Skip to content

Latest commit

 

History

History
122 lines (122 loc) · 38.8 KB

windows-matrix.md

File metadata and controls

122 lines (122 loc) · 38.8 KB

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Compromise Hardware Supply Chain CONTRIBUTE A TEST At (Windows) Accessibility Features Abuse Elevation Control Mechanism CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Component Object Model and Distributed COM CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Automated Exfiltration Application Layer Protocol CONTRIBUTE A TEST Account Access Removal
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Account Manipulation Access Token Manipulation CONTRIBUTE A TEST Access Token Manipulation CONTRIBUTE A TEST AS-REP Roasting CONTRIBUTE A TEST Application Window Discovery Distributed Component Object Model Archive Collected Data Data Transfer Size Limits CONTRIBUTE A TEST Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Component Object Model CONTRIBUTE A TEST Active Setup CONTRIBUTE A TEST Accessibility Features Asynchronous Procedure Call Brute Force CONTRIBUTE A TEST Browser Bookmark Discovery Exploitation of Remote Services CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Exfiltration Over Alternative Protocol CONTRIBUTE A TEST Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Default Accounts Component Object Model and Distributed COM CONTRIBUTE A TEST Add-ins CONTRIBUTE A TEST Active Setup CONTRIBUTE A TEST BITS Jobs Cached Domain Credentials CONTRIBUTE A TEST Domain Account Internal Spearphishing CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Commonly Used Port CONTRIBUTE A TEST Data Destruction
Domain Accounts CONTRIBUTE A TEST Dynamic Data Exchange AppCert DLLs CONTRIBUTE A TEST AppCert DLLs CONTRIBUTE A TEST Binary Padding CONTRIBUTE A TEST Credential API Hooking Domain Groups Lateral Tool Transfer CONTRIBUTE A TEST Archive via Utility Exfiltration Over Bluetooth CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Encrypted for Impact CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST AppInit DLLs AppInit DLLs Bootkit CONTRIBUTE A TEST Credential Stuffing CONTRIBUTE A TEST Domain Trust Discovery Pass the Hash Audio Capture Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST Application Shimming Application Shimming Bypass User Account Control Credentials In Files Email Account CONTRIBUTE A TEST Pass the Ticket Automated Collection Exfiltration Over Other Network Medium CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
External Remote Services Inter-Process Communication CONTRIBUTE A TEST At (Windows) Asynchronous Procedure Call CMSTP Credentials from Password Stores File and Directory Discovery RDP Hijacking Clipboard Data Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST JavaScript CONTRIBUTE A TEST Authentication Package CONTRIBUTE A TEST At (Windows) COR_PROFILER Credentials from Web Browsers Internet Connection Discovery CONTRIBUTE A TEST Remote Desktop Protocol Credential API Hooking Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Local Accounts Malicious File BITS Jobs Authentication Package CONTRIBUTE A TEST Clear Command History Credentials in Registry Local Account Remote Service Session Hijacking CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Dead Drop Resolver CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Clear Windows Event Logs DCSync Local Groups Remote Services CONTRIBUTE A TEST Data from Information Repositories CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Replication Through Removable Media CONTRIBUTE A TEST Native API Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Code Signing CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Network Service Scanning Replication Through Removable Media CONTRIBUTE A TEST Data from Local System CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing Attachment PowerShell Bootkit CONTRIBUTE A TEST Bypass User Account Control Code Signing Policy Modification CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Network Share Discovery SMB/Windows Admin Shares Data from Network Shared Drive CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Python CONTRIBUTE A TEST Browser Extensions COR_PROFILER Compile After Delivery Forced Authentication CONTRIBUTE A TEST Network Sniffing Shared Webroot CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Encrypted Channel Firmware Corruption CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST Scheduled Task COR_PROFILER Change Default File Association Compiled HTML File Forge Web Credentials CONTRIBUTE A TEST Password Policy Discovery Software Deployment Tools CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Inhibit System Recovery
Supply Chain Compromise CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Change Default File Association Component Object Model Hijacking CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST GUI Input Capture Peripheral Device Discovery Taint Shared Content CONTRIBUTE A TEST Email Forwarding Rule CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Internal Defacement
Trusted Relationship CONTRIBUTE A TEST Scripting CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST Create Process with Token CONTRIBUTE A TEST Control Panel Golden Ticket Permission Groups Discovery CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST GUI Input Capture Fast Flux DNS CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Service Execution Component Object Model Hijacking CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Create Process with Token CONTRIBUTE A TEST Group Policy Preferences Process Discovery VNC CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
Shared Modules CONTRIBUTE A TEST Compromise Client Software Binary CONTRIBUTE A TEST DLL Search Order Hijacking DLL Search Order Hijacking Input Capture CONTRIBUTE A TEST Query Registry Windows Remote Management Keylogging Ingress Tool Transfer Reflection Amplification CONTRIBUTE A TEST
Software Deployment Tools CONTRIBUTE A TEST Create Account CONTRIBUTE A TEST DLL Side-Loading DLL Side-Loading Kerberoasting Remote System Discovery LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Internal Proxy Resource Hijacking CONTRIBUTE A TEST
System Services CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Default Accounts Default Accounts Keylogging Security Software Discovery Local Data Staging Junk Data CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
User Execution CONTRIBUTE A TEST DLL Search Order Hijacking Domain Accounts CONTRIBUTE A TEST Deobfuscate/Decode Files or Information LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST Software Discovery Local Email Collection Mail Protocols CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Visual Basic DLL Side-Loading Domain Policy Modification CONTRIBUTE A TEST Direct Volume Access LSA Secrets System Checks Man in the Browser CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Service Stop
Windows Command Shell Default Accounts Domain Trust Modification CONTRIBUTE A TEST Disable Windows Event Logging LSASS Memory System Information Discovery Man-in-the-Middle CONTRIBUTE A TEST Multi-hop Proxy CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Windows Management Instrumentation Domain Account Dynamic-link Library Injection Disable or Modify System Firewall Man-in-the-Middle CONTRIBUTE A TEST System Location Discovery CONTRIBUTE A TEST Remote Data Staging CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST System Shutdown/Reboot
Domain Accounts CONTRIBUTE A TEST Escape to Host CONTRIBUTE A TEST Disable or Modify Tools Modify Authentication Process CONTRIBUTE A TEST System Network Configuration Discovery Remote Email Collection CONTRIBUTE A TEST Non-Application Layer Protocol Transmitted Data Manipulation CONTRIBUTE A TEST
Domain Controller Authentication CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST NTDS System Network Connections Discovery Screen Capture Non-Standard Encoding CONTRIBUTE A TEST
Event Triggered Execution CONTRIBUTE A TEST Executable Installer File Permissions Weakness CONTRIBUTE A TEST Domain Controller Authentication CONTRIBUTE A TEST Network Sniffing System Owner/User Discovery Sharepoint CONTRIBUTE A TEST Non-Standard Port
Exchange Email Delegate Permissions CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Domain Policy Modification CONTRIBUTE A TEST OS Credential Dumping System Service Discovery Video Capture CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Extra Window Memory Injection CONTRIBUTE A TEST Domain Trust Modification CONTRIBUTE A TEST Password Cracking System Time Discovery Web Portal Capture CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
External Remote Services Group Policy Modification CONTRIBUTE A TEST Dynamic-link Library Injection Password Filter DLL Time Based Evasion CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Environmental Keying CONTRIBUTE A TEST Password Guessing User Activity Based Checks CONTRIBUTE A TEST Protocol Tunneling CONTRIBUTE A TEST
Hypervisor CONTRIBUTE A TEST Image File Execution Options Injection Executable Installer File Permissions Weakness CONTRIBUTE A TEST Password Managers CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST Proxy CONTRIBUTE A TEST
Image File Execution Options Injection LSASS Driver CONTRIBUTE A TEST Execution Guardrails CONTRIBUTE A TEST Password Spraying Remote Access Software
LSASS Driver CONTRIBUTE A TEST Local Accounts Exploitation for Defense Evasion CONTRIBUTE A TEST Private Keys Standard Encoding CONTRIBUTE A TEST
Local Account Logon Script (Windows) Extra Window Memory Injection CONTRIBUTE A TEST SAML Tokens CONTRIBUTE A TEST Steganography CONTRIBUTE A TEST
Local Accounts Make and Impersonate Token CONTRIBUTE A TEST File Deletion Security Account Manager Symmetric Cryptography CONTRIBUTE A TEST
Logon Script (Windows) Netsh Helper DLL File and Directory Permissions Modification CONTRIBUTE A TEST Silver Ticket CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST
Modify Authentication Process CONTRIBUTE A TEST Network Logon Script CONTRIBUTE A TEST Group Policy Modification CONTRIBUTE A TEST Steal Web Session Cookie CONTRIBUTE A TEST Web Protocols
Netsh Helper DLL Parent PID Spoofing Hidden File System CONTRIBUTE A TEST Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Network Logon Script CONTRIBUTE A TEST Path Interception CONTRIBUTE A TEST Hidden Files and Directories Two-Factor Authentication Interception CONTRIBUTE A TEST
Office Application Startup Path Interception by PATH Environment Variable CONTRIBUTE A TEST Hidden Window Unsecured Credentials CONTRIBUTE A TEST
Office Template Macros CONTRIBUTE A TEST Path Interception by Search Order Hijacking CONTRIBUTE A TEST Hide Artifacts Web Cookies CONTRIBUTE A TEST
Office Test Path Interception by Unquoted Path Hijack Execution Flow CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST
Outlook Forms CONTRIBUTE A TEST Port Monitors Impair Command History Logging CONTRIBUTE A TEST Windows Credential Manager CONTRIBUTE A TEST
Outlook Home Page Portable Executable Injection CONTRIBUTE A TEST Impair Defenses CONTRIBUTE A TEST
Outlook Rules CONTRIBUTE A TEST PowerShell Profile Indicator Blocking CONTRIBUTE A TEST
Password Filter DLL Print Processors CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST
Path Interception CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST Indicator Removal on Host
Path Interception by PATH Environment Variable CONTRIBUTE A TEST Process Hollowing Indirect Command Execution
Path Interception by Search Order Hijacking CONTRIBUTE A TEST Process Injection Install Root Certificate
Path Interception by Unquoted Path Registry Run Keys / Startup Folder InstallUtil
Port Knocking CONTRIBUTE A TEST SID-History Injection CONTRIBUTE A TEST Invalid Code Signature CONTRIBUTE A TEST
Port Monitors Scheduled Task Local Accounts
PowerShell Profile Scheduled Task/Job CONTRIBUTE A TEST MSBuild
Pre-OS Boot CONTRIBUTE A TEST Screensaver Make and Impersonate Token CONTRIBUTE A TEST
Print Processors CONTRIBUTE A TEST Security Support Provider Mark-of-the-Web Bypass CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST Services File Permissions Weakness CONTRIBUTE A TEST Masquerade Task or Service
Registry Run Keys / Startup Folder Services Registry Permissions Weakness Masquerading
SQL Stored Procedures CONTRIBUTE A TEST Shortcut Modification Match Legitimate Name or Location CONTRIBUTE A TEST
Scheduled Task Thread Execution Hijacking CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST
Scheduled Task/Job CONTRIBUTE A TEST Thread Local Storage CONTRIBUTE A TEST Modify Registry
Screensaver Time Providers CONTRIBUTE A TEST Mshta
Security Support Provider Token Impersonation/Theft Msiexec
Server Software Component CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST NTFS File Attributes
Services File Permissions Weakness CONTRIBUTE A TEST Windows Management Instrumentation Event Subscription Network Share Connection Removal
Services Registry Permissions Weakness Windows Service Obfuscated Files or Information
Shortcut Modification Winlogon Helper DLL Odbcconf
System Firmware CONTRIBUTE A TEST Parent PID Spoofing
Time Providers CONTRIBUTE A TEST Pass the Hash
Traffic Signaling CONTRIBUTE A TEST Pass the Ticket
Transport Agent Password Filter DLL
Valid Accounts CONTRIBUTE A TEST Path Interception by PATH Environment Variable CONTRIBUTE A TEST
Web Shell Path Interception by Search Order Hijacking CONTRIBUTE A TEST
Windows Management Instrumentation Event Subscription Path Interception by Unquoted Path
Windows Service Port Knocking CONTRIBUTE A TEST
Winlogon Helper DLL Portable Executable Injection CONTRIBUTE A TEST
Pre-OS Boot CONTRIBUTE A TEST
Process Doppelgänging CONTRIBUTE A TEST
Process Hollowing
Process Injection
PubPrn
Redundant Access CONTRIBUTE A TEST
Regsvcs/Regasm
Regsvr32
Rename System Utilities
Right-to-Left Override CONTRIBUTE A TEST
Rogue Domain Controller
Rootkit
Run Virtual Instance CONTRIBUTE A TEST
Rundll32
SID-History Injection CONTRIBUTE A TEST
SIP and Trust Provider Hijacking CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST
Services Registry Permissions Weakness
Signed Binary Proxy Execution
Signed Script Proxy Execution
Software Packing CONTRIBUTE A TEST
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
System Checks
System Firmware CONTRIBUTE A TEST
Template Injection
Thread Execution Hijacking CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Token Impersonation/Theft
Traffic Signaling CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
Use Alternate Authentication Material CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
VBA Stomping CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Verclsid CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Windows File and Directory Permissions Modification
XSL Script Processing