0d9f652 Dec 4, 2018
@caseysmithrc @ForensicITGuy @MHaggis @brianebeyer

Windows Atomic Tests by ATT&CK Tactic & Technique

Techniques are grouped by ATT&CK tactic. A technique marked CONTRIBUTE A TEST has no atomic test in the repository yet.

initial-access
- Drive-by Compromise (CONTRIBUTE A TEST)
- Exploit Public-Facing Application (CONTRIBUTE A TEST)
- Hardware Additions (CONTRIBUTE A TEST)
- Replication Through Removable Media (CONTRIBUTE A TEST)
- Spearphishing Attachment
- Spearphishing Link (CONTRIBUTE A TEST)
- Spearphishing via Service (CONTRIBUTE A TEST)
- Supply Chain Compromise (CONTRIBUTE A TEST)
- Trusted Relationship (CONTRIBUTE A TEST)
- Valid Accounts (CONTRIBUTE A TEST)

execution
- CMSTP
- Command-Line Interface
- Compiled HTML File
- Control Panel Items (CONTRIBUTE A TEST)
- Dynamic Data Exchange
- Execution through API (CONTRIBUTE A TEST)
- Execution through Module Load (CONTRIBUTE A TEST)
- Exploitation for Client Execution (CONTRIBUTE A TEST)
- Graphical User Interface (CONTRIBUTE A TEST)
- InstallUtil
- LSASS Driver (CONTRIBUTE A TEST)
- Mshta
- PowerShell
- Regsvcs/Regasm
- Regsvr32
- Rundll32
- Scheduled Task
- Scripting
- Service Execution
- Signed Binary Proxy Execution
- Signed Script Proxy Execution
- Third-party Software (CONTRIBUTE A TEST)
- Trusted Developer Utilities
- User Execution (CONTRIBUTE A TEST)
- Windows Management Instrumentation
- Windows Remote Management
- XSL Script Processing

persistence
- Accessibility Features
- Account Manipulation
- AppCert DLLs (CONTRIBUTE A TEST)
- AppInit DLLs
- Application Shimming
- Authentication Package (CONTRIBUTE A TEST)
- BITS Jobs
- Bootkit (CONTRIBUTE A TEST)
- Browser Extensions
- Change Default File Association
- Component Firmware (CONTRIBUTE A TEST)
- Component Object Model Hijacking
- Create Account
- DLL Search Order Hijacking (CONTRIBUTE A TEST)
- External Remote Services (CONTRIBUTE A TEST)
- File System Permissions Weakness (CONTRIBUTE A TEST)
- Hidden Files and Directories
- Hooking
- Hypervisor
- Image File Execution Options Injection
- LSASS Driver (CONTRIBUTE A TEST)
- Logon Scripts
- Modify Existing Service
- Netsh Helper DLL
- New Service
- Office Application Startup
- Path Interception (CONTRIBUTE A TEST)
- Port Monitors (CONTRIBUTE A TEST)
- Redundant Access (CONTRIBUTE A TEST)
- Registry Run Keys / Startup Folder
- SIP and Trust Provider Hijacking (CONTRIBUTE A TEST)
- Scheduled Task
- Screensaver
- Security Support Provider (CONTRIBUTE A TEST)
- Service Registry Permissions Weakness (CONTRIBUTE A TEST)
- Shortcut Modification (CONTRIBUTE A TEST)
- System Firmware (CONTRIBUTE A TEST)
- Time Providers (CONTRIBUTE A TEST)
- Valid Accounts (CONTRIBUTE A TEST)
- Web Shell (CONTRIBUTE A TEST)
- Windows Management Instrumentation Event Subscription
- Winlogon Helper DLL (CONTRIBUTE A TEST)

privilege-escalation
- Access Token Manipulation
- Accessibility Features
- AppCert DLLs (CONTRIBUTE A TEST)
- AppInit DLLs
- Application Shimming
- Bypass User Account Control
- DLL Search Order Hijacking (CONTRIBUTE A TEST)
- Exploitation for Privilege Escalation (CONTRIBUTE A TEST)
- Extra Window Memory Injection (CONTRIBUTE A TEST)
- File System Permissions Weakness (CONTRIBUTE A TEST)
- Hooking
- Image File Execution Options Injection
- New Service
- Path Interception (CONTRIBUTE A TEST)
- Port Monitors (CONTRIBUTE A TEST)
- Process Injection
- SID-History Injection (CONTRIBUTE A TEST)
- Scheduled Task
- Service Registry Permissions Weakness (CONTRIBUTE A TEST)
- Valid Accounts (CONTRIBUTE A TEST)
- Web Shell (CONTRIBUTE A TEST)

defense-evasion
- Access Token Manipulation
- BITS Jobs
- Binary Padding
- Bypass User Account Control
- CMSTP
- Code Signing (CONTRIBUTE A TEST)
- Compiled HTML File
- Component Firmware (CONTRIBUTE A TEST)
- Component Object Model Hijacking
- Control Panel Items (CONTRIBUTE A TEST)
- DCShadow
- DLL Search Order Hijacking (CONTRIBUTE A TEST)
- DLL Side-Loading (CONTRIBUTE A TEST)
- Deobfuscate/Decode Files or Information
- Disabling Security Tools
- Exploitation for Defense Evasion (CONTRIBUTE A TEST)
- Extra Window Memory Injection (CONTRIBUTE A TEST)
- File Deletion
- File Permissions Modification
- File System Logical Offsets (CONTRIBUTE A TEST)
- Hidden Files and Directories
- Image File Execution Options Injection
- Indicator Blocking (CONTRIBUTE A TEST)
- Indicator Removal from Tools (CONTRIBUTE A TEST)
- Indicator Removal on Host
- Indirect Command Execution
- Install Root Certificate
- InstallUtil
- Masquerading
- Modify Registry
- Mshta
- NTFS File Attributes
- Network Share Connection Removal
- Obfuscated Files or Information
- Process Doppelgänging (CONTRIBUTE A TEST)
- Process Hollowing (CONTRIBUTE A TEST)
- Process Injection
- Redundant Access (CONTRIBUTE A TEST)
- Regsvcs/Regasm
- Regsvr32
- Rootkit
- Rundll32
- SIP and Trust Provider Hijacking (CONTRIBUTE A TEST)
- Scripting
- Signed Binary Proxy Execution
- Signed Script Proxy Execution
- Software Packing (CONTRIBUTE A TEST)
- Template Injection (CONTRIBUTE A TEST)
- Timestomp
- Trusted Developer Utilities
- Valid Accounts (CONTRIBUTE A TEST)
- Web Service (CONTRIBUTE A TEST)
- XSL Script Processing

credential-access
- Account Manipulation
- Brute Force
- Credential Dumping
- Credentials in Files
- Credentials in Registry
- Exploitation for Credential Access (CONTRIBUTE A TEST)
- Forced Authentication (CONTRIBUTE A TEST)
- Hooking
- Input Capture
- Kerberoasting (CONTRIBUTE A TEST)
- LLMNR/NBT-NS Poisoning (CONTRIBUTE A TEST)
- Network Sniffing
- Password Filter DLL (CONTRIBUTE A TEST)
- Private Keys
- Two-Factor Authentication Interception (CONTRIBUTE A TEST)

discovery
- Account Discovery
- Application Window Discovery (CONTRIBUTE A TEST)
- Browser Bookmark Discovery
- File and Directory Discovery
- Network Service Scanning
- Network Share Discovery
- Network Sniffing
- Password Policy Discovery
- Peripheral Device Discovery (CONTRIBUTE A TEST)
- Permission Groups Discovery
- Process Discovery
- Query Registry
- Remote System Discovery
- Security Software Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery
- System Service Discovery
- System Time Discovery

lateral-movement
- Application Deployment Software (CONTRIBUTE A TEST)
- Distributed Component Object Model (CONTRIBUTE A TEST)
- Exploitation of Remote Services (CONTRIBUTE A TEST)
- Logon Scripts
- Pass the Hash
- Pass the Ticket (CONTRIBUTE A TEST)
- Remote Desktop Protocol
- Remote File Copy
- Remote Services (CONTRIBUTE A TEST)
- Replication Through Removable Media (CONTRIBUTE A TEST)
- Shared Webroot (CONTRIBUTE A TEST)
- Taint Shared Content (CONTRIBUTE A TEST)
- Third-party Software (CONTRIBUTE A TEST)
- Windows Admin Shares
- Windows Remote Management

collection
- Audio Capture
- Automated Collection
- Clipboard Data
- Data Staged
- Data from Information Repositories (CONTRIBUTE A TEST)
- Data from Local System (CONTRIBUTE A TEST)
- Data from Network Shared Drive (CONTRIBUTE A TEST)
- Data from Removable Media (CONTRIBUTE A TEST)
- Email Collection (CONTRIBUTE A TEST)
- Input Capture
- Man in the Browser (CONTRIBUTE A TEST)
- Screen Capture
- Video Capture (CONTRIBUTE A TEST)

exfiltration
- Automated Exfiltration (CONTRIBUTE A TEST)
- Data Compressed
- Data Encrypted
- Data Transfer Size Limits
- Exfiltration Over Alternative Protocol
- Exfiltration Over Command and Control Channel (CONTRIBUTE A TEST)
- Exfiltration Over Other Network Medium (CONTRIBUTE A TEST)
- Exfiltration Over Physical Medium (CONTRIBUTE A TEST)
- Scheduled Transfer (CONTRIBUTE A TEST)

command-and-control
- Commonly Used Port (CONTRIBUTE A TEST)
- Communication Through Removable Media (CONTRIBUTE A TEST)
- Custom Command and Control Protocol (CONTRIBUTE A TEST)
- Custom Cryptographic Protocol (CONTRIBUTE A TEST)
- Data Encoding
- Data Obfuscation (CONTRIBUTE A TEST)
- Domain Fronting (CONTRIBUTE A TEST)
- Fallback Channels (CONTRIBUTE A TEST)
- Multi-Stage Channels (CONTRIBUTE A TEST)
- Multi-hop Proxy (CONTRIBUTE A TEST)
- Multiband Communication (CONTRIBUTE A TEST)
- Multilayer Encryption (CONTRIBUTE A TEST)
- Remote Access Tools (CONTRIBUTE A TEST)
- Remote File Copy
- Standard Application Layer Protocol (CONTRIBUTE A TEST)
- Standard Cryptographic Protocol (CONTRIBUTE A TEST)
- Standard Non-Application Layer Protocol (CONTRIBUTE A TEST)
- Uncommonly Used Port
- Web Service (CONTRIBUTE A TEST)