration Discovery	Lateral Tool Transfer CONTRIBUTE A TEST	DHCP Spoofing CONTRIBUTE A TEST		DNS Calculation CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
	Component Object Model and Distributed COM CONTRIBUTE A TEST	Active Setup	Startup Items CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: AS-REP Roasting	Account Discovery CONTRIBUTE A TEST	SSH Hijacking CONTRIBUTE A TEST	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay		Multi-Stage Channels CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Kubernetes Exec Into Container	Screensaver CONTRIBUTE A TEST	Print Processors CONTRIBUTE A TEST	Code Signing CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST	Domain Trust Discovery	Pass the Hash CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST	Resource Hijacking
	CMSTP CONTRIBUTE A TEST	TFTP Boot CONTRIBUTE A TEST	Hijack Execution Flow: DLL Search Order Hijacking	Mavinject CONTRIBUTE A TEST	Credentials from Password Stores	File and Directory Discovery	Windows Remote Management CONTRIBUTE A TEST	Video Capture		Multiband Communication CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Scripting CONTRIBUTE A TEST	Create or Modify System Process: Windows Service	AppInit DLLs CONTRIBUTE A TEST	Process Hollowing CONTRIBUTE A TEST	Unsecured Credentials	System Network Connections Discovery	Web Session Cookie CONTRIBUTE A TEST	Confluence CONTRIBUTE A TEST		File Transfer Protocols CONTRIBUTE A TEST	Data Destruction
	System Services: Launchctl	Scheduled Task/Job: Cron	Scheduled Task/Job CONTRIBUTE A TEST	Masquerading: Match Legitimate Name or Location	Bash History CONTRIBUTE A TEST	Virtualization/Sandbox Evasion CONTRIBUTE A TEST	Web Session Cookie CONTRIBUTE A TEST	Email Collection: Email Forwarding Rule		One-Way Communication CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
	Network Device CLI CONTRIBUTE A TEST	Startup Items CONTRIBUTE A TEST	Service Registry Permissions Weakness CONTRIBUTE A TEST	Weaken Encryption CONTRIBUTE A TEST	Credentials from Web Browsers CONTRIBUTE A TEST	Cloud Storage Object Discovery	Remote Service Session Hijacking: RDP Hijacking	Data Staged CONTRIBUTE A TEST		Proxy: Multi-hop Proxy	Firmware Corruption CONTRIBUTE A TEST
	XPC Services CONTRIBUTE A TEST	Office Application Startup	Thread Execution Hijacking	Regsvcs/Regasm CONTRIBUTE A TEST	Private Keys CONTRIBUTE A TEST	Cloud Account CONTRIBUTE A TEST	Use Alternate Authentication Material: Pass the Hash	Input Capture: GUI Input Capture		Data Obfuscation CONTRIBUTE A TEST	Inhibit System Recovery
	User Execution CONTRIBUTE A TEST	Additional Cloud Roles CONTRIBUTE A TEST	Event Triggered Execution: Application Shimming	Hide Artifacts	Credentials from Password Stores: Credentials from Web Browsers	Process Discovery	Remote Services: Remote Desktop Protocol	Data from Network Shared Drive		Non-Standard Port	Disk Content Wipe CONTRIBUTE A TEST
	Control Panel Items CONTRIBUTE A TEST	Print Processors CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Port Monitors	Domain Trust Modification	DHCP Spoofing CONTRIBUTE A TEST	User Activity Based Checks CONTRIBUTE A TEST	Application Access Token CONTRIBUTE A TEST	Remote Email Collection CONTRIBUTE A TEST		Encrypted Channel	System Shutdown/Reboot
	Launchd CONTRIBUTE A TEST	Hijack Execution Flow: DLL Search Order Hijacking	Boot or Logon Initialization Scripts: Logon Script (Mac)	Application Access Token CONTRIBUTE A TEST	Unsecured Credentials: Private Keys	Permission Groups Discovery: Local Groups	Windows Admin Shares CONTRIBUTE A TEST	Input Capture CONTRIBUTE A TEST		Bidirectional Communication CONTRIBUTE A TEST
	Software Deployment Tools	AppInit DLLs CONTRIBUTE A TEST	Process Injection	Safe Mode Boot CONTRIBUTE A TEST	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	Password Policy Discovery		ARP Cache Poisoning CONTRIBUTE A TEST		Asymmetric Cryptography CONTRIBUTE A TEST
	Command and Scripting Interpreter: PowerShell	Office Application Startup: Add-ins	DLL Search Order Hijacking CONTRIBUTE A TEST	TFTP Boot CONTRIBUTE A TEST	OS Credential Dumping: LSASS Memory	System Location Discovery: System Language Discovery		Code Repositories CONTRIBUTE A TEST		Non-Application Layer Protocol
	Mshta CONTRIBUTE A TEST	Server Software Component: Transport Agent	New Service CONTRIBUTE A TEST	Virtualization/Sandbox Evasion: System Checks	Hooking CONTRIBUTE A TEST	Query Registry		Data from Information Repositories CONTRIBUTE A TEST		Protocol Impersonation CONTRIBUTE A TEST
	Scheduled Task/Job: Systemd Timers	Scheduled Task/Job CONTRIBUTE A TEST	Escape to Host	Indicator Removal on Host: Clear Linux or Mac System Logs	Brute Force: Password Spraying	System Location Discovery CONTRIBUTE A TEST		SNMP (MIB Dump) CONTRIBUTE A TEST		Uncommonly Used Port CONTRIBUTE A TEST
	Graphical User Interface CONTRIBUTE A TEST	Login Item CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Shortcut Modification	Signed Binary Proxy Execution: InstallUtil	Web Portal Capture CONTRIBUTE A TEST	Software Discovery: Security Software Discovery		Input Capture: Credential API Hooking		Domain Fronting CONTRIBUTE A TEST
	Command and Scripting Interpreter: Bash	Modify Authentication Process: Password Filter DLL	AppCert DLLs CONTRIBUTE A TEST	Disabling Security Tools CONTRIBUTE A TEST	OS Credential Dumping: Cached Domain Credentials	Cloud Service Discovery				Data Encoding CONTRIBUTE A TEST
	Inter-Process Communication CONTRIBUTE A TEST	Terminal Services DLL CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Security Support Provider	Hijack Execution Flow: DLL Search Order Hijacking	Steal or Forge Kerberos Tickets: Golden Ticket	Remote System Discovery				Non-Standard Encoding CONTRIBUTE A TEST
	Malicious Image CONTRIBUTE A TEST	Browser Extensions	Extra Window Memory Injection CONTRIBUTE A TEST	Subvert Trust Controls: Gatekeeper Bypass	Unsecured Credentials: Bash History	Network Service Scanning				Application Layer Protocol: Web Protocols
	Trap CONTRIBUTE A TEST	Service Registry Permissions Weakness CONTRIBUTE A TEST	Create or Modify System Process: Launch Daemon	Code Signing CONTRIBUTE A TEST	Unsecured Credentials: Credentials In Files	Software Discovery				Ingress Tool Transfer
	Exploitation for Client Execution CONTRIBUTE A TEST	Outlook Rules CONTRIBUTE A TEST	Hijack Execution Flow: Path Interception by Search Order Hijacking	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	Web Cookies CONTRIBUTE A TEST	Cloud Service Dashboard CONTRIBUTE A TEST				Steganography CONTRIBUTE A TEST
	Local Job Scheduling CONTRIBUTE A TEST	Event Triggered Execution: Application Shimming	Domain Policy Modification: Group Policy Modification	Signed Binary Proxy Execution: Msiexec	Steal Application Access Token	Debugger Evasion CONTRIBUTE A TEST				Fallback Channels CONTRIBUTE A TEST
	Windows Remote Management CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Port Monitors	Valid Accounts: Default Accounts	Modify Authentication Process: Password Filter DLL	Unsecured Credentials: Group Policy Preferences	System Time Discovery				Proxy: Internal Proxy
	Command and Scripting Interpreter: Python	Boot or Logon Initialization Scripts: Logon Script (Mac)	Time Providers	Reduce Key Space CONTRIBUTE A TEST	Input Prompt CONTRIBUTE A TEST					Custom Command and Control Protocol CONTRIBUTE A TEST
	System Services CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Image File Execution Options Injection CONTRIBUTE A TEST	Indicator Removal on Host: Clear Command History	Forge Web Credentials CONTRIBUTE A TEST					Dead Drop Resolver CONTRIBUTE A TEST
	Command and Scripting Interpreter: Windows Command Shell	DLL Search Order Hijacking CONTRIBUTE A TEST	Event Triggered Execution: Trap	Indirect Command Execution	Multi-Factor Authentication Request Generation CONTRIBUTE A TEST					Junk Data CONTRIBUTE A TEST
	Compiled HTML File CONTRIBUTE A TEST	New Service CONTRIBUTE A TEST	Hijack Execution Flow: LD_PRELOAD	Revert Cloud Instance CONTRIBUTE A TEST	Exploitation for Credential Access CONTRIBUTE A TEST					Commonly Used Port CONTRIBUTE A TEST
	Command and Scripting Interpreter: Visual Basic	Boot or Logon Autostart Execution: Shortcut Modification	At (Linux) CONTRIBUTE A TEST	Deobfuscate/Decode Files or Information	Keychain CONTRIBUTE A TEST
	Space after Filename CONTRIBUTE A TEST	Hypervisor CONTRIBUTE A TEST	Hooking CONTRIBUTE A TEST	Impair Defenses	Input Capture: GUI Input Capture
	Dynamic Data Exchange CONTRIBUTE A TEST	AppCert DLLs CONTRIBUTE A TEST	Plist Modification CONTRIBUTE A TEST	Thread Execution Hijacking	Brute Force CONTRIBUTE A TEST
	Malicious Link CONTRIBUTE A TEST	Implant Internal Image CONTRIBUTE A TEST	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Masquerading	Brute Force: Credential Stuffing
	System Services: Service Execution	Boot or Logon Autostart Execution: Security Support Provider	Create Process with Token	Process Injection	Kerberoasting CONTRIBUTE A TEST
	Scheduled Task/Job: At	Winlogon Helper DLL CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Setuid and Setgid	Traffic Signaling CONTRIBUTE A TEST	Forced Authentication
	Service Execution CONTRIBUTE A TEST	Authentication Package CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Winlogon Helper DLL	Signed Binary Proxy Execution	Password Filter DLL CONTRIBUTE A TEST
	PowerShell CONTRIBUTE A TEST	Launchctl CONTRIBUTE A TEST	Event Triggered Execution: Image File Execution Options Injection	DLL Search Order Hijacking CONTRIBUTE A TEST	Credentials in Files CONTRIBUTE A TEST
	InstallUtil CONTRIBUTE A TEST	Create or Modify System Process: Launch Daemon	Process Doppelgänging CONTRIBUTE A TEST	Indicator Removal on Host: Timestomp	Input Capture CONTRIBUTE A TEST
		Hijack Execution Flow: Path Interception by Search Order Hijacking	Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Reflective Code Loading	ARP Cache Poisoning CONTRIBUTE A TEST
		Server Software Component: Web Shell	Event Triggered Execution: Accessibility Features	Time Based Evasion CONTRIBUTE A TEST	OS Credential Dumping: /etc/passwd and /etc/shadow
		Valid Accounts: Default Accounts	PowerShell Profile CONTRIBUTE A TEST	Signed Binary Proxy Execution: CMSTP	Steal or Forge Kerberos Tickets: Silver Ticket
		Time Providers	Process Injection: Asynchronous Procedure Call	Impair Defenses: Disable Windows Event Logging	Credentials from Password Stores: Windows Credential Manager
		Image File Execution Options Injection CONTRIBUTE A TEST	Application Shimming CONTRIBUTE A TEST	Signed Binary Proxy Execution: Control Panel	Domain Controller Authentication CONTRIBUTE A TEST
		Modify Existing Service CONTRIBUTE A TEST	Event Triggered Execution: AppCert DLLs	Network Address Translation Traversal CONTRIBUTE A TEST	Reversible Encryption CONTRIBUTE A TEST
		Event Triggered Execution: Trap	Portable Executable Injection CONTRIBUTE A TEST	Binary Padding CONTRIBUTE A TEST	Multi-Factor Authentication Interception CONTRIBUTE A TEST
		Hijack Execution Flow: LD_PRELOAD	Boot or Logon Autostart Execution: Login Items	Use Alternate Authentication Material CONTRIBUTE A TEST	OS Credential Dumping: NTDS
		Create Account: Local Account	Access Token Manipulation: Token Impersonation/Theft	Extra Window Memory Injection CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets: Kerberoasting
		At (Linux) CONTRIBUTE A TEST	Make and Impersonate Token CONTRIBUTE A TEST	Impair Defenses: Disable or Modify System Firewall	OS Credential Dumping: DCSync
		Hooking CONTRIBUTE A TEST	Launchd CONTRIBUTE A TEST	Launchctl CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST
		Plist Modification CONTRIBUTE A TEST	Event Triggered Execution: Windows Management Instrumentation Event Subscription	SIP and Trust Provider Hijacking CONTRIBUTE A TEST	Input Capture: Credential API Hooking
		Boot or Logon Autostart Execution: Winlogon Helper DLL	Access Token Manipulation: Parent PID Spoofing	Rogue Domain Controller	Kubernetes List Secrets
		System Firmware CONTRIBUTE A TEST	Event Triggered Execution: Change Default File Association	Code Signing Policy Modification CONTRIBUTE A TEST	Network Device Authentication CONTRIBUTE A TEST
		Change Default File Association CONTRIBUTE A TEST	VDSO Hijacking CONTRIBUTE A TEST	Deploy a container
		Re-opened Applications CONTRIBUTE A TEST	Accessibility Features CONTRIBUTE A TEST	File Deletion CONTRIBUTE A TEST
		Redundant Access CONTRIBUTE A TEST	Event Triggered Execution: Emond	Modify Registry
		SSH Authorized Keys	Parent PID Spoofing CONTRIBUTE A TEST	Hijack Execution Flow: Path Interception by Search Order Hijacking
		Kernel Modules and Extensions CONTRIBUTE A TEST	Sudo CONTRIBUTE A TEST	Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
		Security Support Provider CONTRIBUTE A TEST	Services File Permissions Weakness CONTRIBUTE A TEST	Obfuscated Files or Information: Binary Padding
		Event Triggered Execution: Image File Execution Options Injection	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Domain Policy Modification: Group Policy Modification
		LSASS Driver CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Kernel Modules and Extensions	Valid Accounts: Default Accounts
		Executable Installer File Permissions Weakness CONTRIBUTE A TEST	KernelCallbackTable CONTRIBUTE A TEST	Image File Execution Options Injection CONTRIBUTE A TEST
		Event Triggered Execution: Accessibility Features	Scheduled Task/Job: Systemd Timers	Rundll32 CONTRIBUTE A TEST
		PowerShell Profile CONTRIBUTE A TEST	Dylib Hijacking CONTRIBUTE A TEST	Hijack Execution Flow: LD_PRELOAD
		SIP and Trust Provider Hijacking CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	Indicator Removal on Host: Clear Windows Event Logs
		Create Account: Domain Account	Valid Accounts CONTRIBUTE A TEST	File and Directory Permissions Modification CONTRIBUTE A TEST
		Component Firmware CONTRIBUTE A TEST	Process Injection: Process Hollowing	Abuse Elevation Control Mechanism CONTRIBUTE A TEST
		Office Template Macros CONTRIBUTE A TEST	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Create Process with Token
		Application Shimming CONTRIBUTE A TEST	Event Triggered Execution	Abuse Elevation Control Mechanism: Setuid and Setgid
		Event Triggered Execution: AppCert DLLs	Event Triggered Execution: .bash_profile and .bashrc	Regsvr32 CONTRIBUTE A TEST
		Device Registration CONTRIBUTE A TEST	Access Token Manipulation: SID-History Injection	Indicator Blocking CONTRIBUTE A TEST
		Pre-OS Boot CONTRIBUTE A TEST	Elevated Execution with Prompt CONTRIBUTE A TEST	Redundant Access CONTRIBUTE A TEST
		Boot or Logon Autostart Execution: Login Items	Authentication Package	Signed Binary Proxy Execution: Odbcconf
		Port Knocking CONTRIBUTE A TEST	Event Triggered Execution: Component Object Model Hijacking	Gatekeeper Bypass CONTRIBUTE A TEST
		Account Manipulation: Additional Cloud Credentials	Hijack Execution Flow: Path Interception by Unquoted Path	Software Packing CONTRIBUTE A TEST
		Launchd CONTRIBUTE A TEST	Setuid and Setgid CONTRIBUTE A TEST	Process Doppelgänging CONTRIBUTE A TEST
		Event Triggered Execution: Windows Management Instrumentation Event Subscription	Boot or Logon Initialization Scripts: Startup Items	Delete Cloud Instance CONTRIBUTE A TEST
		Registry Run Keys / Startup Folder CONTRIBUTE A TEST	Web Shell CONTRIBUTE A TEST	Executable Installer File Permissions Weakness CONTRIBUTE A TEST
		Compromise Client Software Binary CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	SIP and Trust Provider Hijacking CONTRIBUTE A TEST
		Shortcut Modification CONTRIBUTE A TEST	Path Interception CONTRIBUTE A TEST	Impair Defenses: Indicator Blocking
		Event Triggered Execution: Change Default File Association	Network Logon Script CONTRIBUTE A TEST	Disable or Modify Cloud Firewall CONTRIBUTE A TEST
		Component Object Model Hijacking CONTRIBUTE A TEST	Bypass User Account Control CONTRIBUTE A TEST	Right-to-Left Override CONTRIBUTE A TEST
		Accessibility Features CONTRIBUTE A TEST	Event Triggered Execution: AppInit DLLs	Component Firmware CONTRIBUTE A TEST
		Event Triggered Execution: Emond	Event Triggered Execution: Screensaver	Indicator Removal on Host
		Services File Permissions Weakness CONTRIBUTE A TEST	Create or Modify System Process: Launch Agent	Use Alternate Authentication Material: Pass the Ticket
		Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Proc Memory CONTRIBUTE A TEST	Masquerading: Masquerade Task or Service
		Create Account: Cloud Account	Emond CONTRIBUTE A TEST	Process Injection: Asynchronous Procedure Call
		Account Manipulation	Boot or Logon Initialization Scripts: Rc.common	Plist File Modification
		Boot or Logon Autostart Execution: Kernel Modules and Extensions	Access Token Manipulation CONTRIBUTE A TEST	CMSTP CONTRIBUTE A TEST
		KernelCallbackTable CONTRIBUTE A TEST	Create or Modify System Process: Systemd Service	Subvert Trust Controls: Mark-of-the-Web Bypass
		Scheduled Task/Job: Systemd Timers	XDG Autostart Entries CONTRIBUTE A TEST	Disable Crypto Hardware CONTRIBUTE A TEST
		ROMMONkit CONTRIBUTE A TEST	Thread Local Storage CONTRIBUTE A TEST	Pre-OS Boot CONTRIBUTE A TEST
		Outlook Forms CONTRIBUTE A TEST	Boot or Logon Autostart Execution: Re-opened Applications	Scripting CONTRIBUTE A TEST
		Dylib Hijacking CONTRIBUTE A TEST	Hijack Execution Flow: DLL Side-Loading	Build Image on Host CONTRIBUTE A TEST
		Hijack Execution Flow CONTRIBUTE A TEST	Launch Daemon CONTRIBUTE A TEST	Portable Executable Injection CONTRIBUTE A TEST
		Valid Accounts CONTRIBUTE A TEST	Ptrace System Calls CONTRIBUTE A TEST	Verclsid CONTRIBUTE A TEST
		IIS Components	Boot or Logon Initialization Scripts: Logon Script (Windows)	Downgrade Attack CONTRIBUTE A TEST
		Trap CONTRIBUTE A TEST	ListPlanting CONTRIBUTE A TEST	Virtualization/Sandbox Evasion CONTRIBUTE A TEST
		Event Triggered Execution	Domain Policy Modification CONTRIBUTE A TEST	Signed Binary Proxy Execution: Mshta
		Event Triggered Execution: .bash_profile and .bashrc	Boot or Logon Autostart Execution: LSASS Driver	Execution Guardrails CONTRIBUTE A TEST
		Authentication Package	Valid Accounts: Cloud Accounts	Access Token Manipulation: Token Impersonation/Theft
		Netsh Helper DLL CONTRIBUTE A TEST	Scheduled Task/Job: At	Port Knocking CONTRIBUTE A TEST
		Event Triggered Execution: Component Object Model Hijacking	Process Injection: Dynamic-link Library Injection	Hide Artifacts: Hidden Users
		Office Application Startup: Outlook Home Page	Event Triggered Execution: Netsh Helper DLL	Make and Impersonate Token CONTRIBUTE A TEST
		Hijack Execution Flow: Path Interception by Unquoted Path	Dylib Hijacking CONTRIBUTE A TEST	Control Panel Items CONTRIBUTE A TEST
		Local Job Scheduling CONTRIBUTE A TEST	Valid Accounts: Local Accounts	Impair Defenses: HISTCONTROL
		Setuid and Setgid CONTRIBUTE A TEST	Hijack Execution Flow: COR_PROFILER	User Activity Based Checks CONTRIBUTE A TEST
		Boot or Logon Initialization Scripts: Startup Items		Access Token Manipulation: Parent PID Spoofing
		Web Shell CONTRIBUTE A TEST		VDSO Hijacking CONTRIBUTE A TEST
		Domain Accounts CONTRIBUTE A TEST		Component Object Model Hijacking CONTRIBUTE A TEST
		Path Interception CONTRIBUTE A TEST		Parent PID Spoofing CONTRIBUTE A TEST
		Network Logon Script CONTRIBUTE A TEST		Services File Permissions Weakness CONTRIBUTE A TEST
		BITS Jobs		LC_MAIN Hijacking CONTRIBUTE A TEST
		Event Triggered Execution: AppInit DLLs		Mshta CONTRIBUTE A TEST
		Event Triggered Execution: Screensaver		KernelCallbackTable CONTRIBUTE A TEST
		Create or Modify System Process: Launch Agent		ROMMONkit CONTRIBUTE A TEST
		Emond CONTRIBUTE A TEST		Signed Binary Proxy Execution: Compiled HTML File
		Server Software Component CONTRIBUTE A TEST		Indicator Removal on Host: Network Share Connection Removal
		Domain Controller Authentication CONTRIBUTE A TEST		Impair Defenses: Disable or Modify Tools
		Reversible Encryption CONTRIBUTE A TEST		Modify System Image CONTRIBUTE A TEST
		Hidden Files and Directories CONTRIBUTE A TEST		Hijack Execution Flow CONTRIBUTE A TEST
		Boot or Logon Initialization Scripts: Rc.common		Indicator Removal from Tools CONTRIBUTE A TEST
		Time Providers CONTRIBUTE A TEST		Valid Accounts CONTRIBUTE A TEST
		Launch Agent CONTRIBUTE A TEST		DLL Side-Loading CONTRIBUTE A TEST
		Create or Modify System Process: Systemd Service		Process Injection: Process Hollowing
		Create Account CONTRIBUTE A TEST		Resource Forking CONTRIBUTE A TEST
		XDG Autostart Entries CONTRIBUTE A TEST		Obfuscated Files or Information
		Boot or Logon Autostart Execution: Re-opened Applications		Invalid Code Signature CONTRIBUTE A TEST
		Hijack Execution Flow: DLL Side-Loading		Run Virtual Instance
		Additional Email Delegate Permissions CONTRIBUTE A TEST		Access Token Manipulation: SID-History Injection
		Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST		Network Boundary Bridging CONTRIBUTE A TEST
		Launch Daemon CONTRIBUTE A TEST		Subvert Trust Controls CONTRIBUTE A TEST
		Boot or Logon Initialization Scripts: Logon Script (Windows)		Elevated Execution with Prompt CONTRIBUTE A TEST
		Office Application Startup: Office Test		Signed Binary Proxy Execution: Regsvr32
		Boot or Logon Autostart Execution: LSASS Driver		Masquerading: Rename System Utilities
		Valid Accounts: Cloud Accounts		Hijack Execution Flow: Path Interception by Unquoted Path
		Scheduled Task/Job: At		Process Doppelgänging CONTRIBUTE A TEST
		Modify Authentication Process CONTRIBUTE A TEST		Steganography CONTRIBUTE A TEST
		Event Triggered Execution: Netsh Helper DLL		Web Session Cookie CONTRIBUTE A TEST
		SQL Stored Procedures CONTRIBUTE A TEST		Domain Accounts CONTRIBUTE A TEST
		Network Device Authentication CONTRIBUTE A TEST		Signed Binary Proxy Execution: Regsvcs/Regasm
		Dylib Hijacking CONTRIBUTE A TEST		Web Session Cookie CONTRIBUTE A TEST
		Valid Accounts: Local Accounts		Subvert Trust Controls: Install Root Certificate
		Hijack Execution Flow: COR_PROFILER		Obfuscated Files or Information: Compile After Delivery
				VBA Stomping CONTRIBUTE A TEST
				BITS Jobs
				Trusted Developer Utilities Proxy Execution: MSBuild
				Bypass User Account Control CONTRIBUTE A TEST
				Impair Defenses: Disable Cloud Logs
				Hide Artifacts: Hidden Window
				Hidden Users CONTRIBUTE A TEST
				Create Cloud Instance CONTRIBUTE A TEST
				Compile After Delivery CONTRIBUTE A TEST
				Proc Memory CONTRIBUTE A TEST
				Compiled HTML File CONTRIBUTE A TEST
				Patch System Image CONTRIBUTE A TEST
				Clear Command History CONTRIBUTE A TEST
				Domain Controller Authentication CONTRIBUTE A TEST
				HTML Smuggling
				Reversible Encryption CONTRIBUTE A TEST
				Install Root Certificate CONTRIBUTE A TEST
				Indicator Removal on Host: File Deletion
				Hidden Files and Directories CONTRIBUTE A TEST
				Template Injection
				Access Token Manipulation CONTRIBUTE A TEST
				Obfuscated Files or Information: Software Packing
				Hidden File System CONTRIBUTE A TEST
				Space after Filename CONTRIBUTE A TEST
				Thread Local Storage CONTRIBUTE A TEST
				Debugger Evasion CONTRIBUTE A TEST
				Masquerading: Space after Filename
				Use Alternate Authentication Material: Pass the Hash
				Hijack Execution Flow: DLL Side-Loading
				Network Share Connection Removal CONTRIBUTE A TEST
				Ptrace System Calls CONTRIBUTE A TEST
				ListPlanting CONTRIBUTE A TEST
				Domain Policy Modification CONTRIBUTE A TEST
				XSL Script Processing
				Hide Artifacts: Hidden Files and Directories
				Create Snapshot CONTRIBUTE A TEST
				Application Access Token CONTRIBUTE A TEST
				Valid Accounts: Cloud Accounts
				Environmental Keying CONTRIBUTE A TEST
				Hide Artifacts: NTFS File Attributes
				NTFS File Attributes CONTRIBUTE A TEST
				Process Injection: Dynamic-link Library Injection
				Modify Authentication Process CONTRIBUTE A TEST
				Signed Script Proxy Execution
				InstallUtil CONTRIBUTE A TEST
				Network Device Authentication CONTRIBUTE A TEST
				Dylib Hijacking CONTRIBUTE A TEST
				Downgrade System Image CONTRIBUTE A TEST
				Valid Accounts: Local Accounts
				Exploitation for Defense Evasion CONTRIBUTE A TEST
				Trusted Developer Utilities Proxy Execution
				MMC CONTRIBUTE A TEST
				Process Argument Spoofing CONTRIBUTE A TEST
				Hijack Execution Flow: COR_PROFILER

84 KiB Raw Blame History

All Atomic Tests by ATT&CK Tactic & Technique

84 KiB

Raw Blame History