windows-matrix.md

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
Compromise Hardware Supply Chain CONTRIBUTE A TEST	At (Windows)	Accessibility Features	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	ARP Cache Poisoning CONTRIBUTE A TEST	Account Discovery CONTRIBUTE A TEST	Component Object Model and Distributed COM CONTRIBUTE A TEST	ARP Cache Poisoning CONTRIBUTE A TEST	Automated Exfiltration	Application Layer Protocol CONTRIBUTE A TEST	Account Access Removal
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Command and Scripting Interpreter CONTRIBUTE A TEST	Account Manipulation	Access Token Manipulation CONTRIBUTE A TEST	Access Token Manipulation CONTRIBUTE A TEST	AS-REP Roasting CONTRIBUTE A TEST	Application Window Discovery	Distributed Component Object Model	Archive Collected Data	Data Transfer Size Limits CONTRIBUTE A TEST	Asymmetric Cryptography CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Component Object Model CONTRIBUTE A TEST	Active Setup CONTRIBUTE A TEST	Accessibility Features	Asynchronous Procedure Call	Brute Force CONTRIBUTE A TEST	Browser Bookmark Discovery	Exploitation of Remote Services CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol CONTRIBUTE A TEST	Bidirectional Communication CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Default Accounts	Component Object Model and Distributed COM CONTRIBUTE A TEST	Add-ins CONTRIBUTE A TEST	Active Setup CONTRIBUTE A TEST	BITS Jobs	Cached Domain Credentials CONTRIBUTE A TEST	Domain Account	Internal Spearphishing CONTRIBUTE A TEST	Archive via Library CONTRIBUTE A TEST	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Commonly Used Port CONTRIBUTE A TEST	Data Destruction
Domain Accounts CONTRIBUTE A TEST	Dynamic Data Exchange	AppCert DLLs CONTRIBUTE A TEST	AppCert DLLs CONTRIBUTE A TEST	Binary Padding CONTRIBUTE A TEST	Credential API Hooking	Domain Groups	Lateral Tool Transfer CONTRIBUTE A TEST	Archive via Utility	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Data Encrypted for Impact CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST	Exploitation for Client Execution CONTRIBUTE A TEST	AppInit DLLs	AppInit DLLs	Bootkit CONTRIBUTE A TEST	Credential Stuffing CONTRIBUTE A TEST	Domain Trust Discovery	Pass the Hash	Audio Capture	Exfiltration Over C2 Channel CONTRIBUTE A TEST	DNS	Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Graphical User Interface CONTRIBUTE A TEST	Application Shimming	Application Shimming	Bypass User Account Control	Credentials In Files	Email Account CONTRIBUTE A TEST	Pass the Ticket	Automated Collection	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	DNS Calculation CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
External Remote Services	Inter-Process Communication CONTRIBUTE A TEST	At (Windows)	Asynchronous Procedure Call	CMSTP	Credentials from Password Stores	File and Directory Discovery	RDP Hijacking	Clipboard Data	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Data Encoding CONTRIBUTE A TEST	Direct Network Flood CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	JavaScript CONTRIBUTE A TEST	Authentication Package CONTRIBUTE A TEST	At (Windows)	COR_PROFILER	Credentials from Web Browsers	Internet Connection Discovery CONTRIBUTE A TEST	Remote Desktop Protocol	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Data Obfuscation CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Local Accounts	Malicious File	BITS Jobs	Authentication Package CONTRIBUTE A TEST	Clear Command History	Credentials in Registry	Local Account	Remote Service Session Hijacking CONTRIBUTE A TEST	Data Staged CONTRIBUTE A TEST	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Dead Drop Resolver CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	Malicious Link CONTRIBUTE A TEST	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Clear Windows Event Logs	DCSync	Local Groups	Remote Services CONTRIBUTE A TEST	Data from Information Repositories CONTRIBUTE A TEST	Exfiltration Over Web Service CONTRIBUTE A TEST	Domain Fronting CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST	Native API	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Code Signing CONTRIBUTE A TEST	Domain Controller Authentication CONTRIBUTE A TEST	Network Service Scanning	Replication Through Removable Media CONTRIBUTE A TEST	Data from Local System CONTRIBUTE A TEST	Exfiltration over USB CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing Attachment	PowerShell	Bootkit CONTRIBUTE A TEST	Bypass User Account Control	Code Signing Policy Modification CONTRIBUTE A TEST	Exploitation for Credential Access CONTRIBUTE A TEST	Network Share Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive CONTRIBUTE A TEST	Exfiltration to Cloud Storage CONTRIBUTE A TEST	Dynamic Resolution CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Python CONTRIBUTE A TEST	Browser Extensions	COR_PROFILER	Compile After Delivery	Forced Authentication CONTRIBUTE A TEST	Network Sniffing	Shared Webroot CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Encrypted Channel	Firmware Corruption CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST	Scheduled Task	COR_PROFILER	Change Default File Association	Compiled HTML File	Forge Web Credentials CONTRIBUTE A TEST	Password Policy Discovery	Software Deployment Tools CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Scheduled Transfer CONTRIBUTE A TEST	External Proxy CONTRIBUTE A TEST	Inhibit System Recovery
Supply Chain Compromise CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Change Default File Association	Component Object Model Hijacking CONTRIBUTE A TEST	Component Firmware CONTRIBUTE A TEST	GUI Input Capture	Peripheral Device Discovery	Taint Shared Content CONTRIBUTE A TEST	Email Forwarding Rule CONTRIBUTE A TEST		Fallback Channels CONTRIBUTE A TEST	Internal Defacement
Trusted Relationship CONTRIBUTE A TEST	Scripting CONTRIBUTE A TEST	Component Firmware CONTRIBUTE A TEST	Create Process with Token CONTRIBUTE A TEST	Control Panel	Golden Ticket	Permission Groups Discovery CONTRIBUTE A TEST	Use Alternate Authentication Material CONTRIBUTE A TEST	GUI Input Capture		Fast Flux DNS CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Service Execution	Component Object Model Hijacking CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Create Process with Token CONTRIBUTE A TEST	Group Policy Preferences	Process Discovery	VNC CONTRIBUTE A TEST	Input Capture CONTRIBUTE A TEST		File Transfer Protocols CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
	Shared Modules CONTRIBUTE A TEST	Compromise Client Software Binary CONTRIBUTE A TEST	DLL Search Order Hijacking	DLL Search Order Hijacking	Input Capture CONTRIBUTE A TEST	Query Registry	Windows Remote Management	Keylogging		Ingress Tool Transfer	Reflection Amplification CONTRIBUTE A TEST
	Software Deployment Tools CONTRIBUTE A TEST	Create Account CONTRIBUTE A TEST	DLL Side-Loading	DLL Side-Loading	Kerberoasting	Remote System Discovery		LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST		Internal Proxy	Resource Hijacking CONTRIBUTE A TEST
	System Services CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Default Accounts	Default Accounts	Keylogging	Security Software Discovery		Local Data Staging		Junk Data CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
	User Execution CONTRIBUTE A TEST	DLL Search Order Hijacking	Domain Accounts CONTRIBUTE A TEST	Deobfuscate/Decode Files or Information	LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST	Software Discovery		Local Email Collection		Mail Protocols CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
	Visual Basic	DLL Side-Loading	Domain Policy Modification CONTRIBUTE A TEST	Direct Volume Access	LSA Secrets	System Checks		Man in the Browser CONTRIBUTE A TEST		Multi-Stage Channels CONTRIBUTE A TEST	Service Stop
	Windows Command Shell	Default Accounts	Domain Trust Modification CONTRIBUTE A TEST	Disable Windows Event Logging	LSASS Memory	System Information Discovery		Man-in-the-Middle CONTRIBUTE A TEST		Multi-hop Proxy CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
	Windows Management Instrumentation	Domain Account	Dynamic-link Library Injection	Disable or Modify System Firewall	Man-in-the-Middle CONTRIBUTE A TEST	System Location Discovery CONTRIBUTE A TEST		Remote Data Staging CONTRIBUTE A TEST		Multiband Communication CONTRIBUTE A TEST	System Shutdown/Reboot
		Domain Accounts CONTRIBUTE A TEST	Escape to Host CONTRIBUTE A TEST	Disable or Modify Tools	Modify Authentication Process CONTRIBUTE A TEST	System Network Configuration Discovery		Remote Email Collection CONTRIBUTE A TEST		Non-Application Layer Protocol	Transmitted Data Manipulation CONTRIBUTE A TEST
		Domain Controller Authentication CONTRIBUTE A TEST	Event Triggered Execution CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	NTDS	System Network Connections Discovery		Screen Capture		Non-Standard Encoding CONTRIBUTE A TEST
		Event Triggered Execution CONTRIBUTE A TEST	Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Domain Controller Authentication CONTRIBUTE A TEST	Network Sniffing	System Owner/User Discovery		Sharepoint CONTRIBUTE A TEST		Non-Standard Port
		Exchange Email Delegate Permissions CONTRIBUTE A TEST	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Domain Policy Modification CONTRIBUTE A TEST	OS Credential Dumping	System Service Discovery		Video Capture CONTRIBUTE A TEST		One-Way Communication CONTRIBUTE A TEST
		Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Extra Window Memory Injection CONTRIBUTE A TEST	Domain Trust Modification CONTRIBUTE A TEST	Password Cracking	System Time Discovery		Web Portal Capture CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST
		External Remote Services	Group Policy Modification CONTRIBUTE A TEST	Dynamic-link Library Injection	Password Filter DLL	Time Based Evasion CONTRIBUTE A TEST				Protocol Impersonation CONTRIBUTE A TEST
		Hijack Execution Flow CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	Environmental Keying CONTRIBUTE A TEST	Password Guessing	User Activity Based Checks CONTRIBUTE A TEST				Protocol Tunneling CONTRIBUTE A TEST
		Hypervisor CONTRIBUTE A TEST	Image File Execution Options Injection	Executable Installer File Permissions Weakness CONTRIBUTE A TEST	Password Managers CONTRIBUTE A TEST	Virtualization/Sandbox Evasion CONTRIBUTE A TEST				Proxy CONTRIBUTE A TEST
		Image File Execution Options Injection	LSASS Driver CONTRIBUTE A TEST	Execution Guardrails CONTRIBUTE A TEST	Password Spraying					Remote Access Software
		LSASS Driver CONTRIBUTE A TEST	Local Accounts	Exploitation for Defense Evasion CONTRIBUTE A TEST	Private Keys					Standard Encoding CONTRIBUTE A TEST
		Local Account	Logon Script (Windows)	Extra Window Memory Injection CONTRIBUTE A TEST	SAML Tokens CONTRIBUTE A TEST					Steganography CONTRIBUTE A TEST
		Local Accounts	Make and Impersonate Token CONTRIBUTE A TEST	File Deletion	Security Account Manager					Symmetric Cryptography CONTRIBUTE A TEST
		Logon Script (Windows)	Netsh Helper DLL	File and Directory Permissions Modification CONTRIBUTE A TEST	Silver Ticket CONTRIBUTE A TEST					Traffic Signaling CONTRIBUTE A TEST
		Modify Authentication Process CONTRIBUTE A TEST	Network Logon Script CONTRIBUTE A TEST	Group Policy Modification CONTRIBUTE A TEST	Steal Web Session Cookie CONTRIBUTE A TEST					Web Protocols
		Netsh Helper DLL	Parent PID Spoofing	Hidden File System CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST					Web Service CONTRIBUTE A TEST
		Network Logon Script CONTRIBUTE A TEST	Path Interception CONTRIBUTE A TEST	Hidden Files and Directories	Two-Factor Authentication Interception CONTRIBUTE A TEST
		Office Application Startup	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Hidden Window	Unsecured Credentials CONTRIBUTE A TEST
		Office Template Macros CONTRIBUTE A TEST	Path Interception by Search Order Hijacking CONTRIBUTE A TEST	Hide Artifacts	Web Cookies CONTRIBUTE A TEST
		Office Test	Path Interception by Unquoted Path	Hijack Execution Flow CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST
		Outlook Forms CONTRIBUTE A TEST	Port Monitors	Impair Command History Logging CONTRIBUTE A TEST	Windows Credential Manager CONTRIBUTE A TEST
		Outlook Home Page	Portable Executable Injection CONTRIBUTE A TEST	Impair Defenses CONTRIBUTE A TEST
		Outlook Rules CONTRIBUTE A TEST	PowerShell Profile	Indicator Blocking CONTRIBUTE A TEST
		Password Filter DLL	Print Processors CONTRIBUTE A TEST	Indicator Removal from Tools CONTRIBUTE A TEST
		Path Interception CONTRIBUTE A TEST	Process Doppelgänging CONTRIBUTE A TEST	Indicator Removal on Host
		Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Process Hollowing	Indirect Command Execution
		Path Interception by Search Order Hijacking CONTRIBUTE A TEST	Process Injection	Install Root Certificate
		Path Interception by Unquoted Path	Registry Run Keys / Startup Folder	InstallUtil
		Port Knocking CONTRIBUTE A TEST	SID-History Injection CONTRIBUTE A TEST	Invalid Code Signature CONTRIBUTE A TEST
		Port Monitors	Scheduled Task	Local Accounts
		PowerShell Profile	Scheduled Task/Job CONTRIBUTE A TEST	MSBuild
		Pre-OS Boot CONTRIBUTE A TEST	Screensaver	Make and Impersonate Token CONTRIBUTE A TEST
		Print Processors CONTRIBUTE A TEST	Security Support Provider	Mark-of-the-Web Bypass
		Redundant Access CONTRIBUTE A TEST	Services File Permissions Weakness CONTRIBUTE A TEST	Masquerade Task or Service
		Registry Run Keys / Startup Folder	Services Registry Permissions Weakness	Masquerading
		SQL Stored Procedures CONTRIBUTE A TEST	Shortcut Modification	Match Legitimate Name or Location CONTRIBUTE A TEST
		Scheduled Task	Thread Execution Hijacking CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST
		Scheduled Task/Job CONTRIBUTE A TEST	Thread Local Storage CONTRIBUTE A TEST	Modify Registry
		Screensaver	Time Providers CONTRIBUTE A TEST	Mshta
		Security Support Provider	Token Impersonation/Theft	Msiexec
		Server Software Component CONTRIBUTE A TEST	Valid Accounts CONTRIBUTE A TEST	NTFS File Attributes
		Services File Permissions Weakness CONTRIBUTE A TEST	Windows Management Instrumentation Event Subscription	Network Share Connection Removal
		Services Registry Permissions Weakness	Windows Service	Obfuscated Files or Information
		Shortcut Modification	Winlogon Helper DLL	Odbcconf
		System Firmware CONTRIBUTE A TEST		Parent PID Spoofing
		Time Providers CONTRIBUTE A TEST		Pass the Hash
		Traffic Signaling CONTRIBUTE A TEST		Pass the Ticket
		Transport Agent		Password Filter DLL
		Valid Accounts CONTRIBUTE A TEST		Path Interception by PATH Environment Variable CONTRIBUTE A TEST
		Web Shell		Path Interception by Search Order Hijacking CONTRIBUTE A TEST
		Windows Management Instrumentation Event Subscription		Path Interception by Unquoted Path
		Windows Service		Port Knocking CONTRIBUTE A TEST
		Winlogon Helper DLL		Portable Executable Injection CONTRIBUTE A TEST
				Pre-OS Boot CONTRIBUTE A TEST
				Process Doppelgänging CONTRIBUTE A TEST
				Process Hollowing
				Process Injection
				PubPrn
				Redundant Access CONTRIBUTE A TEST
				Regsvcs/Regasm
				Regsvr32
				Rename System Utilities
				Right-to-Left Override CONTRIBUTE A TEST
				Rogue Domain Controller
				Rootkit
				Run Virtual Instance CONTRIBUTE A TEST
				Rundll32
				SID-History Injection CONTRIBUTE A TEST
				SIP and Trust Provider Hijacking CONTRIBUTE A TEST
				Scripting CONTRIBUTE A TEST
				Services File Permissions Weakness CONTRIBUTE A TEST
				Services Registry Permissions Weakness
				Signed Binary Proxy Execution
				Signed Script Proxy Execution
				Software Packing CONTRIBUTE A TEST
				Steganography CONTRIBUTE A TEST
				Subvert Trust Controls CONTRIBUTE A TEST
				System Checks
				System Firmware CONTRIBUTE A TEST
				Template Injection
				Thread Execution Hijacking CONTRIBUTE A TEST
				Thread Local Storage CONTRIBUTE A TEST
				Time Based Evasion CONTRIBUTE A TEST
				Timestomp
				Token Impersonation/Theft
				Traffic Signaling CONTRIBUTE A TEST
				Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
				Use Alternate Authentication Material CONTRIBUTE A TEST
				User Activity Based Checks CONTRIBUTE A TEST
				VBA Stomping CONTRIBUTE A TEST
				Valid Accounts CONTRIBUTE A TEST
				Verclsid CONTRIBUTE A TEST
				Virtualization/Sandbox Evasion CONTRIBUTE A TEST
				Windows File and Directory Permissions Modification
				XSL Script Processing