Windows/README.md

## MITRE ATT&CK Matrix - Windows

| Initial Access	| Execution	| Persistence	| Privilege Escalation	| Defense Evasion	| Credential Access	| Discovery	| Lateral Movement	| Collection	| Exfiltration	| Command and Control|
|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| Drive-by Compromise	| [CMSTP](Execution/CMSTP.md)	| [Accessibility Features](Persistence/Accessibility_Features.md)	| [Access Token Manipulation](Privilege_Escalation/AccessTokenManipulation.md)	| [Access Token Manipulation](Privilege_Escalation/AccessTokenManipulation.md)	| [Account Manipulation](Credential_Access/Account_Manipulation.md)	| [Account Discovery](Discovery/Account_Discovery.md)	| Application Deployment Software	| [Audio Capture](Collection/Audio_Capture.md)	| Automated Exfiltration	| Commonly Used Port |
| Exploit Public-Facing Application	| Command-Line Interface	| AppCert DLLs	| [Accessibility Features](Persistence/Accessibility_Features.md)	| [BITS Jobs](Execution/Bitsadmin.md)	| [Brute Force](Credential_Access/Brute_Force.md)	| Application Window Discovery	| Distributed Component Object Model	| [Automated Collection](Collection/Automated_Collection.md)	| [Data Compressed](Exfiltration/Data_Compressed.md)	| Communication Through Removable Media |
| Hardware Additions	| Control Panel Items	| [AppInit DLLs](Persistence/AppInit_DLLs.md)	| AppCert DLLs	| Binary Padding	| Credential Dumping	| Browser Bookmark Discovery	| Exploitation of Remote Services	| [Clipboard Data](Collection/Clipboard_Data.md)	| Data Encrypted	| Connection Proxy|
| Replication Through Removable Media	| [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) 	| Application Shimming	| [AppInit DLLs](Persistence/AppInit_DLLs.md)	| [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md)	| [Credentials in Files](Credential_Access/Credentials_in_Files.md)	| File and Directory Discovery	| [Logon Scripts](Persistence/Logon_Scripts.md)	| [Data Staged](Collection/Data_Staged.md)	| Data Transfer Size Limits	| Custom Command and Control Protocol |
| Spearphishing Attachment 	| 	Execution through API	| [Authentication Package](Persistence/Authentication_Package.md)	| Application Shimming	| CMSTP	| Credentials in Registry	| Network Service Scanning	| [Pass the Hash](Lateral_Movement/Pass_the_Hash.md)	| Data from Information Repositories	| Exfiltration Over Alternative Protocol	| Custom Cryptographic Protocol |
| Spearphishing Link	| Execution through Module Load	| [BITS Jobs](Execution/Bitsadmin.md)	| [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md)	| Code Signing	| Exploitation for Credential Access	| Network Share Discovery	| Pass the Ticket	| Data from Local System	| Exfiltration Over Command and Control Channel	|Data Encoding |		 |
| Spearphishing via Service	| Exploitation for Client Execution	| Bootkit	|DLL Search Order Hijacking	| Component Firmware	| Forced Authentication	| Password Policy Discovery	| [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md)	| Data from Network Shared Drive	| Exfiltration Over Other Network Medium	| Data Obfuscation |
| Supply Chain Compromise	| Graphical User Interface	| [Browser Extensions](Persistence/Browser_Extensions.md)	| Exploitation for Privilege Escalation	| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)	| [Hooking](Credential_Access/Hooking.md)	| Peripheral Device Discovery	| Remote File Copy	| Data from Removable Media	| Exfiltration Over Physical Medium	| Domain Fronting |
|Trusted Relationship	| [InstallUtil](Execution/InstallUtil.md) 	| [Change Default File Association](Persistence/Change_Default_File_Association.md) 	| Extra Window Memory Injection	| Control Panel Items	| [Input Capture](Collection/Input_Capture.md)	| Permission Groups Discovery	| Remote Services	| Email Collection	| Scheduled Transfer	| Fallback Channels |
| Valid Accounts	| LSASS Driver	| Component Firmware	| File System Permissions Weakness	| DCShadow	| Kerberoasting	| Process Discovery	| Replication Through Removable Media	| [Input Capture](Collection/Input_Capture.md) |     |  Multi-Stage Channels |
|      | [Mshta](Execution/Mshta.md) 	| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)	| [Hooking](Credential_Access/Hooking.md)	| DLL Search Order Hijacking	| LLMNR/NBT-NS Poisoning	| [Query Registry](Discovery/Query_Registry.md)	| Shared Webroot	| Man in the Browser	|      		| Multi-hop Proxy	|     
|      |[PowerShell](Execution/PowerShell.md)	| [Create Account](Credential_Access/Create_Account.md)	| Image File Execution Options Injection	| DLL Side-Loading	| Network Sniffing	| [Remote System Discovery](Discovery/Remote_System_Discovery.md) 	| Taint Shared Content	| Screen Capture		|      | Multiband Communication	|  
|      |[Regsvcs/Regasm](Execution/RegsvcsRegasm.md) 	| DLL Search Order Hijacking	| [New Service](Persistence/New_Service.md)	| [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md)	| Password Filter DLL	| [Security Software Discovery](Discovery/Security_Software_Discovery.md) 	| Third-party Software	| Video Capture		|      | Multilayer Encryption	|  
|      |[Regsvr32](Execution/Regsvr32.md)	| External Remote Services	| Path Interception	| [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)	| [Private Keys](Credential_Access/Private_Keys.md) 	| [System Information Discovery](Discovery/System_Information_Discovery.md)	| [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md)			| 			| 			| Remote Access Tools		|
|      |[Rundll32](Execution/rundll32.md) 	| File System Permissions Weakness	| Port Monitors	| Exploitation for Defense Evasion	| Replication Through Removable Media	| [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md)	| [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md)			| 			| 			| Remote File Copy			| 			|
|      |[Scheduled Task](Persistence/Scheduled_Task.md) 	| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)	| [Process Injection](Privilege_Escalation/Process_Injection.md) 	| Extra Window Memory Injection	| Two-Factor Authentication Interception	| System Network Connections Discovery				| 			| 			| 			| Standard Application Layer Protocol		| 		
|      | Scripting	| [Hooking](Credential_Access/Hooking.md)	| SID-History Injection	| [File Deletion](Defense_Evasion/File_Deletion.md) 		| 			| [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) 				| 			| 			| 			| Standard Cryptographic Protocol|
|      |Service Execution	| Hypervisor	| [Scheduled Task](Persistence/Scheduled_Task.md) 	| File System Logical Offsets		| 			| [System Service Discovery](Discovery/System_Service_Discovery.md)				| 			| 			| 			| Standard Non-Application Layer Protocol|			
|      |Signed Binary Proxy Execution	| Image File Execution Options Injection	| Service Registry Permissions Weakness	| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)		| 			|  [System Time Discovery](Discovery/System_Time_Discovery.md)				|			| 			| 			|  Uncommonly Used Port|
|      				| Signed Script Proxy Execution	| LSASS Driver	| Valid Accounts	| Image File Execution Options Injection						| 			| 			| 			| 			| 			| Web Service		|
|		| Third-party Software	| [Logon Scripts](Persistence/Logon_Scripts.md)	| Web Shell	| Indicator Blocking								| 				| 		| 		| 			| 			| 			|
| 		| [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) 	| Modify Existing Service		|	|  Indicator Removal from Tools		|				 | 		|		|		 | 		|		 |
|		| User Execution	| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md)		|		 | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) 						| 		 		| 		|		 |		 | 		|		 |
|		|   [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md)	| [New Service](Persistence/New_Service.md)		| 		|Indirect Command Execution			|				 | 		|		 |		 |		 | 		|
| 		| [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md)	| [Office Application Startup](Persistence/Office_Application_Startup.md) 		|  		|Install Root Certificate		| 				|		|		 | 		|		 |		 |
|		 | 		| Path Interception		|  		|[InstallUtil](Execution/InstallUtil.md) 													| 				|		|		 | 		|		 |		 |
|		 | 		| Port Monitors		|  		|Masquerading								 						| 				|		 |		 | 		|		 |		 |
|		 | 		| Redundant Access		|  		|Modify Registry								    | 			|				 |		 | 		|		 |		 |
|		 | 		| [Registry Run Keys / Start Folder](Persistence/Registry_Run_Keys_Start_Folder.md) 		|  		|[Mshta](Execution/Mshta.md) 								| 			|				 |		 | 		|		 |		 |
|		 | 		| SIP and Trust Provider Hijacking		|  		|NTFS File Attributes				| 			|				 |		 | 		|		 |		 |
|		 | 		| [Scheduled Task](Persistence/Scheduled_Task.md) 		|  		|Network Share Connection Removal					| 			|				 |		 | 		|		 |		 |
|		 | 		| Screensaver		|  		|Obfuscated Files or Information				 		| 			|				 |		 | 		|		 |		 |
|		 | 		| Security Support Provider	|  		|	Process Doppelgänging						| 			|				 |		 | 		|		 |		 |
|		 | 		| Service Registry Permissions Weakness	  		|		| Process Hollowing			| 			|				 |		 | 		|		 |		 |
|		 | 		| Shortcut Modification		| 		| [Process Injection](Privilege_Escalation/Process_Injection.md) 								| 			|				 |		 | 		|		 |		 |
|		 | 		| System Firmware			| 		| Redundant Access								| 			|				 |		 | 		|		 |		 |
|		 | 		| Time Providers			| 		| [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) 				 				| 			|				 |		 |		| 		 |		 |
|		 | 		| Valid Accounts			| 		| [Regsvr32](Execution/Regsvr32.md)										| 			|				 |		 | 		|		 |		 |
|		 | 		|  Web Shell				| 		| Rootkit										| 			|				 |		 |		| 		 |		 |
|		 | 		| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md)		| 		| [Rundll32](Execution/rundll32.md) 		| 			|				 |		 |		| 		 |		 |
|		 | 		| Winlogon Helper DLL		| 		| SIP and Trust Provider Hijacking	|			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| Scripting										| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| Signed Binary Proxy Execution					| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| Signed Script Proxy Execution				 	| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| Software Packing						 		| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| [Timestomp](Defense_Evasion/Timestomp.md) 								 		| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) 			 		| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| Valid Accounts						 		| 			|				 |		 | 		|		 |		 |
| 		| 		| 							| 		| Web Service						 			| 			|				 |		 | 		|		 |		 |
Initial Commit 2017-10-11 10:35:17 -07:00			`## MITRE ATT&CK Matrix - Windows`

changed as april update 2018-04-16 15:22:25 +08:00			`\| Initial Access \| Execution \| Persistence \| Privilege Escalation \| Defense Evasion \| Credential Access \| Discovery \| Lateral Movement \| Collection \| Exfiltration \| Command and Control\|`
			`\|-------------------------------------------------------\|----------------------------------------\|-----------------------------------------\|----------------------------------------\|----------------------------------------\|-------------------------------------\|------------------------------------\|--------------------------------\|--------------------------------\|-----------------------------------------------\|-----------------------------------------\|`
AccessTokenManipulation 2018-05-17 06:34:54 -05:00			\| Drive-by Compromise \| [CMSTP](Execution/CMSTP.md) \| [Accessibility Features](Persistence/Accessibility_Features.md) \| [Access Token Manipulation](Privilege_Escalation/AccessTokenManipulation.md) \| [Access Token Manipulation](Privilege_Escalation/AccessTokenManipulation.md) \| [Account Manipulation](Credential_Access/Account_Manipulation.md) \| [Account Discovery](Discovery/Account_Discovery.md) \| Application Deployment Software \| [Audio Capture](Collection/Audio_Capture.md) \| Automated Exfiltration \| Commonly Used Port \|
updated link for April update 2018-04-16 16:05:01 +08:00			`\| Exploit Public-Facing Application \| Command-Line Interface \| AppCert DLLs \| [Accessibility Features](Persistence/Accessibility_Features.md) \| [BITS Jobs](Execution/Bitsadmin.md) \| [Brute Force](Credential_Access/Brute_Force.md) \| Application Window Discovery \| Distributed Component Object Model \| [Automated Collection](Collection/Automated_Collection.md) \| [Data Compressed](Exfiltration/Data_Compressed.md) \| Communication Through Removable Media \|`
			`\| Hardware Additions \| Control Panel Items \| [AppInit DLLs](Persistence/AppInit_DLLs.md) \| AppCert DLLs \| Binary Padding \| Credential Dumping \| Browser Bookmark Discovery \| Exploitation of Remote Services \| [Clipboard Data](Collection/Clipboard_Data.md) \| Data Encrypted \| Connection Proxy\|`
			\| Replication Through Removable Media \| [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) \| Application Shimming \| [AppInit DLLs](Persistence/AppInit_DLLs.md) \| [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) \| [Credentials in Files](Credential_Access/Credentials_in_Files.md) \| File and Directory Discovery \| [Logon Scripts](Persistence/Logon_Scripts.md) \| [Data Staged](Collection/Data_Staged.md) \| Data Transfer Size Limits \| Custom Command and Control Protocol \|
updated link for Mitre April update 2018-04-16 16:19:46 +08:00			`\| Spearphishing Attachment \| Execution through API \| [Authentication Package](Persistence/Authentication_Package.md) \| Application Shimming \| CMSTP \| Credentials in Registry \| Network Service Scanning \| [Pass the Hash](Lateral_Movement/Pass_the_Hash.md) \| Data from Information Repositories \| Exfiltration Over Alternative Protocol \| Custom Cryptographic Protocol \|`
			`\| Spearphishing Link \| Execution through Module Load \| [BITS Jobs](Execution/Bitsadmin.md) \| [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) \| Code Signing \| Exploitation for Credential Access \| Network Share Discovery \| Pass the Ticket \| Data from Local System \| Exfiltration Over Command and Control Channel \|Data Encoding \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| Spearphishing via Service \| Exploitation for Client Execution \| Bootkit \|DLL Search Order Hijacking \| Component Firmware \| Forced Authentication \| Password Policy Discovery \| [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md) \| Data from Network Shared Drive \| Exfiltration Over Other Network Medium \| Data Obfuscation \|`
Credential_Access/Hooking 2018-04-24 10:17:42 -04:00			`\| Supply Chain Compromise \| Graphical User Interface \| [Browser Extensions](Persistence/Browser_Extensions.md) \| Exploitation for Privilege Escalation \| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) \| [Hooking](Credential_Access/Hooking.md) \| Peripheral Device Discovery \| Remote File Copy \| Data from Removable Media \| Exfiltration Over Physical Medium \| Domain Fronting \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\|Trusted Relationship \| [InstallUtil](Execution/InstallUtil.md) \| [Change Default File Association](Persistence/Change_Default_File_Association.md) \| Extra Window Memory Injection \| Control Panel Items \| [Input Capture](Collection/Input_Capture.md) \| Permission Groups Discovery \| Remote Services \| Email Collection \| Scheduled Transfer \| Fallback Channels \|`
			`\| Valid Accounts \| LSASS Driver \| Component Firmware \| File System Permissions Weakness \| DCShadow \| Kerberoasting \| Process Discovery \| Replication Through Removable Media \| [Input Capture](Collection/Input_Capture.md) \| \| Multi-Stage Channels \|`
Credential_Access/Hooking 2018-04-24 10:17:42 -04:00			`\| \| [Mshta](Execution/Mshta.md) \| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) \| [Hooking](Credential_Access/Hooking.md) \| DLL Search Order Hijacking \| LLMNR/NBT-NS Poisoning \| [Query Registry](Discovery/Query_Registry.md) \| Shared Webroot \| Man in the Browser \| \| Multi-hop Proxy \|`
updated link for Mitre April update 2018-04-16 16:19:46 +08:00			`\| \|[PowerShell](Execution/PowerShell.md) \| [Create Account](Credential_Access/Create_Account.md) \| Image File Execution Options Injection \| DLL Side-Loading \| Network Sniffing \| [Remote System Discovery](Discovery/Remote_System_Discovery.md) \| Taint Shared Content \| Screen Capture \| \| Multiband Communication \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \|[Regsvcs/Regasm](Execution/RegsvcsRegasm.md) \| DLL Search Order Hijacking \| [New Service](Persistence/New_Service.md) \| [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) \| Password Filter DLL \| [Security Software Discovery](Discovery/Security_Software_Discovery.md) \| Third-party Software \| Video Capture \| \| Multilayer Encryption \|`
			`\| \|[Regsvr32](Execution/Regsvr32.md) \| External Remote Services \| Path Interception \| [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) \| [Private Keys](Credential_Access/Private_Keys.md) \| [System Information Discovery](Discovery/System_Information_Discovery.md) \| [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md) \| \| \| Remote Access Tools \|`
			`\| \|[Rundll32](Execution/rundll32.md) \| File System Permissions Weakness \| Port Monitors \| Exploitation for Defense Evasion \| Replication Through Removable Media \| [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) \| [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) \| \| \| Remote File Copy \| \|`
updated link for Mitre April update 2018-04-16 16:19:46 +08:00			`\| \|[Scheduled Task](Persistence/Scheduled_Task.md) \| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) \| [Process Injection](Privilege_Escalation/Process_Injection.md) \| Extra Window Memory Injection \| Two-Factor Authentication Interception \| System Network Connections Discovery \| \| \| \| Standard Application Layer Protocol \|`
Credential_Access/Hooking 2018-04-24 10:17:42 -04:00			`\| \| Scripting \| [Hooking](Credential_Access/Hooking.md) \| SID-History Injection \| [File Deletion](Defense_Evasion/File_Deletion.md) \| \| [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) \| \| \| \| Standard Cryptographic Protocol\|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \|Service Execution \| Hypervisor \| [Scheduled Task](Persistence/Scheduled_Task.md) \| File System Logical Offsets \| \| [System Service Discovery](Discovery/System_Service_Discovery.md) \| \| \| \| Standard Non-Application Layer Protocol\|`
			`\| \|Signed Binary Proxy Execution \| Image File Execution Options Injection \| Service Registry Permissions Weakness \| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) \| \| [System Time Discovery](Discovery/System_Time_Discovery.md) \| \| \| \| Uncommonly Used Port\|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| Signed Script Proxy Execution \| LSASS Driver \| Valid Accounts \| Image File Execution Options Injection \| \| \| \| \| \| Web Service \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| Third-party Software \| [Logon Scripts](Persistence/Logon_Scripts.md) \| Web Shell \| Indicator Blocking \| \| \| \| \| \| \|`
			`\| \| [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) \| Modify Existing Service \| \| Indicator Removal from Tools \| \| \| \| \| \| \|`
			`\| \| User Execution \| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) \| \| [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) \| \| \| \| \| \| \|`
Credential_Access/Hooking 2018-04-24 10:17:42 -04:00			`\| \| [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) \| [New Service](Persistence/New_Service.md) \| \|Indirect Command Execution \| \| \| \| \| \| \|`
updated link for Mitre April update 2018-04-16 16:19:46 +08:00			`\| \| [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) \| [Office Application Startup](Persistence/Office_Application_Startup.md) \| \|Install Root Certificate \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| Path Interception \| \|[InstallUtil](Execution/InstallUtil.md) \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| Port Monitors \| \|Masquerading \| \| \| \| \| \| \|`
			`\| \| \| Redundant Access \| \|Modify Registry \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| [Registry Run Keys / Start Folder](Persistence/Registry_Run_Keys_Start_Folder.md) \| \|[Mshta](Execution/Mshta.md) \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| SIP and Trust Provider Hijacking \| \|NTFS File Attributes \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| [Scheduled Task](Persistence/Scheduled_Task.md) \| \|Network Share Connection Removal \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| Screensaver \| \|Obfuscated Files or Information \| \| \| \| \| \| \|`
			`\| \| \| Security Support Provider \| \| Process Doppelgänging \| \| \| \| \| \| \|`
			`\| \| \| Service Registry Permissions Weakness \| \| Process Hollowing \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| Shortcut Modification \| \| [Process Injection](Privilege_Escalation/Process_Injection.md) \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| System Firmware \| \| Redundant Access \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| Time Providers \| \| [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) \| \| \| \| \| \| \|`
			`\| \| \| Valid Accounts \| \| [Regsvr32](Execution/Regsvr32.md) \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| Web Shell \| \| Rootkit \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) \| \| [Rundll32](Execution/rundll32.md) \| \| \| \| \| \| \|`
			`\| \| \| Winlogon Helper DLL \| \| SIP and Trust Provider Hijacking \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| \| \| Scripting \| \| \| \| \| \| \|`
			`\| \| \| \| \| Signed Binary Proxy Execution \| \| \| \| \| \| \|`
			`\| \| \| \| \| Signed Script Proxy Execution \| \| \| \| \| \| \|`
			`\| \| \| \| \| Software Packing \| \| \| \| \| \| \|`
updated link for April update 2018-04-16 16:05:01 +08:00			`\| \| \| \| \| [Timestomp](Defense_Evasion/Timestomp.md) \| \| \| \| \| \| \|`
			`\| \| \| \| \| [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) \| \| \| \| \| \| \|`
changed as april update 2018-04-16 15:22:25 +08:00			`\| \| \| \| \| Valid Accounts \| \| \| \| \| \| \|`
			`\| \| \| \| \| Web Service \| \| \| \| \| \| \|`