MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
PDF, PPTX2,522 views

MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire

The document discusses various cyber exploitation techniques utilized by attackers, outlining their complexity and requirements for successful execution. It emphasizes the importance of understanding operating systems and potential infrastructures needed for methods such as process injection, web shell exploitation, and privilege escalation. Additionally, it highlights the procedures for initial access, lateral movement, and data exfiltration, while also mentioning the challenges and defenses against these techniques.

Embed presentation

Download as PDF, PPTX
ATT&CK as a Teacher Travis Smith Principal Security Researcher
• Not really an exploit • Requires the use of other techniques to be truly viable • Example – Graphical User Interface • Easy to exploit (my mom could probably do it) • No need for POC malware, scripts, or other tools • Example – Accessibility Features • Need some sort of tooling such as Metasploit or POC scripts • Could be more advanced than those found in green • Example – Exploitation for * • Might require custom DLL/EXE • In-Depth Understanding of the OS • Example – Process Injection • Requires additional infrastructure to be able to exploit • Some are quite easy, some can be more advanced. • Example – Web Shell Exploitable to Anyone Additional Steps Required Cost Prohibitive Hard Techniques OnlyT E A C H
Initial Access Drive-by Compromise Exploit Public-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Initial Access Drive-by Compromise Exploit Public-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Initial Access Drive-by Compromise Exploit Public-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Initial Access Drive-by Compromise Exploit Public-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Initial Access Drive-by Compromise Exploit Public-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Initial Access Drive-by Compromise Exploit Public-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Detections Did they work? Can any be added? Mitigations Did they work? Can any be added? What Did You Learn Was it in ATT&CK? Was it From Original Research
tripwire.com | @TripwireInc

More Related Content

PDF
State of the ATT&CK
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PDF
A Threat Hunter Himself
bySergey Soldatov
 
PDF
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
PDF
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
State of the ATT&CK
byMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
A Threat Hunter Himself
bySergey Soldatov
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 

What's hot

PPTX
Adversary Emulation and the C2 Matrix
byJorge Orchilles
 
PDF
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PDF
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
byMITRE ATT&CK
 
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
PDF
Projects to Impact- Operationalizing Work from the Center
byMITRE ATT&CK
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
byMITRE ATT&CK
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
PDF
ATT&CKING Containers in The Cloud
byMITRE ATT&CK
 
PDF
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PDF
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PDF
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
PDF
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018 Keynote: Advancing Infosec, John Lambert, Microsoft
byMITRE - ATT&CKcon
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
byJorge Orchilles
 
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
byMITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
Projects to Impact- Operationalizing Work from the Center
byMITRE ATT&CK
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
byMITRE ATT&CK
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
ATT&CKING Containers in The Cloud
byMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
byMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018 Keynote: Advancing Infosec, John Lambert, Microsoft
byMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 

Similar to MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire

PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
byTripwire
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PDF
Getting Bear-y Cozy with PowerShell
byJamieWilliams130
 
PDF
Which Came First: The Phish or the Opportunity to Defend Against It
byJamieWilliams130
 
PPTX
Defending Your "Gold"
byWill Schroeder
 
PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
PDF
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
PDF
74 Methods for Privilege Escalation Part 2
byHadess
 
PDF
CNIT 126 Ch 11: Malware Behavior
bySam Bowne
 
PPTX
Windows Privilege Escalation Techniques.pptx
bypentest716
 
PPTX
Hunting for Cyber Threats Using Threat Modeling & Frameworks
byTripwire
 
PDF
Update from the MITRE ATT&CK Team
byAdam Pennington
 
PDF
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
PDF
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
PDF
1000 to 0
bySunny Neo
 
State of the ATTACK
byMITRE - ATT&CKcon
 
Defend Your Data Now with the MITRE ATT&CK Framework
byTripwire
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Getting Bear-y Cozy with PowerShell
byJamieWilliams130
 
Which Came First: The Phish or the Opportunity to Defend Against It
byJamieWilliams130
 
Defending Your "Gold"
byWill Schroeder
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
74 Methods for Privilege Escalation Part 2
byHadess
 
CNIT 126 Ch 11: Malware Behavior
bySam Bowne
 
Windows Privilege Escalation Techniques.pptx
bypentest716
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
byTripwire
 
Update from the MITRE ATT&CK Team
byAdam Pennington
 
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
1000 to 0
bySunny Neo
 

More from MITRE - ATT&CKcon

PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 

Recently uploaded

PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
API-First Architecture in Financial Systems
bycyy111112
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire

  • 1.
    ATT&CK as aTeacher Travis Smith Principal Security Researcher
  • 4.
    • Not reallyan exploit • Requires the use of other techniques to be truly viable • Example – Graphical User Interface • Easy to exploit (my mom could probably do it) • No need for POC malware, scripts, or other tools • Example – Accessibility Features • Need some sort of tooling such as Metasploit or POC scripts • Could be more advanced than those found in green • Example – Exploitation for * • Might require custom DLL/EXE • In-Depth Understanding of the OS • Example – Process Injection • Requires additional infrastructure to be able to exploit • Some are quite easy, some can be more advanced. • Example – Web Shell Exploitable to Anyone Additional Steps Required Cost Prohibitive Hard Techniques OnlyT E A C H
  • 5.
    Initial Access Drive-by Compromise ExploitPublic-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
  • 6.
    Initial Access Drive-by Compromise ExploitPublic-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
  • 7.
    Initial Access Drive-by Compromise ExploitPublic-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
  • 8.
    Initial Access Drive-by Compromise ExploitPublic-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
  • 9.
    Initial Access Drive-by Compromise ExploitPublic-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
  • 10.
    Initial Access Drive-by Compromise ExploitPublic-Facing Application Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution CMSTP Command-Line Interface Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Third-party Software Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management Persistence Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Port Monitors Redundant Access Registry Run Keys / Start Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Shortcut Modification SIP and Trust Provider Hijacking System Firmware Time Providers Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection New Service Path Interception Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness SID-History Injection Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control CMSTP Code Signing Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File System Logical Offsets Hidden Files and Directories Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Timestomp Trusted Developer Utilities Valid Accounts Web Service Credential Access Account Manipulation Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Kerberoasting LLMNR/NBT-NS Poisoning Network Sniffing Password Filter DLL Private Keys Replication Through Removable Media Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Lateral Movement Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
  • 19.
    Detections Did they work? Can any beadded? Mitigations Did they work? Can any be added? What Did You Learn Was it in ATT&CK? Was it From Original Research
  • 21.