MITRE ATT&CK Enterprise Tactics

A Quick Reference for the 14 Core Adversary Playbooks

Initial Access

TA0001

Gaining an initial foothold within a network.

Phishing
Exploit Public-Facing App
Drive-by Compromise
Supply Chain Compromise

Execution

TA0002

Running adversary-controlled code on a system.

Command Line Interface
PowerShell
Windows Management
Scheduled Tasks

Persistence

TA0003

Maintaining access across restarts and interruptions.

Registry Run Keys
Scheduled Tasks
Web Shell
Account Manipulation

Privilege Escalation

TA0004

Gaining higher-level permissions on a system.

Process Injection
Access Token Manipulation
Bypass User Account Control
DLL Side-Loading

Defense Evasion

TA0005

Avoiding detection by security software and analysts.

Process Injection
Masquerading
Code Signing
Disable Security Tools

Credential Access

TA0006

Stealing credentials like account names and passwords.

Credential Dumping
Input Capture
Network Sniffing
Brute Force

Discovery

TA0007

Gaining knowledge about the internal network and systems.

System Information Discovery
Network Service Scanning
Account Discovery
Remote System Discovery

Lateral Movement

TA0008

Pivoting through the environment to control remote systems.

Remote Desktop Protocol
Windows Admin Shares
Pass the Hash
SSH

Collection

TA0009

Gathering sensitive information prior to exfiltration.

Data from Local System
Screen Capture
Clipboard Data
Email Collection

Exfiltration

TA0010

Stealing data from the compromised network.

Data Compressed
Exfiltration Over C2
Data Encrypted
Automated Exfiltration

Command and Control

TA0011

Communicating with compromised systems.

Standard Application Layer
Uncommonly Used Port
Web Service
Domain Fronting

Impact

TA0040

Manipulating, interrupting, or destroying systems and data.

Data Destruction
Service Stop
Resource Hijacking
Data Encrypted for Impact

Resource Development

TA0042

Establishing resources to support operations.

Acquire Infrastructure
Develop Capabilities
Obtain Capabilities
Stage Capabilities

Reconnaissance

TA0043

Gathering information to plan future operations.

Active Scanning
Gather Victim Network Info
Search Open Websites
Phishing for Information