MITRE ATT&CK Techniques
319 unique techniques observed across 1374 group attributions. Within each tactic, techniques are sorted by the number of groups that use them.
TA0001 Initial Access (20 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1078 | Valid Accounts | 27 groups |
| T1190 | Exploit Public-Facing Application | 25 groups |
| T1566 | Phishing | 14 groups |
| T1566.001 | Phishing: Spearphishing Attachment | 14 groups |
| T1133 | External Remote Services | 8 groups |
| T1566.003 | Phishing: Spearphishing Voice (Vishing) | 5 groups |
| T1189 | Drive-by Compromise | 4 groups |
| T1078.002 | Valid Accounts: Domain Accounts | 3 groups |
| T1566.002 | Phishing: Spearphishing Link | 3 groups |
| T1078.003 | Valid Accounts: Local Accounts | 2 groups |
| T1091 | Replication Through Removable Media | 2 groups |
| T1199 | Trusted Relationship | 2 groups |
| T1021.001 | Remote Services: Remote Desktop Protocol | 1 group |
| T1078.004 | Valid Accounts: Cloud Accounts | 1 group |
| T1110 | Brute Force | 1 group |
| T1195 | Supply Chain Compromise | 1 group |
| T1210 | Exploitation of Remote Services | 1 group |
| T1548.002 | Abusing Elevation Control Mechanism: Bypass User Account Control | 1 group |
| T1552.004 | Unsecured Credentials: Private Keys | 1 group |
| T1566.004 | Phishing: Spearphishing Voice | 1 group |
TA0002 Execution (22 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | 26 groups |
| T1059 | Command and Scripting Interpreter | 16 groups |
| T1047 | Windows Management Instrumentation | 13 groups |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 12 groups |
| T1204.002 | User Execution | 10 groups |
| T1106 | Native API | 9 groups |
| T1053.005 | Scheduled Task/Job: Scheduled Task | 6 groups |
| T1129 | Shared Modules | 6 groups |
| T1203 | Exploitation for Client Execution | 6 groups |
| T1569.002 | System Services: Service Execution | 5 groups |
| T1072 | Windows Management Instrumentation | 4 groups |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | 3 groups |
| T1204 | User Execution | 3 groups |
| T1053 | Scheduled Task/Job | 2 groups |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | 2 groups |
| T1059.006 | Command and Scripting Interpreter: Python | 2 groups |
| T1204.001 | User Execution: Malicious Link | 2 groups |
| T1059.002 | System Services: Service Execution | 1 group |
| T1064 | Scripting | 1 group |
| T1204.004 | User Execution: Malicious Copy and Paste | 1 group |
| T1218.007 | Signed Binary Proxy Execution: Msiexec | 1 group |
| T1569 | System Services | 1 group |
TA0003 Persistence (22 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 14 groups |
| T1547 | Server Software Component | 9 groups |
| T1543.003 | Create or Modify System Process: Windows Service | 8 groups |
| T1136 | Create Account | 7 groups |
| T1053 | Scheduled Task/Job | 6 groups |
| T1098 | Account Manipulation | 5 groups |
| T1053.005 | Scheduled Task/Job: Scheduled Task | 4 groups |
| T1078 | Valid Accounts | 3 groups |
| T1136.001 | Create Account: Local Account | 3 groups |
| T1136.002 | Create Account: Domain Account | 3 groups |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | 3 groups |
| T1505.004 | Server Software Component: IIS Components | 2 groups |
| T1542.003 | Pre-OS Boot: Bootkit | 2 groups |
| T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 2 groups |
| T1037 | Boot or Logon Initialization Scripts | 1 group |
| T1053.003 | Scheduled Task/Job: Cron | 1 group |
| T1098.003 | Account Manipulation: Additional Cloud Credentials | 1 group |
| T1098.004 | Account Manipulation: SSH Authorized Keys | 1 group |
| T1133 | External Remote Services | 1 group |
| T1505.003 | Server Software Component: Web Shell | 1 group |
| T1543 | Create or Modify System Process | 1 group |
| T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 1 group |
TA0004 Privilege Escalation (23 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | 12 groups |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 6 groups |
| T1078 | Valid Accounts | 3 groups |
| T1078.002 | Valid Accounts: Domain Accounts | 3 groups |
| T1134.002 | Access Token Manipulation: Create Process with Token | 3 groups |
| T1134.004 | Parent PID Spoofing | 2 groups |
| T1484.001 | Domain Policy Modification: Group Policy Modification | 2 groups |
| T1543 | Create or Modify System Process | 2 groups |
| T1543.003 | Create or Modify System Process: Windows Service | 2 groups |
| T1547.001 | Registry Run Keys | 2 groups |
| T1053 | Scheduled Task/Job | 1 group |
| T1055 | Process Injection | 1 group |
| T1055.003 | Thread Execution Hijacking | 1 group |
| T1134 | Access Token Manipulation | 1 group |
| T1134.001 | Token Impersonation/Theft | 1 group |
| T1136 | Create Account: Cloud Account | 1 group |
| T1187 | Forced Authentication | 1 group |
| T1547 | Boot or Logon Autostart Execution | 1 group |
| T1548 | Abuse Elevation Control Mechanism | 1 group |
| T1557 | Adversary-in-the-Middle | 1 group |
| T1574 | Hijack Execution Flow | 1 group |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | 1 group |
| TA0004 | Privilege Escalation | 1 group |
TA0005 Defense Evasion (75 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1562.001 | Impair Defenses: Disable or Modify Tools | 33 groups |
| T1027 | Obfuscated Files or Information | 24 groups |
| T1036 | Masquerading | 12 groups |
| T1070 | Indicator Removal | 11 groups |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | 11 groups |
| T1070.004 | Indicator Removal: File Deletion | 9 groups |
| T1112 | Modify Registry | 8 groups |
| T1140 | Deobfuscate/Decode Files or Information | 8 groups |
| T1027.002 | Software Packing | 6 groups |
| T1497 | Virtualization/Sandbox Evasion | 6 groups |
| T1562 | Impair Defenses | 6 groups |
| T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 5 groups |
| T1036.005 | Masquerading: Match Legitimate Name or Location | 5 groups |
| T1055 | Process Injection | 5 groups |
| T1218 | System Binary Proxy Execution | 5 groups |
| T1564 | Hide Artifacts | 5 groups |
| T1027.009 | Embedded Payloads | 4 groups |
| T1055.001 | Process Injection: DLL Injection | 4 groups |
| T1202 | Indirect Command Execution | 4 groups |
| T1218.011 | Signed Binary Proxy Execution: Rundll32 | 4 groups |
| T1480 | Execution Guardrails | 4 groups |
| T1484.001 | Domain Policy Modification: Group Policy Modification | 4 groups |
| T1497.001 | Virtualization/Sandbox Evasion: System Checks | 4 groups |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | 4 groups |
| T1620 | Reflective DLL Injection | 4 groups |
| T1622 | Debugger Evasion | 4 groups |
| T1027.005 | Indicator Removal from Tools | 3 groups |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | 3 groups |
| T1070.006 | Indicator Removal: Timestomp | 3 groups |
| T1218.005 | System Binary Proxy Execution: Mshta | 3 groups |
| T1222 | File and Directory Permissions Modification | 3 groups |
| T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | 3 groups |
| T1553.002 | Subvert Trust Controls: Code Signing | 3 groups |
| T1564.001 | Hidden Files and Directories | 3 groups |
| T1564.003 | Hidden Window | 3 groups |
| T1014 | Rootkit | 2 groups |
| T1036.001 | Masquerading: Invalid Code Signature | 2 groups |
| T1036.003 | Masquerading: Rename Legitimate Utilities | 2 groups |
| T1036.004 | Masquerading: Masquerade Task or Service | 2 groups |
| T1036.008 | Masquerading: Masquerade File Type | 2 groups |
| T1070.003 | Indicator Removal: Clear Command History | 2 groups |
| T1218.010 | System Binary Proxy Execution: Regsvr32 | 2 groups |
| T1220 | XSL Script Processing | 2 groups |
| T1221 | Template Injection | 2 groups |
| T1548 | Abuse Elevation Control Mechanism | 2 groups |
| T1574.013 | Hijack Execution Flow: KernelCallbackTable | 2 groups |
| T1021.001 | Remote Services: Remote Desktop Protocol | 1 group |
| T1027.006 | Obfuscated Files or Information: HTML Smuggling | 1 group |
| T1027.011 | Obfuscated Files or Information: Fileless Storage | 1 group |
| T1027.016 | Obfuscated Files or Information: Junk Code Insertion | 1 group |
| T1036.007 | Masquerading: Double File Extension | 1 group |
| T1055.003 | Thread Execution Hijacking | 1 group |
| T1055.012 | Process Injection: Process Hollowing | 1 group |
| T1064 | Scripting | 1 group |
| T1068 | Exploitation for Privilege Escalation | 1 group |
| T1078.002 | Domain Accounts | 1 group |
| T1078.003 | Valid Accounts: Local Accounts | 1 group |
| T1090 | Proxy | 1 group |
| T1119 | Automated Collection | 1 group |
| T1134 | Access Token Manipulation | 1 group |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 1 group |
| T1134.004 | Access Token Manipulation: Parent PID Spoofing | 1 group |
| T1211 | Exploitation for Defense Evasion | 1 group |
| T1218.004 | System Binary Proxy Execution: InstallUtil | 1 group |
| T1218.007 | System Binary Proxy Execution: Msiexec | 1 group |
| T1218.014 | System Binary Proxy Execution: MMC | 1 group |
| T1222.001 | File and Directory Permissions Modification: Windows Permissions | 1 group |
| T1484 | Domain or Tenant Policy Modification | 1 group |
| T1531 | Account Access Removal | 1 group |
| T1550.001 | Use Alternate Authentication Material: Application Access Token | 1 group |
| T1562.009 | Safe Mode Boot | 1 group |
| T1564.004 | NTFS File Attributes | 1 group |
| T1574 | Hijack Execution Flow | 1 group |
| T1672 | Email Spoofing | 1 group |
| T1678 | Delay Execution | 1 group |
TA0006 Credential Access (19 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | 17 groups |
| T1003 | OS Credential Dumping | 13 groups |
| T1003.003 | OS Credential Dumping: NTDS | 6 groups |
| T1110 | Brute Force | 5 groups |
| T1552 | Unsecured Credentials | 5 groups |
| T1056 | Input Capture | 4 groups |
| T1555 | Credentials from Password Stores | 4 groups |
| T1056.001 | Input Capture: Keylogging | 3 groups |
| T1110.003 | Brute Force: Password Spraying | 3 groups |
| T1555.003 | Credentials from Web Browsers | 3 groups |
| T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning | 2 groups |
| T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow | 1 group |
| T1021.002 | Remote Services: External Remote Services | 1 group |
| T1040 | Network Sniffing | 1 group |
| T1110.002 | Brute Force: Password Cracking | 1 group |
| T1212 | Exploitation for Credential Access | 1 group |
| T1539 | Steal Web Session Cookie | 1 group |
| T1552.001 | Unsecured Credentials: Credentials In Files | 1 group |
| T1555.005 | Credentials from Password Stores: Password Managers | 1 group |
TA0007 Discovery (31 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1083 | File and Directory Discovery | 23 groups |
| T1082 | System Information Discovery | 19 groups |
| T1046 | Network Service Discovery | 16 groups |
| T1057 | Process Discovery | 14 groups |
| T1135 | Network Share Discovery | 14 groups |
| T1018 | Remote System Discovery | 13 groups |
| T1087.002 | Account Discovery: Domain Account | 8 groups |
| T1482 | Domain Trust Discovery | 7 groups |
| T1012 | Query Registry | 6 groups |
| T1518.001 | Security Software Discovery | 6 groups |
| T1007 | System Service Discovery | 5 groups |
| T1087 | Account Discovery | 5 groups |
| T1010 | Application Window Discovery | 4 groups |
| T1016 | System Network Configuration Discovery | 4 groups |
| T1033 | System Owner/User Discovery | 4 groups |
| T1614.001 | System Location Discovery: System Language Discovery | 4 groups |
| T1049 | System Network Connections Discovery | 3 groups |
| T1120 | Peripheral Device Discovery | 3 groups |
| T1124 | Time Discovery | 3 groups |
| T1497 | Virtualization/Sandbox Evasion | 3 groups |
| T1614 | System Location Discovery | 3 groups |
| T1016.001 | Network Configuration Discovery: Network Connection Enumeration | 2 groups |
| T1087.001 | Account Discovery: Local Account | 2 groups |
| T1518 | Software Discovery | 2 groups |
| T1526 | Cloud Service Discovery | 2 groups |
| T1063 | Security Software Discovery | 1 group |
| T1069 | Permission Groups Discovery | 1 group |
| T1119 | Automated Collection | 1 group |
| T1538 | Cloud Service Dashboard | 1 group |
| T1615 | Group Policy Discovery | 1 group |
| TA0007 | Discovery | 1 group |
TA0008 Lateral Movement (14 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1021.001 | Remote Services: Remote Desktop Protocol | 24 groups |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | 21 groups |
| T1570 | Lateral Tool Transfer | 8 groups |
| T1021 | Remote Services | 7 groups |
| T1021.004 | Remote Services: SSH | 6 groups |
| T1091 | Replication Through Removable Media | 2 groups |
| T1210 | Exploitation of Remote Services | 2 groups |
| T1534 | Internal Spearphishing | 2 groups |
| T1047 | Windows Management Instrumentation | 1 group |
| T1078.002 | Valid Accounts: Domain Accounts | 1 group |
| T1080 | Taint Shared Content | 1 group |
| T1333 | External Remote Services | 1 group |
| T1550.002 | Use Alternate Authentication Material: Pass the Hash | 1 group |
| T1563 | Remote Service Session Hijacking | 1 group |
TA0009 Collection (13 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1005 | Data from Local System | 12 groups |
| T1560.001 | Archive Collected Data: Archive via Utility | 9 groups |
| T1074 | Data Staged | 7 groups |
| T1560 | Archive Collected Data | 7 groups |
| T1119 | Automated Collection | 6 groups |
| T1056 | Input Capture | 3 groups |
| T1074.001 | Data Staged: Local Data Staging | 3 groups |
| T1114 | Email Collection | 3 groups |
| T1039 | Data from Network Shared Drive | 2 groups |
| T1213 | Data from Information Repositories | 2 groups |
| T1560.002 | Archive Collected Data: Archive via Library | 2 groups |
| T1560.003 | Archive Collected Data: Archive via Custom Method | 2 groups |
| T1602.002 | Network Device Configuration Dump | 1 group |
TA0010 Exfiltration (15 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 20 groups |
| T1041 | Exfiltration Over C2 Channel | 12 groups |
| T1567 | Exfiltration Over Web Service | 9 groups |
| T1048 | Exfiltration Over Alternative Protocol | 7 groups |
| T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | 5 groups |
| T1020 | Automated Exfiltration; Exfiltration Over Web Service | 3 groups |
| T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 2 groups |
| T1537 | Transfer Data to Cloud Account | 2 groups |
| T1011 | Exfiltration Over Other Network Medium | 1 group |
| T1011.001 | Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth | 1 group |
| T1030 | Data Transfer Size Limits | 1 group |
| T1045 | Exfiltration Over C2 Channel | 1 group |
| T1048.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | 1 group |
| T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | 1 group |
| T1567.004 | Exfiltration Over Webhook | 1 group |
TA0011 Command and Control (24 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | 21 groups |
| T1219 | Remote Access Software | 11 groups |
| T1071 | Application Layer Protocol | 8 groups |
| T1573 | Encrypted Channel | 5 groups |
| T1105 | Ingress Tool Transfer | 4 groups |
| T1090.003 | Multi-hop Proxy | 3 groups |
| T1102.002 | Web Service: Bidirectional Communication | 3 groups |
| T1572 | Protocol Tunneling | 3 groups |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | 3 groups |
| T1001.003 | Data Obfuscation: Protocol or Service Impersonation | 2 groups |
| T1008 | Fallback Channels | 2 groups |
| T1090 | Proxy | 2 groups |
| T1090.001 | Proxy: Internal Proxy | 2 groups |
| T1090.002 | Proxy: External Proxy | 2 groups |
| T1104 | Multi-Stage Channels | 2 groups |
| T1132.001 | Data Encoding: Standard Encoding | 2 groups |
| T1571 | Non-Standard Port | 2 groups |
| T1001 | Data Obfuscation | 1 group |
| T1001.001 | Data Obfuscation: Junk Data | 1 group |
| T1071.004 | Application Layer Protocol: DNS | 1 group |
| T1095 | Non-Application Layer Protocol | 1 group |
| T1102 | Web Service | 1 group |
| T1219.002 | Remote Access Software: Remote Desktop Software | 1 group |
| T1229 | Remote Access Software | 1 group |
TA0040 Impact (13 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1486 | Data Encrypted for Impact | 46 groups |
| T1490 | Inhibit System Recovery | 35 groups |
| T1489 | Service Stop | 17 groups |
| T1485 | Data Destruction | 7 groups |
| T1529 | System Shutdown/Reboot | 4 groups |
| T1561.001 | Disk Wipe: Disk Content Wipe | 4 groups |
| T1491 | Defacement | 2 groups |
| T1491.001 | Defacement: Internal Defacement | 2 groups |
| T1561 | Disk Wipe | 2 groups |
| T1561.002 | Disk Wipe: Disk Structure Wipe | 2 groups |
| T1657 | Financial Theft | 2 groups |
| T1498 | Network Denial of Service | 1 group |
| T1531 | Account Access Removal | 1 group |
TA0042 Resource Development (19 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1587.001 | Develop Capabilities: Malware | 4 groups |
| T1588.002 | Obtain Capabilities: Tool | 4 groups |
| T1583.001 | Acquire Infrastructure: Domains | 2 groups |
| T1583.004 | Acquire Infrastructure: Server | 2 groups |
| T1583.006 | Acquire Infrastructure: Web Services | 2 groups |
| T1584.001 | Compromise Infrastructure: Domains | 2 groups |
| T1584.004 | Compromise Infrastructure: Server | 2 groups |
| T1585.001 | Establish Accounts: Social Media Accounts | 2 groups |
| T1585.002 | Establish Accounts: Email Accounts | 2 groups |
| T1587 | Develop Capabilities | 2 groups |
| T1587.002 | Develop Capabilities: Code Signing Certificates | 2 groups |
| T1588.003 | Obtain Capabilities: Code Signing Certificates | 2 groups |
| T1588.004 | Obtain Capabilities: Digital Certificates | 2 groups |
| T1608.001 | Stage Capabilities: Upload Malware | 2 groups |
| T1608.002 | Stage Capabilities: Upload Tool | 2 groups |
| T1538.008 | Malvertising | 1 group |
| T1583 | Acquire Infrastructure | 1 group |
| T1586 | Compromise Accounts | 1 group |
| T1650 | Acquire Access | 1 group |
TA0043 Reconnaissance (8 techniques)
| Technique | Name | Used by |
|---|---|---|
| T1589.002 | Gather Victim Identity Information: Email Addresses | 2 groups |
| T1591 | Gather Victim Org Information | 2 groups |
| T1591.004 | Gather Victim Org Information: Identify Roles | 2 groups |
| T1593.001 | Search Open Websites/Domains: Social Media | 2 groups |
| T1595 | Active Scanning | 2 groups |
| T1590.004 | Gather Victim Network Information: Network Topology | 1 group |
| T1598 | Phishing for Information | 1 group |
| T1598.002 | Phishing for Information: Spearphishing Attachment | 1 group |
TA0112 Defense Impairment (1 technique)
| Technique | Name | Used by |
|---|---|---|
| T1685 | Disable or Modify Tools | 1 group |