TTPs & Attack Vectors
Tactics, techniques, procedures, and vulnerability exploitation intelligence
156 techniques across 9 tactics · all groups · cell = group count, color = intensity (log scale)
T1003.001 LSASS Memory
T1053.005 Scheduled Task
T1003 OS Credential Dumping
T1027 Obfuscated Files or Information
T1003 OS Credential Dumping
T1007 System Service Discovery
T1005 Data from Local System
T1005 Data from Local System
— Linux / ESXi Variants
T1005.002 User Execution
T1071 Application Layer Protocol
T1055 Process Injection
T1027.002 Software Packing
T1003.001 LSASS Memory
T1010 Application Window Discovery
T1021 Remote Services
T1056 Input Capture
— Data Theft / Double Extortion
T1027 Obfuscated Files or Information
T1078 Valid Accounts
T1055.003 Thread Execution Hijacking
T1027.005 Indicator Removal from Tools
T1056 Input Capture
T1012 Query Registry
T1021.001 Remote Desktop Protocol
T1071 Application Layer Protocol
T1485 Data Destruction
T1036 Masquerading
T1098 Account Manipulation
T1068 Exploitation for Privilege Escalation
T1027.009 Embedded Payloads
T1110 Brute Force
T1016 System Network Configuration Discovery
T1021.002 SMB/Windows Admin Shares
T1074 Data Staged
T1486 Data Encrypted for Impact
T1047 Windows Management Instrumentation
T1098.003 Additional Cloud Roles
T1078 Valid Accounts
T1036 Masquerading
T1555.003 Credentials from Web Browsers
T1018 Remote System Discovery
T1021.004 SSH
T1105 Ingress Tool Transfer
T1489 Service Stop
T1053 Scheduled Task/Job
T1112 Modify Registry
T1134.001 Token Impersonation/Theft
T1036.005 Match Legitimate Resource Name or Location
T1555 Credentials from Password Stores
T1046 Network Service Discovery
T1039 Data from Network Shared Drive
T1119 Automated Collection
T1490 Inhibit System Recovery
T1053.005 Scheduled Task
T1136 Create Account
T1484.001 Group Policy Modification
T1055.001 Dynamic-link Library Injection
T1558 Steal or Forge Kerberos Tickets
T1049 System Network Connections Discovery
T1074 Data Staged
T1213 Data from Information Repositories
T1491.001 Internal Defacement
T1059 Command and Scripting Interpreter
T1136.001 Local Account
T1543.003 Windows Service
T1055.003 Thread Execution Hijacking
T1558.003 Kerberoasting
T1057 Process Discovery
T1080 Taint Shared Content
T1219 Remote Access Tools
T1498 Network Denial of Service
T1059.001 PowerShell
T1136.002 Domain Account
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection
T1063 Security Software Discovery
T1091 Replication Through Removable Media
T1560 Archive Collected Data
T1657 Financial Theft
T1059.003 Windows Command Shell
T1543.002 Systemd Service
T1547 Boot or Logon Autostart Execution
T1064 Scripting
T1069.001 Local Groups
T1570 Lateral Tool Transfer
T1560.001 Archive via Utility
T1059.004 Unix Shell
T1543.003 Windows Service
T1548 Abuse Elevation Control Mechanism
T1070 Indicator Removal
T1082 System Information Discovery
T1572 Protocol Tunneling
T1059.006 Python
T1547 Boot or Logon Autostart Execution
T1548.002 Bypass User Account Control
T1070.001 Clear Windows Event Logs
T1083 File and Directory Discovery
T1573 Encrypted Channel
T1064 Scripting
T1547.001 Registry Run Keys / Startup Folder
T1558.003 Kerberoasting
T1070.004 File Deletion
T1087 Account Discovery
T1070.001 Clear Windows Event Logs
T1574.001 DLL
T1574 Hijack Execution Flow
T1089 Disabling Security Tools
T1087.001 Local Account
T1072 Software Deployment Tools
T1574.001 DLL
T1112 Modify Registry
T1087.002 Domain Account
T1105 Ingress Tool Transfer
T1140 Deobfuscate/Decode Files or Information
T1120 Peripheral Device Discovery
T1106 Native API
T1202 Indirect Command Execution
T1135 Network Share Discovery
T1112 Modify Registry
T1218 System Binary Proxy Execution
T1482 Domain Trust Discovery
T1129 Shared Modules
T1218.010 Regsvr32
T1497 Virtualization/Sandbox Evasion
T1134.002 Create Process with Token
T1222 File and Directory Permissions Modification
T1518 Software Discovery
T1140 Deobfuscate/Decode Files or Information
T1480.001 Environmental Keying
T1538 Cloud Service Dashboard
T1204.002 Malicious File
T1484.001 Group Policy Modification
T1614 System Location Discovery
T1219 Remote Access Tools
T1497 Virtualization/Sandbox Evasion
T1614.001 System Language Discovery
T1497 Virtualization/Sandbox Evasion
T1550.001 Application Access Token
T1615 Group Policy Discovery
T1547 Boot or Logon Autostart Execution
T1562 Impair Defenses
T1548.002 Bypass User Account Control
T1562.001 Disable or Modify Tools
T1552 Unsecured Credentials
T1562.002 Disable Windows Event Logging
T1555 Credentials from Password Stores
T1562.004 Disable or Modify System Firewall
T1562.001 Disable or Modify Tools
T1562.009 Safe Mode Boot
T1569.002 Service Execution
T1564 Hide Artifacts
T1564.003 Hidden Window
T1564.004 NTFS File Attributes
T1620 Reflective Code Loading
T1622 Debugger Evasion