search
githubEdit

Attack Index

Quick reference to attack techniques organized by MITRE ATT&CK tactics and common vulnerability types.

hashtag
By MITRE ATT&CK Tactic

hashtag
Initial Access (TA0001)

Technique
Description
Related Section

Phishing

Spearphishing, credential harvesting

Social Engineering

Drive-by Compromise

Exploit via malicious website

XSS

Exploit Public-Facing App

Web app vulnerabilities

Web Attacks

External Remote Services

VPN, RDP exploitation

Ports

Valid Accounts

Credential reuse, default creds

Bruteforcing

Supply Chain Compromise

Package/dependency attacks

Supply Chain

hashtag
Execution (TA0002)

Technique
Description
Related Section

Command Injection

OS command execution

Command Injection

Scripting

PowerShell, Python, Bash

Reverse Shells

Exploitation for Client Execution

Browser/doc exploits

Buffer Overflow

User Execution

Social engineering execution

Social Engineering

hashtag
Persistence (TA0003)

Technique
Description
Related Section

Account Manipulation

Modify accounts/groups

AD Attacks

Boot/Logon Autostart

Registry run keys, startup

Windows Post-Exploitation

Scheduled Task/Job

Cron, Task Scheduler

Windows Post-Exploitation

Web Shell

Persistent web backdoor

Webshells

Create Account

Add backdoor accounts

Linux Post-Exploitation

hashtag
Privilege Escalation (TA0004)

Technique
Description
Related Section

Exploitation for Privilege Escalation

Kernel/service exploits

Privilege Escalation

Access Token Manipulation

Token impersonation

Windows Post-Exploitation

Sudo/SUID Abuse

Linux permission abuse

Linux Post-Exploitation

DLL Hijacking

Malicious DLL loading

Windows Post-Exploitation

Bypass UAC

User Account Control bypass

Windows Post-Exploitation

hashtag
Defense Evasion (TA0005)

Technique
Description
Related Section

Obfuscated Files/Information

Encoding, encryption

RT/EDR Evasion

Process Injection

Code injection

RT/EDR Evasion

Indicator Removal

Log clearing

Purple Team

AMSI Bypass

Antimalware bypass

RT/EDR Evasion

Timestomping

Modify file times

Purple Team

hashtag
Credential Access (TA0006)

Technique
Description
Related Section

OS Credential Dumping

Mimikatz, LSASS

Windows Post-Exploitation

Credentials from Password Stores

Browser, Keychain

Linux Post-Exploitation

Kerberoasting

SPN ticket cracking

Kerberos Attacks

AS-REP Roasting

Pre-auth disabled accounts

Kerberos Attacks

Brute Force

Password guessing

Bruteforcing

hashtag
Discovery (TA0007)

Technique
Description
Related Section

Network Service Scanning

Port/service discovery

Network Scanning

Remote System Discovery

AD enumeration

AD Attacks

File and Directory Discovery

Sensitive file search

Files

Cloud Service Discovery

AWS/Azure/GCP enum

Cloud

hashtag
Lateral Movement (TA0008)

Technique
Description
Related Section

Remote Services

SSH, RDP, WinRM

Pivoting

Pass the Hash

NTLM hash reuse

AD Attacks

Pass the Ticket

Kerberos ticket reuse

Kerberos Attacks

Internal Spearphishing

Lateral phishing

Social Engineering

hashtag
Collection (TA0009)

Technique
Description
Related Section

Data from Information Repositories

SharePoint, Confluence

Enumeration

Archive Collected Data

Compression, staging

File Transfer

Screen Capture

Screenshot collection

Post-Exploitation

hashtag
Exfiltration (TA0010)

Technique
Description
Related Section

Exfiltration Over Web Service

Cloud storage

File Transfer

Exfiltration Over DNS

DNS tunneling

Wireless Testing

Exfiltration Over Alternative Protocol

ICMP, custom

Pivoting

hashtag
By Vulnerability Type

hashtag
Injection Attacks

Attack
Description
Section

SQL Injection

Database query manipulation

SQLi

Command Injection

OS command execution

Command Injection

LDAP Injection

LDAP query manipulation

AD Attacks

XPath Injection

XML query manipulation

XXE

SSTI

Template engine injection

SSTI

NoSQL Injection

MongoDB/CouchDB injection

NoSQL

Header Injection

HTTP header manipulation

Header Injections

CRLF Injection

Response splitting

CRLF

hashtag
Cross-Site Attacks

Attack
Description
Section

XSS (Reflected)

Script injection via URL

XSS

XSS (Stored)

Persistent script injection

XSS

XSS (DOM)

Client-side DOM manipulation

XSS

CSRF

Cross-site request forgery

CSRF

CORS Misconfiguration

Cross-origin resource sharing

CORS

Clickjacking

UI redressing

Clickjacking

hashtag
Authentication/Authorization

Attack
Description
Section

Brute Force

Password guessing

Bruteforcing

Credential Stuffing

Reused credential attacks

Bruteforcing

Session Fixation

Session ID manipulation

Session Fixation

IDOR

Insecure direct object reference

IDOR

JWT Attacks

Token manipulation

JWT

OAuth Flaws

OAuth flow manipulation

OAuth

MFA Bypass

Multi-factor bypass

MFA

hashtag
Server-Side Attacks

Attack
Description
Section

SSRF

Server-side request forgery

SSRF

XXE

XML external entity

XXE

LFI/RFI

Local/Remote file inclusion

LFI/RFI

File Upload

Malicious file upload

File Upload

Deserialization

Insecure deserialization

Deserialization

Request Smuggling

HTTP desync attacks

Request Smuggling

hashtag
Cache/Proxy Attacks

Attack
Description
Section

Web Cache Poisoning

Cache manipulation

Cache Poisoning

Web Cache Deception

Cache rule abuse

Cache Deception

DNS Rebinding

DNS TTL manipulation

DNS Rebinding

hashtag
API Attacks

Attack
Description
Section

BOLA

Broken object-level authorization

API Security

Mass Assignment

Unexpected parameter binding

API Security

GraphQL Attacks

Introspection, batching abuse

API Security

Rate Limit Bypass

Throttling circumvention

API Security

hashtag
Active Directory Attacks

Attack
Description
Section

Kerberoasting

SPN ticket cracking

Kerberos

AS-REP Roasting

Pre-auth disabled abuse

Kerberos

Golden Ticket

Forged TGT

Kerberos

Silver Ticket

Forged service ticket

Kerberos

DCSync

Replicate DC credentials

AD

Pass the Hash

NTLM relay

AD

Pass the Ticket

Kerberos ticket reuse

Kerberos

AD CS Abuse

Certificate services attacks

AD

hashtag
Cloud Attacks

Attack
Description
Section

Metadata Service Abuse

IMDS exploitation

AWS

S3 Bucket Misconfiguration

Public bucket access

AWS

IAM Privilege Escalation

Permission escalation

GCP

Managed Identity Abuse

Token theft

Azure

Container Escape

Breakout from containers

Docker/K8s

Serverless Exploitation

Lambda/Functions abuse

Serverless

hashtag
Wireless Attacks

Attack
Description
Section

WPA2 Cracking

Handshake/PMKID attacks

Wireless

Evil Twin

Rogue access point

Wireless

Bluetooth Attacks

BLE exploitation

Wireless

RFID Cloning

Badge duplication

Hardware

hashtag
Physical/Social Engineering

Attack
Description
Section

Phishing

Credential harvesting

Social Engineering

Vishing

Voice phishing

Social Engineering

USB Drops

Malicious USB devices

Hardware

Tailgating

Physical access

Social Engineering

Badge Cloning

RFID/NFC cloning

Hardware

hashtag
By CWE (Common Weakness Enumeration)

CWE ID
Name
Section

CWE-78

OS Command Injection

Command Injection

CWE-79

Cross-site Scripting (XSS)

XSS

CWE-89

SQL Injection

SQLi

CWE-94

Code Injection

SSTI

CWE-98

PHP File Inclusion

LFI/RFI

CWE-120

Buffer Overflow

Buffer Overflow

CWE-200

Information Exposure

Recon

CWE-287

Authentication Issues

Bruteforcing

CWE-352

Cross-Site Request Forgery

CSRF

CWE-434

Unrestricted Upload

File Upload

CWE-502

Deserialization

Deserialization

CWE-611

XXE

XXE

CWE-639

IDOR

IDOR

CWE-918

SSRF

SSRF

hashtag
Quick Reference: Attack → Defense Mapping

Attack
Detection
Prevention

SQLi

WAF rules, query logging

Parameterized queries, input validation

XSS

CSP violations, WAF

Output encoding, CSP, sanitization

Command Injection

Process monitoring, syscall audit

Input validation, avoid shell

SSRF

Outbound request monitoring

Allowlisting, network segmentation

LFI/RFI

File access logging

Input validation, chroot

Credential Stuffing

Failed login monitoring

MFA, rate limiting, CAPTCHA

Kerberoasting

Event ID 4769 monitoring

Strong service account passwords

Pass the Hash

NTLM relay detection

Credential Guard, SMB signing

Container Escape

Syscall monitoring (seccomp)

Rootless containers, gVisor

hashtag
Resources

PreviousTool IndexNextWordlist Reference

Last updated

Was this helpful?