Skip to content

Latest commit

 

History

History
108 lines (108 loc) · 35.9 KB

windows-matrix.md

File metadata and controls

108 lines (108 loc) · 35.9 KB

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Compromise Hardware Supply Chain CONTRIBUTE A TEST At (Windows) Accessibility Features Abuse Elevation Control Mechanism CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Brute Force CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Component Object Model and Distributed COM CONTRIBUTE A TEST Archive Collected Data Automated Exfiltration Application Layer Protocol CONTRIBUTE A TEST Account Access Removal
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Account Manipulation Access Token Manipulation CONTRIBUTE A TEST Access Token Manipulation CONTRIBUTE A TEST Cached Domain Credentials CONTRIBUTE A TEST Application Window Discovery Distributed Component Object Model CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Data Transfer Size Limits CONTRIBUTE A TEST Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST Add-ins CONTRIBUTE A TEST Accessibility Features Asynchronous Procedure Call Credential API Hooking Browser Bookmark Discovery Exploitation of Remote Services CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Alternative Protocol CONTRIBUTE A TEST Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Default Accounts CONTRIBUTE A TEST Component Object Model and Distributed COM CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST BITS Jobs Credential Stuffing CONTRIBUTE A TEST Domain Account Internal Spearphishing CONTRIBUTE A TEST Archive via Utility Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Destruction
Domain Accounts CONTRIBUTE A TEST Dynamic Data Exchange AppInit DLLs AppInit DLLs Binary Padding CONTRIBUTE A TEST Credentials In Files Domain Groups Lateral Tool Transfer CONTRIBUTE A TEST Audio Capture Exfiltration Over Bluetooth CONTRIBUTE A TEST DNS Data Encrypted for Impact CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST Application Shimming Application Shimming Bootkit CONTRIBUTE A TEST Credentials from Password Stores CONTRIBUTE A TEST Domain Trust Discovery Pass the Hash Automated Collection Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST At (Windows) Asynchronous Procedure Call Bypass User Access Control Credentials from Web Browsers Email Account CONTRIBUTE A TEST Pass the Ticket Clipboard Data Exfiltration Over Other Network Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST Inter-Process Communication CONTRIBUTE A TEST Authentication Package CONTRIBUTE A TEST At (Windows) CMSTP Credentials in Registry File and Directory Discovery RDP Hijacking CONTRIBUTE A TEST Credential API Hooking Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Malicious File BITS Jobs Authentication Package CONTRIBUTE A TEST Clear Windows Event Logs DCSync CONTRIBUTE A TEST Local Account Remote Desktop Protocol Data Staged CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Dead Drop Resolver CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Code Signing CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Local Groups Remote Service Session Hijacking CONTRIBUTE A TEST Data from Information Repositories CONTRIBUTE A TEST Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Domain Fronting CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Native API Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Compile After Delivery Exploitation for Credential Access CONTRIBUTE A TEST Network Service Scanning Remote Services CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST PowerShell Bootkit CONTRIBUTE A TEST Bypass User Access Control Compiled HTML File Forced Authentication CONTRIBUTE A TEST Network Share Discovery Replication Through Removable Media CONTRIBUTE A TEST Data from Network Shared Drive CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing Attachment Python CONTRIBUTE A TEST Browser Extensions Change Default File Association Component Firmware CONTRIBUTE A TEST GUI Input Capture Network Sniffing SMB/Windows Admin Shares Data from Removable Media CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Encrypted Channel External Defacement CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Scheduled Task Change Default File Association Component Object Model Hijacking Control Panel Golden Ticket CONTRIBUTE A TEST Password Policy Discovery Shared Webroot CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST Create Process with Token CONTRIBUTE A TEST Create Process with Token CONTRIBUTE A TEST Group Policy Preferences Peripheral Device Discovery CONTRIBUTE A TEST Software Deployment Tools CONTRIBUTE A TEST Email Forwarding Rule CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Inhibit System Recovery
Supply Chain Compromise CONTRIBUTE A TEST Scripting CONTRIBUTE A TEST Component Object Model Hijacking Create or Modify System Process CONTRIBUTE A TEST DLL Search Order Hijacking Input Capture CONTRIBUTE A TEST Permission Groups Discovery CONTRIBUTE A TEST Taint Shared Content CONTRIBUTE A TEST GUI Input Capture Fast Flux DNS CONTRIBUTE A TEST Internal Defacement CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Service Execution Compromise Client Software Binary CONTRIBUTE A TEST DLL Search Order Hijacking DLL Side-Loading Kerberoasting Process Discovery Use Alternate Authentication Material CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Shared Modules CONTRIBUTE A TEST Create Account CONTRIBUTE A TEST DLL Side-Loading Default Accounts CONTRIBUTE A TEST Keylogging Query Registry VNC CONTRIBUTE A TEST Keylogging Ingress Tool Transfer OS Exhaustion Flood CONTRIBUTE A TEST
Software Deployment Tools CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Deobfuscate/Decode Files or Information LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Remote System Discovery Windows Remote Management LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Internal Proxy Reflection Amplification CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST DLL Search Order Hijacking Domain Accounts CONTRIBUTE A TEST Direct Volume Access CONTRIBUTE A TEST LSA Secrets CONTRIBUTE A TEST Security Software Discovery Local Data Staging Junk Data CONTRIBUTE A TEST Resource Hijacking CONTRIBUTE A TEST
User Execution CONTRIBUTE A TEST DLL Side-Loading Dynamic-link Library Injection CONTRIBUTE A TEST Disable Windows Event Logging LSASS Memory Software Discovery Local Email Collection Mail Protocols CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
VBScript CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Disable or Modify System Firewall Man-in-the-Middle CONTRIBUTE A TEST System Information Discovery Man in the Browser CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Windows Command Shell Domain Account CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Disable or Modify Tools Modify Authentication Process CONTRIBUTE A TEST System Network Configuration Discovery Man-in-the-Middle CONTRIBUTE A TEST Multi-hop Proxy CONTRIBUTE A TEST Service Stop
Windows Management Instrumentation Domain Accounts CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST NTDS System Network Connections Discovery Remote Data Staging CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Event Triggered Execution CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Network Sniffing System Owner/User Discovery Remote Email Collection CONTRIBUTE A TEST Non-Application Layer Protocol System Shutdown/Reboot
Exchange Email Delegate Permissions CONTRIBUTE A TEST Group Policy Modification CONTRIBUTE A TEST Dynamic-link Library Injection CONTRIBUTE A TEST OS Credential Dumping System Service Discovery Screen Capture CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Password Cracking CONTRIBUTE A TEST System Time Discovery Sharepoint CONTRIBUTE A TEST Non-Standard Port
External Remote Services CONTRIBUTE A TEST Image File Execution Options Injection Execution Guardrails CONTRIBUTE A TEST Password Filter DLL Video Capture CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST LSASS Driver CONTRIBUTE A TEST Exploitation for Defense Evasion CONTRIBUTE A TEST Password Guessing Web Portal Capture CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Hypervisor CONTRIBUTE A TEST Local Accounts CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Password Spraying Protocol Tunneling CONTRIBUTE A TEST
Image File Execution Options Injection Logon Script (Windows) File Deletion Private Keys Proxy CONTRIBUTE A TEST
LSASS Driver CONTRIBUTE A TEST Make and Impersonate Token CONTRIBUTE A TEST File and Directory Permissions Modification CONTRIBUTE A TEST Security Account Manager Remote Access Software
Local Account Netsh Helper DLL Group Policy Modification CONTRIBUTE A TEST Silver Ticket CONTRIBUTE A TEST Standard Encoding CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Network Logon Script CONTRIBUTE A TEST Hidden Files and Directories Steal Web Session Cookie CONTRIBUTE A TEST Steganography CONTRIBUTE A TEST
Logon Script (Windows) Parent PID Spoofing Hidden Window Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST
Netsh Helper DLL Path Interception CONTRIBUTE A TEST Hide Artifacts CONTRIBUTE A TEST Two-Factor Authentication Interception CONTRIBUTE A TEST Web Protocols
Network Logon Script CONTRIBUTE A TEST Path Interception by PATH Environment Variable CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Unsecured Credentials CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Office Application Startup CONTRIBUTE A TEST Path Interception by Search Order Hijacking CONTRIBUTE A TEST Impair Defenses CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST
Office Template Macros CONTRIBUTE A TEST Path Interception by Unquoted Path Indicator Blocking CONTRIBUTE A TEST
Office Test CONTRIBUTE A TEST Port Monitors CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST
Outlook Forms CONTRIBUTE A TEST Portable Executable Injection CONTRIBUTE A TEST Indicator Removal on Host
Outlook Home Page CONTRIBUTE A TEST PowerShell Profile Indirect Command Execution
Outlook Rules CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST Install Root Certificate
Path Interception CONTRIBUTE A TEST Process Hollowing InstallUtil
Path Interception by PATH Environment Variable CONTRIBUTE A TEST Process Injection Invalid Code Signature CONTRIBUTE A TEST
Path Interception by Search Order Hijacking CONTRIBUTE A TEST Registry Run Keys / Startup Folder Local Accounts CONTRIBUTE A TEST
Path Interception by Unquoted Path SID-History Injection CONTRIBUTE A TEST MSBuild
Port Monitors CONTRIBUTE A TEST Scheduled Task Make and Impersonate Token CONTRIBUTE A TEST
PowerShell Profile Scheduled Task/Job CONTRIBUTE A TEST Masquerade Task or Service CONTRIBUTE A TEST
Pre-OS Boot CONTRIBUTE A TEST Screensaver Masquerading CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST Security Support Provider Match Legitimate Name or Location CONTRIBUTE A TEST
Registry Run Keys / Startup Folder Services File Permissions Weakness Modify Authentication Process CONTRIBUTE A TEST
SQL Stored Procedures CONTRIBUTE A TEST Services Registry Permissions Weakness Modify Registry
Scheduled Task Shortcut Modification Mshta
Scheduled Task/Job CONTRIBUTE A TEST Thread Execution Hijacking CONTRIBUTE A TEST Msiexec
Screensaver Thread Local Storage CONTRIBUTE A TEST NTFS File Attributes
Security Support Provider Time Providers CONTRIBUTE A TEST Network Share Connection Removal
Server Software Component CONTRIBUTE A TEST Token Impersonation/Theft CONTRIBUTE A TEST Obfuscated Files or Information
Services File Permissions Weakness Valid Accounts CONTRIBUTE A TEST Odbcconf
Services Registry Permissions Weakness Windows Management Instrumentation Event Subscription Parent PID Spoofing
Shortcut Modification Windows Service Pass the Hash
System Firmware CONTRIBUTE A TEST Winlogon Helper DLL Pass the Ticket
Time Providers CONTRIBUTE A TEST Password Filter DLL
Transport Agent Path Interception by PATH Environment Variable CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Path Interception by Search Order Hijacking CONTRIBUTE A TEST
Web Shell Path Interception by Unquoted Path
Windows Management Instrumentation Event Subscription Portable Executable Injection CONTRIBUTE A TEST
Windows Service Pre-OS Boot CONTRIBUTE A TEST
Winlogon Helper DLL Process Doppelgänging CONTRIBUTE A TEST
Process Hollowing
Process Injection
PubPrn
Redundant Access CONTRIBUTE A TEST
Regsvcs/Regasm
Regsvr32
Rename System Utilities
Right-to-Left Override CONTRIBUTE A TEST
Rogue Domain Controller
Rootkit
Rundll32
SID-History Injection CONTRIBUTE A TEST
SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Services File Permissions Weakness
Services Registry Permissions Weakness
Signed Binary Proxy Execution
Signed Script Proxy Execution
Software Packing CONTRIBUTE A TEST
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
System Checks CONTRIBUTE A TEST
System Firmware CONTRIBUTE A TEST
Template Injection CONTRIBUTE A TEST
Thread Execution Hijacking CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Token Impersonation/Theft CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
Use Alternate Authentication Material CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Windows File and Directory Permissions Modification
XSL Script Processing