Enterprise Attack v15.1 Matrices
Scheduled Task/Job
Container Orchestration Job Scheduled Task
Scheduled Task/Job Cron Systemd Timers
Scheduled Task Cloud Accounts
Systemd Timers Default Accounts
Valid Accounts
IIS Components Domain Accounts
SQL Stored Procedures Local Accounts
Server Software
Component Terminal Services DLL
Transport Agent
Web Shell
Port Knocking
Traffic Signaling
Socket Filters
Cloud Accounts
Default Accounts
Valid Accounts
Domain Accounts
Local Accounts
Defense Evasion Credential Access
Bypass User Account Control ARP Cache Poisoning
Elevated Execution with Prompt Adversary-in-the-Middle DHCP Spoofing
Abuse Elevation Control Setuid and Setgid LLMNR/NBT-NS Poisoning and SMB Relay
Mechanism Sudo and Sudo Caching Credential Stuffing
TCC Manipulation Password Cracking
Brute Force
Temporary Elevated Cloud Access Password Guessing
Create Process with Token Password Spraying
Make and Impersonate Token Cloud Secrets Management Stores
Access Token
Manipulation Parent PID Spoofing Credentials from Web Browsers
SID-History Injection Credentials from Keychain
Token Impersonation/Theft Password Stores Password Managers
BITS Jobs Securityd Memory
Build Image on Host Windows Credential Manager
Debugger Evasion Exploitation for Credential Access
Deobfuscate/Decode Files or Information Forced Authentication
Deploy Container SAML Tokens
Forge Web Credentials
Direct Volume Access Web Cookies
Domain or Tenant Policy Group Policy Modification Credential API Hooking
Modification Trust Modification GUI Input Capture
Input Capture
Execution Guardrails Environmental Keying Keylogging
Exploitation for Defense Evasion Web Portal Capture
File and Directory Linux and Mac File and Directory Permissions Modification Conditional Access Policies
Permissions Modification Windows File and Directory Permissions Modification Domain Controller Authentication
Email Hiding Rules Hybrid Identity
File/Path Exclusions Multi-Factor Authentication
Modify Authentication
Hidden File System Process Network Device Authentication
Hidden Files and Directories Network Provider DLL
Hidden Users Password Filter DLL
Hidden Window Pluggable Authentication Modules
Hide Artifacts
Ignore Process Interrupts Reversible Encryption
NTFS File Attributes Multi-Factor Authentication Interception
Clear Persistence
Indicator Removal
Clear Windows Event Logs
File Deletion
Network Share Connection Removal
Timestomp
Indirect Command Execution
Double File Extension
Invalid Code Signature
Masquerade File Type
Masquerading Masquerade Task or Service
Match Legitimate Name or Location
Rename System Utilities
Right-to-Left Override
Domain Controller Authentication
Hybrid Identity
Modify Authentication Multi-Factor Authentication
Process Network Provider DLL
Password Filter DLL
Reversible Encryption
Modify Registry
Binary Padding
Command Obfuscation
Compile After Delivery
Dynamic API Resolution
Embedded Payloads
Encrypted/Encoded File
Obfuscated Files or
Information Fileless Storage
HTML Smuggling
Indicator Removal from Tools
LNK Icon Smuggling
Software Packing
Steganography
Stripped Payloads
Bootkit
Pre-OS Boot Component Firmware
System Firmware
Asynchronous Procedure Call
Dynamic-link Library Injection
Extra Window Memory Injection
ListPlanting
Process Injection
Process Injection Portable Executable Injection
Process Doppelgänging
Process Hollowing
Thread Execution Hijacking
Thread Local Storage
Reflective Code Loading
Rogue Domain Controller
Rootkit
Code Signing
Code Signing Policy Modification
Subvert Trust Controls Install Root Certificate
Mark-of-the-Web Bypass
SIP and Trust Provider Hijacking
CMSTP
Compiled HTML File
Control Panel
Electron Applications
InstallUtil
MMC
System Binary Proxy Mavinject
Execution Mshta
Msiexec
Odbcconf
Regsvcs/Regasm
Regsvr32
Rundll32
Verclsid
System Script Proxy PubPrn
Execution SyncAppvPublishingServer
Template Injection
Port Knocking
Traffic Signaling
Socket Filters
Trusted Developer Utilities Proxy Execution MSBuild
Clear Persistence
File Deletion
Timestomp
Break Process Trees
Invalid Code Signature
Masquerade File Type
Masquerade Task or Service
Masquerading
Match Legitimate Name or Location
Rename System Utilities
Right-to-Left Override
Space after Filename
Modify Authentication Multi-Factor Authentication
Process Pluggable Authentication Modules
Binary Padding
Command Obfuscation
Compile After Delivery
Embedded Payloads
Obfuscated Files or Encrypted/Encoded File
Information HTML Smuggling
Indicator Removal from Tools
Software Packing
Steganography
Stripped Payloads
Plist File Modification
Pre-OS Boot Component Firmware
Process Injection
Reflective Code Loading
Rootkit Code Signing
Code Signing Policy Modification
Gatekeeper Bypass
Subvert Trust Controls
Install Root Certificate
Electron Applications
System Binary Proxy Execution Port Knocking
Socket Filters
Traffic Signaling
Default Accounts
Domain Accounts
Valid Accounts Local Accounts
System Checks
Time Based Evasion
Virtualization/Sandbox
Evasion User Activity Based Checks
Discovery Lateral Movement
Domain Account Exploitation of Remote Services
Account Discovery
Local Account Internal Spearphishing
Application Window Discovery Lateral Tool Transfer
Browser Information Discovery Remote Service Session Hijacking SSH Hijacking
Debugger Evasion SSH
Remote Services
Device Driver Discovery VNC
File and Directory Discovery Software Deployment Tools
Log Enumeration Taint Shared Content
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Domain Groups
Discovery Local Groups
Process Discovery
Remote System Discovery
Software Discovery Security Software Discovery
System Information Discovery
System Location Discovery System Language Discovery
System Network Internet Connection Discovery
Configuration Discovery Wi-Fi Discovery
System Network Connections Discovery
Clear Persistence
File Deletion
Timestomp
Break Process Trees
Masquerade File Type
Masquerade Task or Service
Masquerading Match Legitimate Name or Location
Rename System Utilities
Right-to-Left Override
Space after Filename
Modify Authentication Multi-Factor Authentication
Process Pluggable Authentication Modules
Binary Padding
Command Obfuscation
Obfuscated Files or
Information
Compile After Delivery
Embedded Payloads
Obfuscated Files or Encrypted/Encoded File
Information HTML Smuggling
Indicator Removal from Tools
Software Packing
Steganography
Stripped Payloads
Bootkit
Pre-OS Boot
Component Firmware
Proc Memory
Process Injection Ptrace System Calls
VDSO Hijacking
Reflective Code Loading
Rootkit
Subvert Trust Controls Install Root Certificate
System Binary Proxy Execution Electron Applications
Port Knocking
Traffic Signaling
Socket Filters
Default Accounts
Valid Accounts Domain Accounts
Local Accounts
System Checks
Virtualization/Sandbox
Evasion Time Based Evasion
User Activity Based Checks
Unsecured Credentials
Discovery Impact
Account Discovery Cloud Account Application Exhaustion Flood
Endpoint Denial of
Cloud Service Dashboard Service Application or System Exploitation
Cloud Service Discovery Service Exhaustion Flood
Permission Groups Discovery Cloud Groups Network Denial of Direct Network Flood
Service Reflection Amplification
Initial Access Execution
Spearphishing Link Command and Scripting Interpreter Cloud API
Phishing
Spearphishing Voice
Cloud Accounts
Valid Accounts
Default Accounts
Persistence Privilege Escalation
Additional Cloud Roles Abuse Elevation Control Mechanism Temporary Elevated Cloud Access
Account Manipulation
Additional Email Delegate Permissions Additional Cloud Roles
Account Manipulation
Create Account Cloud Account Additional Email Delegate Permissions
Valid Accounts
Persistence Privilege Escalation Defense Evasion
Additional Cloud Credentials Additional Cloud Credentials Domain or Tenant Policy Modification
Additional Cloud Roles Account Manipulation Additional Cloud Roles Exploitation for Defense Evasion
Device Registration Device Registration Impersonation
Cloud Account Domain or Tenant Policy Modification Trust Modification
Modify Authentication
Conditional Access Policies Event Triggered Execution Cloud Accounts Process
Hybrid Identity Default Accounts
Valid Accounts
Multi-Factor Authentication Use Alternate
Cloud Accounts Authentication Material
Default Accounts
Valid Accounts
Defense Evasion Credential Access Discovery
Trust Modification Credential Stuffing Account Discovery
Brute Force Password Guessing Cloud Service Dashboard
Password Spraying Cloud Service Discovery
Conditional Access Policies SAML Tokens Permission Groups Discovery
Forge Web Credentials
Hybrid Identity Web Cookies
Multi-Factor Authentication Conditional Access Policies
Modify Authentication
Application Access Token Process Hybrid Identity
Web Session Cookie Multi-Factor Authentication
Cloud Accounts Multi-Factor Authentication Request Generation
External Defacement
Application Exhaustion Flood
Application or System Exploitation
Service Exhaustion Flood
al of Service