Upload File

mitre att&ck : apt29 techniques mapped to mitigations and ... · runtime data manipulation...

  • Home
  • Documents
  • MITRE ATT&CK : APT29 Techniques Mapped to Mitigations and ... · Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated
2
MITRE ATT&CK ® : APT29 Techniques Mapped to Mitigations and Data Sources About This Diagram Aligning your defenses to adversaries with ATT&CK Resources attack.mitre.org Access ATT&CK technical information Contribute to ATT&CK Follow our blog Watch ATT&CK presentations attackevals.mitre.org MITRE ATT&CK Evaluations @MITREattack mitre-att&ck ATT&CK provides a framework for defenders to enhance their posture against specific adversaries. To use ATT&CK in this way, find an adversary group you’re interested in and identify the techniques that they are known to use. For each technique, pull up the technique page to see how that adversary uses the technique, as well as how you can potentially mitigate and detect it. This chart helps visualize the results. Here, we have the techniques that APT29 is known to use in the middle column. We linked each technique on the left to potential means of mitigation and on the right to data sources that defenders can use to potentially detect the technique. Defenders can look at this chart either to see how their current mitigations and data sources stack up to APT29, or as a roadmap to plan how they can architect their defenses. For more information, you can read about APT29, or other groups, on the ATT&CK website: attack.mitre.org. Use ATT&CK for Cyber Threat Intelligence Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence. Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Use ATT&CK for Adversary Emulation and Red Teaming The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them. Get Started with ATT&CK Legend Low Priority High Priority Legend APT28 APT29 Both Comparing APT28 to APT29 Finding Gaps in Defense Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trusted Developer Utilities DLL Search Order Hijacking Image File Execution Options Injection Plist Modification Valid Accounts Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Dylib Hijacking File System Permissions Weakness Hooking Launch Daemon New Service Path Interception Port Monitors Service Registry Permissions Weakness Setuid and Setgid Startup Items Web Shell .bash_profile and .bashrc Account Manipulation Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware BITS Jobs Clear Command History CMSTP Code Signing Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Exploitation for Privilege Escalation SID-History Injection Sudo Sudo Caching Scheduled Task Binary Padding Network Sniffing Launchctl Local Job Scheduling LSASS Driver Trap Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Discovery Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Enterprise Framework To help cyber defenders gain a common understanding of the threats they face, MITRE developed the ATT&CK framework. It’s a globally-accessible knowledge base of adversary tactics and techniques based on real world observations and open source research contributed by the cyber community. Used by organizations around the world, ATT&CK provides a shared understanding of adversary tactics, techniques and procedures and how to detect, prevent, and/or mitigate them. ATT&CK is open and available to any person or organization for use at no charge. For more than 60 years, MITRE has worked in the public interest. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. S O L V I N G P R O B L E M S F O R A S A F E R W O R L D S O L V I N G P R O B L E M S F O R A S A F E R W O R L D Anti-virus API monitoring Authentication logs Binary file metadata Detonation chamber DLL monitoring DNS records Email gateway Environment variable File monitoring Host network interface Loaded DLLs Mail server Malware reverse engineering Netflow/Enclave netflow Network intrusion detection system Network protocol analysis Packet capture PowerShell logs Process command-line parameters Process monitoring Process use of network SSL/TLS inspection System calls Web proxy Windows event logs Windows Registry WMI Objects Active Directory Configuration Antivirus/Antimalware Application Isolation and Sandboxing Audit Code Signing Disable or Remove Feature or Program Encrypt Sensitive Information Execution Prevention Exploit Protection Filter Network Traffic Limit Access to Resource Over Network Network Intrusion Prevention Network Segmentation Operating System Configuration Password Policies Privileged Account Management Remote Data Storage Restrict File and Directory Permissions Restrict Web-Based Content SSL/TLS Inspection User Account Control User Account Management User Training Mitigations APT29 Techniques Data Sources Mitigate It! Detect It! Accessibility Features Bypass User Account Control Commonly Used Port Domain Fronting Exploitation for Client Execution Indicator Removal on Host Multi-hop Proxy Obfuscated Files or Information Pass the Ticket PowerShell Scheduled Task Software Packing Spearphishing Attachment Spearphishing Link Standard Non-Application Layer Protocol User Execution Windows Management Instrumentation Scripting Accessibility Features Bypass User Account Control Commonly Used Port Domain Fronting Exploitation for Client Execution Indicator Removal on Host Multi-hop Proxy Obfuscated Files or Information Pass the Ticket PowerShell Rundll32 Rundll32 Scheduled Task Shortcut Modification Shortcut Modification Software Packing Spearphishing Attachment Spearphishing Link Standard Non-Application Layer Protocol User Execution Windows Management Instrumentation Windows Management Instrumentation Event Subscription Windows Management Instrumentation Event Subscription Scripting

Upload: others

Post on 28-Mar-2020

23 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: MITRE ATT&CK : APT29 Techniques Mapped to Mitigations and ... · Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated

MITRE ATT&CK®: APT29 Techniques Mapped to Mitigations and Data Sources

About This DiagramAligning your defenses to adversaries with ATT&CK

Resourcesattack.mitre.org • Access ATT&CK technical information

• Contribute to ATT&CK

• Follow our blog

• Watch ATT&CK presentations

attackevals.mitre.org MITRE ATT&CK Evaluations

@MITREattack

mitre-att&ck

ATT&CK provides a framework for defenders to enhance their posture against specific adversaries. To use ATT&CK in this way, find an adversary group you’re interested in and identify the techniques that they are known to use. For each technique, pull up the technique page to see how that adversary uses the technique, as well as how you can potentially mitigate and detect it.

This chart helps visualize the results. Here, we have the techniques that APT29 is known to use in the middle column. We linked each technique on the left to potential means of mitigation and on the right to data sources that defenders can use to potentially detect the technique. Defenders can look at this chart either to see how their current mitigations and data sources stack up to APT29, or as a roadmap to plan how they can architect their defenses.

For more information, you can read about APT29, or other groups, on the ATT&CK website: attack.mitre.org.

Use ATT&CK for Cyber Threat Intelligence

Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.

Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.

Use ATT&CK for Adversary Emulation and Red Teaming

The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them.

Get Started with ATT&CK

LegendLow PriorityHigh Priority

LegendAPT28APT29Both

Comparing APT28 to APT29

Finding Gaps in Defense

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Execution

AppleScript

CMSTP

Command-Line Interface

Compiled HTML File

Control Panel Items

Dynamic Data Exchange

Execution through API

Execution through Module Load

Exploitation for Client Execution

Graphical User Interface

InstallUtil

Launchctl

Local Job Scheduling

LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution

Signed Binary Proxy Execution

Signed Script Proxy Execution

Source

Space after Filename

Third-party Software

Trap

Trusted Developer Utilities

User Execution

Windows Management Instrumentation

Windows Remote Management

XSL Script Processing

Persistence

.bash_profile and .bashrc

Accessibility Features

Account Manipulation

AppCert DLLs

AppInit DLLs

Application Shimming

Authentication Package

BITS Jobs

Bootkit

Browser Extensions

Change Default File Association

Component Firmware

Component Object Model Hijacking

Create Account

DLL Search Order Hijacking

Dylib Hijacking

External Remote Services

File System Permissions Weakness

Hidden Files and Directories

Hooking

Hypervisor

Image File Execution Options Injection

Kernel Modules and Extensions

Launch Agent

Launch Daemon

Launchctl

LC_LOAD_DYLIB Addition

Local Job Scheduling

Login Item

Logon Scripts

LSASS Driver

Modify Existing Service

Netsh Helper DLL

New Service

Office Application Startup

Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common

Re-opened Applications

Redundant Access

Registry Run Keys / Startup Folder

Scheduled Task

Screensaver

Security Support Provider

Service Registry Permissions Weakness

Setuid and Setgid

Shortcut Modification

SIP and Trust Provider Hijacking

Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management Instrumentation EventSubscription

Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation

Accessibility Features

AppCert DLLs

AppInit DLLs

Application Shimming

Bypass User Account Control

DLL Search Order Hijacking

Dylib Hijacking

Exploitation for Privilege Escalation

Extra Window Memory Injection

File System Permissions Weakness

Hooking

Image File Execution Options Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task

Service Registry Permissions Weakness

Setuid and Setgid

SID-History Injection

Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion

Access Token Manipulation

Binary Padding

BITS Jobs

Bypass User Account Control

Clear Command History

CMSTP

Code Signing

Compile After Delivery

Compiled HTML File

Component Firmware

Component Object Model Hijacking

Control Panel Items

DCShadow

Deobfuscate/Decode Files or Information

Disabling Security Tools

DLL Search Order Hijacking

DLL Side-Loading

Execution Guardrails

Exploitation for Defense Evasion

Extra Window Memory Injection

File Deletion

File Permissions Modification

File System Logical Offsets

Gatekeeper Bypass

Group Policy Modification

Hidden Files and Directories

Hidden Users

Hidden Window

HISTCONTROL

Image File Execution Options Injection

Indicator Blocking

Indicator Removal from Tools

Indicator Removal on Host

Indirect Command Execution

Install Root Certificate

InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta

Network Share Connection Removal

NTFS File Attributes

Obfuscated Files or Information

Plist Modification

Port Knocking

Process Doppelgänging

Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting

Signed Binary Proxy Execution

Signed Script Proxy Execution

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

Valid Accounts

Virtualization/Sandbox Evasion

Web Service

XSL Script Processing

Credential Access

Account Manipulation

Bash History

Brute Force

Credential Dumping

Credentials in Files

Credentials in Registry

Exploitation for Credential Access

Forced Authentication

Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain

LLMNR/NBT-NS Poisoning and Relay

Network Sniffing

Password Filter DLL

Private Keys

Securityd Memory

Two-Factor Authentication Interception

Discovery

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Query Registry

Remote System Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

Lateral Movement

AppleScript

Application Deployment Software

Distributed Component Object Model

Exploitation of Remote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows Remote Management

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain Generation Algorithms

Fallback Channels

Multi-hop Proxy

Multi-Stage Channels

Multiband Communication

Multilayer Encryption

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-Application Layer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Command and Control Channel

Exfiltration Over Other Network Medium

Exfiltration Over Physical Medium

Scheduled Transfer

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

AppleScriptApplication Deployment

SoftwareDistributed Component

Object Model

Exploitation ofRemote Services

Logon ScriptsPass the HashPass the Ticket

Remote Desktop ProtocolRemote File CopyRemote Services

Replication ThroughRemovable MediaShared WebrootSSH Hijacking

Taint Shared ContentThird-party Software

Windows Admin SharesWindows Remote

Management

Commonly Used PortCommunication Through

Removable MediaConnection Proxy

Custom Command andControl Protocol

Custom CryptographicProtocol

Data EncodingData ObfuscationDomain Fronting

Domain GenerationAlgorithms

Fallback ChannelsMultiband Communication

Multi-hop ProxyMultilayer EncryptionMulti-Stage Channels

Port KnockingRemote Access Tools

Remote File CopyStandard Application Layer

ProtocolStandard Cryptographic

ProtocolStandard Non-Application

Layer ProtocolUncommonly Used Port

Web Service

Automated ExfiltrationData Compressed

Data EncryptedData Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over AlternativeProtocol

Exfiltration OverPhysical Medium

Scheduled Transfer

Data DestructionData Encrypted for Impact

DefacementDisk Content WipeDisk Structure Wipe

Endpoint Denial of ServiceFirmware Corruption

Inhibit System RecoveryNetwork Denial of Service

Resource HijackingRuntime Data Manipulation

Service StopStored Data Manipulation

Transmitted DataManipulation

Audio CaptureAutomated Collection

Clipboard DataData from Information

RepositoriesData from Local System

Data from NetworkShared Drive

Data from Removable MediaData Staged

Email CollectionInput Capture

Man in the BrowserScreen CaptureVideo Capture

Drive-by CompromiseExploit Public-Facing

ApplicationExternal Remote Services

Hardware AdditionsReplication ThroughRemovable Media

Spearphishing AttachmentSpearphishing Link

Spearphishing via ServiceSupply Chain Compromise

Trusted RelationshipValid Accounts

AppleScriptCMSTP

Command-Line InterfaceCompiled HTML FileControl Panel Items

Dynamic Data ExchangeExecution through API

Execution throughModule Load

Exploitation forClient Execution

Graphical User InterfaceInstallUtil

MshtaPowerShell

Regsvcs/RegasmRegsvr32Rundll32Scripting

Service ExecutionSigned Binary

Proxy ExecutionSigned Script

Proxy ExecutionSource

Space after FilenameThird-party Software

Trusted Developer Utilities

DLL Search Order HijackingImage File Execution Options Injection

Plist ModificationValid Accounts

Accessibility FeaturesAppCert DLLsAppInit DLLs

Application ShimmingDylib Hijacking

File System Permissions WeaknessHooking

Launch DaemonNew Service

Path InterceptionPort Monitors

Service Registry Permissions WeaknessSetuid and Setgid

Startup ItemsWeb Shell

.bash_profile and .bashrcAccount Manipulation

Authentication PackageBITS Jobs

BootkitBrowser Extensions

Change DefaultFile Association

Component Firmware

BITS JobsClear Command History

CMSTPCode Signing

Compiled HTML FileComponent Firmware

Component Object ModelHijacking

Control Panel ItemsDCShadow

Deobfuscate/Decode Filesor Information

Disabling Security ToolsDLL Side-Loading

Execution GuardrailsExploitation for

Defense EvasionFile Deletion

File PermissionsModification

File System Logical OffsetsGatekeeper Bypass

Group Policy ModificationHidden Files and Directories

Hidden Users

Exploitation forPrivilege EscalationSID-History Injection

SudoSudo Caching

Scheduled Task Binary Padding Network SniffingLaunchctl

Local Job SchedulingLSASS Driver

Trap

Access Token ManipulationBypass User Account Control

Extra Window Memory InjectionProcess Injection

Account ManipulationBash HistoryBrute Force

Credential DumpingCredentials in Files

Credentials in RegistryExploitation for

Credential AccessForced Authentication

HookingInput CaptureInput PromptKerberoasting

KeychainLLMNR/NBT-NS Poisoning

and RelayPassword Filter DLL

Private KeysSecurityd Memory

Two-Factor AuthenticationInterception

Account DiscoveryApplication Window

DiscoveryBrowser Bookmark

DiscoveryDomain Trust Discovery

File and Directory DiscoveryNetwork Service ScanningNetwork Share Discovery

Password Policy DiscoveryPeripheral Device Discovery

Permission Groups DiscoveryProcess DiscoveryQuery Discovery

Remote System DiscoverySecurity Software Discovery

System InformationDiscovery

System NetworkConfiguration Discovery

System NetworkConnections Discovery

System Owner/UserDiscovery

System Service DiscoverySystem Time DiscoveryVirtualization/Sandbox

Evasion

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Execution

AppleScript

CMSTP

Command-Line Interface

Compiled HTML File

Control Panel Items

Dynamic Data Exchange

Execution through API

Execution through Module Load

Exploitation for Client Execution

Graphical User Interface

InstallUtil

Launchctl

Local Job Scheduling

LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution

Signed Binary Proxy Execution

Signed Script Proxy Execution

Source

Space after Filename

Third-party Software

Trap

Trusted Developer Utilities

User Execution

Windows Management Instrumentation

Windows Remote Management

XSL Script Processing

Persistence

.bash_profile and .bashrc

Accessibility Features

Account Manipulation

AppCert DLLs

AppInit DLLs

Application Shimming

Authentication Package

BITS Jobs

Bootkit

Browser Extensions

Change Default File Association

Component Firmware

Component Object Model Hijacking

Create Account

DLL Search Order Hijacking

Dylib Hijacking

External Remote Services

File System Permissions Weakness

Hidden Files and Directories

Hooking

Hypervisor

Image File Execution Options Injection

Kernel Modules and Extensions

Launch Agent

Launch Daemon

Launchctl

LC_LOAD_DYLIB Addition

Local Job Scheduling

Login Item

Logon Scripts

LSASS Driver

Modify Existing Service

Netsh Helper DLL

New Service

Office Application Startup

Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common

Re-opened Applications

Redundant Access

Registry Run Keys / Startup Folder

Scheduled Task

Screensaver

Security Support Provider

Service Registry Permissions Weakness

Setuid and Setgid

Shortcut Modification

SIP and Trust Provider Hijacking

Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management Instrumentation EventSubscription

Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation

Accessibility Features

AppCert DLLs

AppInit DLLs

Application Shimming

Bypass User Account Control

DLL Search Order Hijacking

Dylib Hijacking

Exploitation for Privilege Escalation

Extra Window Memory Injection

File System Permissions Weakness

Hooking

Image File Execution Options Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task

Service Registry Permissions Weakness

Setuid and Setgid

SID-History Injection

Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion

Access Token Manipulation

Binary Padding

BITS Jobs

Bypass User Account Control

Clear Command History

CMSTP

Code Signing

Compile After Delivery

Compiled HTML File

Component Firmware

Component Object Model Hijacking

Control Panel Items

DCShadow

Deobfuscate/Decode Files or Information

Disabling Security Tools

DLL Search Order Hijacking

DLL Side-Loading

Execution Guardrails

Exploitation for Defense Evasion

Extra Window Memory Injection

File Deletion

File Permissions Modification

File System Logical Offsets

Gatekeeper Bypass

Group Policy Modification

Hidden Files and Directories

Hidden Users

Hidden Window

HISTCONTROL

Image File Execution Options Injection

Indicator Blocking

Indicator Removal from Tools

Indicator Removal on Host

Indirect Command Execution

Install Root Certificate

InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta

Network Share Connection Removal

NTFS File Attributes

Obfuscated Files or Information

Plist Modification

Port Knocking

Process Doppelgänging

Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting

Signed Binary Proxy Execution

Signed Script Proxy Execution

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

Valid Accounts

Virtualization/Sandbox Evasion

Web Service

XSL Script Processing

Credential Access

Account Manipulation

Bash History

Brute Force

Credential Dumping

Credentials in Files

Credentials in Registry

Exploitation for Credential Access

Forced Authentication

Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain

LLMNR/NBT-NS Poisoning and Relay

Network Sniffing

Password Filter DLL

Private Keys

Securityd Memory

Two-Factor Authentication Interception

Discovery

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Query Registry

Remote System Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

Lateral Movement

AppleScript

Application Deployment Software

Distributed Component Object Model

Exploitation of Remote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows Remote Management

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain Generation Algorithms

Fallback Channels

Multi-hop Proxy

Multi-Stage Channels

Multiband Communication

Multilayer Encryption

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-Application Layer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Command and Control Channel

Exfiltration Over Other Network Medium

Exfiltration Over Physical Medium

Scheduled Transfer

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

EnterpriseFramework

To help cyber defenders gain a common understandingof the threats they face, MITRE developed the ATT&CK framework. It’s a globally-accessible knowledge base of adversary tactics and techniques based on real world observations and open source research contributed bythe cyber community.

Used by organizations around the world, ATT&CK provides a shared understanding of adversary tactics, techniques and procedures and how to detect, prevent, and/ormitigate them.

ATT&CK is open and available to any person or organization for use at no charge.

For more than 60 years, MITRE has worked in the public interest. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.

SOLVING PROBLEMSFOR A SAFER WORLD

SOLVING PROBLEMSFOR A SAFER WORLD

Anti-virus

API monitoring

Authentication logs

Binary file metadata

Detonation chamber

DLL monitoring

DNS records

Email gateway

Environment variable

File monitoring

Host network interface

Loaded DLLs

Mail server

Malware reverse engineering

Netflow/Enclave netflow

Network intrusion detection system

Network protocol analysis

Packet capture

PowerShell logs

Process command-line parameters

Process monitoring

Process use of network

SSL/TLS inspection

System calls

Web proxy

Windows event logs

Windows Registry

WMI Objects

Active Directory Configuration

Antivirus/Antimalware

Application Isolation and Sandboxing

Audit

Code Signing

Disable or Remove Feature or Program

Encrypt Sensitive Information

Execution Prevention

Exploit Protection

Filter Network Traffic

Limit Access to Resource Over Network

Network Intrusion Prevention

Network Segmentation

Operating System Configuration

Password Policies

Privileged Account Management

Remote Data Storage

Restrict File and Directory Permissions

Restrict Web-Based Content

SSL/TLS Inspection

User Account Control

User Account Management

User Training

Mitigations APT29 Techniques Data Sources

Mitigate It! Detect It!

Accessibility Features

Bypass User Account Control

Commonly Used Port

Domain Fronting

Exploitation for Client Execution

Indicator Removal on Host

Multi-hop Proxy

Obfuscated Files or Information

Pass the Ticket

PowerShell

Scheduled Task

Software Packing

Spearphishing Attachment

Spearphishing Link

Standard Non-Application Layer Protocol

User Execution

Windows Management Instrumentation

Scripting

Accessibility Features

Bypass User Account Control

Commonly Used Port

Domain Fronting

Exploitation for Client Execution

Indicator Removal on Host

Multi-hop Proxy

Obfuscated Files or Information

Pass the Ticket

PowerShell

Rundll32Rundll32

Scheduled Task

Shortcut ModificationShortcut Modification

Software Packing

Spearphishing Attachment

Spearphishing Link

Standard Non-Application Layer Protocol

User Execution

Windows Management Instrumentation

Windows Management Instrumentation Event SubscriptionWindows Management Instrumentation Event Subscription

Scripting

Page 2: MITRE ATT&CK : APT29 Techniques Mapped to Mitigations and ... · Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated

SOLVING PROBLEMSFOR A SAFER WORLD

MITRE ATT&CK®

Enterprise Framework

attack.mitre.org

© 2020 MITRE Matrix current as of February 2020

Defense EvasionAccess Token Manipula�on

Binary Padding

BITS Jobs

Bypass User Account Control

Clear Command History

CMSTP

Code Signing

Compile A�er Delivery

Compiled HTML File

Component Firmware

Component ObjectModel Hijacking

Connec�on Proxy

Control Panel Items

DCShadow

Deobfuscate/Decode Filesor Informa�on

Disabling Security Tools

DLL Search Order Hijacking

DLL Side-Loading

Execu�on Guardrails

Exploita�on forDefense EvasionExtra Window

Memory Injec�onFile and Directory

Permissions Modifica�on

File Dele�on

File System Logical Offsets

Gatekeeper Bypass

Group Policy Modifica�on

Hidden Files and Directories

Hidden Users

Hidden Window

HISTCONTROL

Image File Execu�on Op�ons Injec�on

Indicator Blocking

Indicator Removal from Tools

Indicator Removal on Host

Indirect Command Execu�on

Install Root Cer�ficate

InstallU�l

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta

Network Share Connec�on Removal

NTFS File A�ributes

Obfuscated Files or Informa�on

Parent PID Spoofing

Plist Modifica�on

Port Knocking

Process Doppelgänging

Process Hollowing

Process Injec�on

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scrip�ng

Signed Binary Proxy Execu�on

Signed Script Proxy Execu�on

SIP and Trust Provider Hijacking

So�ware Packing

Space a�er Filename

Template Injec�on

Timestomp

Trusted Developer U�li�es

Valid Accounts

Virtualiza�on/Sandbox Evasion

Web Service

XSL Script Processing

Ini�al AccessDrive-by Compromise

Exploit Public-Facing Applica�on

External Remote Services

Hardware Addi�ons

Replica�on ThroughRemovable Media

Spearphishing A�achment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Rela�onship

Valid Accounts

Execu�onAppleScript

CMSTP

Command-Line Interface

Compiled HTML File

Component Object Model and Distributed COM

Control Panel Items

Dynamic Data Exchange

Execu�on through API

Execu�on throughModule Load

Exploita�on forClient Execu�on

Graphical User Interface

InstallU�l

Launchctl

Local Job Scheduling

LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scrip�ng

Service Execu�on

Signed Binary Proxy Execu�on

Signed Script Proxy Execu�on

Source

Space a�er Filename

Third-party So�ware

Trap

Trusted Developer U�li�es

User Execu�on

Windows Management Instrumenta�on

Windows RemoteManagement

XSL Script Processing

Persistence.bash_profile and .bashrc

Accessibility Features

Account Manipula�on

AppCert DLLs

AppInit DLLs

Applica�on Shimming

Authen�ca�on Package

BITS Jobs

Bootkit

Browser Extensions

Change Default File Associa�on

Component Firmware

Component Object Model Hijacking

Create Account

DLL Search Order Hijacking

Dylib Hijacking

Emond

External Remote Services

File System Permissions Weakness

Hidden Files and Directories

Hooking

Hypervisor

Image File Execu�on Op�ons Injec�on

Kernel Modules and Extensions

Launch Agent

Launch Daemon

Launchctl

LC_LOAD_DYLIB Addi�on

Local Job Scheduling

Login Item

Logon Scripts

LSASS Driver

Modify Exis�ng Service

Netsh Helper DLL

New Service

Office Applica�on Startup

Path Intercep�on

Plist Modifica�on

Port Knocking

Port Monitors

PowerShell Profile

Rc.common

Re-openedApplica�ons

Redundant Access

Registry Run Keys /Startup Folder

Scheduled Task

Screensaver

Security Support Provider

Server So�wareComponent

Service RegistryPermissions Weakness

Setuid and Setgid

Shortcut Modifica�on

SIP and TrustProvider Hijacking

Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web ShellWindows ManagementInstrumenta�on Event

Subscrip�onWinlogon Helper DLL

Privilege Escala�onAccess Token Manipula�on

Accessibility Features

AppCert DLLs

AppInit DLLs

Applica�on Shimming

Bypass User Account Control

DLL Search Order Hijacking

Dylib Hijacking

Elevated Execu�on with Prompt

Emond

Exploita�on for Privilege Escala�on

Extra Window MemoryInjec�on

File System Permissions Weakness

Hooking

Image File Execu�on Op�ons Injec�on

Launch Daemon

New Service

Parent PID Spoofing

Path Intercep�on

Plist Modifica�on

Port Monitors

PowerShell Profile

Process Injec�on

Scheduled Task

Service Registry Permissions Weakness

Setuid and Setgid

SID-History Injec�on

Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Creden�al AccessAccount Manipula�on

Bash History

Brute Force

Creden�al Dumping

Creden�als fromWeb Browsers

Creden�als in Files

Creden�als in Registry

Exploita�on forCreden�al Access

Forced Authen�ca�on

Hooking

Input Capture

Input Prompt

Kerberoas�ng

Keychain

LLMNR/NBT-NSPoisoning and Relay

Network Sniffing

Password Filter DLL

Private Keys

Steal Web Session Cookie

Securityd Memory

Two-Factor Authen�ca�on Intercep�on

DiscoveryAccount Discovery

Applica�on WindowDiscovery

Browser BookmarkDiscovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral DeviceDiscovery

Permission GroupsDiscovery

Process Discovery

Query Registry

Remote SystemDiscovery

Security So�wareDiscovery

So�ware Discovery

System Informa�onDiscovery

System NetworkConfigura�on Discovery

System NetworkConnec�ons Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualiza�on/SandboxEvasion

Lateral MovementAppleScript

Applica�onDeployment So�ware

Component Object Modeland Distributed COM

Exploita�on of RemoteServices

Logon Scripts

Internal Spearphishing

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replica�on ThroughRemovable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party So�ware

Windows Admin Shares

Windows RemoteManagement

Collec�onAudio Capture

Automated Collec�on

Clipboard Data

Data from Informa�on Repositories

Data from Local System

Data from NetworkShared Drive

Data fromRemovable Media

Data Staged

Email Collec�on

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command and ControlCommonly Used Port

Communica�on Through Removable Media

Connec�on Proxy

Custom Commandand Control Protocol

Custom CryptographicProtocol

Data Encoding

Data Obfusca�on

Domain Fron�ng

Domain Genera�onAlgorithms

Fallback Channels

Mul�-hop Proxy

Mul�-Stage Channels

Mul�band Communica�on

Mul�layer Encryp�on

Port Knocking

Remote Access Tools

Remote File Copy

Standard Applica�onLayer Protocol

Standard Cryptographic Protocol

Standard Non-Applica�onLayer Protocol

Uncommonly Used Port

Web Service

Exfiltra�onAutomated Exfiltra�on

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltra�on OverAlterna�ve Protocol

Exfiltra�on Over Commandand Control Channel

Exfiltra�on OverOther Network Medium

Exfiltra�on OverPhysical Medium

Scheduled Transfer

ImpactAccount Access Removal

Data Destruc�on

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corrup�on

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Run�me Data Manipula�on

Service Stop

System Shutdown/Reboot

Stored Data Manipula�on

Transmi�ed DataManipula�on


Chap02 data manipulation

Data Manipulation Language (DML)

My SQL: Data Manipulation

Data manipulation, Part one

Data Manipulation Math Calculation

SQL: Data Manipulation

110.Data Manipulation Instructions

Data Entry and Manipulation

Data Manipulation Language

Mathematica Tutorial: Data Manipulation

10 Data Manipulation - Instrumentacion, Control y ...instrumentacionycontrol.net/.../PLC/IyCnet_SLC_Data_Manipulation.pdf · Data Manipulation Data Transfer ... instruction data is

Data Manipulation 5

Data manipulation techniques

Manipulation of pixel data

Labview Data Manipulation

The CISO’s Guide to APT29...An Introduction to APT29 APT29 (aka Cozy Bear, CozyDuke, the Dukes, or PowerDukes) is a threat group that has shown strong ties to the Russian government

Data Manipulation With R_1

Data transfer and manipulation

APT29 HAMMERTOSS JAYAKRISHNAN M. CONTENTS What is APT? Who is APT29? Introduction to Hammertoss 5 Stages of Hammertoss Detection and Prevention Conclusion

Data Manipulation, R

Data manipulation with dplyr

Data Manipulation in R - Rice University › ~jn13 › slides › pdfs › Day1AMSlides3_DataMa… · Data Manipulation in R Introduction to dplyr May 15, 2017 Data Manipulation in

SQL: Data Manipulation and Data Definition

SQL Language. Introduction to RDBMS Introduction to RDBMS Basic Data Manipulation - Reading Data Basic Data Manipulation - Reading Data Basic Data Manipulation

Data manipulation on r

Chapter 2: Data Manipulation

Data Structures and Manipulation

SQL Data Manipulation

Data Manipulation

Confronting Data Manipulation

10.11 Data Manipulation

SQL Data Manipulation Languagetunweb.teradata.ws/...Data_Manipulation_Language.pdf · SQL Data Manipulation Language 3 Preface Purpose SQL Data Manipulation Language describes how

Data Manipulation, part two

Advisory: APT29 targets COVID-19 vaccine development€¦ · This report details recent Tactics, Techniques and Procedures (TTPs) of the group commonly known as ‘APT29’, also