Professional Documents
Culture Documents
LinkedIn.com Google.com
SMTP Send Office365 A�acks NA sequen�ally
Large numbers of HTTP NTLM
exposure.
Monitor domain expira�ons
Server Test OWA
Data.com Bing.com
Cmds Emails MS APIs from public resources requests
Send Phishing
Email filters, thresholds, and spam User awareness training
Email Sources Email Targets Email Content rules Incident response procedures
Email source verifica�on
Spoofed Spoofed Domain
Hacked Mass Targeted Pretext Malicious
Malicious Emails NA Blacklist checks
SPF record checks
Internal External Similar to Files &
Domain Domain Company
Account Mailing Mailing Scenario Links
Embedding to employee addresses Logs / SEIM / Alerts
Deliver the
Asset / config / patch mgmt. Email filters, thresholds, and spam User awareness training
Malicious Links Website Components Files An�-virus / HIDs / HIPs rules Incident response procedures
@ Secure group policy Deny / log relay requests
Port Geo
Phish Creden�al Java Applet
Brower
Browser Common Office Payloads Mail client configura�ons
MS Office Security Se�ngs
Secure caching provider
Web filtering / white lis�ng
Web Collec�on ClickOnce Add-On exec file Docs + Web browser configura�ons Authen�cated HTTP proxies
Scan Locate Exploit
Site Form HTA Exploit formats Macros to employee systems Logs / SEIM / Alerts Logs / SEIM / Alerts
Common Payload Command Types Run the Payload Asset / config / patch mgmt.
An�-virus / HIDs / HIPs
Commands
Secure group policy se�ngs User awareness training
NA
Commands Binaries Scripts Standard Assembly Byte Applica�on white lis�ng Incident response procedures
Code Least privilege enforcement
cmd, wmi, wrm, Executable, PS, VB, VBS, Code Code
�p, net, etc Installer, Library JS, Bat C, C++, C# shellcode Java, .Net on employee systems Logs / SEIM / Alerts
Persistence
User awareness training
Applica�on white lis�ng NA
PW / Pvt Key File, Registry, WMI Incident response procedures
Custom Windows Scheduled Code / File Driver Least privilege enforcement
PW Hash & Applica�on Event Logs / SEIM / Alerts
Providers Service Task Modifica�on BIOS
Kerb Ticket Autoruns Trigger on employee systems FIM / WMI event triggers
Egress Ports Common Protocols Common Types Obtain Command & Asset / config / patch mgmt.
An�-virus / HIDs / HIPs
Firewall Rules / Segmenta�on
NIDs / NIPs
Control Channel
Secure group policy se�ngs Fix Up Protocols User awareness training
DNS SSH FTP Torrent Bind Shell Applica�on white lis�ng Web Filtering / White Lis�ng Incident response procedures
TCP IPv4 HTTP Least privilege enforcement Authen�cated HTTP Proxies
ICMP Telnet NFS IM Beacon Reverse Shell
UDP IPv6 HTTPS Logs / SEIM / Alerts Logs / SEIM / Alerts
NTP Rlogin SMB SMTP Web Shell from employee systems
Privileges
Admin awareness training
Least privilege enforcement Logs / SEIM / Alerts
Weak Password Incident response procedures
Insecure Insecure Insecure Insecure Excessive Logs / SEIM / Alerts
or Password OS APP DEP / ASLR / SEH
Service Schtask GPO Protocol Privilege
Storage Method on employee systems Micro virtualizing / sandboxes
Steal
Common local Targets Perform Local Asset / config / patch mgmt.
An�-virus / HIDs / HIPs
Authen�ca�on Tokens
Password /
Password Kerberos OS, Domain,
Users & Cache Services & Installed Files &
Recon / Discovery Secure group policy se�ngs
Applica�on white lis�ng
Least privilege enforcement
Logs / SEIM / Alerts
Admin awareness training
Incident response procedures
Hash Ticket & Network
Private Key
(PTH) (PTT) Informa�on
Groups & Logs Processes Apps Registry on employee systems Logs / SEIM / Alerts
Authen�ca�on Tokens
Common Methods Perform Lateral An�-virus / HIDs / HIPs
Secure group policy se�ngs
Firewall Rules / Segmenta�on
NIDs / NIPs
Don’t use shared local accounts
Use a separate domain user and
Web
Movement
Honey Pots
Applica�on white lis�ng server admin accounts
Password Kerberos ShellsDB, App Remote Tarpits
Password / MGMT Windows Sched File GPO, Least privilege enforcement Maintain secure configs
Canary networks, systems, & accounts
Hash Ticket & VM Exploit, Logs / SEIM / Alerts Incident response procedures
Private Key Services Service Task Share SCCM
(PTH) (PTT) Servers Physical between systems/networks Host-based Firewall
Logs / SEIM / Alerts
Sensi�ve Data
User awareness training
Large file upload detec�on Fix Up Protocols
Common & Standard & C2 and Staged Large Compression Incident response procedures
LAN & USB CD Mail client/server se�ngs Web Filtering / Auth Proxy
Wireless Uncommon Custom Alterna�ve & not & Small Encoding Logs / SEIM / Alerts Canary Data Samples
& SD DVD using common channels
Ports Protocols Channels Staged Files Encryp�on Logs / SEIM / Alerts
Without a C2
Limit Terminal Service, Citrix, and
Canary networks, systems, Incident response procedures
Password Kerberos Private Key RDP Office365 VDE access to specific groups during
Password / Web Based applica�ons, and accounts Enforce strong account policies
specific hours
Hash Ticket Token Seed VPN SSH Azure Logged events / SEIM / alerts
Private Key Citrix & TS using common interfaces Geo / IP limi�ng
(PTH) (PTT) Skeleton Key VDE AWS