windows-matrix.md

File metadata and controls

52 lines (52 loc) · 15.8 KB

# Windows Atomic Tests by ATT&CK Tactic & Technique

Techniques are grouped by ATT&CK tactic. A technique marked CONTRIBUTE A TEST has no Windows atomic test yet.

## initial-access

- Drive-by Compromise (CONTRIBUTE A TEST)
- Exploit Public-Facing Application (CONTRIBUTE A TEST)
- Hardware Additions (CONTRIBUTE A TEST)
- Replication Through Removable Media (CONTRIBUTE A TEST)
- Spearphishing Attachment
- Spearphishing Link (CONTRIBUTE A TEST)
- Spearphishing via Service (CONTRIBUTE A TEST)
- Supply Chain Compromise (CONTRIBUTE A TEST)
- Trusted Relationship (CONTRIBUTE A TEST)
- Valid Accounts (CONTRIBUTE A TEST)

## execution

- CMSTP
- Command-Line Interface
- Control Panel Items (CONTRIBUTE A TEST)
- Dynamic Data Exchange
- Execution through API (CONTRIBUTE A TEST)
- Execution through Module Load (CONTRIBUTE A TEST)
- Exploitation for Client Execution (CONTRIBUTE A TEST)
- Graphical User Interface (CONTRIBUTE A TEST)
- InstallUtil
- LSASS Driver (CONTRIBUTE A TEST)
- Mshta
- PowerShell
- Regsvcs/Regasm
- Regsvr32
- Rundll32
- Scheduled Task
- Scripting
- Service Execution
- Signed Binary Proxy Execution (CONTRIBUTE A TEST)
- Signed Script Proxy Execution
- Third-party Software (CONTRIBUTE A TEST)
- Trusted Developer Utilities
- User Execution (CONTRIBUTE A TEST)
- Windows Management Instrumentation
- Windows Remote Management

## persistence

- Accessibility Features
- AppCert DLLs (CONTRIBUTE A TEST)
- AppInit DLLs
- Application Shimming
- Authentication Package (CONTRIBUTE A TEST)
- BITS Jobs
- Bootkit (CONTRIBUTE A TEST)
- Browser Extensions
- Change Default File Association
- Component Firmware (CONTRIBUTE A TEST)
- Component Object Model Hijacking
- Create Account
- DLL Search Order Hijacking (CONTRIBUTE A TEST)
- External Remote Services (CONTRIBUTE A TEST)
- File System Permissions Weakness (CONTRIBUTE A TEST)
- Hidden Files and Directories
- Hooking
- Hypervisor
- Image File Execution Options Injection
- LSASS Driver (CONTRIBUTE A TEST)
- Logon Scripts
- Modify Existing Service
- Netsh Helper DLL
- New Service
- Office Application Startup
- Path Interception (CONTRIBUTE A TEST)
- Port Monitors (CONTRIBUTE A TEST)
- Redundant Access (CONTRIBUTE A TEST)
- Registry Run Keys / Start Folder
- SIP and Trust Provider Hijacking (CONTRIBUTE A TEST)
- Scheduled Task
- Screensaver
- Security Support Provider (CONTRIBUTE A TEST)
- Service Registry Permissions Weakness (CONTRIBUTE A TEST)
- Shortcut Modification (CONTRIBUTE A TEST)
- System Firmware (CONTRIBUTE A TEST)
- Time Providers (CONTRIBUTE A TEST)
- Valid Accounts (CONTRIBUTE A TEST)
- Web Shell (CONTRIBUTE A TEST)
- Windows Management Instrumentation Event Subscription
- Winlogon Helper DLL (CONTRIBUTE A TEST)

## privilege-escalation

- Access Token Manipulation
- Accessibility Features
- AppCert DLLs (CONTRIBUTE A TEST)
- AppInit DLLs
- Application Shimming
- Bypass User Account Control
- DLL Search Order Hijacking (CONTRIBUTE A TEST)
- Exploitation for Privilege Escalation (CONTRIBUTE A TEST)
- Extra Window Memory Injection (CONTRIBUTE A TEST)
- File System Permissions Weakness (CONTRIBUTE A TEST)
- Hooking
- Image File Execution Options Injection
- New Service
- Path Interception (CONTRIBUTE A TEST)
- Port Monitors (CONTRIBUTE A TEST)
- Process Injection
- SID-History Injection (CONTRIBUTE A TEST)
- Scheduled Task
- Service Registry Permissions Weakness (CONTRIBUTE A TEST)
- Valid Accounts (CONTRIBUTE A TEST)
- Web Shell (CONTRIBUTE A TEST)

## defense-evasion

- Access Token Manipulation
- BITS Jobs
- Binary Padding
- Bypass User Account Control
- CMSTP
- Code Signing (CONTRIBUTE A TEST)
- Component Firmware (CONTRIBUTE A TEST)
- Component Object Model Hijacking
- Control Panel Items (CONTRIBUTE A TEST)
- DCShadow
- DLL Search Order Hijacking (CONTRIBUTE A TEST)
- DLL Side-Loading (CONTRIBUTE A TEST)
- Deobfuscate/Decode Files or Information
- Disabling Security Tools
- Exploitation for Defense Evasion (CONTRIBUTE A TEST)
- Extra Window Memory Injection (CONTRIBUTE A TEST)
- File Deletion
- File System Logical Offsets (CONTRIBUTE A TEST)
- Hidden Files and Directories
- Image File Execution Options Injection
- Indicator Blocking (CONTRIBUTE A TEST)
- Indicator Removal from Tools (CONTRIBUTE A TEST)
- Indicator Removal on Host
- Indirect Command Execution
- Install Root Certificate
- InstallUtil
- Masquerading
- Modify Registry
- Mshta
- NTFS File Attributes
- Network Share Connection Removal
- Obfuscated Files or Information
- Process Doppelgänging (CONTRIBUTE A TEST)
- Process Hollowing (CONTRIBUTE A TEST)
- Process Injection
- Redundant Access (CONTRIBUTE A TEST)
- Regsvcs/Regasm
- Regsvr32
- Rootkit
- Rundll32
- SIP and Trust Provider Hijacking (CONTRIBUTE A TEST)
- Scripting
- Signed Binary Proxy Execution (CONTRIBUTE A TEST)
- Signed Script Proxy Execution
- Software Packing (CONTRIBUTE A TEST)
- Timestomp
- Trusted Developer Utilities
- Valid Accounts (CONTRIBUTE A TEST)
- Web Service (CONTRIBUTE A TEST)

## credential-access

- Account Manipulation
- Brute Force
- Credential Dumping
- Credentials in Files
- Credentials in Registry
- Exploitation for Credential Access (CONTRIBUTE A TEST)
- Forced Authentication (CONTRIBUTE A TEST)
- Hooking
- Input Capture
- Kerberoasting (CONTRIBUTE A TEST)
- LLMNR/NBT-NS Poisoning (CONTRIBUTE A TEST)
- Network Sniffing
- Password Filter DLL (CONTRIBUTE A TEST)
- Private Keys
- Replication Through Removable Media (CONTRIBUTE A TEST)
- Two-Factor Authentication Interception (CONTRIBUTE A TEST)

## discovery

- Account Discovery
- Application Window Discovery (CONTRIBUTE A TEST)
- Browser Bookmark Discovery
- File and Directory Discovery
- Network Service Scanning
- Network Share Discovery
- Password Policy Discovery
- Peripheral Device Discovery (CONTRIBUTE A TEST)
- Permission Groups Discovery
- Process Discovery
- Query Registry
- Remote System Discovery
- Security Software Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery
- System Service Discovery
- System Time Discovery

## lateral-movement

- Application Deployment Software (CONTRIBUTE A TEST)
- Distributed Component Object Model (CONTRIBUTE A TEST)
- Exploitation of Remote Services (CONTRIBUTE A TEST)
- Logon Scripts
- Pass the Hash
- Pass the Ticket (CONTRIBUTE A TEST)
- Remote Desktop Protocol
- Remote File Copy
- Remote Services (CONTRIBUTE A TEST)
- Replication Through Removable Media (CONTRIBUTE A TEST)
- Shared Webroot (CONTRIBUTE A TEST)
- Taint Shared Content (CONTRIBUTE A TEST)
- Third-party Software (CONTRIBUTE A TEST)
- Windows Admin Shares
- Windows Remote Management

## collection

- Audio Capture
- Automated Collection
- Clipboard Data
- Data Staged
- Data from Information Repositories (CONTRIBUTE A TEST)
- Data from Local System (CONTRIBUTE A TEST)
- Data from Network Shared Drive (CONTRIBUTE A TEST)
- Data from Removable Media (CONTRIBUTE A TEST)
- Email Collection (CONTRIBUTE A TEST)
- Input Capture
- Man in the Browser (CONTRIBUTE A TEST)
- Screen Capture
- Video Capture (CONTRIBUTE A TEST)

## exfiltration

- Automated Exfiltration (CONTRIBUTE A TEST)
- Data Compressed
- Data Encrypted
- Data Transfer Size Limits
- Exfiltration Over Alternative Protocol
- Exfiltration Over Command and Control Channel (CONTRIBUTE A TEST)
- Exfiltration Over Other Network Medium (CONTRIBUTE A TEST)
- Exfiltration Over Physical Medium (CONTRIBUTE A TEST)
- Scheduled Transfer (CONTRIBUTE A TEST)

## command-and-control

- Commonly Used Port (CONTRIBUTE A TEST)
- Communication Through Removable Media (CONTRIBUTE A TEST)
- Connection Proxy (CONTRIBUTE A TEST)
- Custom Command and Control Protocol (CONTRIBUTE A TEST)
- Custom Cryptographic Protocol (CONTRIBUTE A TEST)
- Data Encoding
- Data Obfuscation (CONTRIBUTE A TEST)
- Domain Fronting (CONTRIBUTE A TEST)
- Fallback Channels (CONTRIBUTE A TEST)
- Multi-Stage Channels (CONTRIBUTE A TEST)
- Multi-hop Proxy (CONTRIBUTE A TEST)
- Multiband Communication (CONTRIBUTE A TEST)
- Multilayer Encryption (CONTRIBUTE A TEST)
- Remote Access Tools (CONTRIBUTE A TEST)
- Remote File Copy
- Standard Application Layer Protocol (CONTRIBUTE A TEST)
- Standard Cryptographic Protocol (CONTRIBUTE A TEST)
- Standard Non-Application Layer Protocol (CONTRIBUTE A TEST)
- Uncommonly Used Port
- Web Service (CONTRIBUTE A TEST)