security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ffb170aa83e84166b52db8ff449b3f5f9deeea49
atomic-red-team/atomics/Indexes/Matrices/matrix.md
T
Carrie Roberts 24549e3866 Convert to Mitre ATT&CK sub-technique schema (#1056) 
* Initial transfer of atomics to MITRE subtechniques

* Add GUIDs back in, attack_technique to string (#1019)

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* Subtechnique transfer T1220-T1546.005 (#1020)

* Create T1222.001.yaml

* Create T1222.002.yaml

* Create T1505.002.yaml

* Update T1543.003.yaml

* Update AtomicService.cs

* Update T1546.005.yaml

* Delete T1222.yaml

* Update T1482.yaml

* Update T1485.yaml

* Update T1220.yaml

* Update T1489.yaml

* Update T1490.yaml

* Update T1496.yaml

* Update T1505.003.yaml

* Update T1505.yaml

* Update T1518.001.yaml

* Update T1518.yaml

* Update T1529.yaml

* Update T1543.004.yaml

* Update T1546.001.yaml

* Update T1546.002.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.002.yaml

* Update T1543.001.yaml

* Update T1518.001.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1531.yaml

* Update T1222.001.yaml

* Update T1222.002.yaml

* Update T1505.002.yaml

* Update T1505.003.yaml

* Update T1518.001.yaml

* Update T1543.001.yaml

* Update T1546.005.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.003.yaml

* Update T1543.002.yaml

* added auto_generated_guid 1220

* added T1222.001 auto_generated_guid

* Update T1222.002.yaml

added   auto_generated_guid entries

* Update T1482.yaml

  auto_generated_guid added

* Update T1485.yaml

added   auto_generated_guids

* Update T1489.yaml

added   auto_generated_guids

* Update T1490.yaml

added   auto_generated_guids

* Update T1496.yaml

added   auto_generated_guid

* Update T1505.002.yaml

added   auto_generated_guid from old T1505 same atomic

* Update T1505.003.yaml

added  auto_generated_guid from previous atomic 1100

* Delete T1505.yaml

no longer needed, moved to 1505.002

* Update T1518.yaml

added  auto_generated_guids

* Update T1529.yaml

added   auto_generated_guids

* Update T1531.yaml

added   auto_generated_guids

* Update T1543.001.yaml

added   auto_generated_guid

* Update T1543.002.yaml

added   auto_generated_guid

* Update T1543.004.yaml

added   auto_generated_guid

* Update T1546.001.yaml

added   auto_generated_guid

* Update T1546.002.yaml

added   auto_generated_guid

* Update T1546.003.yaml

* Update T1546.004.yaml

added  auto_generated_guid

* Update T1546.005.yaml

added  auto_generated_guid

* add guids back in

* fix spacing issue

* fix spacing

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Sub-techniques T1053-T1113 - Updates (#1022)

* Sub-techniques T1053-T1113 - Updates

Updated techniques for sub-techniques.

* minor fixes

format fixing

* Added GUIDs

- Added GUIDs back
- Fixed typo (T1054)
- Fixed attack_technique from an array to a string

* Sub-technique updates T1546.008 through T1574.011 (#1024)

* sub technique updates

* sub technique updates

* sub technique updates

* Carrie updates (#1017)

* updated T1110,12,13

* updated T1114

* updated T1114

* updated T1115

* updated T1119

* updated T1123,24

* updated T1127

* updated T1114

* updated T1127

* updated T1132

* T1134.004

* T1134.004

* updated T1135

* updated T1136

* updated T1137

* updated T1140

* remove depracted T1153

* updated T1176

* updated T1197

* updated T1201

* updated T1202

* updated T1204

* updated T1207

* updated T1216

* updated T1204

* updated T1217

* updated T1218

* updated T1218

* updated T1219

* updated T1218

* attack_technique to string

* Subtechnique transfer (#1025)

* T1003 review

* T1005 manual review changes

* T1027.002 sub-technique review

* T1027.004 sub-technique review

* T1036 sub-technique review

* T1037 sub-technique review

* T1048 sub-technique review

* YAML bugfixes

* Adding auto-generated GUIDs back to tests

* merging with Mike's PR

* Merging with Carrie's PR

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Subtechnique fix (#1026)

* add atomic_tests: element

* add atomic_tests: element

* more fixes

* more fixes

* more fixes

* sub technique minor fixes 1 (#1027)

* fixes

* fixes

* more fixes

* more fixes

* display name fix (#1028)

* remove some deprecated stuff. reorganize a little (#1031)

* Gendocs fix (#1033)

* gendocs updates for subtechniques

* add folders

* ignore auto generated markdown files

* remove tmp files

* add tmp files

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

* navigator layer v3.0

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-06-17 12:55:46 -06:00

43 KiB
Raw Blame History

All Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Cloud Accounts CONTRIBUTE A TEST AppleScript .bash_profile and .bashrc .bash_profile and .bashrc Abuse Elevation Control Mechanism CONTRIBUTE A TEST /etc/passwd and /etc/shadow CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST Archive Collected Data Automated Exfiltration CONTRIBUTE A TEST Application Layer Protocol CONTRIBUTE A TEST Account Access Removal
Compromise Hardware Supply Chain CONTRIBUTE A TEST At (Linux) CONTRIBUTE A TEST Accessibility Features Abuse Elevation Control Mechanism CONTRIBUTE A TEST Access Token Manipulation CONTRIBUTE A TEST Bash History Application Window Discovery Component Object Model and Distributed COM CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Data Transfer Size Limits Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST At (Windows) Account Manipulation Access Token Manipulation CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST Brute Force CONTRIBUTE A TEST Browser Bookmark Discovery Distributed Component Object Model CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Alternative Protocol Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Bash Add Office 365 Global Administrator Role CONTRIBUTE A TEST Accessibility Features Asynchronous Procedure Call Cached Domain Credentials CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Exploitation of Remote Services CONTRIBUTE A TEST Archive via Utility Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Destruction
Default Accounts CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Add-ins CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST BITS Jobs Cloud Instance Metadata API CONTRIBUTE A TEST Cloud Groups CONTRIBUTE A TEST Internal Spearphishing CONTRIBUTE A TEST Audio Capture Exfiltration Over Bluetooth CONTRIBUTE A TEST DNS Data Encrypted for Impact CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST Additional Azure Service Principal Credentials CONTRIBUTE A TEST AppInit DLLs Binary Padding Credential API Hooking Cloud Service Dashboard CONTRIBUTE A TEST Lateral Tool Transfer CONTRIBUTE A TEST Automated Collection Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Component Object Model and Distributed COM CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST Application Shimming Bootkit CONTRIBUTE A TEST Credential Stuffing CONTRIBUTE A TEST Cloud Service Discovery CONTRIBUTE A TEST Pass the Hash Clipboard Data Exfiltration Over Other Network Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Cron AppInit DLLs Asynchronous Procedure Call Bypass User Access Control Credentials In Files Domain Account Pass the Ticket Confluence CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST Dynamic Data Exchange Application Shimming At (Linux) CONTRIBUTE A TEST CMSTP Credentials from Password Stores CONTRIBUTE A TEST Domain Groups RDP Hijacking CONTRIBUTE A TEST Credential API Hooking Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Dead Drop Resolver CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST At (Linux) CONTRIBUTE A TEST At (Windows) Clear Command History Credentials from Web Browsers Domain Trust Discovery Remote Desktop Protocol Data Staged CONTRIBUTE A TEST Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Domain Fronting CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST At (Windows) Authentication Package CONTRIBUTE A TEST Clear Linux or Mac System Logs Credentials in Registry Email Account CONTRIBUTE A TEST Remote Service Session Hijacking CONTRIBUTE A TEST Data from Cloud Storage Object CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Inter-Process Communication CONTRIBUTE A TEST Authentication Package CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Clear Windows Event Logs DCSync CONTRIBUTE A TEST File and Directory Discovery Remote Services CONTRIBUTE A TEST Data from Information Repositories CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST Launchctl BITS Jobs Boot or Logon Initialization Scripts CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Local Account Replication Through Removable Media CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Encrypted Channel External Defacement CONTRIBUTE A TEST
Spearphishing Attachment Launchd Boot or Logon Autostart Execution CONTRIBUTE A TEST Bypass User Access Control Code Signing CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Local Groups SMB/Windows Admin Shares Data from Network Shared Drive CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Malicious File Boot or Logon Initialization Scripts CONTRIBUTE A TEST Change Default File Association Compile After Delivery Forced Authentication CONTRIBUTE A TEST Network Service Scanning SSH CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Inhibit System Recovery
Spearphishing via Service CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Compiled HTML File GUI Input Capture Network Share Discovery SSH Hijacking CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Transfer Data to Cloud Account CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Internal Defacement CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Native API Browser Extensions Component Object Model Hijacking Component Firmware CONTRIBUTE A TEST Golden Ticket CONTRIBUTE A TEST Network Sniffing Shared Webroot CONTRIBUTE A TEST Email Forwarding Rule CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST PowerShell Change Default File Association Create Process with Token CONTRIBUTE A TEST Control Panel Group Policy Preferences Password Policy Discovery Software Deployment Tools CONTRIBUTE A TEST GUI Input Capture Ingress Tool Transfer OS Exhaustion Flood CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Python CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Create Process with Token CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Peripheral Device Discovery CONTRIBUTE A TEST Taint Shared Content CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Internal Proxy Reflection Amplification CONTRIBUTE A TEST
Scheduled Task Cloud Accounts CONTRIBUTE A TEST Cron DLL Search Order Hijacking Kerberoasting Permission Groups Discovery CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST Keylogging Junk Data CONTRIBUTE A TEST Resource Hijacking
Scheduled Task/Job CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST DLL Search Order Hijacking DLL Side-Loading Keychain Process Discovery VNC CONTRIBUTE A TEST LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST Component Object Model Hijacking DLL Side-Loading Default Accounts CONTRIBUTE A TEST Keylogging Query Registry Web Session Cookie CONTRIBUTE A TEST Local Data Staging Multi-Stage Channels CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Service Execution Compromise Client Software Binary CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Deobfuscate/Decode Files or Information LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Remote System Discovery Windows Remote Management Local Email Collection Multi-hop Proxy CONTRIBUTE A TEST Service Stop
Shared Modules CONTRIBUTE A TEST Create Account CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Direct Volume Access CONTRIBUTE A TEST LSA Secrets CONTRIBUTE A TEST Security Software Discovery Man in the Browser CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Software Deployment Tools CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST Disable Windows Event Logging LSASS Memory Software Discovery Man-in-the-Middle CONTRIBUTE A TEST Non-Application Layer Protocol System Shutdown/Reboot
Source CONTRIBUTE A TEST Cron Dynamic-link Library Injection CONTRIBUTE A TEST Disable or Modify System Firewall Man-in-the-Middle CONTRIBUTE A TEST System Information Discovery Remote Data Staging CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST DLL Search Order Hijacking Elevated Execution with Prompt CONTRIBUTE A TEST Disable or Modify Tools Modify Authentication Process CONTRIBUTE A TEST System Network Configuration Discovery Remote Email Collection CONTRIBUTE A TEST Non-Standard Port
User Execution CONTRIBUTE A TEST DLL Side-Loading Emond Domain Accounts CONTRIBUTE A TEST NTDS System Network Connections Discovery Screen Capture One-Way Communication CONTRIBUTE A TEST
VBScript CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Network Sniffing System Owner/User Discovery Sharepoint CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Windows Command Shell Domain Account CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Dylib Hijacking CONTRIBUTE A TEST OS Credential Dumping System Service Discovery Video Capture CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Windows Management Instrumentation Domain Accounts CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Dynamic-link Library Injection CONTRIBUTE A TEST Password Cracking CONTRIBUTE A TEST System Time Discovery Web Portal Capture CONTRIBUTE A TEST Protocol Tunneling CONTRIBUTE A TEST
Dylib Hijacking CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Elevated Execution with Prompt CONTRIBUTE A TEST Password Filter DLL Proxy CONTRIBUTE A TEST
Emond Group Policy Modification CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Password Guessing Remote Access Software
Event Triggered Execution CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Execution Guardrails CONTRIBUTE A TEST Password Spraying CONTRIBUTE A TEST Standard Encoding
Exchange Email Delegate Permissions CONTRIBUTE A TEST Image File Execution Options Injection Exploitation for Defense Evasion CONTRIBUTE A TEST Private Keys Steganography CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Kernel Modules and Extensions Extra Window Memory Injection CONTRIBUTE A TEST Proc Filesystem CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST LC_LOAD_DYLIB Addition CONTRIBUTE A TEST File Deletion Security Account Manager Traffic Signaling CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST LD_PRELOAD File and Directory Permissions Modification CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST Web Protocols
Hypervisor CONTRIBUTE A TEST LSASS Driver CONTRIBUTE A TEST Gatekeeper Bypass Silver Ticket CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Image File Execution Options Injection Launch Agent Group Policy Modification CONTRIBUTE A TEST Steal Application Access Token CONTRIBUTE A TEST
Implant Container Image CONTRIBUTE A TEST Launch Daemon HISTCONTROL Steal Web Session Cookie CONTRIBUTE A TEST
Kernel Modules and Extensions Launchd Hidden Files and Directories Steal or Forge Kerberos Tickets CONTRIBUTE A TEST
LC_LOAD_DYLIB Addition CONTRIBUTE A TEST Local Accounts CONTRIBUTE A TEST Hidden Users Two-Factor Authentication Interception CONTRIBUTE A TEST
LD_PRELOAD Logon Script (Mac) Hidden Window Unsecured Credentials CONTRIBUTE A TEST
LSASS Driver CONTRIBUTE A TEST Logon Script (Windows) Hide Artifacts CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST
Launch Agent Make and Impersonate Token CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST
Launch Daemon Netsh Helper DLL Impair Defenses CONTRIBUTE A TEST
Launchd Network Logon Script CONTRIBUTE A TEST Indicator Blocking CONTRIBUTE A TEST
Local Account Parent PID Spoofing Indicator Removal from Tools CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Path Interception CONTRIBUTE A TEST Indicator Removal on Host
Logon Script (Mac) Path Interception by PATH Environment Variable CONTRIBUTE A TEST Indirect Command Execution
Logon Script (Windows) Path Interception by Search Order Hijacking CONTRIBUTE A TEST Install Root Certificate
Netsh Helper DLL Path Interception by Unquoted Path CONTRIBUTE A TEST InstallUtil
Network Logon Script CONTRIBUTE A TEST Plist Modification Invalid Code Signature CONTRIBUTE A TEST
Office Application Startup CONTRIBUTE A TEST Port Monitors CONTRIBUTE A TEST LC_MAIN Hijacking CONTRIBUTE A TEST
Office Template Macros CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST LD_PRELOAD
Office Test CONTRIBUTE A TEST PowerShell Profile Linux and Mac File and Directory Permissions Modification
Outlook Forms CONTRIBUTE A TEST Proc Memory CONTRIBUTE A TEST Local Accounts CONTRIBUTE A TEST
Outlook Home Page CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST MSBuild
Outlook Rules CONTRIBUTE A TEST Process Hollowing Make and Impersonate Token CONTRIBUTE A TEST
Path Interception CONTRIBUTE A TEST Process Injection Masquerade Task or Service CONTRIBUTE A TEST
Path Interception by PATH Environment Variable CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST Masquerading CONTRIBUTE A TEST
Path Interception by Search Order Hijacking CONTRIBUTE A TEST Rc.common Match Legitimate Name or Location CONTRIBUTE A TEST
Path Interception by Unquoted Path CONTRIBUTE A TEST Re-opened Applications Modify Authentication Process CONTRIBUTE A TEST
Plist Modification Registry Run Keys / Startup Folder Modify Registry
Port Knocking CONTRIBUTE A TEST SID-History Injection CONTRIBUTE A TEST Mshta
Port Monitors CONTRIBUTE A TEST Scheduled Task Msiexec
PowerShell Profile Scheduled Task/Job CONTRIBUTE A TEST NTFS File Attributes
Pre-OS Boot CONTRIBUTE A TEST Screensaver Network Share Connection Removal
Rc.common Security Support Provider Obfuscated Files or Information
Re-opened Applications Services File Permissions Weakness Odbcconf
Redundant Access CONTRIBUTE A TEST Services Registry Permissions Weakness Parent PID Spoofing
Registry Run Keys / Startup Folder Setuid and Setgid Pass the Hash
SQL Stored Procedures CONTRIBUTE A TEST Shortcut Modification Pass the Ticket
Scheduled Task Startup Items Password Filter DLL
Scheduled Task/Job CONTRIBUTE A TEST Sudo and Sudo Caching Path Interception by PATH Environment Variable CONTRIBUTE A TEST
Screensaver Systemd Service Path Interception by Search Order Hijacking CONTRIBUTE A TEST
Security Support Provider Thread Execution Hijacking CONTRIBUTE A TEST Path Interception by Unquoted Path CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Thread Local Storage CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Services File Permissions Weakness Time Providers CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST
Services Registry Permissions Weakness Token Impersonation/Theft CONTRIBUTE A TEST Pre-OS Boot CONTRIBUTE A TEST
Shortcut Modification Trap Proc Memory CONTRIBUTE A TEST
Startup Items VDSO Hijacking CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST
System Firmware CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Process Hollowing
Systemd Service Windows Management Instrumentation Event Subscription Process Injection
Time Providers CONTRIBUTE A TEST Windows Service Ptrace System Calls CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST Winlogon Helper DLL PubPrn
Transport Agent Redundant Access CONTRIBUTE A TEST
Trap Regsvcs/Regasm
Valid Accounts CONTRIBUTE A TEST Regsvr32
Web Shell Rename System Utilities
Windows Management Instrumentation Event Subscription Revert Cloud Instance CONTRIBUTE A TEST
Windows Service Right-to-Left Override CONTRIBUTE A TEST
Winlogon Helper DLL Rogue Domain Controller
Rootkit
Rundll32
SID-History Injection CONTRIBUTE A TEST
SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Services File Permissions Weakness
Services Registry Permissions Weakness
Setuid and Setgid
Signed Binary Proxy Execution
Signed Script Proxy Execution
Software Packing
Space after Filename
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Sudo and Sudo Caching
System Checks CONTRIBUTE A TEST
System Firmware CONTRIBUTE A TEST
Template Injection CONTRIBUTE A TEST
Thread Execution Hijacking CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Token Impersonation/Theft CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
Use Alternate Authentication Material CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
VDSO Hijacking CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST
Windows File and Directory Permissions Modification
XSL Script Processing
Reference in New Issue View Git Blame Copy Permalink