250 techniques · 38% have ≥1 framework

ATT&CK Matrix — coloured by compliance coverage

250 top-level ATT&CK Enterprise techniques across 14 tactics. Heat = distinct frameworks that map to a technique via the cs-graph corroborator. Authored by Adam Lundqvist.

Compliance coverage legend (distinct frameworks per technique): 0, 1, 2-3, 4-5, 6+

Framework totals: ISO 27001 (202), DORA (186), CIS v8 (159), NIS2 (140), GDPR (88), OWASP Top 10 (80), NIST CSF (80), OWASP LLM Top 10 (68), PCI DSS v4 (68), OWASP API Top 10 (67), EU AI Act (59), iso27701 (37), EU CRA (26), tiber_eu (24)

TA0001 Initial Access · 10 techniques

T1078
Valid Accounts
4
T1190
Exploit Public-Facing Application
T1133
External Remote Services
T1566
Phishing
4
T1195
Supply Chain Compromise
3
T1189
Drive-by Compromise
T1091
Replication Through Removable Media
T1199
Trusted Relationship
T1200
Hardware Additions
T1659
Content Injection

TA0002 Execution · 14 techniques

T1059
Command and Scripting Interpreter
9
T1053
Scheduled Task/Job
7
T1047
Windows Management Instrumentation
T1203
Exploitation for Client Execution
T1072
Software Deployment Tools
T1106
Native API
T1129
Shared Modules
T1204
User Execution
3
T1559
Inter-Process Communication
3
T1569
System Services
2
T1609
Container Administration Command
T1610
Deploy Container
T1648
Serverless Execution
T1651
Cloud Administration Command

TA0003 Persistence · 22 techniques

T1078
Valid Accounts
4
T1547
Boot or Logon Autostart Execution
15
T1133
External Remote Services
T1098
Account Manipulation
6
T1053
Scheduled Task/Job
7
T1136
Create Account
3
T1037
Boot or Logon Initialization Scripts
5
T1543
Create or Modify System Process
4
T1574
Hijack Execution Flow
12
T1137
Office Application Startup
6
T1176
Browser Extensions
T1197
BITS Jobs
T1205
Traffic Signaling
2
T1504
PowerShell Profile
T1505
Server Software Component
5
T1519
Emond
T1525
Implant Internal Image
T1542
Pre-OS Boot
5
T1546
Event Triggered Execution
16
T1554
Compromise Client Software Binary
T1556
Modify Authentication Process
8
T1653
Power Settings

TA0004 Privilege Escalation · 18 techniques

T1068
Exploitation for Privilege Escalation
T1078
Valid Accounts
4
T1547
Boot or Logon Autostart Execution
15
T1055
Process Injection
12
T1098
Account Manipulation
6
T1053
Scheduled Task/Job
7
T1037
Boot or Logon Initialization Scripts
5
T1543
Create or Modify System Process
4
T1574
Hijack Execution Flow
12
T1134
Access Token Manipulation
5
T1484
Domain Policy Modification
2
T1502
Parent PID Spoofing
T1504
PowerShell Profile
T1514
Elevated Execution with Prompt
T1519
Emond
T1546
Event Triggered Execution
16
T1548
Abuse Elevation Control Mechanism
5
T1611
Escape to Host

TA0005 Defense Evasion · 47 techniques

T1078
Valid Accounts
4
T1027
Obfuscated Files or Information
12
T1055
Process Injection
12
T1036
Masquerading
9
T1070
Indicator Removal
9
T1562
Impair Defenses
11
T1014
Rootkit
T1218
System Binary Proxy Execution
13
T1535
Unused/Unsupported Cloud Regions
T1574
Hijack Execution Flow
12
T1006
Direct Volume Access
T1112
Modify Registry
T1127
Trusted Developer Utilities Proxy Execution
1
T1134
Access Token Manipulation
5
T1140
Deobfuscate/Decode Files or Information
T1197
BITS Jobs
T1202
Indirect Command Execution
T1205
Traffic Signaling
2
T1207
Rogue Domain Controller
T1211
Exploitation for Defense Evasion
T1216
System Script Proxy Execution
1
T1220
XSL Script Processing
T1221
Template Injection
T1222
File and Directory Permissions Modification
2
T1480
Execution Guardrails
1
T1484
Domain Policy Modification
2
T1497
Virtualization/Sandbox Evasion
3
T1502
Parent PID Spoofing
T1506
Web Session Cookie
T1527
Application Access Token
T1536
Revert Cloud Instance
T1542
Pre-OS Boot
5
T1548
Abuse Elevation Control Mechanism
5
T1550
Use Alternate Authentication Material
4
T1553
Subvert Trust Controls
6
T1556
Modify Authentication Process
8
T1564
Hide Artifacts
11
T1578
Modify Cloud Compute Infrastructure
5
T1599
Network Boundary Bridging
1
T1600
Weaken Encryption
2
T1601
Modify System Image
2
T1610
Deploy Container
T1612
Build Image on Host
T1620
Reflective Code Loading
T1622
Debugger Evasion
T1647
Plist File Modification
T1656
Impersonation

TA0006 Credential Access · 20 techniques

T1003
OS Credential Dumping
8
T1552
Unsecured Credentials
8
T1056
Input Capture
4
T1110
Brute Force
4
T1040
Network Sniffing
T1555
Credentials from Password Stores
6
T1528
Steal Application Access Token
T1539
Steal Web Session Cookie
T1111
Multi-Factor Authentication Interception
T1167
Securityd Memory
T1187
Forced Authentication
T1212
Exploitation for Credential Access
T1503
Credentials from Web Browsers
T1522
Cloud Instance Metadata API
T1556
Modify Authentication Process
8
T1557
Adversary-in-the-Middle
3
T1558
Steal or Forge Kerberos Tickets
4
T1606
Forge Web Credentials
2
T1621
Multi-Factor Authentication Request Generation
T1649
Steal or Forge Authentication Certificates

TA0007 Discovery · 32 techniques

T1083
File and Directory Discovery
T1087
Account Discovery
4
T1018
Remote System Discovery
T1046
Network Service Discovery
T1012
Query Registry
T1049
System Network Connections Discovery
T1082
System Information Discovery
T1016
System Network Configuration Discovery
2
T1033
System Owner/User Discovery
T1040
Network Sniffing
T1007
System Service Discovery
T1057
Process Discovery
T1069
Permission Groups Discovery
3
T1135
Network Share Discovery
T1526
Cloud Service Discovery
T1010
Application Window Discovery
T1120
Peripheral Device Discovery
T1124
System Time Discovery
T1201
Password Policy Discovery
T1217
Browser Information Discovery
T1482
Domain Trust Discovery
T1497
Virtualization/Sandbox Evasion
3
T1518
Software Discovery
1
T1538
Cloud Service Dashboard
T1580
Cloud Infrastructure Discovery
T1613
Container and Resource Discovery
T1614
System Location Discovery
1
T1615
Group Policy Discovery
T1619
Cloud Storage Object Discovery
T1622
Debugger Evasion
T1652
Device Driver Discovery
T1654
Log Enumeration

TA0008 Lateral Movement · 11 techniques

T1021
Remote Services
8
T1210
Exploitation of Remote Services
T1072
Software Deployment Tools
T1080
Taint Shared Content
T1091
Replication Through Removable Media
T1506
Web Session Cookie
T1527
Application Access Token
T1534
Internal Spearphishing
T1550
Use Alternate Authentication Material
4
T1563
Remote Service Session Hijacking
2
T1570
Lateral Tool Transfer

TA0009 Collection · 17 techniques

T1005
Data from Local System
T1039
Data from Network Shared Drive
T1530
Data from Cloud Storage
T1056
Input Capture
4
T1119
Automated Collection
T1074
Data Staged
2
T1025
Data from Removable Media
T1114
Email Collection
3
T1560
Archive Collected Data
3
T1113
Screen Capture
T1115
Clipboard Data
T1123
Audio Capture
T1125
Video Capture
T1185
Browser Session Hijacking
T1213
Data from Information Repositories
3
T1557
Adversary-in-the-Middle
3
T1602
Data from Configuration Repository
2

TA0010 Exfiltration · 9 techniques

T1041
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
3
T1567
Exfiltration Over Web Service
4
T1020
Automated Exfiltration
1
T1011
Exfiltration Over Other Network Medium
1
T1537
Transfer Data to Cloud Account
T1029
Scheduled Transfer
T1030
Data Transfer Size Limits
T1052
Exfiltration Over Physical Medium
1

TA0011 Command and Control · 17 techniques

T1071
Application Layer Protocol
4
T1090
Proxy
4
T1572
Protocol Tunneling
T1105
Ingress Tool Transfer
T1001
Data Obfuscation
3
T1008
Fallback Channels
T1092
Communication Through Removable Media
T1095
Non-Application Layer Protocol
T1102
Web Service
3
T1104
Multi-Stage Channels
T1132
Data Encoding
2
T1205
Traffic Signaling
2
T1219
Remote Access Software
T1568
Dynamic Resolution
3
T1571
Non-Standard Port
T1573
Encrypted Channel
2
T1659
Content Injection

TA0040 Impact · 15 techniques

T1485
Data Destruction
T1486
Data Encrypted for Impact
T1490
Inhibit System Recovery
T1499
Endpoint Denial of Service
4
T1498
Network Denial of Service
2
T1529
System Shutdown/Reboot
T1531
Account Access Removal
T1491
Defacement
2
T1561
Disk Wipe
2
T1487
Disk Structure Wipe
T1489
Service Stop
T1495
Firmware Corruption
T1496
Resource Hijacking
T1565
Data Manipulation
3
T1657
Financial Theft

TA0042 Resource Development · 8 techniques

T1583
Acquire Infrastructure
8
T1584
Compromise Infrastructure
7
T1585
Establish Accounts
3
T1586
Compromise Accounts
3
T1587
Develop Capabilities
4
T1588
Obtain Capabilities
6
T1608
Stage Capabilities
6
T1650
Acquire Access

TA0043 Reconnaissance · 10 techniques

T1592
Gather Victim Host Information
4
T1589
Gather Victim Identity Information
3
T1590
Gather Victim Network Information
6
T1591
Gather Victim Org Information
4
T1593
Search Open Websites/Domains
3
T1594
Search Victim-Owned Websites
T1595
Active Scanning
3
T1596
Search Open Technical Databases
5
T1597
Search Closed Sources
2
T1598
Phishing for Information
4

Sourced from MITRE ATT&CK Enterprise (current release). Compliance coverage derived from compliance_tests_technique edges in the cs-graph corroborator. Curated by Adam Lundqvist, Founder at SQUR.