Reversible Encryption
Multi-Factor Authentication
SIP and Trust Provider Hijacking Executable Installer File Permissions Weakness
CMSTP KernelCallbackTable
https://github.com/Ignitetechnologies
InstallUtil T1574 - Hijack Execution Flow
Accessibility Features
AppCert DLLs
T1057 - Process Discovery Local Groups Component Object Model Hijacking T1078 - Valid Accounts
T1012 - Query Registry Domain Groups Installer Packages Group Policy Modification
T1018 - Remote System Discovery T1069 - Permission Groups Discovery T1546 - Event Triggered Execution Domain Trust Modification
Security Software Discovery T1120 - Peripheral Device Discovery T1068 - Exploitation for Privilege Escalation T1484 - Domain Policy Modification
T1518 - Software Discovery T1201 - Password Policy Discovery DLL Search Order Hijacking Windows Service
T1082 - System Information Discovery T1040 - Network Sniffing DLL Side-Loading T1543 - Create or Modify System Process
System Language Discovery T1135 - Network Share Discovery Executable Installer File Permissions Weakness Logon Script (Windows)
T1614 - System Location Discovery T1046 - Network Service Discovery Path Interception by PATH Environment Variable Network Logon Script
Internet Connection Discovery T1615 - Group Policy Discovery Path Interception by Search Order Hijacking T1037 - Boot or Logon Initialization Scripts
T1016 - System Network Configuration Discovery T1083 - File and Directory Discovery Path Interception by Unquoted Path Registry Run Keys / Startup Folder
T1049 - System Network Connections Discovery T1482 - Domain Trust Discovery Services File Permissions Weakness Authentication Package
T1033 - System Owner/User Discovery T1622 - Debugger Evasion Services Registry Permissions Weakness Time Providers
T1007 - System Service Discovery T1217 - Browser Bookmark Discovery COR_PROFILER Winlogon Helper DLL
T1124 - System Time Discovery T1010 - Application Window Discovery KernelCallbackTable Security Support Provider
System Checks Local Account T1574 - Hijack Execution Flow LSASS Driver
User Activity Based Checks Domain Account Dynamic-link Library Injection Shortcut Modification
Time Based Evasion Email Account Portable Executable Injection Port Monitors
T1497 - Virtualization/Sandbox Evasion T1087 - Account Discovery Thread Execution Hijacking Print Processors
Distributed Component Object Model Process Doppelgänging Make and Impersonate Token
T1091 - Replication Through Removable Media T1021 - Remote Services At T1134 - Access Token Manipulation
T1072 - Software Deployment Tools RDP Hijacking Scheduled Task Bypass User Account Control
T1080 - Taint Shared Content T1563 - Remote Service Session Hijacking T1053 - Scheduled Task/Job T1548 - Abuse Elevation Control Mechanism
T1550 - Use Alternate Authentication Material T1210 - Exploitation of Remote Services T1133 - External Remote Services
DLL Side-Loading
T1039 - Data from Network Shared Drive Executable Installer File Permissions Weakness
T1025 - Data from Removable Media T1005 - Data from Local System Path Interception by PATH Environment Variable
Remote Data Staging T1213 - Data from Information Repositories Path Interception by Unquoted Path
T1074 - Data Staged T1115 - Clipboard Data Services File Permissions Weakness Change Default File Association
Local Email Collection T1185 - Browser Session Hijacking Services Registry Permissions Weakness Screensaver
Remote Email Collection T1119 - Automated Collection COR_PROFILER Windows Management Instrumentation Event Subscription
Email Forwarding Rule T1123 - Audio Capture KernelCallbackTable Netsh Helper DLL
T1114 - Email Collection Archive via Utility T1574 - Hijack Execution Flow Accessibility Features
GUI Input Capture Archive via Custom Method Password Filter DLL AppInit DLLs
Web Portal Capture T1560 - Archive Collected Data Reversible Encryption Application Shimming
Credential API Hooking LLMNR/NBT-NS Poisoning and SMB Relay Multi-Factor Authentication Image File Execution Options Injection
T1056 - Input Capture ARP Cache Poisoning Hybrid Identity PowerShell Profile
T1113 - Screen Capture DHCP Spoofing T1556 - Modify Authentication Process Component Object Model Hijacking
T1125 - Video Capture T1557 - Adversary-in-the-Middle Office Template Macros Installer Packages
T1105 - Ingress Tool Transfer Outlook Home Page T1543 - Create or Modify System Process
T1573 - Encrypted Channel System Firmware T1554 - Compromise Client Software Binary
T1104 - Multi-Stage Channels Fast Flux DNS Component Firmware T1176 - Browser Extensions
T1095 - Non-Application Layer Protocol Domain Generation Algorithms Bootkit Logon Script (Windows)
T1571 - Non-Standard Port DNS Calculation T1542 - Pre-OS Boot Network Logon Script
T1572 - Protocol Tunneling T1568 - Dynamic Resolution At T1037 - Boot or Logon Initialization Scripts
Internal Proxy Junk Data Scheduled Task Registry Run Keys / Startup Folder
Domain Fronting T1001 - Data Obfuscation Transport Agent Winlogon Helper DLL
T1219 - Remote Access Software Non-Standard Encoding IIS Components LSASS Driver
Port Knocking T1132 - Data Encoding Terminal Services DLL Shortcut Modification
Socket Filters T1092 - Communication Through Removable Media T1505 - Server Software Component Port Monitors
Dead Drop Resolver File Transfer Protocols Socket Filters Active Setup
Bidirectional Communication Mail Protocols T1205 - Traffic Signaling T1547 - Boot or Logon Autostart Execution
T1102 - Web Service T1071 - Application Layer Protocol Domain Accounts Additional Email Delegate Permissions
T1052 - Exfiltration Over Physical Medium Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Scheduled Task
Exfiltration to Code Repository Exfiltration Over Unencrypted Non-C2 Protocol T1053 - Scheduled Task/Job
Exfiltration to Cloud Storage T1048 - Exfiltration Over Alternative Protocol T1106 - Native API
T1567 - Exfiltration Over Web Service T1030 - Data Transfer Size Limits Component Object Model
Disk Content Wipe T1047 - Windows Management Instrumentation T1059 - Command and Scripting Interpreter
T1495 - Firmware Corruption T1491 - Defacement Compromise Software Supply Chain Spearphishing Attachment
T1490 - Inhibit System Recovery Stored Data Manipulation Compromise Hardware Supply Chain Spearphishing Link
Direct Network Flood Transmitted Data Manipulation T1195 - Supply Chain Compromise Spearphishing via Service
Reflection Amplification Runtime Data Manipulation T1199 - Trusted Relationship T1566 - Phishing
T1498 - Network Denial of Service T1565 - Data Manipulation Default Accounts T1200 - Hardware Additions
T1496 - Resource Hijacking T1486 - Data Encrypted for Impact Domain Accounts T1133 - External Remote Services
T1489 - Service Stop T1485 - Data Destruction Local Accounts T1190 - Exploit Public-Facing Application
T1529 - System Shutdown/Reboot T1531 - Account Access Removal T1078 - Valid Accounts T1189 - Drive-by Compromise
MITRE Windows ATT&CK Tree