security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cfa399357b4ecc0d893ceeebac4e4e1adfbbae0f
atomic-red-team/Windows/Windows.md
T

41 lines
17 KiB
Markdown
Raw Normal View History

Initial Commit
2017-10-11 10:35:17 -07:00
## MITRE ATT&CK Matrix - Windows
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy |
| Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
Cleanup
2017-10-11 20:27:24 -07:00
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
Initial Commit
2017-10-11 10:35:17 -07:00
| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Input Capture | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication |
| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
Cleanup
2017-10-11 20:27:24 -07:00
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy |
Broken links
2017-10-12 11:21:14 +02:00
| Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol |
Initial Commit
2017-10-11 10:35:17 -07:00
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol |
| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port |
Broken links
2017-10-12 11:21:14 +02:00
| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | System Time Discovery | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | | | Web Service |
| New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator_Removal_on_Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | |
Initial Commit
2017-10-11 10:35:17 -07:00
| Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | |
Update Windows.md
2017-10-12 08:05:08 -07:00
| Path Interception | | [InstallUtil](Execution/InstallUtil.md) | | | | | | | |
Initial Commit
2017-10-11 10:35:17 -07:00
| Redundant Access | | Masquerading | | | | | | | |
| Registry Run Keys / Start Folder | | Modify Registry | | | | | | | |
| Scheduled Task | | NTFS Extended Attributes | | | | | | | |
| Security Support Provider | | Network Share Connection Removal | | | | | | | |
| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | |
| Shortcut Modification | | Process Hollowing | | | | | | | |
| System Firmware | | Redundant Access | | | | | | | |
| Valid Accounts | | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | | | | | | | |
| Web Shell | | [Regsvr32](Execution/Regsvr32.md) | | | | | | | |
| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Rootkit | | | | | | | |
Update Windows.md
2017-10-11 10:47:01 -07:00
| Winlogon Helper DLL | | [Rundll32](Execution/Rundll32.md) | | | | | | | |
Initial Commit
2017-10-11 10:35:17 -07:00
| | | Scripting | | | | | | | |
| | | Software Packing | | | | | | | |
| | | Timestomp | | | | | | | |
| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | |
| | | Valid Accounts | | | | | | | |
Reference in New Issue Copy Permalink