0d9f652 Dec 5, 2018
Users who have contributed to this file

@caseysmithrc @ForensicITGuy @MHaggis @brianebeyer
All Atomic Tests by ATT&CK Tactic & Technique

| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|---|---|---|---|---|---|---|---|---|---|---|
| Drive-by Compromise CONTRIBUTE A TEST | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration CONTRIBUTE A TEST | Commonly Used Port CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST | CMSTP | Accessibility Features | Accessibility Features | BITS Jobs | Bash History | Application Window Discovery CONTRIBUTE A TEST | Application Deployment Software CONTRIBUTE A TEST | Automated Collection | Data Compressed | Communication Through Removable Media CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST | Command-Line Interface | Account Manipulation | AppCert DLLs CONTRIBUTE A TEST | Binary Padding | Brute Force | Browser Bookmark Discovery | Distributed Component Object Model CONTRIBUTE A TEST | Clipboard Data | Data Encrypted | Connection Proxy |
| Replication Through Removable Media CONTRIBUTE A TEST | Compiled HTML File | AppCert DLLs CONTRIBUTE A TEST | AppInit DLLs | Bypass User Account Control | Credential Dumping | File and Directory Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol CONTRIBUTE A TEST |
| Spearphishing Attachment | Control Panel Items CONTRIBUTE A TEST | AppInit DLLs | Application Shimming | CMSTP | Credentials in Files | Network Service Scanning | Logon Scripts | Data from Information Repositories CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST | Dynamic Data Exchange | Application Shimming | Bypass User Account Control | Clear Command History | Credentials in Registry | Network Share Discovery | Pass the Hash | Data from Local System CONTRIBUTE A TEST | Exfiltration Over Command and Control Channel CONTRIBUTE A TEST | Data Encoding |
| Spearphishing via Service CONTRIBUTE A TEST | Execution through API CONTRIBUTE A TEST | Authentication Package CONTRIBUTE A TEST | DLL Search Order Hijacking CONTRIBUTE A TEST | Code Signing CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Network Sniffing | Pass the Ticket CONTRIBUTE A TEST | Data from Network Shared Drive CONTRIBUTE A TEST | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST |
| Supply Chain Compromise CONTRIBUTE A TEST | Execution through Module Load CONTRIBUTE A TEST | BITS Jobs | Dylib Hijacking CONTRIBUTE A TEST | Compiled HTML File | Forced Authentication CONTRIBUTE A TEST | Password Policy Discovery | Remote Desktop Protocol | Data from Removable Media CONTRIBUTE A TEST | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Domain Fronting CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Component Firmware CONTRIBUTE A TEST | Hooking | Peripheral Device Discovery CONTRIBUTE A TEST | Remote File Copy | Email Collection CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | Fallback Channels CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST | Graphical User Interface CONTRIBUTE A TEST | Browser Extensions | Extra Window Memory Injection CONTRIBUTE A TEST | Component Object Model Hijacking | Input Capture | Permission Groups Discovery | Remote Services CONTRIBUTE A TEST | Input Capture | | Multi-Stage Channels CONTRIBUTE A TEST |
| | InstallUtil | Change Default File Association | File System Permissions Weakness CONTRIBUTE A TEST | Control Panel Items CONTRIBUTE A TEST | Input Prompt | Process Discovery | Replication Through Removable Media CONTRIBUTE A TEST | Man in the Browser CONTRIBUTE A TEST | | Multi-hop Proxy CONTRIBUTE A TEST |
| | LSASS Driver CONTRIBUTE A TEST | Component Firmware CONTRIBUTE A TEST | Hooking | DCShadow | Kerberoasting CONTRIBUTE A TEST | Query Registry | SSH Hijacking CONTRIBUTE A TEST | Screen Capture | | Multiband Communication CONTRIBUTE A TEST |
| | Launchctl | Component Object Model Hijacking | Image File Execution Options Injection | DLL Search Order Hijacking CONTRIBUTE A TEST | Keychain | Remote System Discovery | Shared Webroot CONTRIBUTE A TEST | Video Capture CONTRIBUTE A TEST | | Multilayer Encryption CONTRIBUTE A TEST |
| | Local Job Scheduling | Create Account | Launch Daemon | DLL Side-Loading CONTRIBUTE A TEST | LLMNR/NBT-NS Poisoning CONTRIBUTE A TEST | Security Software Discovery | Taint Shared Content CONTRIBUTE A TEST | | | Port Knocking CONTRIBUTE A TEST |
| | Mshta | DLL Search Order Hijacking CONTRIBUTE A TEST | New Service | Deobfuscate/Decode Files or Information | Network Sniffing | System Information Discovery | Third-party Software CONTRIBUTE A TEST | | | Remote Access Tools CONTRIBUTE A TEST |
| | PowerShell | Dylib Hijacking CONTRIBUTE A TEST | Path Interception CONTRIBUTE A TEST | Disabling Security Tools | Password Filter DLL CONTRIBUTE A TEST | System Network Configuration Discovery | Windows Admin Shares | | | Remote File Copy |
| | Regsvcs/Regasm | External Remote Services CONTRIBUTE A TEST | Plist Modification | Exploitation for Defense Evasion CONTRIBUTE A TEST | Private Keys | System Network Connections Discovery | Windows Remote Management | | | Standard Application Layer Protocol CONTRIBUTE A TEST |
| | Regsvr32 | File System Permissions Weakness CONTRIBUTE A TEST | Port Monitors CONTRIBUTE A TEST | Extra Window Memory Injection CONTRIBUTE A TEST | Securityd Memory CONTRIBUTE A TEST | System Owner/User Discovery | | | | Standard Cryptographic Protocol CONTRIBUTE A TEST |
| | Rundll32 | Hidden Files and Directories | Process Injection | File Deletion | Two-Factor Authentication Interception CONTRIBUTE A TEST | System Service Discovery | | | | Standard Non-Application Layer Protocol CONTRIBUTE A TEST |
| | Scheduled Task | Hooking | SID-History Injection CONTRIBUTE A TEST | File Permissions Modification | | System Time Discovery | | | | Uncommonly Used Port |
| | Scripting | Hypervisor | Scheduled Task | File System Logical Offsets CONTRIBUTE A TEST | | | | | | Web Service CONTRIBUTE A TEST |
| | Service Execution | Image File Execution Options Injection | Service Registry Permissions Weakness CONTRIBUTE A TEST | Gatekeeper Bypass | | | | | | |
| | Signed Binary Proxy Execution | Kernel Modules and Extensions CONTRIBUTE A TEST | Setuid and Setgid | HISTCONTROL | | | | | | |
| | Signed Script Proxy Execution | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Startup Items | Hidden Files and Directories | | | | | | |
| | Source | LSASS Driver CONTRIBUTE A TEST | Sudo | Hidden Users | | | | | | |
| | Space after Filename | Launch Agent | Sudo Caching | Hidden Window CONTRIBUTE A TEST | | | | | | |
| | Third-party Software CONTRIBUTE A TEST | Launch Daemon | Valid Accounts CONTRIBUTE A TEST | Image File Execution Options Injection | | | | | | |
| | Trap | Launchctl | Web Shell CONTRIBUTE A TEST | Indicator Blocking CONTRIBUTE A TEST | | | | | | |
| | Trusted Developer Utilities | Local Job Scheduling | | Indicator Removal from Tools CONTRIBUTE A TEST | | | | | | |
| | User Execution CONTRIBUTE A TEST | Login Item CONTRIBUTE A TEST | | Indicator Removal on Host | | | | | | |
| | Windows Management Instrumentation | Logon Scripts | | Indirect Command Execution | | | | | | |
| | Windows Remote Management | Modify Existing Service | | Install Root Certificate | | | | | | |
| | XSL Script Processing | Netsh Helper DLL | | InstallUtil | | | | | | |
| | | New Service | | LC_MAIN Hijacking CONTRIBUTE A TEST | | | | | | |
| | | Office Application Startup | | Launchctl | | | | | | |
| | | Path Interception CONTRIBUTE A TEST | | Masquerading | | | | | | |
| | | Plist Modification | | Modify Registry | | | | | | |
| | | Port Knocking CONTRIBUTE A TEST | | Mshta | | | | | | |
| | | Port Monitors CONTRIBUTE A TEST | | NTFS File Attributes | | | | | | |
| | | Rc.common | | Network Share Connection Removal | | | | | | |
| | | Re-opened Applications | | Obfuscated Files or Information | | | | | | |
| | | Redundant Access CONTRIBUTE A TEST | | Plist Modification | | | | | | |
| | | Registry Run Keys / Startup Folder | | Port Knocking CONTRIBUTE A TEST | | | | | | |
| | | SIP and Trust Provider Hijacking CONTRIBUTE A TEST | | Process Doppelgänging CONTRIBUTE A TEST | | | | | | |
| | | Scheduled Task | | Process Hollowing CONTRIBUTE A TEST | | | | | | |
| | | Screensaver | | Process Injection | | | | | | |
| | | Security Support Provider CONTRIBUTE A TEST | | Redundant Access CONTRIBUTE A TEST | | | | | | |
| | | Service Registry Permissions Weakness CONTRIBUTE A TEST | | Regsvcs/Regasm | | | | | | |
| | | Setuid and Setgid | | Regsvr32 | | | | | | |
| | | Shortcut Modification CONTRIBUTE A TEST | | Rootkit | | | | | | |
| | | Startup Items | | Rundll32 | | | | | | |
| | | System Firmware CONTRIBUTE A TEST | | SIP and Trust Provider Hijacking CONTRIBUTE A TEST | | | | | | |
| | | Time Providers CONTRIBUTE A TEST | | Scripting | | | | | | |
| | | Trap | | Signed Binary Proxy Execution | | | | | | |
| | | Valid Accounts CONTRIBUTE A TEST | | Signed Script Proxy Execution | | | | | | |
| | | Web Shell CONTRIBUTE A TEST | | Software Packing CONTRIBUTE A TEST | | | | | | |
| | | Windows Management Instrumentation Event Subscription | | Space after Filename | | | | | | |
| | | Winlogon Helper DLL CONTRIBUTE A TEST | | Template Injection CONTRIBUTE A TEST | | | | | | |
| | | | | Timestomp | | | | | | |
| | | | | Trusted Developer Utilities | | | | | | |
| | | | | Valid Accounts CONTRIBUTE A TEST | | | | | | |
| | | | | Web Service CONTRIBUTE A TEST | | | | | | |
| | | | | XSL Script Processing | | | | | | |