Tactics, Techniques and Procedures (Incident Response)

The document discusses various techniques that attackers use to gain initial access to systems, including exploiting misconfigured remote services with unnecessary ports exposed or weak authentication, abusing stolen credentials through brute force attacks or credential stuffing, purchasing access to compromised systems, exploiting software vulnerabilities, and using social engineering. It also describes techniques for executing code on target systems once access is gained, such as tricking users into opening malicious files or clicking links, leveraging script interpreters like PowerShell, and exploiting software vulnerabilities to escalate privileges.

Uploaded by

ASAD ULLAH

Tactic: Initial Access

Technique: External Remote Services (T1133)

Sub-techniques:

1. Exploiting misconfigured services:

   o Unnecessary ports exposed:
      - Attackers may target systems with RDP or other remote services exposed on publicly accessible ports.
      - This can happen due to misconfiguration, insecure defaults, or lack of network segmentation.

   o Weak authentication:
      - Systems with weak authentication mechanisms, such as basic authentication or outdated protocols like Telnet, are more vulnerable to brute-force attacks and credential stuffing.

   o Unpatched vulnerabilities:
      - Unpatched vulnerabilities in rem ote service software can be exploited by attackers to gain unauthorized access.
      - This is why it's crucial to keep software up to date with the latest security patches.

2. Credential abuse:

   o Brute-forcing:
      - Attackers use automated tools to guess valid usernames and passwords for remote services.
      - This can be effective against weak passwords or when attackers have access to leaked password databases.

   o Dictionary attacks:
      - Attackers try common passwords, variations of usernames, and leaked credential combinations to gain access.

   o Credential stuffing:
      - Attackers use stolen or leaked credentials from other breaches to try logging in to different systems.
      - This can be successful if users reuse passwords across multiple accounts.

   o Phishing (T1566):
      - Attackers send emails or text messages designed to trick users into revealing their login credentials.

3. Purchasing access:

   o Initial access brokers:
      - Attackers can buy access to compromised RDP servers or other vulnerable systems on underground marketplaces.
      - These marketplaces are often frequented by cybercriminals looking for a quick way to launch attacks.

   o Hacked RDP accounts:
      - Attackers can also buy individual RDP accounts that have been compromised through phishing or other attacks.

4. Zero-day exploits:
   - Attackers may use newly discovered vulnerabilities in remote service software that haven't been patched yet.
   - This is why it's important to have layered security controls in place to defend against even unknown threats.

5. Social engineering:
   - Attackers may use social engineering techniques to trick users into granting them access to remote services.
   - This could involve phishing emails, phone calls, or even physical interactions.

Tactic: Initial Access

Technique: Exploiting Public-facing Applications (T1190)

Sub-techniques:

1. Web Application Vulnerabilities:

   o SQL injection (T1190.001):
      - Injecting malicious SQL code into web forms or URL parameters can trick the database into revealing sensitive information or executing unauthorized commands.

   o Cross-site scripting (XSS) (T1190.002):
      - Injecting malicious JavaScript code into web pages can allow attackers to steal user data, redirect users to phishing websites, or hijack browser sessions.

   o Remote code execution (RCE) (T1190.003):
      - Exploiting vulnerabilities in web application code can allow attackers to upload and execute malicious code on the server.

   o Server-side request forgery (SSRF) (T1190.004):
      - Tricking the server into making unauthorized requests to other systems can allow attackers to steal data or gain access to internal resources.

2. Database Vulnerabilities:

   o Privilege escalation (T1190.005):
      - Exploiting vulnerabilities in database software can allow attackers to gain higher privileges and access sensitive data.

   o Unpatched vulnerabilities (T1190.006):
      - Outdated and unpatched database software can be vulnerable to known exploits.

   o Weak authentication (T1190.007):
      - Databases with weak authentication mechanisms, such as basic authentication or default passwords, are more vulnerable to brute-force attacks.

3. Network Device Vulnerabilities:

   o Unpatched firmware (T1190.008):
      - Outdated and unpatched firmware in network devices can be vulnerable to known exploits.

   o Misconfigured devices (T1190.009):
      - Devices with insecure configurations, such as open ports or weak passwords, can be easily compromised.

   o Zero-day exploits (T1190.010):
      - Attackers may use newly discovered vulnerabilities in network device firmware that haven't been patched yet.

Tactic: Initial Access

Technique: Phishing (T1566)

Sub-techniques:

1. Spear phishing Attachment (T1566.001):
   - Attackers send emails with malicious attachments (e.g., Word documents, Excel spreadsheets, PDFs) that contain malware.

2. Spear phishing Link (T1566.002):
   - Attackers send emails with links that lead to malicious websites designed to collect credentials or download malware.

3. Spear phishing via Service (T1566.003):
   - Attackers use messaging services (e.g., social media, text messages, collaboration platforms) to send phishing messages.

4. Spear phishing Voice (T1566.004):
   - Attackers use phone calls or voice messages (e.g., voicemail, robocalls) to trick victims into revealing sensitive information or clicking on malicious links.

5. Phishing for Information (T1566.006):
   - Attackers send emails or messages designed to collect personal information (e.g., passwords, credit card numbers, social security numbers) without delivering malware.

6. External Phishing (T1566.007):
   - Attackers use third-party phishing platforms or services to send phishing emails or messages.

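The phishing sub-techniques above are what a responder sees from the attacker's side; the added example below (not from the document or its author) is the triage a responder performs on a reported message: read the SPF/DKIM/DMARC verdicts the receiving mail server recorded, compare the visible sender domain with the Return-Path and Reply-To domains, list attachments with commonly abused extensions, and pull URLs out of the body. The message, domains, addresses, extension list and severity thresholds are all constructed or assumed for the illustration.

```python
"""Triage of a suspected phishing email (T1566) from its raw message source.

Added example, not part of the original document. Parses a message with the
standard-library email package, reads the SPF/DKIM/DMARC verdicts from the
receiving server's Authentication-Results header, compares the visible From
domain with the Return-Path and Reply-To domains, lists attachments whose
extensions are commonly abused, and pulls URLs out of the body. The message,
domains and addresses below are constructed; the extension list and the
severity thresholds are assumptions, not a vendor rule set.
"""
import re
from email import policy
from email.parser import BytesParser

RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pdf", ".iso", ".img",
                    ".lnk", ".js", ".vbs", ".hta", ".zip"}
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")
IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def domain_of(address):
    """Lower-cased domain of an address header such as '"Name" <user@Host.Example>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(address or ""))
    return m.group(1).lower() if m else ""


def triage_email(raw_bytes):
    """Return a report dict with the extracted fields, a findings list and a severity."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    auth = {k.lower(): v.lower() for k, v in AUTH_RESULT.findall(msg.get("Authentication-Results", ""))}
    from_domain = domain_of(msg.get("From"))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    urls = URL.findall(body)

    findings = []
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check} did not pass ({auth.get(check, 'absent')})")
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} uses a commonly abused extension")
    for url in urls:
        if IP_HOST.match(url):
            findings.append(f"link points at a bare IP address: {url}")

    severity = "high" if len(findings) >= 4 else "medium" if len(findings) >= 2 else "low"
    return {"from_domain": from_domain, "auth": auth, "attachments": attachments,
            "urls": urls, "findings": findings, "severity": severity}


# Constructed sample: a credential-harvesting lure carrying a macro-enabled attachment.
SAMPLE_EMAIL = "\r\n".join([
    "Return-Path: <bounce@mail-relay.example.net>",
    'From: "IT Helpdesk" <helpdesk@contoso.example>',
    "Reply-To: <support@contoso-login.example>",
    "To: jdoe@contoso.example",
    "Subject: Your password expires today",
    "Authentication-Results: mx.contoso.example; spf=fail smtp.mailfrom=mail-relay.example.net;"
    " dkim=none; dmarc=fail header.from=contoso.example",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; charset="utf-8"',
    "",
    "Sign in at http://203.0.113.10/login within 24 hours to keep access.",
    "",
    "--b1",
    'Content-Type: application/octet-stream; name="Password_Policy.docm"',
    'Content-Disposition: attachment; filename="Password_Policy.docm"',
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",
    "--b1--",
    "",
]).encode()

if __name__ == "__main__":
    report = triage_email(SAMPLE_EMAIL)
    print(report["severity"], *report["findings"], sep="\n  ")
```

Only the Authentication-Results header written by your own mail gateway should be trusted; a sender can add a forged one, so production code checks the `authserv-id` (here `mx.contoso.example`) before reading the verdicts.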
Tactic: Initial Access

Technique: Supply Chain Compromise (T1195)

Sub-techniques:

1. Compromising Software Supply Chain:

   o Tampering with Software Updates (T1195.001):
      - Injecting malware or backdoors into legitimate software updates during the development or distribution process.

   o Malicious Third-Party Components (T1195.002):
      - Including compromised libraries or dependencies within software to gain access to target systems.

   o Software Counterfeiting (T1195.003):
      - Creating and distributing fake software that appears legitimate but contains malicious code.

2. Targeting Third-Party Vendors:

   o Breaching Third-Party Services (T1195.004):
      - Compromising the systems or accounts of trusted vendors to gain access to their clients' data or networks.

   o Man-in-the-Middle Attacks on Supply Chain (T1195.005):
      - Intercepting communication between vendor and client to steal sensitive information or inject malware.

   o Social Engineering of Supply Chain Actors (T1195.006):
      - Tricking employees or partners of vendors into revealing sensitive information or providing unauthorized access.

3. Exploiting Vulnerabilities in Supply Chain Components:

   o Zero-Day Exploits in Supply Chain Software (T1195.007):
      - Leveraging newly discovered vulnerabilities in software used within the supply chain before patches are available.

   o Unpatched Vulnerabilities in Supply Chain Systems (T1195.008):
      - Exploiting known vulnerabilities in systems responsible for managing or delivering software updates.

4. Phishing and Social Engineering:

   o Phishing Supply Chain Actors (T1195.009):
      - Sending deceptive emails or messages to employees or partners within the supply chain to steal credentials or deploy malware.

   o Pretexting Attacks against Supply Chain (T1195.010):
      - Fabricating a scenario to trick individuals into granting access or revealing sensitive information related to the supply chain.

5. Physical Compromise:

   o Tampering with Hardware Devices (T1195.011):
      - Physically modifying hardware components within the supply chain to install backdoors or extract sensitive data.

Tactic: Execution (TA0002)

Technique: User Execution (T1204)

Sub-techniques:

1. Malicious Link (T1204.001):
   - Enticing users to click links that lead to malware downloads or drive-by installations.

2. Malicious File (T1204.002):
   - Tricking users into opening infected files from emails, downloads, or removable media.

3. Malicious Image (T1204.003):
   - Embedding malware within image files that execute when viewed or processed.

4. Malicious Media (T1204.004):
   - Leveraging vulnerabilities in media players to deliver malware through audio or video files.

5. Malicious Script (T1204.005):
   - Using scripting languages to execute malicious code on the user's system.

6. Trusted Developer Utilities (T1204.006):
   - Abusing legitimate system tools or software to run malicious code.

7. Exploitation for Execution (T1204.007):
   - Exploiting software vulnerabilities to execute code without user interaction.

8. Exploitation for Privilege Escalation (T1204.008):
   - Exploiting vulnerabilities to gain higher system privileges for more powerful actions.

Tactic: Execution (TA0002)

Technique: Command and Scripting Interpreters (T1059)

Sub-techniques:

1. PowerShell (T1059.001):
   - Attackers leverage PowerShell to execute malicious scripts and commands.

2. Windows Command Shell (T1059.003):
   - Attackers use cmd.exe to run commands, launch malware, and interact with the system.

3. Scripting Interpreter: Visual Basic (T1059.005):
   - Attackers employ Visual Basic scripts for various malicious actions.

4. Scripting Interpreter: Unix Shell (T1059.007):
   - Attackers utilize Unix shells (bash, sh, etc.) on Linux and macOS systems for execution.

5. Scripting Interpreter: Python (T1059.006):
   - Attackers leverage Python scripts for malicious activity.

6. Scripting Interpreter: PHP (T1059.008):
   - Attackers use PHP scripts, often within web applications, for execution.

7. Scripting Interpreter: Other (T1059.009):
   - Attackers may employ other scripting languages (JavaScript, Ruby, etc.).

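For the PowerShell entry above, the first thing a responder does with a suspicious command line from a process-creation record (Windows event 4688 or Sysmon event 1) is decode it. The following is an added example, not from the document or its author: it finds the -EncodedCommand argument (powershell.exe also accepts the abbreviations -e, -ec and -enc), reverses the UTF-16LE/base64 encoding that switch requires, and scores the outer switches and the decoded text against a short keyword list. The command lines, the keyword list and the severity thresholds are constructed or assumed.

```python
"""Decoding and scoring PowerShell command lines (T1059.001) from process-creation logs.

Added example, not part of the original document. Given a command line as it
appears in a process-creation record, this extracts the -EncodedCommand
argument (or its abbreviations -e, -ec, -enc), decodes the UTF-16LE/base64
payload that encoded commands must use, and scores the outer switches and the
decoded text against a short keyword list. Command lines and keywords are
constructed for illustration.
"""
import base64
import re

ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
OUTER_SWITCHES = {
    re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I): "profile skipped (-NoProfile)",
    re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I): "hidden window requested",
    re.compile(r"(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b", re.I): "execution policy bypassed",
    re.compile(r"(?:^|\s)-noni(?:nteractive)?\b", re.I): "non-interactive session",
}
PAYLOAD_KEYWORDS = ("invoke-expression", "iex", "frombase64string", "downloadstring",
                    "downloadfile", "net.webclient", "invoke-webrequest", "start-bitstransfer")


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None when no valid -EncodedCommand is present."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or not UTF-16LE: leave it for manual review


def score_command_line(cmdline):
    """Collect findings from the outer switches and from the decoded payload, if any."""
    findings = [label for pattern, label in OUTER_SWITCHES.items() if pattern.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded command decoded")
        lowered = decoded.lower()
        findings.extend(f"payload uses {kw}" for kw in PAYLOAD_KEYWORDS if kw in lowered)
    severity = "high" if len(findings) >= 4 else "medium" if len(findings) >= 2 else "info"
    return {"decoded": decoded, "findings": findings, "severity": severity}


def encode_for_sample(script):
    """Build constructed samples the way powershell.exe expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: an ordinary administrative call and a double-encoded launcher.
SAMPLE_SCRIPT = "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('AAA=')))"
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    "powershell.exe -nop -w hidden -ep bypass -enc " + encode_for_sample(SAMPLE_SCRIPT),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = score_command_line(line)
        print(result["severity"], result["findings"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Decoding is the analysis step, not the verdict: the second sample is scored on the combination of a hidden window, a skipped profile, a policy bypass and a payload that decodes a further base64 layer before evaluating it, which is the shape that merits pulling the script-block log (event 4104) for the same process.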
Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203)

Sub-techniques:

1. Exploitation for Client Execution (T1203.001):
   - Attackers exploit vulnerabilities in client-side software (e.g., web browsers, email clients, office applications) to execute malicious code on a user's system.

2. Exploitation for Credential Access (T1212):
   - Attackers exploit vulnerabilities to steal user credentials or authentication tokens for further malicious actions.

3. Exploitation for Privilege Escalation (T1068):
   - Attackers exploit vulnerabilities to gain higher privileges on a system, allowing them to execute more powerful actions or access sensitive resources.

Tactic: Execution (TA0002)

Technique: Windows Management Instrumentation (T1047)

Sub-techniques:

1. WMI Command Line (T1047.001):
   - Attackers use the native WMI command-line utility (wmic.exe) to execute malicious code or scripts.

2. WMI Scripting (T1047.002):
   - Attackers leverage scripting languages (e.g., VBScript, PowerShell) to interact with WMI and perform malicious actions.

3. WMI API (T1047.003):
   - Attackers directly call WMI APIs from their code to execute commands or access system information.

4. WMI Event Subscription (T1047.004):
   - Attackers create persistent WMI event subscriptions to trigger malicious code execution upon specific system events.

5. WMI Permanent Event Subscription (T1047.005):
   - Attackers create enduring WMI event subscriptions that remain active even after system restarts.

6. WMI Namespace Modification (T1047.006):
   - Attackers modify WMI namespaces to hide malicious objects or alter system behavior.

Tactic: Persistence (TA0003)

Technique: Valid Accounts (T1078)

Sub-techniques:

1. Default Accounts (T1078.001):
   - Attackers exploit built-in accounts like Guest or Administrator with known default passwords or vulnerabilities.

2. Domain Accounts (T1078.002):
   - Attackers compromise user or service accounts within the domain to gain persistent access and privileges.

3. Cloud Accounts (T1078.004):
   - Attackers target service accounts or user accounts in cloud platforms like AWS or Azure to gain access to resources.

4. Local Accounts (T1078.003):
   - Attackers leverage compromised local accounts on individual systems for persistence and lateral movement.

Tactic: Persistence (TA0003)

Technique: Create Account (T1136)

Sub-techniques:

1. Create Local Account (T1136.001):
   - Attackers create a new account with administrator or elevated privileges on a local system.

2. Create Domain Account (T1136.002):
   - Attackers create a new account within Active Directory to gain access to domain resources.

3. Create Cloud Account (T1136.003):
   - Attackers create a new account within a cloud platform (e.g., AWS, Azure) to maintain access to cloud-based resources.

4. Abuse Existing Account (T1136.004):
   - Attackers leverage an existing legitimate account that has been compromised or has weak security controls.

5. Escalate Privileges (T1068):
   - Attackers elevate the privileges of an existing account to gain more control over the system.

Tactic: Persistence (TA0003)

Technique: Boot or Logon Autostart Execution (T1547)

Sub-techniques:

1. Authentication Package (T1547.002):
   - Attackers register malicious DLLs as authentication packages, which are loaded when a user logs on, to execute code.

2. File System Permissions Weakness (T1547.003):
   - Attackers place malware in directories with weak permissions (e.g., Startup folders), causing it to execute at system start or user login.

3. Port Monitors (T1547.010):
   - Attackers install malicious port monitors, which are loaded when a specific port is accessed, to execute code.

4. Registry Run Keys / Startup Folder (T1547.001):
   - Attackers create registry keys or place files in Startup folders to launch malware during system boot or user login.

5. Shortcut Modification (T1547.009):
   - Attackers modify legitimate shortcuts to point to malicious code, which executes when users open the shortcuts.

6. Winlogon Helper DLL (T1547.004):
   - Attackers register malicious DLLs as Winlogon helper DLLs, which are loaded during user login, to execute code.

7. Accessibility Features (T1547.006):
   - Attackers abuse accessibility features (e.g., Application Compatibility Scripts) to launch malware during user login.

8. Print Processors (T1547.012):
   - Attackers install malicious print processors, which are loaded when a user prints, to execute code.

9. Kernel Modules and Extensions (T1547.005):
   - Attackers load malicious kernel modules or drivers, which persist across system reboots, to execute code at a low level.

10. Re-opened Applications (T1547.007):
   - Attackers exploit applications that automatically reopen previously open files or documents to execute malware.

Tactic: Persistence (TA0003)

Technique: Scheduled Task/Job (T1053)

Sub-techniques:

1. Scheduled Task (T1053.005):
   - Attackers create or modify a scheduled task within the operating system's task scheduler to execute malicious code or scripts at designated times or events.

2. At (Windows) (T1053.002):
   - Attackers use the at command in Windows to schedule one-time or recurring tasks to run at specific times or intervals.
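
Windows records each task registration as Security event 4698, and the event carries the whole task definition as XML in its TaskContent field. The following is an added example, not from the document or its author, of the triage a responder applies to those events: parse the XML, extract what the task executes and what fires it, and score it against a few persistence heuristics (script interpreters or proxy binaries as the action, an executable in a user-writable location, encoded or hidden PowerShell arguments, boot or logon triggers). The two event records, the path prefixes and the scoring thresholds are constructed for the illustration.

```python
"""Triage of Windows Security event 4698 ("A scheduled task was created", T1053.005).

Added example, not part of the original document. Event 4698 carries the registered
task definition as XML in its TaskContent field. This parses that XML, pulls out what
the task executes and when it fires, and scores it against a few persistence
heuristics. The two events below are constructed; the heuristics are illustrative.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script interpreters and proxy binaries that admin-installed tasks rarely launch directly.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Locations ordinary users can write to; a task action living here deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\",
                          "%temp%", "%appdata%", "%localappdata%")
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_PS = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")  # TaskContent declares UTF-16; drop it before parsing str


def parse_task_content(xml_text):
    """Return (author, [(command, arguments), ...], [trigger names]) from TaskContent XML."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS)
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((command, arguments))
    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [c.tag.rsplit("}", 1)[-1] for c in triggers_node]
    return author, actions, triggers


def triage_task(event):
    """Score one 4698 record (dict with SubjectUserName, TaskName, TaskContent)."""
    author, actions, triggers = parse_task_content(event["TaskContent"])
    findings = []
    for command, arguments in actions:
        bare = command.strip('"')
        exe = bare.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in INTERPRETERS:
            findings.append(f"action runs interpreter or proxy binary {exe}")
        if bare.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"action starts from user-writable location {bare}")
        if ENCODED_PS.search(arguments):
            findings.append("arguments carry an encoded PowerShell command")
        if HIDDEN_PS.search(arguments):
            findings.append("arguments request a hidden window")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        findings.append("fires at boot or logon")
    severity = "high" if len(findings) >= 3 else "medium" if findings else "info"
    return {"task": event["TaskName"], "created_by": event["SubjectUserName"], "author": author,
            "actions": actions, "triggers": triggers, "findings": findings, "severity": severity}


def _task_xml(author, command, arguments, trigger_xml):
    """Minimal TaskContent document in the Task Scheduler schema (constructed sample data)."""
    return (f'<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
            f"<RegistrationInfo><Author>{author}</Author></RegistrationInfo>"
            f"<Triggers>{trigger_xml}</Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


SAMPLE_EVENTS = [  # constructed 4698 records (EventData fields only)
    {"SubjectUserName": "CONTOSO\\backup-admin", "TaskName": "\\Backup\\NightlyBackup",
     "TaskContent": _task_xml("CONTOSO\\backup-admin", '"C:\\Program Files\\Backup\\backup.exe"', "--full",
                              "<CalendarTrigger><StartBoundary>2024-01-15T02:00:00</StartBoundary></CalendarTrigger>")},
    {"SubjectUserName": "CONTOSO\\jdoe", "TaskName": "\\Updater",
     "TaskContent": _task_xml("CONTOSO\\jdoe", "C:\\Users\\jdoe\\AppData\\Roaming\\powershell.exe",
                              "-NoP -W Hidden -Enc BASE64_PLACEHOLDER",
                              "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>")},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage_task(event)
        print(result["severity"], result["task"], result["findings"])
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled; without it the Task Scheduler operational log (event 106) is the fallback, but it does not carry the task XML, so the definition must then be read from the task file itself.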

Tactic: Persistence (TA0003)

Technique: Server Software Component (T1505)

Sub-techniques:

1. SQL Stored Procedures (T1505.001):
   - Attackers create or modify SQL stored procedures within databases to execute malicious code when called.

2. Transport Agent (T1505.002):
   - Attackers install malicious transport agents (e.g., in email servers) to intercept and manipulate mail traffic.

3. Web Shell (T1505.003):
   - Attackers upload web shells (backdoor scripts) to web servers, enabling remote command execution and control.

4. IIS Components (T1505.004):
   - Attackers abuse components of Microsoft Internet Information Services (IIS) to establish persistence.

Tactic: Privilege Escalation (TA0004)

Technique: Exploitation for Privilege Escalation (T1068)

Sub-techniques:

1. Local Exploit (T1068.001):
   - Attackers leverage vulnerabilities in locally installed software or system components to elevate their privileges within the compromised system.

2. Remote Exploit (T1068.002):
   - Attackers exploit vulnerabilities in services or applications accessible over the network to gain access to a system with higher privileges.

3. Privilege Escalation from Service (T1068.003):
   - Attackers compromise a low-privileged service or process and exploit its access to escalate their privileges to a higher level.

4. Lateral Movement for Privilege Escalation (T1068.004):
   - Attackers move laterally within the network to gain access to a system with higher privileges, often using techniques like credential dumping or exploiting trust relationships.

5. Driver Rootkit Manipulation (T1068.005):
   - Attackers modify or install malicious drivers to gain kernel-level access and bypass security controls.

6. Using Software Update Mechanisms (T1068.006):
   - Attackers trick systems into installing malicious updates or exploit vulnerabilities in legitimate update mechanisms to elevate their privileges.

Tactic: Privilege Escalation (TA0004)

Technique: Create or Modify System Process (T1543)

Sub-techniques:

1. Windows Service (T1543.002):
   - Attackers create or modify Windows services to execute malicious code with elevated privileges, often in the background.

2. Launch Daemon (T1543.004):
   - Attackers target macOS and Linux systems, creating or modifying launch daemons or agents to achieve persistence and potentially elevated privileges.

3. Scheduled Task (T1543.003):
   - Attackers create or modify scheduled tasks to trigger malicious code execution with potentially higher privileges at specific times or events.

4. Registry Run Keys / Startup Folder (T1543.001):
   - Attackers add registry keys or place files in Startup folders to launch malicious code with elevated privileges during system boot or user login.

Tactic: Privilege Escalation (TA0004)

Technique: Process Injection (T1055)

Sub-techniques:

1. Dynamic-link Library Injection (T1055.001):
   - Attackers inject malicious code into a process by creating a new DLL and forcing the process to load it.

2. Portable Executable Injection (T1055.002):
   - Attackers inject an entire executable file into the memory space of another process and execute it from there.

3. Thread Execution Hijacking (T1055.003):
   - Attackers hijack an existing thread within a process and redirect its execution flow to their malicious code.

4. Asynchronous Procedure Call (APC) Injection (T1055.004):
   - Attackers inject code into a process's APC queue, which executes when certain events occur.

5. Thread Local Storage (TLS) Injection (T1055.005):
   - Attackers inject code into a process's TLS, which is a memory area specific to each thread.

6. Extra Window Memory Injection (T1055.011):
   - Attackers exploit a feature in Windows to inject code into a process's extra window memory.

7. List Process Injection (T1555.015):
   - Attackers abuse list-view controls in graphical user interfaces to inject code into processes.

Tactic: Privilege Escalation (TA0004)

Technique: Abuse Elevation Control Mechanism (T1548)

Sub-techniques:

1. Setuid and Setgid (T1548.001):
   - Attackers leverage programs with the "setuid" or "setgid" bits set.
   - These bits grant the program's executed code the same privileges as the program's owner, regardless of the user running it.

2. Bypass User Account Control (T1548.002):
   - Attackers exploit weaknesses in User Account Control (UAC) on Windows systems to bypass prompts and execute actions with elevated privileges.

3. Sudo and Sudo Caching (T1548.003):
   - Attackers target vulnerabilities in sudo, a command-line tool for executing commands with elevated privileges in Linux and macOS.
   - They may exploit misconfigured sudoers files or cached credentials to gain unauthorized access.

4. Elevated Execution with Prompt (T1548.004):
   - Attackers trick users into granting them elevated privileges by manipulating legitimate applications or services that prompt for confirmation.

5. Temporary Elevated Cloud Access (T1548.005):
   - Attackers target cloud platforms and their temporary elevation mechanisms for access control roles or policies.
   - This can grant them broader access within the cloud environment.

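
Because a setuid or setgid bit turns any writable or newly planted binary into a privilege boundary, the defensive counterpart of the Setuid and Setgid entry above is a periodic inventory of such files compared with a known-good baseline. The following is an added example, not from the document or its author: it walks a tree, keeps every regular file carrying a set-id bit, and reports unexpected files, baseline entries whose owner or mode changed, and baseline entries that disappeared. The baseline paths are named only as an illustration of binaries that commonly carry setuid on Linux; a real baseline comes from a known-good build of the system, and the sample stat results are constructed so the check runs offline.

```python
"""Audit of setuid/setgid binaries against an expected baseline (T1548.001).

Added example, not part of the original document. A periodic defender check:
walk a directory tree, record every regular file carrying the setuid or setgid
bit, and report anything not in a baseline of expected entries, any baseline
entry whose owner or permission bits changed, and any baseline entry no longer
present. The baseline is illustrative; sample stat results are constructed.
"""
import os
import stat

# Illustrative baseline: path -> (expected owner uid, expected permission bits).
BASELINE = {
    "/usr/bin/passwd": (0, 0o4755),
    "/usr/bin/sudo": (0, 0o4755),
    "/usr/bin/su": (0, 0o4755),
}


def has_setid_bit(mode):
    """True when the setuid or setgid bit is set in an st_mode value."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def scan_tree(root):
    """Yield (path, uid, st_mode) for every regular file under root with a set-id bit."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and has_setid_bit(st.st_mode):
                yield path, st.st_uid, st.st_mode


def classify(entries, baseline=BASELINE):
    """Compare (path, uid, st_mode) triples with the baseline.

    Returns {'unexpected': [...], 'changed': [...], 'missing': [...]}. A baseline
    path that lost its set-id bit shows up as missing when the entries come from
    scan_tree (which only yields set-id files) and as changed when a full listing
    of the directory is passed in.
    """
    seen = set()
    unexpected, changed = [], []
    for path, uid, mode in entries:
        perms = stat.S_IMODE(mode)
        if path in baseline:
            seen.add(path)
            if baseline[path] != (uid, perms):
                changed.append((path, uid, oct(perms), baseline[path]))
        elif has_setid_bit(mode):
            unexpected.append((path, uid, oct(perms)))
    missing = sorted(set(baseline) - seen)
    return {"unexpected": unexpected, "changed": changed, "missing": missing}


SAMPLE_ENTRIES = [  # constructed stat results, as (path, uid, st_mode)
    ("/usr/bin/passwd", 0, stat.S_IFREG | 0o4755),
    ("/usr/bin/sudo", 0, stat.S_IFREG | 0o4755),
    ("/usr/bin/su", 0, stat.S_IFREG | 0o4755),
    ("/usr/bin/vim.basic", 0, stat.S_IFREG | 0o755),         # ordinary binary, no set-id bit
    ("/tmp/.cache/helper", 0, stat.S_IFREG | 0o4755),        # root-owned setuid file in /tmp
    ("/usr/local/bin/backup", 1000, stat.S_IFREG | 0o6755),  # setuid+setgid, owned by a normal user
]

if __name__ == "__main__":
    import sys
    entries = list(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    report = classify(entries)
    for kind in ("unexpected", "changed", "missing"):
        for item in report[kind]:
            print(kind, *item)
```

Run as root against `/` on a schedule and diff the report against the previous run; the two unexpected entries in the sample (a setuid file under /tmp and a set-id binary owned by an unprivileged user) are the shapes the check exists to surface.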
Tactic: Bypassing Defenses

Technique: Exploitation for Defense Evasion (T1211)

Sub-techniques:

1. Common Evasion Techniques:

   o Code Obfuscation (T1211.001):
      - Attackers obscure their malicious code to avoid detection by antivirus or intrusion detection systems.
      - This can involve techniques like encryption, packing, and polymorphism.

   o Anti-Debugging Techniques (T1211.002):
      - Attackers actively detect and disable debuggers used by security analysts to analyze their code and behavior.
      - This makes it harder to reverse engineer their malware and understand its malicious intent.

   o Memory Tampering (T1211.003):
      - Attackers manipulate memory space or processes to hide their malicious activities from security tools.
      - This can involve techniques like hooking, injection, and patching.

   o Anti-Virus Evasion (T1211.004):
      - Attackers employ methods to bypass signature-based antivirus detection by constantly modifying their malicious code or using techniques like fileless malware.

2. Advanced Evasion Techniques:

   o Living Off the Land (LotL) Techniques (T1211.005):
      - Attackers leverage legitimate system tools and applications to achieve their malicious goals instead of relying on custom malware.
      - This makes detection difficult as their activity blends with normal system processes.

   o Time-Delayed Execution (T1211.006):
      - Attackers delay the execution of their malicious code to evade real-time detection by security tools.
      - This can involve waiting for specific conditions or triggers before activating their payloads.

   o Sandbox Evasion (T1211.007):
      - Attackers develop techniques to bypass sandboxing environments used by security analysts to analyze suspicious code.
      - This allows them to execute their malware in a controlled environment without triggering alarms.

Tactic: Bypassing Defenses

Technique: Deobfuscating/Decoding Files or Information (T1140)

Sub-techniques:

1. Binary Padding (T1140.001):
   - Attackers add unnecessary data to files to increase their size and complexity, making it harder to distinguish malicious patterns or code within.

2. Software Packing (T1140.002):
   - Attackers compress or wrap malicious code within legitimate software or files, requiring additional steps to unpack and reveal the true content.

3. Steganography (T1140.003):
   - Attackers hide malicious data within seemingly harmless files like images, audio, or documents, requiring specialized techniques to extract the hidden content.

4. Compile After Delivery (T1140.004):
   - Attackers deliver a script or code in a pre-compiled state, requiring execution on the target system for full functionality and potential malware activation.

5. Indicator Removal from Tools (T1140.005):
   - Attackers strip out identifiable strings or signatures from their malicious tools to evade detection by antivirus or intrusion detection systems.

6. HTML Smuggling (T1140.006):
   - Attackers encode malicious code within seemingly harmless HTML tags or attributes, allowing its execution via vulnerabilities in web browsers or applications.

Tactic: Bypassing Defenses

Technique: File and Directory Permissions Modification (T1222)

Sub-techniques:

1. Windows File and Directory Permissions Modification (T1222.001):
   - Attackers modify permissions using tools like icacls or Set-Acl in PowerShell.

2. Unix File and Directory Permissions Modification (T1222.002):
   - Attackers use chmod or chown commands to change permissions.

3. Cloud Storage Object Permissions Modification (T1222.004):
   - Attackers alter permissions of objects in cloud storage environments.

Tactic: Bypassing Defenses

Technique: Impairing Defenses (T1562)

Sub-techniques:

1. Disable or Modify Tools (T1562.001):
   - Attackers target security tools such as antivirus software, firewalls, and intrusion detection systems by stopping their processes, modifying configuration files, or injecting malicious code.

2. Indicator Removal on Host (T1562.006):
   - Attackers attempt to erase or manipulate logs, event data, and other forensic artifacts collected by security tools to hide their presence and actions.

3. Disrupt System Discovery (T1562.010):
   - Attackers tamper with system discovery mechanisms to remain undetected.
   - This can involve disabling network services, modifying hostnames, or manipulating DNS records.

4. Impair Security Services Communication (T1562.012):
   - Attackers interfere with communication channels used by security tools to report events or share intelligence.
   - This can involve blocking network traffic or manipulating protocols.

5. Modify Time Attributes (T1562.009):
   - Attackers change the timestamps of files or processes to make them appear older or newer than they actually are, potentially evading time-based detection rules or analysis.

6. Hijack Security Functions (T1562.011):
   - Attackers take control of legitimate security functions or processes to redirect execution flow, manipulate results, or bypass monitoring.

Tactic: Bypassing Defenses

Technique: Indicator Removal on Host (T1070)

Sub-techniques:

1. Clear Windows Event Logs (T1070.001):
   - Attackers use tools like wevtutil.exe or PowerShell to clear event logs, removing potentially incriminating records.

2. Clear Linux or Mac Logs (T1070.002):
   - Attackers use commands like rm, shred, or logger to delete or overwrite log files on Linux or macOS systems.

3. File Deletion (T1070.004):
   - Attackers manually delete malicious files, tools, or scripts to cover their tracks.

4. Network Share Connection Removal (T1070.007):
   - Attackers disconnect from mounted network shares to hide evidence of accessing sensitive data.

5. Clear Command History (T1070.008):
   - Attackers erase command history in terminals or command prompts to conceal executed commands.

6. Clear Persistence (T1070.009):
   - Attackers remove artifacts of persistence mechanisms (e.g., registry keys, scheduled tasks) used to maintain access.
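
Clearing a Windows event log does not remove the record of the clearing: the first entry of the emptied Security log is event 1102 (event 104 for other logs), Defender writes event 5001 when real-time protection is turned off, and an audit policy change is logged as event 4719. The added example below (not from the document or its author) serves both the Impairing Defenses entry (T1562.001) and the Clear Windows Event Logs entry (T1070.001) above: it tags those events and groups them per host within a time window, so that the sequence "audit weakened, protection off, log cleared" is triaged as one incident rather than three unrelated alerts. Event records, hosts and accounts are constructed; the window and severity rule are assumptions.

```python
"""Correlating defense-impairment and log-clearing events (T1562.001, T1070.001).

Added example, not part of the original document. Windows records the act of
clearing a log (event 1102 for the Security log, 104 for other logs), Defender
records real-time protection being disabled (event 5001 in its operational log),
and audit policy changes surface as event 4719. This groups such events per
host inside a time window so a cluster is handled as one incident. Records are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNATURES = {  # (provider, event id) -> (technique label, meaning)
    ("Microsoft-Windows-Eventlog", 1102): ("T1070.001", "Security event log cleared"),
    ("Microsoft-Windows-Eventlog", 104): ("T1070.001", "System/Application event log cleared"),
    ("Microsoft-Windows-Windows Defender", 5001): ("T1562.001", "Defender real-time protection disabled"),
    ("Microsoft-Windows-Security-Auditing", 4719): ("T1562", "system audit policy changed"),
}


def tag_events(events):
    """Keep only the events that match a signature and annotate them with technique and meaning."""
    tagged = []
    for ev in events:
        sig = SIGNATURES.get((ev["provider"], ev["id"]))
        if sig:
            tagged.append({**ev, "technique": sig[0], "meaning": sig[1]})
    return tagged


def _summarize(host, evs):
    techniques = {e["technique"] for e in evs}
    impaired = any(t.startswith("T1562") for t in techniques)
    cleared = "T1070.001" in techniques
    return {"host": host, "start": evs[0]["ts"], "end": evs[-1]["ts"],
            "accounts": sorted({e["user"] for e in evs}),
            "events": [(e["id"], e["meaning"]) for e in evs],
            # Defenses weakened and then the record removed: treat as a single high-priority incident.
            "severity": "high" if (impaired and cleared) else "medium"}


def correlate(events, window=timedelta(minutes=15)):
    """Cluster tagged events per host; a new cluster starts when the window from its first event elapses."""
    by_host = defaultdict(list)
    for ev in tag_events(events):
        by_host[ev["host"]].append(ev)
    clusters = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - current[0]["ts"] <= window:
                current.append(ev)
            else:
                clusters.append(_summarize(host, current))
                current = [ev]
        clusters.append(_summarize(host, current))
    return sorted(clusters, key=lambda c: ({"high": 0, "medium": 1}[c["severity"]], c["start"]))


T0 = datetime(2024, 1, 14, 10, 0)
SAMPLE_EVENTS = [  # constructed records with the fields the correlation uses
    {"ts": T0, "host": "WS-07", "provider": "Microsoft-Windows-Security-Auditing", "id": 4624, "user": "CONTOSO\\jdoe"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS-07", "provider": "Microsoft-Windows-Security-Auditing", "id": 4719, "user": "CONTOSO\\jdoe"},
    {"ts": T0 + timedelta(minutes=5), "host": "WS-07", "provider": "Microsoft-Windows-Windows Defender", "id": 5001, "user": "CONTOSO\\jdoe"},
    {"ts": T0 + timedelta(minutes=6), "host": "WS-07", "provider": "Microsoft-Windows-Eventlog", "id": 1102, "user": "CONTOSO\\jdoe"},
    {"ts": T0 + timedelta(hours=3), "host": "SRV-02", "provider": "Microsoft-Windows-Eventlog", "id": 104, "user": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for cluster in correlate(SAMPLE_EVENTS):
        print(cluster["severity"], cluster["host"], cluster["accounts"], cluster["events"])
```

The correlation only works if the events leave the host before they can be cleared, which is the operational reason to forward logs to a collector in near real time rather than rely on the local log.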

Tactic: Bypassing Defenses

Technique: Signed Binary Proxy Execution (T1218)

Sub-techniques:

1. System Binary Proxy Execution (T1218.004):
   - Attackers abuse native system utilities like mshta.exe, rundll32.exe, or regsvr32.exe to load and execute malicious code.

2. Mshta (T1218.005):
   - Attackers use mshta.exe to execute HTML Application (HTA) files containing malicious scripts.

3. Regsvr32 (T1218.007):
   - Attackers misuse regsvr32.exe to register and execute malicious DLLs.

4. Control Panel Items (T1218.010):
   - Attackers exploit vulnerabilities in Control Panel items (.cpl files) to execute malicious code.

5. MSBuild (T1218.014):
   - Attackers leverage MSBuild, a build tool for Microsoft Visual Studio projects, to execute code embedded in project files.

Tactic: Credential Access (TA0006)

Technique: Brute Force (T1110)

Sub-techniques:

1. Password Guessing (T1110.001):
   - Attackers make educated guesses based on common passwords, personal details, or leaked information.

2. Password Cracking (T1110.002):
   - Attackers use tools to automate password cracking attempts, often employing techniques like:
      o Dictionary attacks: trying words from a list.
      o Rule-based attacks: combining words, numbers, and symbols.
      o Hybrid attacks: combining dictionary and rule-based methods.

3. Password Spraying (T1110.003):
   - Attackers try a single common password against many different accounts, hoping to find matches.

4. Credential Stuffing (T1110.004):
   - Attackers use stolen credentials from data breaches on other websites or services to see if they work elsewhere.
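
The credential-abuse entries under External Remote Services and the Brute Force sub-techniques above describe two shapes in the authentication log: many failures against one account, and one or two failures against each of many accounts. The added example below (not from the document or its author) detects both over syslog-style sshd lines, grouping failures by source address inside a sliding window, and separately reports a burst of failures followed by a successful logon from the same source, since that is the case a responder acts on first. The log excerpt is constructed; the window and thresholds are assumptions to be tuned against local lockout policy.

```python
"""Brute-force versus password-spraying detection over sshd authentication logs (T1110).

Added example, not part of the original document. Syslog-style sshd lines (the
sample below is constructed) are grouped by source address inside a sliding
window to separate many guesses against one account (T1110.001/.002) from one or
two guesses against many accounts (T1110.003). A burst of failures followed by
a success from the same source is reported on its own. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN_FAILURES = 8    # failures against one account from one source within WINDOW
SPRAY_MIN_ACCOUNTS = 5          # distinct accounts tried from one source within WINDOW
SPRAY_MAX_PER_ACCOUNT = 2       # spraying stays under per-account lockout thresholds
SUCCESS_AFTER_MIN_FAILURES = 3  # a single typo before a successful login is normal


def parse_line(line, year=2024):
    """Return {ts, result, user, ip} for an sshd auth line, or None if it is not one."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(lines):
    """Return findings: dicts with 'type', 'ip' and the counts that justify the call."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        reported = set()  # one finding of each type per source address
        for i, start in enumerate(events):
            window = [e for e in events[i:] if e["ts"] - start["ts"] <= WINDOW]
            failures = [e for e in window if e["result"] == "Failed"]
            if not failures:
                continue
            per_user = defaultdict(int)
            for e in failures:
                per_user[e["user"]] += 1
            top_user = max(per_user, key=per_user.get)
            if per_user[top_user] >= BRUTE_FORCE_MIN_FAILURES and "brute_force" not in reported:
                findings.append({"type": "brute_force", "ip": ip, "user": top_user, "failures": per_user[top_user]})
                reported.add("brute_force")
            if (len(per_user) >= SPRAY_MIN_ACCOUNTS and per_user[top_user] <= SPRAY_MAX_PER_ACCOUNT
                    and "password_spray" not in reported):
                findings.append({"type": "password_spray", "ip": ip, "accounts": len(per_user), "failures": len(failures)})
                reported.add("password_spray")
            successes = [e for e in window if e["result"] == "Accepted" and e["ts"] > failures[0]["ts"]]
            if len(failures) >= SUCCESS_AFTER_MIN_FAILURES and successes and "success_after_failures" not in reported:
                findings.append({"type": "success_after_failures", "ip": ip, "user": successes[0]["user"], "failures": len(failures)})
                reported.add("success_after_failures")
    return findings


def _line(ts, result, user, ip, invalid=False):
    who = f"invalid user {user}" if invalid else user
    return f"{ts} bastion sshd[4242]: {result} password for {who} from {ip} port 51000 ssh2"


SAMPLE_LOG = (  # constructed auth.log excerpt
    [_line(f"Jan 14 10:00:{s:02d}", "Failed", "root", "203.0.113.5") for s in range(0, 40, 4)]
    + [_line(f"Jan 14 10:02:{i * 7:02d}", "Failed", user, "198.51.100.9", invalid=(user == "admin"))
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "admin"])]
    + [_line("Jan 14 10:04:00", "Accepted", "alice", "198.51.100.9")]
    + [_line("Jan 14 11:30:00", "Failed", "alice", "192.0.2.44"),
       _line("Jan 14 11:30:30", "Accepted", "alice", "192.0.2.44")]
    + ["Jan 14 11:31:00 bastion CRON[500]: pam_unix(cron:session): session opened for user root"]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The spraying rule keys on the source rather than the account because each account sees only one or two failures, which is exactly what keeps spraying under lockout thresholds and out of per-account alerting.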

Tactic: Credential Access (TA0006)

Technique: OS Credential Dumping (T1003)

Sub-techniques:

1. LSASS Memory (T1003.001):
   - Attackers target the Local Security Authority Subsystem Service (LSASS) process, which stores sensitive credential data in memory.

2. NTDS (T1003.003):
   - Attackers extract credentials from the NTDS.dit file, which contains the Active Directory database.

3. Screen Capture (T1003.004):
   - Attackers capture screenshots or keystrokes to steal passwords entered by users.

4. Input Capture (T1003.005):
   - Attackers intercept keystrokes directly from the keyboard hardware.

5. Credential API Hooking (T1003.006):
   - Attackers intercept credential-related API calls to capture passwords before they are stored or used.

6. DCSync (T1003.006):
   - Attackers abuse a Windows Domain Controller's replication functionality to retrieve password hashes from Active Directory.
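
A DCSync request goes through the directory replication interface, so the requesting principal must hold the replication control-access rights; with "Audit Directory Service Access" enabled, each such request is logged as event 4662 whose Properties field lists the GUIDs of the rights exercised. Replication is expected only from domain controllers and known directory-sync service accounts, so any other principal using those rights is the signal. The following is an added example, not from the document or its author, of that detection; the 4662 records and the allowlist are constructed.

```python
"""DCSync detection from directory-service access audits (T1003.006 DCSync).

Added example, not part of the original document. Event 4662 lists, in its
Properties field, the GUIDs of the control-access rights a principal exercised
on a directory object. Replication rights used by anything other than a domain
controller or a known sync account are the DCSync signal. Records and the
allowlist below are constructed.
"""
import re

REPLICATION_RIGHTS = {  # control-access right GUIDs from the Active Directory schema
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed allowlist: domain controller computer accounts and the directory-sync service account.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "SVC_AADCONNECT"}


def replication_rights_used(properties):
    """Names of the replication rights referenced in a 4662 Properties field, sorted."""
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID.findall(properties)
                  if g.lower() in REPLICATION_RIGHTS)


def detect_dcsync(events, allowlist=EXPECTED_REPLICATORS):
    """Return a finding for every 4662 record where a non-allowlisted principal used replication rights."""
    allowed = {a.upper() for a in allowlist}
    findings = []
    for ev in events:
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev["SubjectUserName"]
        if account.upper() in allowed:
            continue
        findings.append({
            "account": f'{ev.get("SubjectDomainName", "")}\\{account}',
            "logged_on": ev.get("Computer", ""),
            "rights": rights,
            # Get-Changes-All is the right that returns secrets; without it no hashes leave the DC.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return findings


def _props(*guids):
    """Shape of the Properties field: an access-mask token followed by one GUID per line."""
    return "%%7688\n" + "\n".join(f"\t{{{g}}}" for g in guids)


DOMAIN_OBJECT = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS class, the object being replicated
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

SAMPLE_EVENTS = [  # constructed 4662 records (EventData fields only)
    {"SubjectUserName": "DC02$", "SubjectDomainName": "CONTOSO", "Computer": "DC01.contoso.local",
     "Properties": _props(GET_CHANGES, GET_CHANGES_ALL, DOMAIN_OBJECT)},
    {"SubjectUserName": "svc_aadconnect", "SubjectDomainName": "CONTOSO", "Computer": "DC01.contoso.local",
     "Properties": _props(GET_CHANGES, GET_CHANGES_ALL, DOMAIN_OBJECT)},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CONTOSO", "Computer": "DC01.contoso.local",
     "Properties": _props(GET_CHANGES, GET_CHANGES_ALL, DOMAIN_OBJECT)},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CONTOSO", "Computer": "DC01.contoso.local",
     "Properties": _props("bf967aba-0de6-11d0-a285-00aa003049e2")},  # an ordinary read of a user object
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is the part that needs care: it should be generated from the directory (the Domain Controllers OU plus the documented sync accounts) rather than typed by hand, and a new member appearing in it is itself worth an alert.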

Tactic: Credential Access (TA0006)

Technique: Steal or Forge Kerberos Tickets (T1558)

Sub-techniques:

1. Golden Ticket (T1558.001):
   - Attackers forge a Kerberos ticket-granting ticket (TGT) using the Key Distribution Center (KDC)'s secret key, granting them access to any resource in the domain.

2. Silver Ticket (T1558.002):
   - Attackers forge a Kerberos ticket for a specific service, allowing them to access that service without valid credentials.

3. Kerberoasting (T1558.003):
   - Attackers request service tickets for accounts with weak passwords and then crack those passwords offline.

4. AS-REP Roasting (T1558.004):
   - Attackers request TGTs for user accounts with pre-authentication disabled and try to crack the password offline.

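
Both roasting techniques above leave a trace on the domain controller: a Kerberoasting run appears as one principal requesting service tickets (event 4769) for many distinct service accounts in a short time, usually asking for RC4 (TicketEncryptionType 0x17) because that key derivation cracks fastest; AS-REP roasting appears as a successful TGT request (event 4768) for an account with pre-authentication disabled (PreAuthType 0). The following is an added example, not from the document or its author, of both detections over constructed 4768/4769 records; the window and thresholds are assumptions.

```python
"""Kerberoasting and AS-REP roasting detection from KDC audit events (T1558.003, T1558.004).

Added example, not part of the original document. Kerberoasting shows as one
principal obtaining RC4 service tickets (event 4769, TicketEncryptionType 0x17)
for many distinct service accounts; AS-REP roasting shows as a successful TGT
request (event 4768) with PreAuthType 0, i.e. without pre-authentication.
Events below are constructed; thresholds and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"


def _tgs(ts, requester, service, etype, ip):
    """Constructed 4769 (service ticket request) record with the fields the detection uses."""
    return {"EventID": 4769, "ts": ts, "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


def _as(ts, account, preauth, etype, ip):
    """Constructed 4768 (TGT request) record."""
    return {"EventID": 4768, "ts": ts, "TargetUserName": account, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


def detect_kerberoasting(events, window=timedelta(minutes=30), min_services=3):
    """Flag requesters that obtained RC4 service tickets for >= min_services distinct accounts in a window."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0" or ev["TicketEncryptionType"].lower() != RC4:
            continue
        service = ev["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # computer accounts and the KDC have long random keys; not a cracking target
        by_requester[ev["TargetUserName"]].append(ev)
    findings = []
    for requester, reqs in by_requester.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(reqs):
            in_window = [e for e in reqs[i:] if e["ts"] - start["ts"] <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_services:
                findings.append({"type": "kerberoasting", "requester": requester,
                                 "source": start["IpAddress"], "services": services,
                                 "first_seen": start["ts"]})
                break  # one finding per requester
    return findings


def detect_asrep_roasting(events):
    """Flag TGTs issued without pre-authentication; the reply is crackable offline regardless of cipher."""
    return [{"type": "asrep_roasting", "account": ev["TargetUserName"], "source": ev["IpAddress"],
             "encryption": ev["TicketEncryptionType"], "ts": ev["ts"],
             "severity": "high" if ev["TicketEncryptionType"].lower() == RC4 else "medium"}
            for ev in events
            if ev["EventID"] == 4768 and ev["Status"] == "0x0" and str(ev.get("PreAuthType")) == "0"]


T0 = datetime(2024, 1, 14, 9, 0)
SAMPLE_EVENTS = [  # constructed
    _tgs(T0, "alice@CONTOSO.LOCAL", "svc_sql", "0x12", "10.0.0.21"),                    # normal AES request
    _tgs(T0 + timedelta(seconds=10), "jdoe@CONTOSO.LOCAL", "svc_sql", RC4, "10.0.0.55"),
    _tgs(T0 + timedelta(seconds=11), "jdoe@CONTOSO.LOCAL", "svc_web", RC4, "10.0.0.55"),
    _tgs(T0 + timedelta(seconds=12), "jdoe@CONTOSO.LOCAL", "svc_backup", RC4, "10.0.0.55"),
    _tgs(T0 + timedelta(seconds=13), "jdoe@CONTOSO.LOCAL", "FS01$", RC4, "10.0.0.55"),  # computer account, ignored
    _tgs(T0 + timedelta(seconds=14), "jdoe@CONTOSO.LOCAL", "svc_sccm", RC4, "10.0.0.55"),
    _as(T0 + timedelta(minutes=5), "bob", "2", "0x12", "10.0.0.30"),                     # PreAuthType 2: timestamp pre-auth
    _as(T0 + timedelta(minutes=6), "legacyapp", "0", RC4, "10.0.0.55"),
]

if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_EVENTS) + detect_asrep_roasting(SAMPLE_EVENTS):
        print(finding)
```

Event 4769 is only emitted when "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers, and it is voluminous; the RC4 filter and the per-requester grouping are what keep the rule usable at scale.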
Tactic: Lateral Movement (TA0008)

Technique: Exploiting Remote Services (T1210)

Focus: Moving between compromised systems within a network.

Sub-techniques:

1. Pass-the-Hash or Pass-the-Ticket:
   - Leveraging stolen credentials to authenticate on other systems.

2. Exploiting Shared Resources:
   - Utilizing vulnerable network shares or services for access.

3. Pivoting through Infected Hosts:
   - Using compromised systems as springboards to reach deeper targets.

4. Man-in-the-Middle Attacks:
   - Intercepting network traffic to steal credentials or redirect connections.

5. Supply Chain Attacks:
   - Compromising trusted software or services to gain access to their users.

Tactic: Lateral Movement (TA0008)

Technique: Remote Services (T1021)

Focus: Leveraging legitimate remote services offered by systems for lateral movement.

Sub-techniques:

1. Remote Desktop Protocol (RDP):
   - Gaining access through unsecured RDP connections.

2. SMB/Windows Admin Shares:
   - Utilizing vulnerabilities in file sharing protocols for privilege escalation.

3. Distributed Component Object Model (DCOM):
   - Executing malicious code by exploiting DCOM weaknesses.

4. SSH:
   - Gaining access via insecure SSH configurations.

5. Virtual Network Computing (VNC):
   - Leveraging vulnerabilities in VNC remote desktop sharing.

6. Windows Remote Management (WinRM):
   - Executing commands remotely through WinRM vulnerabilities.

Tactic: Lateral Movement (TA0008)

Technique: Using Alternate Authentication Material (T1550)

Sub-techniques:

1- Pass the Hash (T1550.002):

 • Attackers use stolen password hashes to authenticate to remote systems without knowing the plaintext passwords.

2- Pass the Ticket (T1550.003):

 • Attackers use stolen Kerberos tickets, which grant access to network resources, to move laterally without further authentication.

3- Web Session Cookie (T1550.004):

 • Attackers steal or hijack session cookies to impersonate authenticated users on web applications.
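
As an added example of the detection side of the lateral-movement techniques above (T1021 and T1550): the same account reaching many hosts over NTLM network logons in a short window is a common signal of credential reuse across systems, and a NewCredentials logon (type 9) through the seclogo logon process is how injected alternate credentials show up in the 4624 event. This is example code written for this page, not from the original document; the logon records, host names and addresses are constructed:

```python
"""Spot lateral-movement fan-out and NewCredentials logons in Windows 4624 events.

Added example, not from the original document. Records are constructed and
use 4624 (successful logon) field names as collected from each destination host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3   # distinct destination hosts reached by one source/account in WINDOW


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample logons (hypothetical hosts, users and IPs).
NTLM_NET = {"LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_admin",
            "IpAddress": "10.0.0.5"}
LOGONS = [
    {"time": "2024-03-01 02:00:05", "Computer": "FS01", **NTLM_NET},
    {"time": "2024-03-01 02:01:10", "Computer": "FS02", **NTLM_NET},
    {"time": "2024-03-01 02:03:40", "Computer": "DB01", **NTLM_NET},
    {"time": "2024-03-01 02:04:00", "Computer": "DB01", **NTLM_NET},  # repeat host, no new fan-out
    {"time": "2024-03-01 09:15:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "asmith", "IpAddress": "10.0.0.9"},
    {"time": "2024-03-01 01:58:30", "Computer": "WS07", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jdoe", "IpAddress": "::1"},
]


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return (source IP, account) pairs that logged on to >= threshold hosts within window."""
    groups = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            groups[(e["IpAddress"], e["TargetUserName"])].append((_ts(e["time"]), e["Computer"]))
    findings = []
    for (src, user), items in groups.items():
        items.sort()
        for t0, _ in items:                      # slide a window from each logon
            hosts = {h for t, h in items if t0 <= t <= t0 + window}
            if len(hosts) >= threshold:
                findings.append({"source": src, "user": user, "hosts": sorted(hosts)})
                break                            # one finding per source/account is enough
    return findings


def detect_newcredentials_logons(events):
    """Return LogonType 9 logons via seclogo (NewCredentials with alternate credentials).

    Administrators also produce these with runas /netonly, so this is a triage
    lead to combine with the fan-out check, not a verdict on its own.
    """
    return [
        {"host": e["Computer"], "user": e["TargetUserName"]}
        for e in events
        if e["LogonType"] == 9 and e.get("LogonProcessName") == "seclogo"
    ]


if __name__ == "__main__":
    print(detect_fanout(LOGONS))
    print(detect_newcredentials_logons(LOGONS))
```

Because 4624 is written on the destination, this check only works once logon events from file servers and workstations are centralised; with only Domain Controller logs the equivalent signal is the source address of 4768/4769 requests.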

Tactic: Collection (TA0009)

Technique: Data from Local System (T1005)

Sub-techniques:

1- File and Directory Discovery:

 • Attackers scour the file system for files of interest, such as documents, spreadsheets, databases, or configuration files.

2- Data from Local System:

 • Attackers access sensitive data from various sources, including:

   ◦ File systems (e.g., NTFS, FAT32): Stealing files directly from storage.
   ◦ Removable media (e.g., USB drives): Copying files to external devices for extraction.
   ◦ Local databases (e.g., SQL Server, MySQL): Extracting data from local database instances.
   ◦ Email: Obtaining emails from local clients or servers.
   ◦ Memory: Dumping sensitive data residing in memory.

3- Screen Capture:

 • Attackers capture screenshots or record screen activity to steal visual information, including passwords or sensitive content.

4- Input Capture:

 • Attackers intercept keystrokes or mouse movements to capture sensitive information, such as passwords or credit card numbers.

Tactic: Collection (TA0009)

Technique: Data From Network Shared Drives (T1039)

Sub-techniques:

1- Remote File Copy:

 • Attackers use legitimate tools like copy, robocopy, or rsync to transfer files directly from shared drives to their own systems.

2- SMB/Windows Admin Shares:

 • Attackers exploit vulnerabilities in the Server Message Block (SMB) protocol, often used for file sharing in Windows environments, to access shared drives and exfiltrate data.

3- Network Share Discovery:

 • Attackers actively scan the network to identify accessible shared drives and map their contents.

4- Remote File Access Tools:

 • Attackers employ specialized tools designed for remote file access and transfer, such as FTP clients or custom scripts.

Tactic: Collection (TA0009)

Technique: Email Collection (T1114)

Sub-techniques:

1- Local Email Clients:

 • Attackers access emails stored on local clients like Outlook or Thunderbird, often using techniques like keylogging or screen capture to steal credentials or directly access the client.

2- Mail Servers:

 • Attackers compromise mail servers themselves to gain broader access to emails across multiple accounts and potentially exfiltrate large amounts of data.

3- Third-Party Email Services:

 • Attackers target cloud-based email services like Gmail or Office 365, often through phishing or credential theft, to access user accounts and steal emails.

4- Email Collection via Web Browser:

 • Attackers exploit vulnerabilities in web browsers or browser extensions to intercept and collect emails accessed through webmail interfaces.

Tactic: Collection (TA0009)

Technique: Archive Collected Data (T1560)

Sub-techniques:

1- Archive via Utility:

 • Attackers use standard compression or archiving tools like zip, rar, or 7z to create compressed archives of collected data.

2- Archive via Library:

 • Attackers leverage compression libraries within their malware code to create archives directly, often for efficiency or customization.

3- Archive via Custom Method:

 • Attackers employ bespoke or less common techniques to obfuscate data, potentially hindering detection by standard security tools.

Tactic: Collection (TA0009)

Technique: Exfiltration Over Web Service (T1567)

Sub-techniques:

1- Exfiltration to Cloud Storage (T1567.002):

 • Attackers upload sensitive data to cloud storage services like Dropbox, Google Drive, or OneDrive, blending in with normal traffic to these services.

2- Exfiltration Over Web Service (T1567.001):

 • Attackers tunnel data through web services like webmail, social media, or web APIs, often using custom tools or scripts to disguise the exfiltration within typical web traffic.

Tactic: Collection (TA0009)

Technique: Automated Exfiltration (T1020)

Sub-techniques:

1- Automated Exfiltration:

 • Attackers employ scripts, tools, or malware capabilities to automatically gather and transfer data at designated intervals or based on specific triggers.

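
As an added example covering the three preceding techniques together (Archive Collected Data, Exfiltration Over Web Service and Automated Exfiltration): a defender can correlate an archiving utility running on a host with a large upload from that same host to a cloud-storage domain shortly afterwards, and separately flag transfers that recur at a near-constant interval, which is what scheduled, automated exfiltration looks like in proxy logs. This is example code written for this page, not from the original document; the process and proxy records, host names and domains are constructed:

```python
"""Correlate archive staging with cloud-storage uploads, and flag periodic uploads.

Added example, not from the original document. All records below are constructed:
a Sysmon-style process-creation list and a proxy/egress log for the same hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

CLOUD_STORAGE = {"dropbox.com", "drive.google.com", "onedrive.live.com"}   # tune per environment
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "zip", "tar"}
STAGE_TO_UPLOAD = timedelta(minutes=30)   # how soon after archiving an upload counts as related


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


PROCESS_EVENTS = [  # constructed
    {"time": "2024-03-01 02:10:00", "host": "WS07", "image": r"C:\Tools\7z.exe",
     "cmdline": r"7z.exe a -p staging.7z C:\Users\jdoe\Documents"},
    {"time": "2024-03-01 11:00:00", "host": "WS03", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe"},
]
PROXY_LOG = [  # constructed; bytes_out is client-to-server volume
    {"time": "2024-03-01 02:25:00", "host": "WS07", "dest": "content.dropbox.com", "bytes_out": 48_000_000},
    {"time": "2024-03-01 02:55:00", "host": "WS07", "dest": "content.dropbox.com", "bytes_out": 47_500_000},
    {"time": "2024-03-01 03:25:00", "host": "WS07", "dest": "content.dropbox.com", "bytes_out": 48_200_000},
    {"time": "2024-03-01 03:55:00", "host": "WS07", "dest": "content.dropbox.com", "bytes_out": 47_900_000},
    {"time": "2024-03-01 10:05:00", "host": "WS03", "dest": "drive.google.com", "bytes_out": 2_000_000},
]


def is_cloud_storage(fqdn):
    """True when fqdn is one of the listed storage domains or a subdomain of one."""
    return any(fqdn == d or fqdn.endswith("." + d) for d in CLOUD_STORAGE)


def correlate_staging_and_upload(procs, proxy, min_bytes=10_000_000, window=STAGE_TO_UPLOAD):
    """Large cloud-storage uploads preceded (within window) by an archiver run on the same host."""
    archives = [(p["host"], _ts(p["time"])) for p in procs
                if p["image"].rsplit("\\", 1)[-1].lower() in ARCHIVERS]
    findings = []
    for r in proxy:
        if not is_cloud_storage(r["dest"]) or r["bytes_out"] < min_bytes:
            continue
        t = _ts(r["time"])
        if any(h == r["host"] and timedelta(0) <= t - t_archive <= window for h, t_archive in archives):
            findings.append({"host": r["host"], "dest": r["dest"], "time": r["time"],
                             "bytes_out": r["bytes_out"]})
    return findings


def detect_periodic_uploads(proxy, min_events=4, max_jitter=0.1):
    """Host/destination pairs whose upload inter-arrival times are almost constant.

    Jitter is the coefficient of variation of the gaps (stdev / mean); scheduled
    transfers sit near 0, interactive use is far noisier.
    """
    by_key = defaultdict(list)
    for r in proxy:
        by_key[(r["host"], r["dest"])].append(_ts(r["time"]))
    findings = []
    for (host, dest), times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"host": host, "dest": dest, "interval_s": round(avg)})
    return findings


if __name__ == "__main__":
    print(correlate_staging_and_upload(PROCESS_EVENTS, PROXY_LOG))
    print(detect_periodic_uploads(PROXY_LOG))
```

Both checks are volume- and timing-based rather than content-based, so they still work when the upload is TLS-encrypted; the trade-off is that sanctioned backup agents and sync clients produce the same regular pattern and need an allow-list.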
Tactic: Ransomware Deployment

Technique: Inhibit System Recovery (T1490)

Sub-techniques:

1- Disable System Restore (T1490.001):

 • Attackers prevent victims from using Windows System Restore to revert to a previous, uncorrupted state.

2- Disable/Delete Shadow Copies (T1490.002):

 • Attackers target and delete shadow copies, which are backup snapshots of files and folders used for recovery purposes.

3- Disable/Encrypt Recovery Files (T1490.003):

 • Attackers render recovery tools like backups or antivirus software unusable, either by encrypting them or disabling their functionality.

4- Modify Registry (T1490.004):

 • Attackers manipulate registry settings to inhibit system recovery processes or prevent access to recovery options.
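
As an added example for the Inhibit System Recovery technique above: the shadow-copy deletion, recovery-option and System Restore changes it describes are almost always carried out through a handful of built-in Windows administration commands, so a process-creation feed (Sysmon event 1 or Security event 4688 with command-line logging) is the natural place to detect them. This is example code written for this page, not from the original document; the process records, hosts and users are constructed, and the rules normalise quoting, case and whitespace before matching so that trivial variations of the same command line are still caught:

```python
"""Match T1490 (Inhibit System Recovery) command lines in process-creation events.

Added example, not from the original document. Records are constructed in the
shape of Sysmon event 1 / Security 4688 with command-line auditing enabled.
"""
import re

# Each rule: (label, compiled pattern). Patterns are applied to a normalised
# command line (quotes removed, whitespace collapsed), case-insensitively.
RULES = [
    ("T1490.002 shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490.002 shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490 Windows recovery environment disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("T1490.003 backup catalog deletion (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1490.001/.004 System Restore disabled via registry policy",
     re.compile(r"\breg(\.exe)?\b.*\badd\b.*systemrestore\b.*\bdisablesr\b.*\b1\b", re.I)),
]

# Constructed sample events (hypothetical hosts and users).
PROCESS_EVENTS = [
    {"host": "WS07", "user": "jdoe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS07", "user": "jdoe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "user": "backupsvc", "cmdline": "vssadmin list shadows"},   # benign
    {"host": "FS01", "user": "SYSTEM", "cmdline": '"WMIC.exe"   ShadowCopy   Delete'},
    {"host": "WS03", "user": "asmith",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" '
                r'/v DisableSR /t REG_DWORD /d 1 /f'},
    {"host": "WS03", "user": "asmith", "cmdline": "notepad.exe report.txt"},     # benign
]


def normalize(cmdline):
    """Strip quotes and collapse whitespace so spacing/quoting tricks do not evade the rules."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def classify(cmdline):
    """Return the labels of every rule the command line matches (empty list if benign)."""
    cmd = normalize(cmdline)
    return [label for label, pattern in RULES if pattern.search(cmd)]


def scan(events):
    """Flatten matches over a list of process-creation events."""
    return [
        {"host": e["host"], "user": e["user"], "rule": label}
        for e in events
        for label in classify(e["cmdline"])
    ]


if __name__ == "__main__":
    for finding in scan(PROCESS_EVENTS):
        print(finding)
```

Backup software legitimately deletes old shadow copies, so the `user` and parent process of a match matter: the same `vssadmin delete shadows` from a backup service account on a schedule is routine, while from an interactive user session on a workstation it deserves immediate attention. Pairing these matches with the file-encryption burst that usually follows them turns a single alert into a ransomware-in-progress signal.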

Tactic: Ransomware Deployment

Technique: Data Encrypted For Impact (T1486)

Sub-techniques:

1- File Encryption (T1486.002):

 • Attackers encrypt individual files or entire file systems, often using strong encryption algorithms like AES or RSA.

2- Disk Encryption (T1486.001):

 • Attackers encrypt entire hard drives or partitions, preventing access to the operating system and all stored data.

3- Database Encryption (T1486.003):

 • Attackers specifically target and encrypt databases, disrupting critical business operations that rely on them.

4- Archive Encryption (T1486.004):

 • Attackers encrypt compressed archives or backup files, preventing access to critical data even if backups exist.
