| Name | Techniques | Tactic |
|---|---|---|
| 3CX Supply Chain Attack | Compromise Software Supply Chain | Initial Access |
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS Defense Evasion | Impair Defenses, Disable Cloud Logs | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Identity and Access Management Account Takeover | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Accounts | Defense Evasion |
| AcidRain | Data Destruction, File Deletion, Indicator Removal | Impact |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Kerberos Attacks | Password Spraying, Brute Force | Credential Access |
| Active Directory Lateral Movement | Remote Services, Windows Remote Management | Lateral Movement |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| Active Directory Privilege Escalation | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | Discovery |
| AgentTesla | Spearphishing Attachment, Phishing | Initial Access |
| Apache Struts Vulnerability | System Information Discovery | Discovery |
| Asset Tracking | None | None |
| AsyncRAT | Spearphishing Attachment, Phishing | Initial Access |
| Atlassian Confluence Server and Data Center CVE-2022-26134 | Exploit Public-Facing Application | Initial Access |
| AwfulShred | Unix Shell, Command and Scripting Interpreter | Execution |
| Azorult | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Azure Active Directory Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | Resource Development |
| Azure Active Directory Persistence | Valid Accounts, Cloud Accounts | Defense Evasion |
| Azure Active Directory Privilege Escalation | Account Manipulation | Persistence |
| BITS Jobs | BITS Jobs, Ingress Tool Transfer | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BishopFox Sliver Adversary Emulation Framework | System Services, Service Execution | Execution |
| BlackLotus Campaign | Bootkit | Persistence |
| BlackMatter Ransomware | Data Encrypted for Impact | Impact |
| Brand Monitoring | None | None |
| Brute Ratel C4 | Service Stop | Impact |
| CISA AA22-257A | Protocol Tunneling, SSH | Command And Control |
| CISA AA22-264A | Exploitation for Privilege Escalation | Privilege Escalation |
| CISA AA22-277A | System Network Configuration Discovery, Internet Connection Discovery | Discovery |
| CISA AA22-320A | Windows Service, Create or Modify System Process | Persistence |
| CVE-2022-40684 Fortinet Appliance Auth bypass | Exploit Public-Facing Application | Initial Access |
| CVE-2023-21716 Word RTF Heap Corruption | Phishing, Spearphishing Attachment | Initial Access |
| CVE-2023-23397 Outlook Elevation of Privilege | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| Caddy Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Chaos Ransomware | Malicious File, User Execution | Execution |
| Clop Ransomware | System Services, Service Execution | Execution |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| ColdRoot MacOS RAT | None | None |
| Collection and Staging | Masquerading | Defense Evasion |
| Command And Control | Remote Access Software | Command And Control |
| Compromised User Account | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Credential Dumping | NTDS, OS Credential Dumping | Credential Access |
| CyclopsBLink | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| DHS Report TA18-074A | Modify Registry | Defense Evasion |
| DNS Amplification Attacks | Network Denial of Service, Reflection Amplification | Impact |
| DNS Hijacking | Domain Generation Algorithms | Command And Control |
| DarkCrystal RAT | Phishing, Spearphishing Attachment | Initial Access |
| DarkSide Ransomware | LSASS Memory, OS Credential Dumping | Credential Access |
| Data Destruction | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Data Exfiltration | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Data Protection | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | LSASS Memory, OS Credential Dumping | Credential Access |
| Dev Sec Ops | Cloud Service Discovery | Discovery |
| Disabling Security Tools | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| Double Zero Destructor | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Dynamic DNS | Exfiltration Over Alternative Protocol | Exfiltration |
| Emotet Malware DHS Report TA18-201A | Spearphishing Attachment, Phishing | Initial Access |
| F5 BIG-IP Vulnerability CVE-2022-1388 | Exploit Public-Facing Application | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| FIN7 | XSL Script Processing | Defense Evasion |
| Fortinet FortiNAC CVE-2022-39952 | Exploit Public-Facing Application | Initial Access |
| GCP Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Resource Development |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| HAFNIUM Group | Automated Exfiltration | Exfiltration |
| Hermetic Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Hidden Cobra Malware | SMB/Windows Admin Shares, Remote Services | Lateral Movement |
| IIS Components | Server Software Component, IIS Components | Persistence |
| IcedID | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Industroyer2 | Domain Account, Account Discovery | Discovery |
| Information Sabotage | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Ingress Tool Transfer | Automated Exfiltration | Exfiltration |
| Insider Threat | Password Spraying, Brute Force | Credential Access |
| JBoss Vulnerability | System Information Discovery | Discovery |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Sensitive Object Access Activity | None | None |
| Linux Living Off The Land | Ingress Tool Transfer | Command And Control |
| Linux Persistence Techniques | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Privilege Escalation |
| Linux Post-Exploitation | Unix Shell | Execution |
| Linux Privilege Escalation | Exploitation for Privilege Escalation | Privilege Escalation |
| Linux Rootkit | System Information Discovery, Rootkit | Discovery |
| Living Off The Land | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Local Privilege Escalation With KrbRelayUp | Windows Service | Persistence |
| LockBit Ransomware | Modify Registry | Defense Evasion |
| Log4Shell CVE-2021-44228 | Automated Exfiltration | Exfiltration |
| Malicious PowerShell | Automated Exfiltration | Exfiltration |
| Masquerading - Rename System Utilities | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| MetaSploit | Command and Scripting Interpreter | Execution |
| Meterpreter | Command and Scripting Interpreter | Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | Phishing, Spearphishing Attachment | Initial Access |
| Monitor for Updates | None | None |
| NOBELIUM Group | System Binary Proxy Execution, Mshta | Defense Evasion |
| Netsh Abuse | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| Network Discovery | System Network Configuration Discovery | Discovery |
| Office 365 Detections | Email Forwarding Rule, Email Collection | Collection |
| Okta MFA Exhaustion | Brute Force | Credential Access |
| OpenSSL CVE-2022-3602 | Encrypted Channel | Command And Control |
| Orangeworm Attack Group | Windows Service, Create or Modify System Process | Persistence |
| PaperCut MF NG Vulnerability | Command and Scripting Interpreter, Exploit Public-Facing Application | Execution |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Automated Exfiltration | Exfiltration |
| Prestige Ransomware | Windows Management Instrumentation | Execution |
| PrintNightmare CVE-2021-34527 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Prohibited Traffic Allowed or Protocol Mismatch | Application Layer Protocol, Web Protocols | Command And Control |
| ProxyNotShell | Command and Scripting Interpreter, PowerShell | Execution |
| ProxyShell | Command and Scripting Interpreter, PowerShell | Execution |
| Qakbot | Windows Management Instrumentation | Execution |
| Ransomware | Remote Access Software | Command And Control |
| Ransomware Cloud | Data Encrypted for Impact | Impact |
| RedLine Stealer | Service Stop | Impact |
| Remcos | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Reverse Network Proxy | Protocol Tunneling, Proxy, Web Service | Command And Control |
| Revil Ransomware | System Binary Proxy Execution, CMSTP | Defense Evasion |
| Router and Infrastructure Security | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | Initial Access |
| Ryuk Ransomware | Windows Command Shell | Execution |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| SamSam Ransomware | Data Encrypted for Impact | Impact |
| Sandworm Tools | Steal or Forge Authentication Certificates | Credential Access |
| Signed Binary Proxy Execution InstallUtil | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Silver Sparrow | Data Staged | Collection |
| Snake Malware | Kernel Modules and Extensions, Service Execution | Persistence |
| Sneaky Active Directory Persistence Tricks | Security Support Provider, Boot or Logon Autostart Execution | Persistence |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Splunk Vulnerabilities | Drive-by Compromise | Initial Access |
| Spring4Shell CVE-2022-22965 | Exploit Public-Facing Application | Initial Access |
| Suspicious AWS Login Activities | Cloud Accounts | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Suspicious Cloud Instance Activities | Cloud Accounts, Valid Accounts | Defense Evasion |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Valid Accounts | Defense Evasion |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Compiled HTML File, System Binary Proxy Execution | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious GCP Storage Activities | Data from Cloud Storage | Collection |
| Suspicious MSHTA Activity | System Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Valid Accounts, Default Accounts | Defense Evasion |
| Suspicious Regsvcs Regasm Activity | System Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | System Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | NTDS, OS Credential Dumping | Credential Access |
| Suspicious WMI Use | XSL Script Processing | Defense Evasion |
| Suspicious Windows Registry Activities | Services Registry Permissions Weakness | Persistence |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Swift Slicer | Data Destruction | Impact |
| Text4Shell CVE-2022-42889 | Web Shell, Server Software Component, Exploit Public-Facing Application | Persistence |
| Trickbot | Command and Scripting Interpreter | Execution |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Unusual Processes | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Use of Cleartext Protocols | None | None |
| VMware Server Side Injection and Privilege Escalation | Exploit Public-Facing Application | Initial Access |
| Volt Typhoon | Windows Management Instrumentation | Execution |
| WhisperGate | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Windows BootKits | Pre-OS Boot, Registry Run Keys / Startup Folder | Defense Evasion |
| Windows Certificate Services | Steal or Forge Authentication Certificates | Credential Access |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | Defense Evasion |
| Windows Discovery Techniques | Permission Groups Discovery, Local Groups | Discovery |
| Windows Drivers | Windows Service | Persistence |
| Windows File Extension and Association Abuse | Change Default File Association | Privilege Escalation |
| Windows Log Manipulation | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Services Registry Permissions Weakness | Persistence |
| Windows Post-Exploitation | Windows Management Instrumentation | Execution |
| Windows Privilege Escalation | Malicious File | Execution |
| Windows Registry Abuse | Services Registry Permissions Weakness | Persistence |
| Windows Service Abuse | Windows Service, Create or Modify System Process | Persistence |
| Windows System Binary Proxy Execution MSIExec | Msiexec | Defense Evasion |
| Winter Vivern | Screen Capture | Collection |
| XMRig | Windows Service, Create or Modify System Process | Persistence |
| sAMAccountName Spoofing and Domain Controller Impersonation | Valid Accounts, Domain Accounts | Defense Evasion |