security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
029110b694bc5925fe2ed5cb3a7a1b4b80098265
atomic-red-team/atomics/Indexes/Matrices/matrix.md
T
Atomic Red Team doc generator 029110b694 Generated docs from job=generate-docs branch=master [ci skip]
2024-03-01 19:23:30 +00:00

67 KiB
Raw Blame History

All Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
External Remote Services Scheduled Task/Job: Scheduled Task Scheduled Task/Job: Scheduled Task Process Injection: Extra Window Memory Injection Process Injection: Extra Window Memory Injection Adversary-in-the-Middle CONTRIBUTE A TEST System Owner/User Discovery Remote Services:VNC Archive Collected Data: Archive via Utility Exfiltration Over Web Service CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Windows Management Instrumentation Socket Filters CONTRIBUTE A TEST Scheduled Task/Job: Scheduled Task Socket Filters CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Container and Resource Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Exfiltration Over Webhook CONTRIBUTE A TEST Data Encoding: Standard Encoding Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Server Software Component Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Fileless Storage CONTRIBUTE A TEST Input Capture: Keylogging Internet Connection Discovery CONTRIBUTE A TEST Remote Services: SSH Adversary-in-the-Middle CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment Command and Scripting Interpreter: JavaScript Modify Authentication Process: Pluggable Authentication Modules Path Interception by PATH Environment Variable CONTRIBUTE A TEST Signed Binary Proxy Execution: Rundll32 Brute Force: Password Guessing Permission Groups Discovery CONTRIBUTE A TEST Replication Through Removable Media Input Capture: Keylogging Exfiltration Over Other Network Medium CONTRIBUTE A TEST Application Layer Protocol: DNS OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST Kubernetes Cronjob Path Interception by PATH Environment Variable CONTRIBUTE A TEST Event Triggered Execution: PowerShell Profile Embedded Payloads CONTRIBUTE A TEST OS Credential Dumping Cloud Groups CONTRIBUTE A TEST Direct Cloud VM Connections CONTRIBUTE A TEST Data from Configuration Repository CONTRIBUTE A TEST Exfiltration Over Bluetooth CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media Inter-Process Communication: Dynamic Data Exchange Event Triggered Execution: PowerShell Profile Create or Modify System Process CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Steal Web Session Cookie Group Policy Discovery SSH Hijacking CONTRIBUTE A TEST Sharepoint CONTRIBUTE A TEST Automated Exfiltration Fast Flux DNS CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise User Execution: Malicious File Create or Modify System Process CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Revert Cloud Instance CONTRIBUTE A TEST OS Credential Dumping: Security Account Manager Device Driver Discovery CONTRIBUTE A TEST Remote Services: SMB/Windows Admin Shares Audio Capture Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Application Layer Protocol Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Scheduled Task/Job: Cron External Remote Services Kubernetes Cronjob File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification Unsecured Credentials: Cloud Instance Metadata API Account Discovery: Domain Account Use Alternate Authentication Material CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Traffic Duplication CONTRIBUTE A TEST Remote Access Software Service Stop
Content Injection CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Bypass User Account Control Signed Script Proxy Execution: Pubprn Securityd Memory CONTRIBUTE A TEST Account Discovery: Local Account Remote Services CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Content Injection CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Valid Accounts: Default Accounts Scheduled Task/Job CONTRIBUTE A TEST Kubernetes Cronjob Abuse Elevation Control Mechanism: Sudo and Sudo Caching Path Interception by PATH Environment Variable CONTRIBUTE A TEST Brute Force: Password Cracking Virtualization/Sandbox Evasion: System Checks Remote Service Session Hijacking CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Traffic Signaling CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Command and Scripting Interpreter: AppleScript Pre-OS Boot: System Firmware Hijack Execution Flow: Services Registry Permissions Weakness Direct Volume Access Credentials from Password Stores: Keychain Permission Groups Discovery: Domain Groups Remote Services: Windows Remote Management Data Staged: Local Data Staging Exfiltration Over C2 Channel Protocol Tunneling Reflection Amplification CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Native API Hijack Execution Flow: Services Registry Permissions Weakness Boot or Logon Autostart Execution Email Hiding Rules CONTRIBUTE A TEST OS Credential Dumping: LSA Secrets System Service Discovery Remote Services: Distributed Component Object Model Email Collection: Local Email Collection Exfiltration Over Alternative Protocol Mail Protocols CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Cloud API CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Active Setup Rootkit Forge Web Credentials: SAML token Network Sniffing Use Alternate Authentication Material: Pass the Ticket Automated Collection Exfiltration over USB CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST Deploy a container Boot or Logon Autostart Execution Domain Trust Modification Double File Extension CONTRIBUTE A TEST OS Credential Dumping: Proc Filesystem Network Share Discovery Cloud Services CONTRIBUTE A TEST Clipboard Data Exfiltration Over Web Service: Exfiltration to Text Storage Sites External Proxy CONTRIBUTE A TEST Financial Theft CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Command and Scripting Interpreter Active Setup Create or Modify System Process: Windows Service Abuse Elevation Control Mechanism: Bypass User Account Control Password Managers CONTRIBUTE A TEST Peripheral Device Discovery Software Deployment Tools Data from Cloud Storage Object Exfiltration Over Web Service: Exfiltration to Cloud Storage Proxy CONTRIBUTE A TEST Defacement: Internal Defacement
Domain Accounts CONTRIBUTE A TEST Kubernetes Exec Into Container TFTP Boot CONTRIBUTE A TEST Scheduled Task/Job: Cron Abuse Elevation Control Mechanism: Sudo and Sudo Caching Network Sniffing System Information Discovery Exploitation of Remote Services CONTRIBUTE A TEST Remote Data Staging CONTRIBUTE A TEST Data Transfer Size Limits Dynamic Resolution CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST System Services: Launchctl Create or Modify System Process: Windows Service Account Manipulation: Additional Cloud Roles Modify Cloud Compute Infrastructure CONTRIBUTE A TEST Unsecured Credentials: Credentials in Registry Wi-Fi Discovery CONTRIBUTE A TEST Internal Spearphishing CONTRIBUTE A TEST Data from Local System Transfer Data to Cloud Account CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST Network Device CLI CONTRIBUTE A TEST Scheduled Task/Job: Cron Boot or Logon Autostart Execution: Print Processors Pre-OS Boot: System Firmware Modify Authentication Process: Password Filter DLL Application Window Discovery Lateral Tool Transfer Archive Collected Data: Archive via Library Exfiltration Over Physical Medium CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Data Encrypted for Impact
Valid Accounts: Cloud Accounts XPC Services CONTRIBUTE A TEST Office Application Startup Hijack Execution Flow: DLL Search Order Hijacking Hijack Execution Flow: Services Registry Permissions Weakness Steal or Forge Kerberos Tickets: AS-REP Roasting Email Account CONTRIBUTE A TEST Web Session Cookie CONTRIBUTE A TEST Network Device Configuration Dump CONTRIBUTE A TEST Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Multi-Stage Channels CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST User Execution CONTRIBUTE A TEST Account Manipulation: Additional Cloud Roles Additional Container Cluster Roles CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Time Based Evasion CONTRIBUTE A TEST Remote Service Session Hijacking: RDP Hijacking Archive Collected Data Port Knocking CONTRIBUTE A TEST Resource Hijacking
Valid Accounts: Local Accounts Software Deployment Tools Boot or Logon Autostart Execution: Print Processors Scheduled Task/Job CONTRIBUTE A TEST Mavinject CONTRIBUTE A TEST Credentials from Password Stores Cloud Infrastructure Discovery Use Alternate Authentication Material: Pass the Hash Browser Session Hijacking CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Command and Scripting Interpreter: PowerShell Hijack Execution Flow: DLL Search Order Hijacking Thread Execution Hijacking Masquerading: Match Legitimate Name or Location Unsecured Credentials Browser Bookmark Discovery Remote Services: Remote Desktop Protocol DHCP Spoofing CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST Data Destruction
Scheduled Task/Job: Systemd Timers Office Application Startup: Add-ins Event Triggered Execution: Application Shimming Weaken Encryption CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST System Network Configuration Discovery Application Access Token CONTRIBUTE A TEST Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Proxy: Multi-hop Proxy Network Denial of Service CONTRIBUTE A TEST
Command and Scripting Interpreter: Bash Server Software Component: Transport Agent Boot or Logon Autostart Execution: Port Monitors Masquerade File Type CONTRIBUTE A TEST Credentials from Password Stores: Credentials from Web Browsers Account Discovery CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Inter-Process Communication Additional Container Cluster Roles CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Hide Artifacts DHCP Spoofing CONTRIBUTE A TEST Domain Trust Discovery Video Capture Non-Standard Port Inhibit System Recovery
User Execution: Malicious Image Scheduled Task/Job CONTRIBUTE A TEST Process Injection Domain Trust Modification Unsecured Credentials: Private Keys File and Directory Discovery Confluence CONTRIBUTE A TEST Encrypted Channel Disk Content Wipe CONTRIBUTE A TEST
Exploitation for Client Execution CONTRIBUTE A TEST Modify Authentication Process: Password Filter DLL Escape to Host Impair Defenses: Safe Boot Mode Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay System Network Connections Discovery Email Collection: Email Forwarding Rule Bidirectional Communication CONTRIBUTE A TEST System Shutdown/Reboot
Command and Scripting Interpreter: Python Server Software Component: Terminal Services DLL Boot or Logon Autostart Execution: Shortcut Modification TFTP Boot CONTRIBUTE A TEST OS Credential Dumping: LSASS Memory Virtualization/Sandbox Evasion CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Asymmetric Cryptography CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST Browser Extensions Boot or Logon Autostart Execution: Security Support Provider Virtualization/Sandbox Evasion: System Checks Brute Force: Password Spraying Cloud Storage Object Discovery Input Capture: GUI Input Capture Non-Application Layer Protocol
Command and Scripting Interpreter: Windows Command Shell Outlook Rules CONTRIBUTE A TEST Create or Modify System Process: Launch Daemon Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs Web Portal Capture CONTRIBUTE A TEST Log Enumeration Data from Network Shared Drive Protocol Impersonation CONTRIBUTE A TEST
Cloud Administration Command CONTRIBUTE A TEST Event Triggered Execution: Application Shimming Hijack Execution Flow: Path Interception by Search Order Hijacking Signed Binary Proxy Execution: InstallUtil OS Credential Dumping: Cached Domain Credentials Cloud Account CONTRIBUTE A TEST Remote Email Collection CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST
Command and Scripting Interpreter: Visual Basic Boot or Logon Autostart Execution: Port Monitors Domain Policy Modification: Group Policy Modification Stripped Payloads CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: Golden Ticket Process Discovery Input Capture CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST
Serverless Execution CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Mac) Valid Accounts: Default Accounts Hijack Execution Flow: DLL Search Order Hijacking Steal or Forge Authentication Certificates User Activity Based Checks CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST
Malicious Link CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Time Providers Subvert Trust Controls: Gatekeeper Bypass Unsecured Credentials: Bash History Permission Groups Discovery: Local Groups Code Repositories CONTRIBUTE A TEST Application Layer Protocol: Web Protocols
System Services: Service Execution Boot or Logon Autostart Execution: Shortcut Modification Event Triggered Execution: Trap Code Signing CONTRIBUTE A TEST Unsecured Credentials: Credentials In Files Password Policy Discovery Data from Information Repositories CONTRIBUTE A TEST Ingress Tool Transfer
Scheduled Task/Job: At Implant Internal Image CONTRIBUTE A TEST Hijack Execution Flow: LD_PRELOAD Break Process Trees CONTRIBUTE A TEST Web Cookies CONTRIBUTE A TEST System Location Discovery: System Language Discovery SNMP (MIB Dump) CONTRIBUTE A TEST Steganography CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Security Support Provider Abuse Elevation Control Mechanism CONTRIBUTE A TEST File and Directory Permissions Modification: Windows File and Directory Permissions Modification Steal Application Access Token Query Registry Input Capture: Credential API Hooking Fallback Channels CONTRIBUTE A TEST
Hybrid Identity CONTRIBUTE A TEST Create Process with Token Signed Binary Proxy Execution: Msiexec Unsecured Credentials: Group Policy Preferences System Location Discovery CONTRIBUTE A TEST Proxy: Internal Proxy
Create or Modify System Process: Launch Daemon Abuse Elevation Control Mechanism: Setuid and Setgid Modify Authentication Process: Password Filter DLL Network Provider DLL CONTRIBUTE A TEST Software Discovery: Security Software Discovery Dead Drop Resolver CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Search Order Hijacking Boot or Logon Autostart Execution: Winlogon Helper DLL Clear Network Connection History and Configurations CONTRIBUTE A TEST Forge Web Credentials CONTRIBUTE A TEST Cloud Service Discovery Junk Data CONTRIBUTE A TEST
Server Software Component: Web Shell SSH Authorized Keys Reduce Key Space CONTRIBUTE A TEST Multi-Factor Authentication Request Generation CONTRIBUTE A TEST Remote System Discovery
Valid Accounts: Default Accounts Event Triggered Execution: Image File Execution Options Injection Indicator Removal on Host: Clear Command History Chat Messages CONTRIBUTE A TEST Network Service Discovery
Time Providers Temporary Elevated Cloud Access CONTRIBUTE A TEST Indirect Command Execution Exploitation for Credential Access CONTRIBUTE A TEST Software Discovery
Event Triggered Execution: Trap Process Doppelgänging CONTRIBUTE A TEST Deobfuscate/Decode Files or Information Input Capture: GUI Input Capture Cloud Service Dashboard CONTRIBUTE A TEST
Hijack Execution Flow: LD_PRELOAD Executable Installer File Permissions Weakness CONTRIBUTE A TEST Impair Defenses Brute Force CONTRIBUTE A TEST Debugger Evasion CONTRIBUTE A TEST
Create Account: Local Account Event Triggered Execution: Accessibility Features Thread Execution Hijacking Brute Force: Credential Stuffing System Time Discovery
Boot or Logon Autostart Execution: Winlogon Helper DLL Process Injection: Asynchronous Procedure Call Masquerading Multi-Factor Authentication CONTRIBUTE A TEST
SSH Authorized Keys Event Triggered Execution: AppCert DLLs Email Collection: Mailbox Manipulation Forced Authentication
Event Triggered Execution: Image File Execution Options Injection Device Registration CONTRIBUTE A TEST Process Injection Input Capture CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Process Injection: Portable Executable Injection Traffic Signaling CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST
Event Triggered Execution: Accessibility Features Boot or Logon Autostart Execution: Login Items Signed Binary Proxy Execution Cloud Secrets Management Stores CONTRIBUTE A TEST
Create Account: Domain Account Access Token Manipulation: Token Impersonation/Theft Indicator Removal on Host: Timestomp OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
Component Firmware CONTRIBUTE A TEST Account Manipulation: Additional Cloud Credentials Reflective Code Loading Steal or Forge Kerberos Tickets: Silver Ticket
Office Application Startup: Office Template Macros. Make and Impersonate Token CONTRIBUTE A TEST Ignore Process Interrupts CONTRIBUTE A TEST Credentials from Password Stores: Windows Credential Manager
Event Triggered Execution: AppCert DLLs Event Triggered Execution: Windows Management Instrumentation Event Subscription Time Based Evasion CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST
Device Registration CONTRIBUTE A TEST Access Token Manipulation: Parent PID Spoofing Signed Binary Proxy Execution: CMSTP Reversible Encryption CONTRIBUTE A TEST
Pre-OS Boot CONTRIBUTE A TEST Event Triggered Execution: Change Default File Association Impair Defenses: Disable Windows Event Logging Multi-Factor Authentication Interception CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Login Items VDSO Hijacking CONTRIBUTE A TEST Signed Binary Proxy Execution: Control Panel OS Credential Dumping: NTDS
Port Knocking CONTRIBUTE A TEST Event Triggered Execution: Emond Network Address Translation Traversal CONTRIBUTE A TEST Steal or Forge Kerberos Tickets: Kerberoasting
Account Manipulation: Additional Cloud Credentials Services File Permissions Weakness CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST OS Credential Dumping: DCSync
Network Provider DLL CONTRIBUTE A TEST Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Impair Defenses: Disable or Modify System Firewall Modify Authentication Process CONTRIBUTE A TEST
Event Triggered Execution: Windows Management Instrumentation Event Subscription Account Manipulation Subvert Trust Controls: SIP and Trust Provider Hijacking Input Capture: Credential API Hooking
Compromise Client Software Binary CONTRIBUTE A TEST Boot or Logon Autostart Execution: Kernel Modules and Extensions Hybrid Identity CONTRIBUTE A TEST Kubernetes List Secrets
Event Triggered Execution: Change Default File Association KernelCallbackTable CONTRIBUTE A TEST Disable or Modify Linux Audit System CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST
Event Triggered Execution: Emond Scheduled Task/Job: Systemd Timers Rogue Domain Controller
Services File Permissions Weakness CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Code Signing Policy Modification CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Valid Accounts CONTRIBUTE A TEST Deploy a container
Create Account: Cloud Account Process Injection: Process Hollowing Modify Registry
Account Manipulation Exploitation for Privilege Escalation CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking
Boot or Logon Autostart Execution: Kernel Modules and Extensions Event Triggered Execution Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
KernelCallbackTable CONTRIBUTE A TEST Event Triggered Execution: .bash_profile .bashrc and .shrc Obfuscated Files or Information: Binary Padding
Scheduled Task/Job: Systemd Timers Access Token Manipulation: SID-History Injection Domain Policy Modification: Group Policy Modification
ROMMONkit CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Valid Accounts: Default Accounts
Outlook Forms CONTRIBUTE A TEST Authentication Package Hijack Execution Flow: LD_PRELOAD
Hijack Execution Flow CONTRIBUTE A TEST Event Triggered Execution: Component Object Model Hijacking Indicator Removal on Host: Clear Windows Event Logs
Valid Accounts CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Unquoted Path File and Directory Permissions Modification CONTRIBUTE A TEST
Multi-Factor Authentication CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Startup Items Abuse Elevation Control Mechanism CONTRIBUTE A TEST
IIS Components Domain Accounts CONTRIBUTE A TEST Create Process with Token
Event Triggered Execution Network Logon Script CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Setuid and Setgid
Event Triggered Execution: .bash_profile .bashrc and .shrc Event Triggered Execution: AppInit DLLs Signed Binary Proxy Execution: Odbcconf
Authentication Package Event Triggered Execution: Screensaver Temporary Elevated Cloud Access CONTRIBUTE A TEST
Event Triggered Execution: Component Object Model Hijacking Create or Modify System Process: Launch Agent Process Doppelgänging CONTRIBUTE A TEST
Office Application Startup: Outlook Home Page Proc Memory CONTRIBUTE A TEST Delete Cloud Instance CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Unquoted Path Installer Packages CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Startup Items Boot or Logon Initialization Scripts: Rc.common Impair Defenses: Indicator Blocking
Domain Accounts CONTRIBUTE A TEST Access Token Manipulation CONTRIBUTE A TEST Disable or Modify Cloud Firewall CONTRIBUTE A TEST
Network Logon Script CONTRIBUTE A TEST Create or Modify System Process: SysV/Systemd Service Right-to-Left Override CONTRIBUTE A TEST
BITS Jobs XDG Autostart Entries CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST
Event Triggered Execution: AppInit DLLs Thread Local Storage CONTRIBUTE A TEST Indicator Removal on Host
Event Triggered Execution: Screensaver Boot or Logon Autostart Execution: Re-opened Applications Use Alternate Authentication Material: Pass the Ticket
Create or Modify System Process: Launch Agent Hijack Execution Flow: DLL Side-Loading Masquerading: Masquerade Task or Service
Server Software Component CONTRIBUTE A TEST Account Manipulation: Additional Email Delegate Permissions Process Injection: Asynchronous Procedure Call
Domain Controller Authentication CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST Plist File Modification
Reversible Encryption CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Windows) Subvert Trust Controls: Mark-of-the-Web Bypass
Installer Packages CONTRIBUTE A TEST Process Injection: ListPlanting Disable Crypto Hardware CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Rc.common Domain Policy Modification CONTRIBUTE A TEST Pre-OS Boot CONTRIBUTE A TEST
Create or Modify System Process: SysV/Systemd Service Boot or Logon Autostart Execution: LSASS Driver Build Image on Host
Create Account CONTRIBUTE A TEST Valid Accounts: Cloud Accounts Process Injection: Portable Executable Injection
XDG Autostart Entries CONTRIBUTE A TEST Scheduled Task/Job: At Verclsid CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Re-opened Applications Process Injection: Dynamic-link Library Injection Impair Defenses: Downgrade Attack
Hijack Execution Flow: DLL Side-Loading Event Triggered Execution: Netsh Helper DLL Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Account Manipulation: Additional Email Delegate Permissions Dylib Hijacking CONTRIBUTE A TEST Signed Binary Proxy Execution: Mshta
Power Settings CONTRIBUTE A TEST Valid Accounts: Local Accounts Execution Guardrails CONTRIBUTE A TEST
Boot or Logon Initialization Scripts: Logon Script (Windows) Hijack Execution Flow: COR_PROFILER Access Token Manipulation: Token Impersonation/Theft
Office Application Startup: Office Test Port Knocking CONTRIBUTE A TEST
Boot or Logon Autostart Execution: LSASS Driver LNK Icon Smuggling CONTRIBUTE A TEST
Valid Accounts: Cloud Accounts Hide Artifacts: Hidden Users
Scheduled Task/Job: At Make and Impersonate Token CONTRIBUTE A TEST
Modify Authentication Process CONTRIBUTE A TEST Impair Defenses: HISTCONTROL
Event Triggered Execution: Netsh Helper DLL Network Provider DLL CONTRIBUTE A TEST
SQL Stored Procedures CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST
Network Device Authentication CONTRIBUTE A TEST Access Token Manipulation: Parent PID Spoofing
Dylib Hijacking CONTRIBUTE A TEST VDSO Hijacking CONTRIBUTE A TEST
Valid Accounts: Local Accounts Services File Permissions Weakness CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER KernelCallbackTable CONTRIBUTE A TEST
ROMMONkit CONTRIBUTE A TEST
Signed Binary Proxy Execution: Compiled HTML File
Indicator Removal on Host: Network Share Connection Removal
Impair Defenses: Disable or Modify Tools
Modify System Image CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST
Indicator Removal from Tools CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Process Injection: Process Hollowing
Resource Forking CONTRIBUTE A TEST
Obfuscated Files or Information
Multi-Factor Authentication CONTRIBUTE A TEST
Invalid Code Signature CONTRIBUTE A TEST
Run Virtual Instance
Access Token Manipulation: SID-History Injection
Network Boundary Bridging CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Elevated Execution with Prompt CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvr32
Masquerading: Rename System Utilities
Spoof Security Alerting CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Unquoted Path
Steganography CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvcs/Regasm
Subvert Trust Controls: Install Root Certificate
Obfuscated Files or Information: Compile After Delivery
VBA Stomping CONTRIBUTE A TEST
BITS Jobs
Trusted Developer Utilities Proxy Execution: MSBuild
Impersonation CONTRIBUTE A TEST
Modify Cloud Compute Configurations CONTRIBUTE A TEST
Impair Defenses: Disable Cloud Logs
Hide Artifacts: Hidden Window
Create Cloud Instance CONTRIBUTE A TEST
Proc Memory CONTRIBUTE A TEST
Patch System Image CONTRIBUTE A TEST
Clear Persistence CONTRIBUTE A TEST
Domain Controller Authentication CONTRIBUTE A TEST
HTML Smuggling
Reversible Encryption CONTRIBUTE A TEST
Command Obfuscation CONTRIBUTE A TEST
Indicator Removal on Host: File Deletion
Template Injection
Access Token Manipulation CONTRIBUTE A TEST
Obfuscated Files or Information: Software Packing
Hidden File System CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Debugger Evasion CONTRIBUTE A TEST
Masquerading: Space after Filename
Use Alternate Authentication Material: Pass the Hash
Hijack Execution Flow: DLL Side-Loading
Ptrace System Calls CONTRIBUTE A TEST
Obfuscated Files or Information: Dynamic API Resolution
Process Injection: ListPlanting
Domain Policy Modification CONTRIBUTE A TEST
XSL Script Processing
Hide Artifacts: Hidden Files and Directories
Create Snapshot CONTRIBUTE A TEST
Application Access Token CONTRIBUTE A TEST
Valid Accounts: Cloud Accounts
Environmental Keying CONTRIBUTE A TEST
Hide Artifacts: NTFS File Attributes
Process Injection: Dynamic-link Library Injection
Modify Authentication Process CONTRIBUTE A TEST
Signed Script Proxy Execution
Network Device Authentication CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST
Downgrade System Image CONTRIBUTE A TEST
Valid Accounts: Local Accounts
Exploitation for Defense Evasion CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution
MMC CONTRIBUTE A TEST
Process Argument Spoofing CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER
Reference in New Issue View Git Blame Copy Permalink