| Analytic Story | ATT&CK Techniques | Tactic |
|---|---|---|
| 3CX Supply Chain Attack | Compromise Software Supply Chain | Initial Access |
| APT29 Diplomatic Deceptions with WINELOADER | DLL Side-Loading, Boot or Logon Autostart Execution | Persistence |
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS Defense Evasion | Impair Defenses, Disable or Modify Cloud Logs | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Identity and Access Management Account Takeover | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Accounts | Defense Evasion |
| Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | User Execution | Execution |
| AcidPour | Data Destruction, File Deletion, Indicator Removal | Impact |
| AcidRain | Data Destruction, File Deletion, Indicator Removal | Impact |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Kerberos Attacks | Password Spraying, Brute Force | Credential Access |
| Active Directory Lateral Movement | Remote Services, Windows Remote Management | Lateral Movement |
| Active Directory Password Spraying | Brute Force, Password Spraying | Credential Access |
| Active Directory Privilege Escalation | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | Discovery |
| Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | Exploit Public-Facing Application | Initial Access |
| AgentTesla | Spearphishing Attachment, Phishing | Initial Access |
| Amadey | PowerShell, Command and Scripting Interpreter | Execution |
| Apache Struts Vulnerability | System Information Discovery | Discovery |
| Asset Tracking | None | None |
| AsyncRAT | Spearphishing Attachment, Phishing | Initial Access |
| Atlassian Confluence Server and Data Center CVE-2022-26134 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| AwfulShred | Unix Shell, Command and Scripting Interpreter | Execution |
| Azorult | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Azure Active Directory Account Takeover | Malicious File, User Execution | Execution |
| Azure Active Directory Persistence | Account Manipulation, Valid Accounts | Persistence |
| Azure Active Directory Privilege Escalation | Account Manipulation, Additional Cloud Roles | Persistence |
| BITS Jobs | BITS Jobs, Ingress Tool Transfer | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BishopFox Sliver Adversary Emulation Framework | System Services, Service Execution | Execution |
| BlackByte Ransomware | Windows Service | Persistence |
| BlackLotus Campaign | Bootkit | Persistence |
| BlackMatter Ransomware | Domain Account, Account Discovery | Discovery |
| BlackSuit Ransomware | Remote Desktop Protocol, Remote Services | Lateral Movement |
| Brand Monitoring | None | None |
| Brute Ratel C4 | Service Stop | Impact |
| CISA AA22-257A | Protocol Tunneling, SSH | Command And Control |
| CISA AA22-264A | Exploitation for Privilege Escalation | Privilege Escalation |
| CISA AA22-277A | System Network Configuration Discovery, Internet Connection Discovery | Discovery |
| CISA AA22-320A | Windows Service, Create or Modify System Process | Persistence |
| CISA AA23-347A | Windows Management Instrumentation | Execution |
| CISA AA24-241A | Remote Services, Windows Remote Management | Lateral Movement |
| CVE-2022-40684 Fortinet Appliance Auth bypass | Exploit Public-Facing Application, External Remote Services | Initial Access |
| CVE-2023-21716 Word RTF Heap Corruption | Phishing, Spearphishing Attachment | Initial Access |
| CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | Exploit Public-Facing Application | Initial Access |
| CVE-2023-23397 Outlook Elevation of Privilege | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| CVE-2023-36884 Office and Windows HTML RCE Vulnerability | Phishing, Spearphishing Attachment | Initial Access |
| Caddy Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Chaos Ransomware | Malicious File, User Execution | Execution |
| Cisco IOS XE Software Web Management User Interface vulnerability | Exploit Public-Facing Application | Initial Access |
| Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | Exploit Public-Facing Application | Initial Access |
| Citrix Netscaler ADC CVE-2023-3519 | Exploit Public-Facing Application | Initial Access |
| Citrix ShareFile RCE CVE-2023-24489 | Server Software Component, Web Shell | Persistence |
| Clop Ransomware | System Services, Service Execution | Execution |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| ColdRoot MacOS RAT | None | None |
| Collection and Staging | Masquerading | Defense Evasion |
| Command And Control | Remote Access Software | Command And Control |
| Compromised Linux Host | System Owner/User Discovery | Discovery |
| Compromised User Account | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | Credential Access |
| Compromised Windows Host | Brute Force | Credential Access |
| Confluence Data Center and Confluence Server Vulnerabilities | Server Software Component, Exploit Public-Facing Application, External Remote Services | Persistence |
| ConnectWise ScreenConnect Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Credential Dumping | NTDS, OS Credential Dumping | Credential Access |
| CrushFTP Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Cyclops Blink | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| DHS Report TA18-074A | Modify Registry | Defense Evasion |
| DNS Amplification Attacks | Network Denial of Service, Reflection Amplification | Impact |
| DNS Hijacking | Domain Generation Algorithms | Command And Control |
| DarkCrystal RAT | Phishing, Spearphishing Attachment | Initial Access |
| DarkGate Malware | Command and Scripting Interpreter | Execution |
| DarkSide Ransomware | LSASS Memory, OS Credential Dumping | Credential Access |
| Data Destruction | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Data Exfiltration | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Data Protection | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | LSASS Memory, OS Credential Dumping | Credential Access |
| Dev Sec Ops | Malicious Image, User Execution | Execution |
| Disabling Security Tools | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| Double Zero Destructor | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Dynamic DNS | Exfiltration Over Alternative Protocol | Exfiltration |
| Emotet Malware DHS Report TA18-201A | Spearphishing Attachment, Phishing | Initial Access |
| F5 Authentication Bypass with TMUI | None | None |
| F5 BIG-IP Vulnerability CVE-2022-1388 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| FIN7 | XSL Script Processing | Defense Evasion |
| Flax Typhoon | System Services, Service Execution | Execution |
| Forest Blizzard | Ingress Tool Transfer | Command And Control |
| Fortinet FortiNAC CVE-2022-39952 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| GCP Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Resource Development |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| Gomir | Systemd Timers, Scheduled Task/Job | Execution |
| Gozi Malware | Spearphishing Attachment, Phishing | Initial Access |
| Graceful Wipe Out Attack | Service Stop | Impact |
| HAFNIUM Group | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Handala Wiper | Data Destruction | Impact |
| Hermetic Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Hidden Cobra Malware | SMB/Windows Admin Shares, Remote Services | Lateral Movement |
| IIS Components | Server Software Component, IIS Components | Persistence |
| IcedID | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Industroyer2 | Domain Account, Account Discovery | Discovery |
| Information Sabotage | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Ingress Tool Transfer | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Insider Threat | Password Spraying, Brute Force | Credential Access |
| Ivanti Connect Secure VPN Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Ivanti EPM Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Ivanti EPMM Remote Unauthenticated Access | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Ivanti Sentry Authentication Bypass CVE-2023-38035 | Exploit Public-Facing Application | Initial Access |
| Ivanti Virtual Traffic Manager CVE-2024-7593 | Exploit Public-Facing Application | Initial Access |
| JBoss Vulnerability | System Information Discovery, External Remote Services | Discovery |
| Jenkins Server Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| JetBrains TeamCity Unauthenticated RCE | Exploit Public-Facing Application | Initial Access |
| JetBrains TeamCity Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Juniper JunOS Remote Code Execution | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | Initial Access |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Security | User Execution | Execution |
| Kubernetes Sensitive Object Access Activity | None | None |
| Linux Living Off The Land | Ingress Tool Transfer | Command And Control |
| Linux Persistence Techniques | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Privilege Escalation |
| Linux Post-Exploitation | Unix Shell | Execution |
| Linux Privilege Escalation | Exploitation for Privilege Escalation | Privilege Escalation |
| Linux Rootkit | System Information Discovery, Rootkit | Discovery |
| Living Off The Land | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Local Privilege Escalation With KrbRelayUp | Windows Service | Persistence |
| LockBit Ransomware | Modify Registry | Defense Evasion |
| Log4Shell CVE-2021-44228 | Automated Exfiltration | Exfiltration |
| MOVEit Transfer Authentication Bypass | Exploit Public-Facing Application | Initial Access |
| MOVEit Transfer Critical Vulnerability | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Malicious PowerShell | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Masquerading - Rename System Utilities | Masquerading, Match Legitimate Name or Location, Rundll32 | Defense Evasion |
| MetaSploit | Command and Scripting Interpreter | Execution |
| Meterpreter | Command and Scripting Interpreter | Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | Exploitation for Privilege Escalation | Privilege Escalation |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | Phishing, Spearphishing Attachment | Initial Access |
| Monitor for Updates | None | None |
| MoonPeak | System Shutdown/Reboot | Impact |
| NOBELIUM Group | System Binary Proxy Execution, Mshta | Defense Evasion |
| Netsh Abuse | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Defense Evasion |
| Network Discovery | Network Share Discovery, Data from Network Shared Drive | Discovery |
| NjRAT | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Office 365 Account Takeover | Steal Application Access Token | Credential Access |
| Office 365 Collection Techniques | Email Forwarding Rule, Email Collection | Collection |
| Office 365 Persistence Mechanisms | Account Manipulation, Additional Cloud Roles | Persistence |
| Okta Account Takeover | Cloud Accounts | Resource Development |
| Okta MFA Exhaustion | Brute Force | Credential Access |
| OpenSSL CVE-2022-3602 | Encrypted Channel | Command And Control |
| Orangeworm Attack Group | Windows Service, Create or Modify System Process | Persistence |
| Outlook RCE CVE-2024-21378 | Phishing | Initial Access |
| PaperCut MF NG Vulnerability | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | Execution |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Phemedrone Stealer | IP Addresses, Gather Victim Network Information | Reconnaissance |
| PlugX | DLL Side-Loading, Hijack Execution Flow | Persistence |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Automated Exfiltration | Exfiltration |
| Prestige Ransomware | Windows Management Instrumentation | Execution |
| PrintNightmare CVE-2021-34527 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Prohibited Traffic Allowed or Protocol Mismatch | Proxy, Multi-hop Proxy | Command And Control |
| ProxyNotShell | Command and Scripting Interpreter, PowerShell | Execution |
| ProxyShell | Command and Scripting Interpreter, PowerShell | Execution |
| Qakbot | Windows Management Instrumentation | Execution |
| Ransomware | Remote Access Software | Command And Control |
| Ransomware Cloud | Malicious File, User Execution | Execution |
| RedLine Stealer | Service Stop | Impact |
| Remcos | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Reverse Network Proxy | Protocol Tunneling, Proxy, Web Service | Command And Control |
| Revil Ransomware | System Binary Proxy Execution, CMSTP | Defense Evasion |
| Rhysida Ransomware | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Router and Infrastructure Security | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | Initial Access |
| Ryuk Ransomware | Windows Command Shell | Execution |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| SamSam Ransomware | Data Encrypted for Impact | Impact |
| Sandworm Tools | System Shutdown/Reboot | Impact |
| Scheduled Tasks | Scheduled Task, Scheduled Task/Job | Execution |
| ShrinkLocker | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Signed Binary Proxy Execution InstallUtil | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Silver Sparrow | Data Staged | Collection |
| Snake Keylogger | Malicious File, User Execution | Execution |
| Snake Malware | Kernel Modules and Extensions, Service Execution | Persistence |
| Sneaky Active Directory Persistence Tricks | Security Support Provider, Boot or Logon Autostart Execution | Persistence |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Splunk Vulnerabilities | Drive-by Compromise | Initial Access |
| Spring4Shell CVE-2022-22965 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Subvert Trust Controls SIP and Trust Provider Hijacking | SIP and Trust Provider Hijacking | Defense Evasion |
| Suspicious AWS Login Activities | Cloud Accounts | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Suspicious Cloud Instance Activities | Cloud Accounts, Valid Accounts | Defense Evasion |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Modify Cloud Compute Configurations | Defense Evasion |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Compiled HTML File, System Binary Proxy Execution | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious GCP Storage Activities | Data from Cloud Storage | Collection |
| Suspicious MSHTA Activity | System Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Brute Force | Credential Access |
| Suspicious Regsvcs Regasm Activity | System Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | System Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | NTDS, OS Credential Dumping | Credential Access |
| Suspicious WMI Use | XSL Script Processing | Defense Evasion |
| Suspicious Windows Registry Activities | Services Registry Permissions Weakness | Persistence |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Swift Slicer | Data Destruction | Impact |
| SysAid On-Prem Software CVE-2023-47246 Vulnerability | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Text4Shell CVE-2022-42889 | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services | Persistence |
| Trickbot | Command and Scripting Interpreter | Execution |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Unusual Processes | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Use of Cleartext Protocols | None | None |
| VMware Aria Operations vRealize CVE-2023-20887 | External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation | Persistence |
| VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 | Local Account, Domain Account | Persistence |
| VMware Server Side Injection and Privilege Escalation | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Volt Typhoon | Windows Management Instrumentation | Execution |
| WS FTP Server Critical Vulnerabilities | IIS Components, Server Software Component | Persistence |
| Warzone RAT | DLL Side-Loading | Persistence |
| WhisperGate | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| WinRAR Spoofing Attack CVE-2023-38831 | Ingress Tool Transfer | Command And Control |
| Windows AppLocker | System Binary Proxy Execution | Defense Evasion |
| Windows Attack Surface Reduction | Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter | Initial Access |
| Windows BootKits | Pre-OS Boot, Registry Run Keys / Startup Folder | Defense Evasion |
| Windows Certificate Services | Steal or Forge Authentication Certificates | Credential Access |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Abuse Elevation Control Mechanism, Bypass User Account Control | Privilege Escalation |
| Windows Discovery Techniques | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Discovery |
| Windows Drivers | Windows Service | Persistence |
| Windows Error Reporting Service Elevation of Privilege Vulnerability | Process Injection | Defense Evasion |
| Windows File Extension and Association Abuse | Change Default File Association | Privilege Escalation |
| Windows Log Manipulation | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Services Registry Permissions Weakness | Persistence |
| Windows Post-Exploitation | Windows Management Instrumentation | Execution |
| Windows Privilege Escalation | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | Privilege Escalation |
| Windows Registry Abuse | Services Registry Permissions Weakness | Persistence |
| Windows Service Abuse | Windows Service, Create or Modify System Process | Persistence |
| Windows System Binary Proxy Execution MSIExec | Msiexec | Defense Evasion |
| Winter Vivern | Screen Capture | Collection |
| WordPress Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| XMRig | Windows Service, Create or Modify System Process | Persistence |
| Zscaler Browser Proxy Threats | Phishing | Initial Access |
| sAMAccountName Spoofing and Domain Controller Impersonation | Valid Accounts, Domain Accounts | Defense Evasion |