Windows Atomic Tests by ATT&CK Tactic & Technique

| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |—–|—–|—–|—–|—–|—–|—–|—–|—–|—–|—–|—–| | External Remote Services | Scheduled Task/Job: Scheduled Task | Scheduled Task/Job: Scheduled Task | Process Injection: Extra Window Memory Injection | Process Injection: Extra Window Memory Injection | Adversary-in-the-Middle CONTRIBUTE A TEST | System Owner/User Discovery | Remote Services:VNC CONTRIBUTE A TEST | Archive Collected Data: Archive via Utility | Exfiltration Over Web Service CONTRIBUTE A TEST | Socket Filters CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST | | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Windows Management Instrumentation | Socket Filters CONTRIBUTE A TEST | Scheduled Task/Job: Scheduled Task | Socket Filters CONTRIBUTE A TEST | Input Capture: Keylogging | Internet Connection Discovery CONTRIBUTE A TEST | Taint Shared Content CONTRIBUTE A TEST | Screen Capture | Exfiltration Over Webhook CONTRIBUTE A TEST | Data Encoding: Standard Encoding | Direct Network Flood CONTRIBUTE A TEST | | Spearphishing Link CONTRIBUTE A TEST | Server Software Component | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Fileless Storage CONTRIBUTE A TEST | Brute Force: Password Guessing | Permission Groups Discovery CONTRIBUTE A TEST | Replication Through Removable Media | Adversary-in-the-Middle CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | External Defacement CONTRIBUTE A TEST | | Phishing: Spearphishing Attachment | Command and Scripting Interpreter: JavaScript | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Signed Binary Proxy Execution: Rundll32 | OS Credential Dumping | Group Policy Discovery | Remote Services: SMB/Windows Admin Shares | Input Capture: Keylogging | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | Application Layer Protocol: DNS | OS Exhaustion Flood CONTRIBUTE A TEST | | Compromise Hardware Supply Chain CONTRIBUTE A TEST | Inter-Process Communication: Dynamic Data Exchange | Event Triggered Execution: PowerShell Profile | Event Triggered Execution: PowerShell Profile | Embedded Payloads CONTRIBUTE A TEST | Steal Web Session Cookie | Device Driver Discovery CONTRIBUTE A TEST | Use Alternate Authentication Material CONTRIBUTE A TEST | Sharepoint CONTRIBUTE A TEST | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Symmetric Cryptography CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST | | Replication Through Removable Media | User Execution: Malicious File | Create or Modify System Process CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | File/Path Exclusions CONTRIBUTE A TEST | OS Credential Dumping: Security Account Manager | Account Discovery: Domain Account | Remote Services CONTRIBUTE A TEST | Audio Capture | Automated Exfiltration | Fast Flux DNS CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST | | Supply Chain Compromise | Component Object Model CONTRIBUTE A TEST | External Remote Services | Abuse Elevation Control Mechanism: Bypass User Account Control | Signed Script Proxy Execution: Pubprn | Brute Force: Password Cracking | Account Discovery: Local Account | Remote Service Session Hijacking CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Application Layer Protocol | Stored Data Manipulation CONTRIBUTE A TEST | | Exploit Public-Facing Application CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Pre-OS Boot: System Firmware | Hijack Execution Flow: Services Registry Permissions Weakness | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | OS Credential Dumping: LSA Secrets | Virtualization/Sandbox Evasion: System Checks | Remote Services: Windows Remote Management | Email Collection CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Remote Access Software | Service Stop | | Content Injection CONTRIBUTE A TEST | Native API | Hijack Execution Flow: Services Registry Permissions Weakness | Boot or Logon Autostart Execution | Direct Volume Access | Forge Web Credentials: SAML token CONTRIBUTE A TEST | Permission Groups Discovery: Domain Groups | Remote Services: Distributed Component Object Model | Data from Removable Media CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Content Injection CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | | Valid Accounts: Default Accounts | AutoHotKey & AutoIT CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Active Setup | Email Hiding Rules CONTRIBUTE A TEST | Password Managers CONTRIBUTE A TEST | System Service Discovery | Use Alternate Authentication Material: Pass the Ticket | Data Staged: Local Data Staging | Exfiltration Over C2 Channel | Traffic Signaling CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST | | Trusted Relationship CONTRIBUTE A TEST | Command and Scripting Interpreter | Boot or Logon Autostart Execution | Domain Trust Modification CONTRIBUTE A TEST | Encrypted/Encoded File CONTRIBUTE A TEST | Network Sniffing | Network Sniffing | Software Deployment Tools | Email Collection: Local Email Collection | Exfiltration Over Alternative Protocol | Protocol Tunneling | Reflection Amplification CONTRIBUTE A TEST | | Phishing CONTRIBUTE A TEST | User Execution CONTRIBUTE A TEST | Active Setup | Create or Modify System Process: Windows Service | Rootkit CONTRIBUTE A TEST | Unsecured Credentials: Credentials in Registry | Network Share Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Automated Collection | Exfiltration over USB CONTRIBUTE A TEST | Mail Protocols CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST | | Valid Accounts CONTRIBUTE A TEST | Software Deployment Tools | Create or Modify System Process: Windows Service | Boot or Logon Autostart Execution: Print Processors | Double File Extension CONTRIBUTE A TEST | Modify Authentication Process: Password Filter DLL | Peripheral Device Discovery | Internal Spearphishing CONTRIBUTE A TEST | Clipboard Data | Exfiltration Over Web Service: Exfiltration to Text Storage Sites | Communication Through Removable Media CONTRIBUTE A TEST | Defacement CONTRIBUTE A TEST | | Spearphishing Voice CONTRIBUTE A TEST | Command and Scripting Interpreter: PowerShell | Office Application Startup | Hijack Execution Flow: DLL Search Order Hijacking | Abuse Elevation Control Mechanism: Bypass User Account Control | Steal or Forge Kerberos Tickets: AS-REP Roasting | System Information Discovery | Lateral Tool Transfer | Remote Data Staging CONTRIBUTE A TEST | Exfiltration Over Web Service: Exfiltration to Cloud Storage | External Proxy CONTRIBUTE A TEST | Financial Theft CONTRIBUTE A TEST | | Compromise Software Supply Chain CONTRIBUTE A TEST | Inter-Process Communication | Boot or Logon Autostart Execution: Print Processors | AppDomainManager CONTRIBUTE A TEST | Pre-OS Boot: System Firmware | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | System Network Configuration Discovery: Wi-Fi Discovery | Remote Service Session Hijacking: RDP Hijacking | Data from Local System | Data Transfer Size Limits | Proxy CONTRIBUTE A TEST | Defacement: Internal Defacement | | Domain Accounts CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Hijack Execution Flow: DLL Search Order Hijacking | Scheduled Task/Job CONTRIBUTE A TEST | Hijack Execution Flow: Services Registry Permissions Weakness | Credentials from Password Stores | Application Window Discovery | Use Alternate Authentication Material: Pass the Hash | Archive Collected Data: Archive via Library CONTRIBUTE A TEST | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Dynamic Resolution CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST | | Hardware Additions CONTRIBUTE A TEST | Command and Scripting Interpreter: Python CONTRIBUTE A TEST | Office Application Startup: Add-ins | Thread Execution Hijacking | Bootkit CONTRIBUTE A TEST | Unsecured Credentials CONTRIBUTE A TEST | Email Account CONTRIBUTE A TEST | Remote Services: Remote Desktop Protocol | Archive Collected Data | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Web Service CONTRIBUTE A TEST | Account Access Removal | | Drive-by Compromise CONTRIBUTE A TEST | System Services CONTRIBUTE A TEST | Server Software Component: Transport Agent | Event Triggered Execution: Application Shimming | Mavinject CONTRIBUTE A TEST | Hybrid Identity CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | | Browser Session Hijacking CONTRIBUTE A TEST | | DNS Calculation CONTRIBUTE A TEST | Data Encrypted for Impact | | Spearphishing via Service CONTRIBUTE A TEST | Command and Scripting Interpreter: Windows Command Shell | AppDomainManager CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Port Monitors | Masquerading: Match Legitimate Name or Location | Credentials from Password Stores: Credentials from Web Browsers | Browser Bookmark Discovery | | DHCP Spoofing CONTRIBUTE A TEST | | Multi-Stage Channels CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | | Valid Accounts: Local Accounts | Command and Scripting Interpreter: Visual Basic | Scheduled Task/Job CONTRIBUTE A TEST | Process Injection | Masquerade File Type CONTRIBUTE A TEST | DHCP Spoofing CONTRIBUTE A TEST | System Network Configuration Discovery | | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | | Port Knocking CONTRIBUTE A TEST | Resource Hijacking CONTRIBUTE A TEST | | | Malicious Link CONTRIBUTE A TEST | Modify Authentication Process: Password Filter DLL | Escape to Host CONTRIBUTE A TEST | Hide Artifacts | Unsecured Credentials: Private Keys | Account Discovery CONTRIBUTE A TEST | | Web Portal Capture CONTRIBUTE A TEST | | File Transfer Protocols CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST | | | System Services: Service Execution | Server Software Component: Terminal Services DLL | Boot or Logon Autostart Execution: Shortcut Modification | Domain Trust Modification CONTRIBUTE A TEST | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Domain Trust Discovery | | Video Capture | | One-Way Communication CONTRIBUTE A TEST | Data Destruction | | | Scheduled Task/Job: At | Browser Extensions | Boot or Logon Autostart Execution: Security Support Provider | Impair Defenses: Safe Boot Mode | OS Credential Dumping: LSASS Memory | File and Directory Discovery | | Email Collection: Email Forwarding Rule CONTRIBUTE A TEST | | Proxy: Multi-hop Proxy | Network Denial of Service CONTRIBUTE A TEST | | | | Outlook Rules CONTRIBUTE A TEST | Hijack Execution Flow: Path Interception by Search Order Hijacking | Virtualization/Sandbox Evasion: System Checks | Brute Force: Password Spraying | System Network Connections Discovery | | Data Staged CONTRIBUTE A TEST | | Data Obfuscation CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST | | | | Event Triggered Execution: Application Shimming | Domain Policy Modification: Group Policy Modification | Signed Binary Proxy Execution: InstallUtil | Web Portal Capture CONTRIBUTE A TEST | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | Input Capture: GUI Input Capture | | Non-Standard Port | Inhibit System Recovery | | | | Boot or Logon Autostart Execution: Port Monitors | Valid Accounts: Default Accounts | Stripped Payloads CONTRIBUTE A TEST | OS Credential Dumping: Cached Domain Credentials | Log Enumeration | | Data from Network Shared Drive | | Encrypted Channel | Disk Content Wipe CONTRIBUTE A TEST | | | | Traffic Signaling CONTRIBUTE A TEST | Time Providers | Hijack Execution Flow: DLL Search Order Hijacking | Steal or Forge Kerberos Tickets: Golden Ticket | Process Discovery | | Email Collection: Remote Email Collection CONTRIBUTE A TEST | | Bidirectional Communication CONTRIBUTE A TEST | System Shutdown/Reboot | | | | Boot or Logon Autostart Execution: Shortcut Modification | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Code Signing CONTRIBUTE A TEST | Steal or Forge Authentication Certificates | User Activity Based Checks CONTRIBUTE A TEST | | Input Capture CONTRIBUTE A TEST | | Asymmetric Cryptography CONTRIBUTE A TEST | | | | | Boot or Logon Autostart Execution: Security Support Provider | Create Process with Token | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Unsecured Credentials: Credentials In Files | Permission Groups Discovery: Local Groups | | ARP Cache Poisoning CONTRIBUTE A TEST | | Non-Application Layer Protocol | | | | | Hybrid Identity CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Winlogon Helper DLL | AppDomainManager CONTRIBUTE A TEST | Web Cookies CONTRIBUTE A TEST | Password Policy Discovery | | Data from Information Repositories CONTRIBUTE A TEST | | Protocol Impersonation CONTRIBUTE A TEST | | | | | Hijack Execution Flow: Path Interception by Search Order Hijacking | Event Triggered Execution: Image File Execution Options Injection | Signed Binary Proxy Execution: Msiexec | Unsecured Credentials: Group Policy Preferences | System Location Discovery: System Language Discovery | | Input Capture: Credential API Hooking | | Domain Fronting CONTRIBUTE A TEST | | | | | Server Software Component: Web Shell | Process Doppelgänging CONTRIBUTE A TEST | Modify Authentication Process: Password Filter DLL | Network Provider DLL CONTRIBUTE A TEST | Query Registry | | | | Data Encoding CONTRIBUTE A TEST | | | | | Valid Accounts: Default Accounts | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Clear Network Connection History and Configurations CONTRIBUTE A TEST | Forge Web Credentials CONTRIBUTE A TEST | System Location Discovery CONTRIBUTE A TEST | | | | Non-Standard Encoding CONTRIBUTE A TEST | | | | | Time Providers | Event Triggered Execution: Accessibility Features | Indicator Removal on Host: Clear Command History | Multi-Factor Authentication Request Generation CONTRIBUTE A TEST | Software Discovery: Security Software Discovery | | | | Application Layer Protocol: Web Protocols | | | | | Create Account: Local Account | Process Injection: Asynchronous Procedure Call | Indirect Command Execution | Exploitation for Credential Access CONTRIBUTE A TEST | Remote System Discovery | | | | Ingress Tool Transfer | | | | | Boot or Logon Autostart Execution: Winlogon Helper DLL | Event Triggered Execution: AppCert DLLs | Deobfuscate/Decode Files or Information | Input Capture: GUI Input Capture | Network Service Discovery | | | | Hide Infrastructure CONTRIBUTE A TEST | | | | | Event Triggered Execution: Image File Execution Options Injection | Device Registration CONTRIBUTE A TEST | Impair Defenses | Brute Force CONTRIBUTE A TEST | Software Discovery | | | | Data Obfuscation via Steganography | | | | | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Process Injection: Portable Executable Injection | Thread Execution Hijacking | Brute Force: Credential Stuffing | Debugger Evasion | | | | Fallback Channels CONTRIBUTE A TEST | | | | | Event Triggered Execution: Accessibility Features | Access Token Manipulation: Token Impersonation/Theft | Masquerading | Multi-Factor Authentication CONTRIBUTE A TEST | System Time Discovery | | | | Proxy: Internal Proxy | | | | | Create Account: Domain Account | Make and Impersonate Token CONTRIBUTE A TEST | Email Collection: Mailbox Manipulation | Forced Authentication | | | | | Dead Drop Resolver CONTRIBUTE A TEST | | | | | Component Firmware CONTRIBUTE A TEST | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Process Injection | Input Capture CONTRIBUTE A TEST | | | | | Junk Data CONTRIBUTE A TEST | | | | | Office Application Startup: Office Template Macros. | Access Token Manipulation: Parent PID Spoofing | Traffic Signaling CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | | | | | | | | | | Event Triggered Execution: AppCert DLLs | Event Triggered Execution: Change Default File Association | Signed Binary Proxy Execution | Steal or Forge Kerberos Tickets: Silver Ticket | | | | | | | | | | Device Registration CONTRIBUTE A TEST | Services File Permissions Weakness CONTRIBUTE A TEST | Indicator Removal on Host: Timestomp | Credentials from Password Stores: Windows Credential Manager | | | | | | | | | | Pre-OS Boot CONTRIBUTE A TEST | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Reflective Code Loading | Domain Controller Authentication CONTRIBUTE A TEST | | | | | | | | | | Port Knocking CONTRIBUTE A TEST | Account Manipulation | Ignore Process Interrupts CONTRIBUTE A TEST | Reversible Encryption CONTRIBUTE A TEST | | | | | | | | | | Network Provider DLL CONTRIBUTE A TEST | KernelCallbackTable CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | Multi-Factor Authentication Interception CONTRIBUTE A TEST | | | | | | | | | | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Hijack Execution Flow CONTRIBUTE A TEST | Signed Binary Proxy Execution: CMSTP | OS Credential Dumping: NTDS | | | | | | | | | | Compromise Host Software Binary CONTRIBUTE A TEST | Valid Accounts CONTRIBUTE A TEST | Impair Defenses: Disable Windows Event Logging | Steal or Forge Kerberos Tickets: Kerberoasting | | | | | | | | | | Event Triggered Execution: Change Default File Association | Process Injection: Process Hollowing | Signed Binary Proxy Execution: Control Panel | OS Credential Dumping: DCSync | | | | | | | | | | Services File Permissions Weakness CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Use Alternate Authentication Material CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | | | | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Event Triggered Execution | Impair Defenses: Disable or Modify System Firewall | Input Capture: Credential API Hooking | | | | | | | | | | Account Manipulation | Access Token Manipulation: SID-History Injection | Subvert Trust Controls: SIP and Trust Provider Hijacking | | | | | | | | | | | KernelCallbackTable CONTRIBUTE A TEST | Authentication Package | Hybrid Identity CONTRIBUTE A TEST | | | | | | | | | | | Outlook Forms CONTRIBUTE A TEST | Event Triggered Execution: Component Object Model Hijacking | Electron Applications CONTRIBUTE A TEST | | | | | | | | | | | Hijack Execution Flow CONTRIBUTE A TEST | Hijack Execution Flow: Path Interception by Unquoted Path | Rogue Domain Controller | | | | | | | | | | | Valid Accounts CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Subvert Trust Controls: Code Signing Policy Modification | | | | | | | | | | | Multi-Factor Authentication CONTRIBUTE A TEST | Network Logon Script CONTRIBUTE A TEST | Modify Registry | | | | | | | | | | | IIS Components | Event Triggered Execution: AppInit DLLs | Hijack Execution Flow: Path Interception by Search Order Hijacking | | | | | | | | | | | Event Triggered Execution | Event Triggered Execution: Screensaver | Obfuscated Files or Information: Binary Padding CONTRIBUTE A TEST | | | | | | | | | | | Authentication Package | Installer Packages CONTRIBUTE A TEST | Domain Policy Modification: Group Policy Modification | | | | | | | | | | | Event Triggered Execution: Component Object Model Hijacking | Access Token Manipulation CONTRIBUTE A TEST | Valid Accounts: Default Accounts | | | | | | | | | | | Office Application Startup: Outlook Home Page | Thread Local Storage CONTRIBUTE A TEST | Indicator Removal on Host: Clear Windows Event Logs | | | | | | | | | | | Hijack Execution Flow: Path Interception by Unquoted Path | Hijack Execution Flow: DLL Side-Loading | File and Directory Permissions Modification CONTRIBUTE A TEST | | | | | | | | | | | Domain Accounts CONTRIBUTE A TEST | Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | | | | | | | | | | | Network Logon Script CONTRIBUTE A TEST | Boot or Logon Initialization Scripts: Logon Script (Windows) | Create Process with Token | | | | | | | | | | | BITS Jobs | Process Injection: ListPlanting | Signed Binary Proxy Execution: Odbcconf | | | | | | | | | | | Event Triggered Execution: AppInit DLLs | Domain or Tenant Policy Modification CONTRIBUTE A TEST | Process Doppelgänging CONTRIBUTE A TEST | | | | | | | | | | | Event Triggered Execution: Screensaver | Boot or Logon Autostart Execution: LSASS Driver | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | | | | | | | | | | | Server Software Component CONTRIBUTE A TEST | Scheduled Task/Job: At | Impair Defenses: Indicator Blocking | | | | | | | | | | | Domain Controller Authentication CONTRIBUTE A TEST | Process Injection: Dynamic-link Library Injection | Right-to-Left Override CONTRIBUTE A TEST | | | | | | | | | | | Reversible Encryption CONTRIBUTE A TEST | Event Triggered Execution: Netsh Helper DLL | Component Firmware CONTRIBUTE A TEST | | | | | | | | | | | Installer Packages CONTRIBUTE A TEST | Valid Accounts: Local Accounts | Indicator Removal on Host | | | | | | | | | | | Create Account CONTRIBUTE A TEST | Hijack Execution Flow: COR_PROFILER | Use Alternate Authentication Material: Pass the Ticket | | | | | | | | | | | Hijack Execution Flow: DLL Side-Loading | | Masquerading: Masquerade Task or Service | | | | | | | | | | | Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST | | Process Injection: Asynchronous Procedure Call | | | | | | | | | | | Power Settings CONTRIBUTE A TEST | | Subvert Trust Controls: Mark-of-the-Web Bypass | | | | | | | | | | | Boot or Logon Initialization Scripts: Logon Script (Windows) | | Pre-OS Boot CONTRIBUTE A TEST | | | | | | | | | | | Office Application Startup: Office Test | | Process Injection: Portable Executable Injection | | | | | | | | | | | Boot or Logon Autostart Execution: LSASS Driver | | Verclsid CONTRIBUTE A TEST | | | | | | | | | | | Scheduled Task/Job: At | | Impair Defenses: Downgrade Attack | | | | | | | | | | | Modify Authentication Process CONTRIBUTE A TEST | | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | | | | | | | | Event Triggered Execution: Netsh Helper DLL | | Signed Binary Proxy Execution: Mshta | | | | | | | | | | | SQL Stored Procedures CONTRIBUTE A TEST | | Execution Guardrails CONTRIBUTE A TEST | | | | | | | | | | | Valid Accounts: Local Accounts | | Access Token Manipulation: Token Impersonation/Theft | | | | | | | | | | | Hijack Execution Flow: COR_PROFILER | | Port Knocking CONTRIBUTE A TEST | | | | | | | | | | | | | LNK Icon Smuggling CONTRIBUTE A TEST | | | | | | | | | | | | | Hide Artifacts: Hidden Users | | | | | | | | | | | | | Make and Impersonate Token CONTRIBUTE A TEST | | | | | | | | | | | | | Impair Defenses: Impair Command History Logging | | | | | | | | | | | | | Network Provider DLL CONTRIBUTE A TEST | | | | | | | | | | | | | User Activity Based Checks CONTRIBUTE A TEST | | | | | | | | | | | | | Access Token Manipulation: Parent PID Spoofing | | | | | | | | | | | | | Services File Permissions Weakness CONTRIBUTE A TEST | | | | | | | | | | | | | KernelCallbackTable CONTRIBUTE A TEST | | | | | | | | | | | | | Signed Binary Proxy Execution: Compiled HTML File | | | | | | | | | | | | | Indicator Removal on Host: Network Share Connection Removal | | | | | | | | | | | | | Impair Defenses: Disable or Modify Tools | | | | | | | | | | | | | Hijack Execution Flow CONTRIBUTE A TEST | | | | | | | | | | | | | Indicator Removal from Tools CONTRIBUTE A TEST | | | | | | | | | | | | | Valid Accounts CONTRIBUTE A TEST | | | | | | | | | | | | | Process Injection: Process Hollowing | | | | | | | | | | | | | Obfuscated Files or Information | | | | | | | | | | | | | Multi-Factor Authentication CONTRIBUTE A TEST | | | | | | | | | | | | | Invalid Code Signature CONTRIBUTE A TEST | | | | | | | | | | | | | Run Virtual Instance | | | | | | | | | | | | | Access Token Manipulation: SID-History Injection | | | | | | | | | | | | | Subvert Trust Controls CONTRIBUTE A TEST | | | | | | | | | | | | | Signed Binary Proxy Execution: Regsvr32 | | | | | | | | | | | | | Masquerading: Rename System Utilities | | | | | | | | | | | | | Spoof Security Alerting CONTRIBUTE A TEST | | | | | | | | | | | | | Hijack Execution Flow: Path Interception by Unquoted Path | | | | | | | | | | | | | Steganography CONTRIBUTE A TEST | | | | | | | | | | | | | Domain Accounts CONTRIBUTE A TEST | | | | | | | | | | | | | Signed Binary Proxy Execution: Regsvcs/Regasm | | | | | | | | | | | | | Subvert Trust Controls: Install Root Certificate | | | | | | | | | | | | | Obfuscated Files or Information: Compile After Delivery | | | | | | | | | | | | | VBA Stomping CONTRIBUTE A TEST | | | | | | | | | | | | | BITS Jobs | | | | | | | | | | | | | Trusted Developer Utilities Proxy Execution: MSBuild | | | | | | | | | | | | | Impersonation CONTRIBUTE A TEST | | | | | | | | | | | | | Hide Artifacts: Hidden Window | | | | | | | | | | | | | Clear Persistence CONTRIBUTE A TEST | | | | | | | | | | | | | Domain Controller Authentication CONTRIBUTE A TEST | | | | | | | | | | | | | HTML Smuggling | | | | | | | | | | | | | Reversible Encryption CONTRIBUTE A TEST | | | | | | | | | | | | | Command Obfuscation CONTRIBUTE A TEST | | | | | | | | | | | | | Indicator Removal on Host: File Deletion | | | | | | | | | | | | | Template Injection | | | | | | | | | | | | | Access Token Manipulation CONTRIBUTE A TEST | | | | | | | | | | | | | Obfuscated Files or Information: Software Packing CONTRIBUTE A TEST | | | | | | | | | | | | | Hidden File System CONTRIBUTE A TEST | | | | | | | | | | | | | Thread Local Storage CONTRIBUTE A TEST | | | | | | | | | | | | | Debugger Evasion | | | | | | | | | | | | | Use Alternate Authentication Material: Pass the Hash | | | | | | | | | | | | | Hijack Execution Flow: DLL Side-Loading | | | | | | | | | | | | | SyncAppvPublishingServer CONTRIBUTE A TEST | | | | | | | | | | | | | Obfuscated Files or Information: Dynamic API Resolution | | | | | | | | | | | | | Process Injection: ListPlanting | | | | | | | | | | | | | Domain or Tenant Policy Modification CONTRIBUTE A TEST | | | | | | | | | | | | | XSL Script Processing | | | | | | | | | | | | | Hide Artifacts: Hidden Files and Directories | | | | | | | | | | | | | Environmental Keying CONTRIBUTE A TEST | | | | | | | | | | | | | Hide Artifacts: NTFS File Attributes | | | | | | | | | | | | | Process Injection: Dynamic-link Library Injection | | | | | | | | | | | | | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | | | | | | | Signed Script Proxy Execution | | | | | | | | | | | | | Valid Accounts: Local Accounts | | | | | | | | | | | | | Exploitation for Defense Evasion CONTRIBUTE A TEST | | | | | | | | | | | | | Trusted Developer Utilities Proxy Execution | | | | | | | | | | | | | MMC CONTRIBUTE A TEST | | | | | | | | | | | | | Process Argument Spoofing CONTRIBUTE A TEST | | | | | | | | | | | | | Hijack Execution Flow: COR_PROFILER | | | | | | | |