PACT
The Physical Access & Control Taxonomy (PACT) is a community-built, structured knowledge base of physical tactics, techniques and procedures (TTPs) derived from real-world observations. The matrix builds upon the foundational framework of the MITRE ATT&CK® matrix and is designed to integrate with and extend its methodologies into the physical domain. Using PACT together with the ATT&CK Matrix allows organizations to plan and map out cyber-physical attacks.
PACT was inspired by and fulfills the requirements outlined in "Requirements and Recommendations for a Physical Attack Characterization Framework" (McGrath et al., 2023) [1].
Utilizing PACT effectively requires working knowledge of the MITRE ATT&CK® matrix. For foundational orientation, we recommend the MITRE Get Started Guide.
Browse PACT on the official website, or load the matrix in the MITRE ATT&CK® Navigator.
PACT Matrix
| PT0001 Reconnaissance | PT0002 Resource Development | PT0003 Initial Access | PT0004 Persistence | PT0005 Privilege Escalation | PT0006 Credential Access | PT0007 Lateral Movement | PT0008 Stealth | PT0009 Defense Impairment | PT0010 Collection | PT0011 Exfiltration | PT0012 Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| P0001 Gather Victim Facility Information | P0004 Fabricate ID | P0006 Tailgate | P0008 Valid Credentials | P0006 Tailgate | P0014 Steal Valid Credentials | P0007 Social Engineering | P0007 Social Engineering | P0024 Disable Sensor | P0027 Steal Hardware | P0010 Exploit Physical Access Weaknesses | P0034 Espionage |
| ↳ P0001.001 Facility Plans | ↳ P0004.001 Fabricate Victim Company ID | P0007 Social Engineering | P0011 Establish Trust | P0007 Social Engineering | ↳ P0014.001 Shoulder Surf PIN Entry | ↳ P0007.001 Exploit Business Process | ↳ P0007.001 Exploit Business Process | ↳ P0024.001 Disable Camera | ↳ P0027.001 Steal Endpoint Device | ↳ P0010.001 Exploit Perimeter Controls | ↳ P0034.001 Industry Espionage |
| ↳ P0001.002 Facility Rhythms | ↳ P0004.002 Fabricate Victim Vendor ID | ↳ P0007.001 Exploit Business Process | P0012 Manipulate Physical Access Controls | ↳ P0007.001 Exploit Business Process | P0015 Forge Key | ↳ P0007.002 Impersonate Staff or Vendor | ↳ P0007.002 Impersonate Staff or Vendor | ↳ P0024.002 Disable Intrusion Sensor | ↳ P0027.002 Steal Removable Media | ↳ P0010.002 Exploit Unrestricted Opening | ↳ P0034.002 Nation State Espionage |
| P0002 Surveillance | P0005 Develop Pretext | ↳ P0007.002 Impersonate Staff or Vendor | ↳ P0012.001 Replace Lock | ↳ P0007.002 Impersonate Staff or Vendor | P0016 Clone Badge | ↳ P0007.003 Pose as Visitor or Guest | ↳ P0007.003 Pose as Visitor or Guest | ↳ P0024.003 Disable Alarm Device | ↳ P0027.003 Steal Server Hardware | ↳ P0010.003 Exploit Request-to-Exit Sensor | P0035 Sabotage |
| ↳ P0002.001 On-site Surveillance | ↳ P0005.001 Develop Pretext Story | ↳ P0007.003 Pose as Visitor or Guest | ↳ P0012.002 Disable Latch | ↳ P0007.003 Pose as Visitor or Guest | ↳ P0016.001 Skim Badge with Covert Reader | ↳ P0007.004 Employ Pretext in Conversation | ↳ P0007.004 Employ Pretext in Conversation | P0025 Block Camera View | P0028 Copy Information | P0031 Exfiltrate via Entry Route | P0036 Theft |
| ↳ P0002.002 Remote Surveillance | ↳ P0005.002 Gather Pretext Props | ↳ P0007.004 Employ Pretext in Conversation | P0013 Hide on Premises | ↳ P0007.004 Employ Pretext in Conversation | ↳ P0016.002 Capture Badge with Long-Range Reader | ↳ P0007.005 Wear Cover Dress | ↳ P0007.005 Wear Cover Dress | P0026 Employ Distraction | ↳ P0028.001 Photograph Information | P0032 Exfiltrate via Emergency Route | P0037 Distraction |
| P0003 Gather Victim Facility Perimeter | ↳ P0005.003 Gather Pretext Uniform | ↳ P0007.005 Wear Cover Dress | P0038 Manipulate Electronic Access Control | ↳ P0007.005 Wear Cover Dress | P0038 Manipulate Electronic Access Control | ↳ P0007.006 Employ Pretext via Phone Calls | ↳ P0007.006 Employ Pretext via Phone Calls | ↳ P0026.001 Trigger False Alarm | ↳ P0028.002 Photocopy Documents | P0033 Exfiltrate via Alternative Route | |
| P0007 Social Engineering | | ↳ P0007.006 Employ Pretext via Phone Calls | ↳ P0038.001 Implant Covert Capture Device | ↳ P0007.006 Employ Pretext via Phone Calls | ↳ P0038.001 Implant Covert Capture Device | ↳ P0007.007 Employ Pretext via Email | ↳ P0007.007 Employ Pretext via Email | ↳ P0026.002 Stage Diversion | P0029 Steal Information | | |
| ↳ P0007.001 Exploit Business Process | | ↳ P0007.007 Employ Pretext via Email | | ↳ P0007.007 Employ Pretext via Email | | P0009 Bypass Physical Access Controls | P0013 Hide on Premises | | P0030 Plant Surveillance Device | | |
| ↳ P0007.002 Impersonate Staff or Vendor | | P0008 Valid Credentials | | P0008 Valid Credentials | | ↳ P0009.001 Bypass Window | P0021 Select Low-Visibility Route | | | | |
| ↳ P0007.003 Pose as Visitor or Guest | | P0009 Bypass Physical Access Controls | | | | ↳ P0009.002 Bypass Door | P0022 Activity Timing | | | | |
| ↳ P0007.004 Employ Pretext in Conversation | | ↳ P0009.001 Bypass Window | | | | ↳ P0009.003 Bypass Perimeter Controls | ↳ P0022.001 Time Activity to Normal Operations | | | | |
| ↳ P0007.005 Wear Cover Dress | | ↳ P0009.002 Bypass Door | | | | P0010 Exploit Physical Access Weaknesses | ↳ P0022.002 Time Activity Outside Regular Business Hours | | | | |
| ↳ P0007.006 Employ Pretext via Phone Calls | | ↳ P0009.003 Bypass Perimeter Controls | | | | ↳ P0010.001 Exploit Perimeter Controls | | | | | |
| ↳ P0007.007 Employ Pretext via Email | | P0010 Exploit Physical Access Weaknesses | | | | ↳ P0010.002 Exploit Unrestricted Opening | | | | | |
| P0039 Dumpster Diving | | ↳ P0010.001 Exploit Perimeter Controls | | | | ↳ P0010.003 Exploit Request-to-Exit Sensor | | | | | |
| | | ↳ P0010.002 Exploit Unrestricted Opening | | | | P0017 Cross Security Zone | | | | | |
| | | ↳ P0010.003 Exploit Request-to-Exit Sensor | | | | ↳ P0017.001 Cross Zone via Internal Door | | | | | |
| | | P0038 Manipulate Electronic Access Control | | | | ↳ P0017.002 Cross Zone via Inter-Building Connector | | | | | |
| | | ↳ P0038.001 Implant Covert Capture Device | | | | P0018 Use Vertical Circulation | | | | | |
| | | | | | | ↳ P0018.001 Use Stairwell | | | | | |
| | | | | | | ↳ P0018.002 Use Elevator | | | | | |
| | | | | | | ↳ P0018.003 Use Exterior Access or Climbing | | | | | |
| | | | | | | P0019 Use Service Route | | | | | |
| | | | | | | P0038 Manipulate Electronic Access Control | | | | | |
| | | | | | | ↳ P0038.001 Implant Covert Capture Device | | | | | |
[1] J. McGrath, H. Scott, and L. Slone, “Requirements and Recommendations for a Physical Attack Characterization Framework,” Office of Scientific and Technical Information (OSTI), Jul. 2023. doi: 10.2172/2229613.