Windows Technique Matrix

Persistence: Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, Bootkit, Browser Extensions, Change Default File Association, Component Firmware, Component Object Model Hijacking, Create Account, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hooking, Hypervisor, Image File Execution Options Injection, LSASS Driver, Logon Scripts, Modify Existing Service, Netsh Helper DLL, New Service, Office Application Startup, Path Interception, Port Monitors, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Screensaver, Security Support Provider, Service Registry Permissions Weakness, Shortcut Modification, System Firmware, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation: Access Token Manipulation, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Search Order Hijacking, Exploitation of Vulnerability, Extra Window Memory Injection, File System Permissions Weakness, Hooking, Image File Execution Options Injection, New Service, Path Interception, Port Monitors, Process Injection, SID-History Injection, Scheduled Task, Service Registry Permissions Weakness, Valid Accounts, Web Shell

Defense Evasion: Access Token Manipulation, Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, Component Object Model Hijacking, DLL Search Order Hijacking, DLL Side-Loading, Deobfuscate/Decode Files or Information, Disabling Security Tools, Exploitation of Vulnerability, Extra Window Memory Injection, File Deletion, File System Logical Offsets, Hidden Files and Directories, Image File Execution Options Injection, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Install Root Certificate, InstallUtil, Masquerading, Modify Registry, Mshta, NTFS Extended Attributes, Network Share Connection Removal, Obfuscated Files or Information, Process Doppelgänging, Process Hollowing, Process Injection, Redundant Access, Regsvcs/Regasm, Regsvr32, Rootkit, Rundll32, Scripting, Software Packing, Timestomp, Trusted Developer Utilities, Valid Accounts

Credential Access: Account Manipulation, Brute Force, Credential Dumping, Credentials in Files, Exploitation of Vulnerability, Forced Authentication, Hooking, Input Capture, LLMNR/NBT-NS Poisoning, Network Sniffing, Password Filter DLL, Private Keys, Replication Through Removable Media, Two-Factor Authentication Interception

Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery

Lateral Movement: Application Deployment Software, Distributed Component Object Model, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Third-party Software, Windows Admin Shares, Windows Remote Management

Execution: Command-Line Interface, Dynamic Data Exchange, Execution through API, Execution through Module Load, Graphical User Interface, InstallUtil, LSASS Driver, Mshta, PowerShell, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Third-party Software, Trusted Developer Utilities, Windows Management Instrumentation, Windows Remote Management

Collection: Audio Capture, Automated Collection, Browser Extensions, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Man in the Browser, Screen Capture, Video Capture

Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer

Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Fallback Channels, Multi-Stage Channels, Multi-hop Proxy, Multiband Communication, Multilayer Encryption, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service