Skip to content

Latest commit

 

History

History
52 lines (52 loc) · 16.4 KB

windows-matrix.md

File metadata and controls

52 lines (52 loc) · 16.4 KB
Raw

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control
Drive-by Compromise CONTRIBUTE A TEST CMSTP Accessibility Features Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software CONTRIBUTE A TEST Audio Capture Automated Exfiltration CONTRIBUTE A TEST Commonly Used Port CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Command-Line Interface AppCert DLLs CONTRIBUTE A TEST Accessibility Features BITS Jobs Brute Force Application Window Discovery CONTRIBUTE A TEST Distributed Component Object Model CONTRIBUTE A TEST Automated Collection Data Compressed Communication Through Removable Media CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Control Panel Items CONTRIBUTE A TEST AppInit DLLs AppCert DLLs CONTRIBUTE A TEST Binary Padding CONTRIBUTE A TEST Credential Dumping Browser Bookmark Discovery CONTRIBUTE A TEST Exploitation of Remote Services CONTRIBUTE A TEST Clipboard Data Data Encrypted Connection Proxy CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST Dynamic Data Exchange Application Shimming AppInit DLLs Bypass User Account Control CONTRIBUTE A TEST Credentials in Files File and Directory Discovery Logon Scripts Data Staged Data Transfer Size Limits Custom Command and Control Protocol CONTRIBUTE A TEST
Spearphishing Attachment Execution through API CONTRIBUTE A TEST Authentication Package CONTRIBUTE A TEST Application Shimming CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Information Repositories CONTRIBUTE A TEST Exfiltration Over Alternative Protocol Custom Cryptographic Protocol CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Execution through Module Load CONTRIBUTE A TEST BITS Jobs Bypass User Account Control CONTRIBUTE A TEST Code Signing CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Network Share Discovery Pass the Ticket CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Exfiltration Over Command and Control Channel CONTRIBUTE A TEST Data Encoding
Spearphishing via Service CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST DLL Search Order Hijacking CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST Forced Authentication CONTRIBUTE A TEST Password Policy Discovery Remote Desktop Protocol Data from Network Shared Drive CONTRIBUTE A TEST Exfiltration Over Other Network Medium CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST Browser Extensions Exploitation for Privilege Escalation CONTRIBUTE A TEST Component Object Model Hijacking Hooking Peripheral Device Discovery CONTRIBUTE A TEST Remote File Copy Data from Removable Media CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST InstallUtil Change Default File Association Extra Window Memory Injection CONTRIBUTE A TEST Control Panel Items CONTRIBUTE A TEST Input Capture Permission Groups Discovery Remote Services CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST LSASS Driver CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST File System Permissions Weakness CONTRIBUTE A TEST DCShadow Kerberoasting CONTRIBUTE A TEST Process Discovery Replication Through Removable Media CONTRIBUTE A TEST Input Capture Multi-Stage Channels CONTRIBUTE A TEST
Mshta Component Object Model Hijacking Hooking DLL Search Order Hijacking CONTRIBUTE A TEST LLMNR/NBT-NS Poisoning CONTRIBUTE A TEST Query Registry Shared Webroot CONTRIBUTE A TEST Man in the Browser CONTRIBUTE A TEST Multi-hop Proxy CONTRIBUTE A TEST
PowerShell Create Account Image File Execution Options Injection DLL Side-Loading CONTRIBUTE A TEST Network Sniffing Remote System Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Multiband Communication CONTRIBUTE A TEST
Regsvcs/Regasm DLL Search Order Hijacking CONTRIBUTE A TEST New Service Deobfuscate/Decode Files or Information Password Filter DLL CONTRIBUTE A TEST Security Software Discovery Third-party Software CONTRIBUTE A TEST Video Capture CONTRIBUTE A TEST Multilayer Encryption CONTRIBUTE A TEST
Regsvr32 External Remote Services CONTRIBUTE A TEST Path Interception CONTRIBUTE A TEST Disabling Security Tools Private Keys System Information Discovery Windows Admin Shares Remote Access Tools CONTRIBUTE A TEST
Rundll32 File System Permissions Weakness CONTRIBUTE A TEST Port Monitors CONTRIBUTE A TEST Exploitation for Defense Evasion CONTRIBUTE A TEST Replication Through Removable Media CONTRIBUTE A TEST System Network Configuration Discovery Windows Remote Management Remote File Copy
Scheduled Task Hidden Files and Directories Process Injection Extra Window Memory Injection CONTRIBUTE A TEST Two-Factor Authentication Interception CONTRIBUTE A TEST System Network Connections Discovery Standard Application Layer Protocol CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST Hooking SID-History Injection CONTRIBUTE A TEST File Deletion System Owner/User Discovery Standard Cryptographic Protocol CONTRIBUTE A TEST
Service Execution CONTRIBUTE A TEST Hypervisor Scheduled Task File System Logical Offsets CONTRIBUTE A TEST System Service Discovery Standard Non-Application Layer Protocol CONTRIBUTE A TEST
Signed Binary Proxy Execution CONTRIBUTE A TEST Image File Execution Options Injection Service Registry Permissions Weakness CONTRIBUTE A TEST Hidden Files and Directories System Time Discovery Uncommonly Used Port
Signed Script Proxy Execution CONTRIBUTE A TEST LSASS Driver CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Image File Execution Options Injection Web Service CONTRIBUTE A TEST
Third-party Software CONTRIBUTE A TEST Logon Scripts Web Shell CONTRIBUTE A TEST Indicator Blocking CONTRIBUTE A TEST
Trusted Developer Utilities Modify Existing Service CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST
User Execution CONTRIBUTE A TEST Netsh Helper DLL Indicator Removal on Host
Windows Management Instrumentation New Service Indirect Command Execution
Windows Remote Management Office Application Startup Install Root Certificate
Path Interception CONTRIBUTE A TEST InstallUtil
Port Monitors CONTRIBUTE A TEST Masquerading CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST Modify Registry CONTRIBUTE A TEST
Registry Run Keys / Start Folder Mshta
SIP and Trust Provider Hijacking CONTRIBUTE A TEST NTFS File Attributes
Scheduled Task Network Share Connection Removal
Screensaver CONTRIBUTE A TEST Obfuscated Files or Information CONTRIBUTE A TEST
Security Support Provider CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST
Service Registry Permissions Weakness CONTRIBUTE A TEST Process Hollowing CONTRIBUTE A TEST
Shortcut Modification CONTRIBUTE A TEST Process Injection
System Firmware CONTRIBUTE A TEST Redundant Access CONTRIBUTE A TEST
Time Providers CONTRIBUTE A TEST Regsvcs/Regasm
Valid Accounts CONTRIBUTE A TEST Regsvr32
Web Shell CONTRIBUTE A TEST Rootkit
Windows Management Instrumentation Event Subscription Rundll32
Winlogon Helper DLL CONTRIBUTE A TEST SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Signed Binary Proxy Execution CONTRIBUTE A TEST
Signed Script Proxy Execution CONTRIBUTE A TEST
Software Packing CONTRIBUTE A TEST
Timestomp
Trusted Developer Utilities
Valid Accounts CONTRIBUTE A TEST
Web Service CONTRIBUTE A TEST