MITRE Windows ATT&CK Tree

Windows techniques and sub-techniques from the MITRE ATT&CK Enterprise matrix, grouped by tactic. Each technique is listed as "Txxxx - Name"; the indented entries beneath a technique are its sub-techniques. Techniques that belong to more than one tactic (for example T1078 - Valid Accounts or T1574 - Hijack Execution Flow) appear under each tactic they map to.

Initial Access
  T1091 - Replication Through Removable Media
  T1195 - Supply Chain Compromise
    Compromise Software Dependencies and Development Tools
    Compromise Software Supply Chain
    Compromise Hardware Supply Chain
  T1566 - Phishing
    Spearphishing Attachment
    Spearphishing Link
    Spearphishing via Service
  T1199 - Trusted Relationship
  T1200 - Hardware Additions
  T1078 - Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  T1133 - External Remote Services
  T1190 - Exploit Public-Facing Application
  T1189 - Drive-by Compromise

Execution
  T1053 - Scheduled Task/Job
    At
    Scheduled Task
  T1106 - Native API
  T1559 - Inter-Process Communication
    Component Object Model
    Dynamic Data Exchange
  T1129 - Shared Modules
  T1072 - Software Deployment Tools
  T1203 - Exploitation for Client Execution
  T1569 - System Services
    Service Execution
  T1204 - User Execution
    Malicious Link
    Malicious File
  T1047 - Windows Management Instrumentation
  T1059 - Command and Scripting Interpreter
    PowerShell
    Windows Command Shell
    Visual Basic
    Python
    JavaScript

Persistence
  T1133 - External Remote Services
  T1574 - Hijack Execution Flow
    DLL Search Order Hijacking
    DLL Side-Loading
    Executable Installer File Permissions Weakness
    Path Interception by PATH Environment Variable
    Path Interception by Search Order Hijacking
    Path Interception by Unquoted Path
    Services File Permissions Weakness
    Services Registry Permissions Weakness
    COR_PROFILER
    KernelCallbackTable
  T1546 - Event Triggered Execution
    Change Default File Association
    Screensaver
    Windows Management Instrumentation Event Subscription
    Netsh Helper DLL
    Accessibility Features
    AppCert DLLs
    AppInit DLLs
    Application Shimming
    Image File Execution Options Injection
    PowerShell Profile
    Component Object Model Hijacking
    Installer Packages
  T1543 - Create or Modify System Process
    Windows Service
  T1136 - Create Account
    Local Account
    Domain Account
  T1554 - Compromise Client Software Binary
  T1176 - Browser Extensions
  T1037 - Boot or Logon Initialization Scripts
    Logon Script (Windows)
    Network Logon Script
  T1547 - Boot or Logon Autostart Execution
    Registry Run Keys / Startup Folder
    Authentication Package
    Time Providers
    Winlogon Helper DLL
    Security Support Provider
    LSASS Driver
    Shortcut Modification
    Port Monitors
    Print Processors
    Active Setup
  T1556 - Modify Authentication Process
    Domain Controller Authentication
    Password Filter DLL
    Reversible Encryption
    Multi-Factor Authentication
    Hybrid Identity
  T1137 - Office Application Startup
    Office Template Macros
    Office Test
    Outlook Forms
    Outlook Home Page
    Outlook Rules
    Add-ins
  T1542 - Pre-OS Boot
    System Firmware
    Component Firmware
    Bootkit
  T1053 - Scheduled Task/Job
    At
    Scheduled Task
  T1505 - Server Software Component
    SQL Stored Procedures
    Transport Agent
    Web Shell
    IIS Components
    Terminal Services DLL
  T1205 - Traffic Signaling
    Port Knocking
    Socket Filters
  T1078 - Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  T1197 - BITS Jobs
  T1098 - Account Manipulation
    Additional Email Delegate Permissions
    Device Registration

Privilege Escalation
  T1611 - Escape to Host
  T1078 - Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  T1546 - Event Triggered Execution
    Change Default File Association
    Screensaver
    Windows Management Instrumentation Event Subscription
    Netsh Helper DLL
    Accessibility Features
    AppCert DLLs
    AppInit DLLs
    Application Shimming
    Image File Execution Options Injection
    PowerShell Profile
    Component Object Model Hijacking
    Installer Packages
  T1068 - Exploitation for Privilege Escalation
  T1484 - Domain Policy Modification
    Group Policy Modification
    Domain Trust Modification
  T1574 - Hijack Execution Flow
    DLL Search Order Hijacking
    DLL Side-Loading
    Executable Installer File Permissions Weakness
    Path Interception by PATH Environment Variable
    Path Interception by Search Order Hijacking
    Path Interception by Unquoted Path
    Services File Permissions Weakness
    Services Registry Permissions Weakness
    COR_PROFILER
    KernelCallbackTable
  T1543 - Create or Modify System Process
    Windows Service
  T1037 - Boot or Logon Initialization Scripts
    Logon Script (Windows)
    Network Logon Script
  T1547 - Boot or Logon Autostart Execution
    Registry Run Keys / Startup Folder
    Authentication Package
    Time Providers
    Winlogon Helper DLL
    Security Support Provider
    LSASS Driver
    Shortcut Modification
    Port Monitors
    Print Processors
    Active Setup
  T1055 - Process Injection
    Dynamic-link Library Injection
    Portable Executable Injection
    Thread Execution Hijacking
    Asynchronous Procedure Call
    Thread Local Storage
    Extra Window Memory Injection
    Process Hollowing
    Process Doppelgänging
    ListPlanting
  T1134 - Access Token Manipulation
    Token Impersonation/Theft
    Create Process with Token
    Make and Impersonate Token
    Parent PID Spoofing
    SID-History Injection
  T1053 - Scheduled Task/Job
    At
    Scheduled Task
  T1548 - Abuse Elevation Control Mechanism
    Bypass User Account Control

Defense Evasion
  T1556 - Modify Authentication Process
    Domain Controller Authentication
    Password Filter DLL
    Reversible Encryption
    Multi-Factor Authentication
    Hybrid Identity
  T1112 - Modify Registry
  T1027 - Obfuscated Files or Information
    Binary Padding
    Software Packing
    Steganography
    Compile After Delivery
    Indicator Removal from Tools
    HTML Smuggling
    Dynamic API Resolution
    Stripped Payloads
    Embedded Payloads
  T1036 - Masquerading
    Invalid Code Signature
    Right-to-Left Override
    Rename System Utilities
    Masquerade Task or Service
    Match Legitimate Name or Location
    Double File Extension
  T1202 - Indirect Command Execution
  T1070 - Indicator Removal
    Clear Windows Event Logs
    Clear Command History
    File Deletion
    Network Share Connection Removal
    Timestomp
    Clear Network Connection History and Configurations
    Clear Mailbox Data
    Clear Persistence
  T1542 - Pre-OS Boot
    System Firmware
    Component Firmware
    Bootkit
  T1055 - Process Injection
    Dynamic-link Library Injection
    Portable Executable Injection
    Thread Execution Hijacking
    Asynchronous Procedure Call
    Thread Local Storage
    Extra Window Memory Injection
    Process Hollowing
    Process Doppelgänging
    ListPlanting
  T1562 - Impair Defenses
    Disable or Modify Tools
    Disable Windows Event Logging
    Impair Command History Logging
    Disable or Modify System Firewall
    Indicator Blocking
    Safe Mode Boot
    Downgrade Attack
  T1620 - Reflective Code Loading
  T1207 - Rogue Domain Controller
  T1014 - Rootkit
  T1574 - Hijack Execution Flow
    DLL Search Order Hijacking
    DLL Side-Loading
    Executable Installer File Permissions Weakness
    Path Interception by PATH Environment Variable
    Path Interception by Search Order Hijacking
    Path Interception by Unquoted Path
    Services File Permissions Weakness
    Services Registry Permissions Weakness
    COR_PROFILER
    KernelCallbackTable
  T1553 - Subvert Trust Controls
    Code Signing
    SIP and Trust Provider Hijacking
    Install Root Certificate
    Mark-of-the-Web Bypass
    Code Signing Policy Modification
  T1218 - System Binary Proxy Execution
    Compiled HTML File
    Control Panel
    CMSTP
    InstallUtil
    Mshta
    Msiexec
    Odbcconf
    Regsvcs/Regasm
    Regsvr32
    Rundll32
    Verclsid
    Mavinject
    MMC
  T1564 - Hide Artifacts
    Hidden Files and Directories
    Hidden Users
    Hidden Window
    NTFS File Attributes
    Hidden File System
    Run Virtual Instance
    VBA Stomping
    Email Hiding Rules
    Process Argument Spoofing
  T1216 - System Script Proxy Execution
    PubPrn
  T1222 - File and Directory Permissions Modification
    Windows File and Directory Permissions Modification
  T1221 - Template Injection
  T1211 - Exploitation for Defense Evasion
  T1480 - Execution Guardrails
    Environmental Keying
  T1205 - Traffic Signaling
    Port Knocking
    Socket Filters
  T1484 - Domain Policy Modification
    Group Policy Modification
    Domain Trust Modification
  T1127 - Trusted Developer Utilities Proxy Execution
    MSBuild
  T1006 - Direct Volume Access
  T1140 - Deobfuscate/Decode Files or Information
  T1550 - Use Alternate Authentication Material
    Pass the Hash
    Pass the Ticket
  T1622 - Debugger Evasion
  T1197 - BITS Jobs
  T1078 - Valid Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
  T1134 - Access Token Manipulation
    Token Impersonation/Theft
    Create Process with Token
    Make and Impersonate Token
    Parent PID Spoofing
    SID-History Injection
  T1497 - Virtualization/Sandbox Evasion
    System Checks
    User Activity Based Checks
    Time Based Evasion
  T1548 - Abuse Elevation Control Mechanism
    Bypass User Account Control
  T1220 - XSL Script Processing

Credential Access
  T1556 - Modify Authentication Process
    Domain Controller Authentication
    Password Filter DLL
    Reversible Encryption
    Multi-Factor Authentication
    Hybrid Identity
  T1111 - Multi-Factor Authentication Interception
  T1621 - Multi-Factor Authentication Request Generation
  T1040 - Network Sniffing
  T1003 - OS Credential Dumping
    LSASS Memory
    Security Account Manager
    NTDS
    LSA Secrets
    Cached Domain Credentials
    DCSync
  T1056 - Input Capture
    Keylogging
    GUI Input Capture
    Web Portal Capture
    Credential API Hooking
  T1649 - Steal or Forge Authentication Certificates
  T1606 - Forge Web Credentials
    Web Cookies
    SAML Tokens
  T1187 - Forced Authentication
  T1212 - Exploitation for Credential Access
  T1558 - Steal or Forge Kerberos Tickets
    Golden Ticket
    Silver Ticket
    Kerberoasting
    AS-REP Roasting
  T1555 - Credentials from Password Stores
    Credentials from Web Browsers
    Windows Credential Manager
    Password Managers
  T1110 - Brute Force
    Password Guessing
    Password Cracking
    Password Spraying
    Credential Stuffing
  T1539 - Steal Web Session Cookie
  T1552 - Unsecured Credentials
    Credentials In Files
    Credentials in Registry
    Private Keys
    Group Policy Preferences
  T1557 - Adversary-in-the-Middle
    LLMNR/NBT-NS Poisoning and SMB Relay
    ARP Cache Poisoning
    DHCP Spoofing

Discovery
  T1057 - Process Discovery
  T1012 - Query Registry
  T1018 - Remote System Discovery
  T1069 - Permission Groups Discovery
    Local Groups
    Domain Groups
  T1518 - Software Discovery
    Security Software Discovery
  T1120 - Peripheral Device Discovery
  T1201 - Password Policy Discovery
  T1082 - System Information Discovery
  T1040 - Network Sniffing
  T1614 - System Location Discovery
    System Language Discovery
  T1135 - Network Share Discovery
  T1046 - Network Service Discovery
  T1016 - System Network Configuration Discovery
    Internet Connection Discovery
  T1615 - Group Policy Discovery
  T1083 - File and Directory Discovery
  T1049 - System Network Connections Discovery
  T1482 - Domain Trust Discovery
  T1033 - System Owner/User Discovery
  T1622 - Debugger Evasion
  T1007 - System Service Discovery
  T1217 - Browser Bookmark Discovery
  T1124 - System Time Discovery
  T1010 - Application Window Discovery
  T1497 - Virtualization/Sandbox Evasion
    System Checks
    User Activity Based Checks
    Time Based Evasion
  T1087 - Account Discovery
    Local Account
    Domain Account
    Email Account

Lateral Movement
  T1021 - Remote Services
    Remote Desktop Protocol
    SMB/Windows Admin Shares
    Distributed Component Object Model
    VNC
    Windows Remote Management
  T1091 - Replication Through Removable Media
  T1072 - Software Deployment Tools
  T1080 - Taint Shared Content
  T1563 - Remote Service Session Hijacking
    RDP Hijacking
  T1550 - Use Alternate Authentication Material
    Pass the Hash
    Pass the Ticket
  T1570 - Lateral Tool Transfer
  T1534 - Internal Spearphishing
  T1210 - Exploitation of Remote Services

Collection
  T1039 - Data from Network Shared Drive
  T1025 - Data from Removable Media
  T1005 - Data from Local System
  T1074 - Data Staged
    Local Data Staging
    Remote Data Staging
  T1213 - Data from Information Repositories
    Sharepoint
  T1115 - Clipboard Data
  T1114 - Email Collection
    Local Email Collection
    Remote Email Collection
    Email Forwarding Rule
  T1185 - Browser Session Hijacking
  T1119 - Automated Collection
  T1123 - Audio Capture
  T1560 - Archive Collected Data
    Archive via Utility
    Archive via Library
    Archive via Custom Method
  T1056 - Input Capture
    Keylogging
    GUI Input Capture
    Web Portal Capture
    Credential API Hooking
  T1113 - Screen Capture
  T1125 - Video Capture
  T1557 - Adversary-in-the-Middle
    LLMNR/NBT-NS Poisoning and SMB Relay
    ARP Cache Poisoning
    DHCP Spoofing

Command and Control
  T1105 - Ingress Tool Transfer
  T1008 - Fallback Channels
  T1573 - Encrypted Channel
    Symmetric Cryptography
    Asymmetric Cryptography
  T1104 - Multi-Stage Channels
  T1095 - Non-Application Layer Protocol
  T1571 - Non-Standard Port
  T1572 - Protocol Tunneling
  T1568 - Dynamic Resolution
    Fast Flux DNS
    Domain Generation Algorithms
    DNS Calculation
  T1090 - Proxy
    Internal Proxy
    External Proxy
    Multi-hop Proxy
    Domain Fronting
  T1001 - Data Obfuscation
    Junk Data
    Steganography
    Protocol Impersonation
  T1219 - Remote Access Software
  T1132 - Data Encoding
    Standard Encoding
    Non-Standard Encoding
  T1205 - Traffic Signaling
    Port Knocking
    Socket Filters
  T1092 - Communication Through Removable Media
  T1102 - Web Service
    Dead Drop Resolver
    Bidirectional Communication
    One-Way Communication
  T1071 - Application Layer Protocol
    Web Protocols
    File Transfer Protocols
    Mail Protocols
    DNS

Exfiltration
  T1011 - Exfiltration Over Other Network Medium
    Exfiltration Over Bluetooth
  T1041 - Exfiltration Over C2 Channel
  T1052 - Exfiltration Over Physical Medium
    Exfiltration over USB
  T1048 - Exfiltration Over Alternative Protocol
    Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Exfiltration Over Unencrypted Non-C2 Protocol
  T1567 - Exfiltration Over Web Service
    Exfiltration to Code Repository
    Exfiltration to Cloud Storage
  T1030 - Data Transfer Size Limits
  T1029 - Scheduled Transfer
  T1020 - Automated Exfiltration

Impact
  T1499 - Endpoint Denial of Service
    OS Exhaustion Flood
    Service Exhaustion Flood
    Application Exhaustion Flood
    Application or System Exploitation
  T1561 - Disk Wipe
    Disk Content Wipe
    Disk Structure Wipe
  T1491 - Defacement
    Internal Defacement
    External Defacement
  T1495 - Firmware Corruption
  T1490 - Inhibit System Recovery
  T1498 - Network Denial of Service
    Direct Network Flood
    Reflection Amplification
  T1565 - Data Manipulation
    Stored Data Manipulation
    Transmitted Data Manipulation
    Runtime Data Manipulation
  T1496 - Resource Hijacking
  T1486 - Data Encrypted for Impact
  T1489 - Service Stop
  T1485 - Data Destruction
  T1529 - System Shutdown/Reboot
  T1531 - Account Access Removal

@hackinarticles
https://github.com/Ignitetechnologies
https://in.linkedin.com/company/hackingarticles