ESXi Atomic Tests by ATT&CK Tactic & Technique
Every cell in this matrix is marked CONTRIBUTE A TEST: no ESXi atomic test exists yet for any listed technique, so each entry is an open contribution slot. Techniques are grouped by ATT&CK tactic; sub-techniques are written as "Technique: Sub-technique".

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Exploit Public-Facing Application | Scheduled Task/Job: Cron | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading: Match Legitimate Name or Location | Brute Force: Password Guessing | System Network Configuration Discovery: Internet Connection Discovery | Remote Services: SSH | Data Staged: Local Data Staging | Exfiltration Over Web Service | Data Encoding: Standard Encoding | Service Stop |
| Valid Accounts: Default Accounts | ESXi Administration Command | Scheduled Task/Job: Cron | Scheduled Task/Job: Cron | Hide Artifacts | Brute Force: Password Spraying | Account Discovery: Local Account | Remote Services | Remote Data Staging | Exfiltration Over Webhook | Dynamic Resolution: Domain Generation Algorithms | Defacement |
| Valid Accounts | Scheduled Task/Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal on Host: Clear Command History | Brute Force | System Information Discovery | Exploitation of Remote Services | Data from Local System | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol: DNS | Defacement: Internal Defacement |
| Domain Accounts | Command and Scripting Interpreter | Valid Accounts: Default Accounts | Escape to Host | Deobfuscate/Decode Files or Information | Brute Force: Credential Stuffing | Virtual Machine Discovery | Lateral Tool Transfer | Data Staged | Exfiltration to Code Repository | Symmetric Cryptography | Account Access Removal |
| Valid Accounts: Local Accounts | Command and Scripting Interpreter: Bash | Create Account: Local Account | Valid Accounts: Default Accounts | Impair Defenses | | System Network Configuration Discovery | | | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Fast Flux DNS | Data Encrypted for Impact |
| | Command and Scripting Interpreter: Python | SSH Authorized Keys | SSH Authorized Keys | Masquerading | | Account Discovery | | | Exfiltration Over C2 Channel | Application Layer Protocol | Data Destruction |
| | Hypervisor CLI | Compromise Host Software Binary | Account Manipulation | Indicator Removal on Host: Timestomp | | File and Directory Discovery | | | Exfiltration Over Alternative Protocol | Protocol Tunneling | Inhibit System Recovery |
| | | Account Manipulation | Valid Accounts | Impair Defenses: Disable or Modify System Firewall | | System Network Connections Discovery | | | Exfiltration Over Web Service: Exfiltration to Text Storage Sites | External Proxy | System Shutdown/Reboot |
| | | Valid Accounts | Domain Accounts | Valid Accounts: Default Accounts | | Log Enumeration | | | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Proxy | |
| | | Domain Accounts | Boot or Logon Initialization Scripts: Rc.common | File and Directory Permissions Modification | | Process Discovery | | | Data Transfer Size Limits | Dynamic Resolution | |
| | | Server Software Component | Valid Accounts: Local Accounts | Impair Defenses: Indicator Blocking | | Remote System Discovery | | | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Web Service | |
| | | Boot or Logon Initialization Scripts: Rc.common | | Indicator Removal on Host | | Software Discovery | | | | DNS Calculation | |
| | | Create Account | | Execution Guardrails | | Local Storage Discovery | | | | Multi-Stage Channels | |
| | | vSphere Installation Bundles | | Impair Defenses: Impair Command History Logging | | System Time Discovery | | | | File Transfer Protocols | |
| | | Valid Accounts: Local Accounts | | Valid Accounts | | | | | | One-Way Communication | |
| | | | | Obfuscated Files or Information | | | | | | Proxy: Multi-hop Proxy | |
| | | | | Run Virtual Instance | | | | | | Data Obfuscation | |
| | | | | Domain Accounts | | | | | | Non-Standard Port | |
| | | | | Clear Persistence | | | | | | Encrypted Channel | |
| | | | | Indicator Removal on Host: File Deletion | | | | | | Bidirectional Communication | |
| | | | | Valid Accounts: Local Accounts | | | | | | Asymmetric Cryptography | |
| | | | | | | | | | | Non-Application Layer Protocol | |
| | | | | | | | | | | Protocol or Service Impersonation | |
| | | | | | | | | | | Domain Fronting | |
| | | | | | | | | | | Data Encoding | |
| | | | | | | | | | | Non-Standard Encoding | |
| | | | | | | | | | | Application Layer Protocol: Web Protocols | |
| | | | | | | | | | | Ingress Tool Transfer | |
| | | | | | | | | | | Hide Infrastructure | |
| | | | | | | | | | | Data Obfuscation via Steganography | |
| | | | | | | | | | | Fallback Channels | |
| | | | | | | | | | | Proxy: Internal Proxy | |
| | | | | | | | | | | Dead Drop Resolver | |
| | | | | | | | | | | Junk Data | |