Adversary Tactics

| Name | Technique | Tactic |
| --- | --- | --- |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| BITS Jobs | BITS Jobs | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| Collection and Staging | Masquerading | Defense Evasion |
| Command and Control | Application Layer Protocol, Web Protocols | Command And Control |
| Credential Dumping | Command and Scripting Interpreter, PowerShell | Execution |
| DNS Hijacking | Drive-by Compromise | Initial Access |
| Data Exfiltration | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | Exploit Public-Facing Application | Initial Access |
| Disabling Security Tools | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| HAFNIUM Group | Server Software Component, Web Shell | Persistence |
| Ingress Tool Transfer | Ingress Tool Transfer | Command And Control |
| Lateral Movement | Kerberoasting | Credential Access |
| Malicious PowerShell | Gather Victim Host Information | Reconnaissance |
| Masquerading - Rename System Utilities | Masquerading, Rename System Utilities | Defense Evasion |
| Meterpreter | System Owner/User Discovery | Discovery |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | Signed Binary Proxy Execution, Rundll32 | Defense Evasion |
| NOBELIUM Group | Remote System Discovery | Discovery |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Persistence |
| ProxyShell | Server Software Component, Web Shell | Persistence |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| Silver Sparrow | Data Staged | Collection |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Signed Binary Proxy Execution, Compiled HTML File | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious MSHTA Activity | Signed Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Valid Accounts, Default Accounts | Defense Evasion |
| Suspicious Regsvcs Regasm Activity | Signed Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | Signed Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | Signed Binary Proxy Execution, Rundll32 | Defense Evasion |
| Suspicious WMI Use | Windows Management Instrumentation | Execution |
| Suspicious Windows Registry Activities | Application Shimming, Event Triggered Execution | Privilege Escalation |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Windows Discovery Techniques | Create or Modify System Process, Process Injection, Hijack Execution Flow | Persistence |
| Windows Log Manipulation | Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Scheduled Task | Execution |
| Windows Privilege Escalation | Time Providers, Boot or Logon Autostart Execution | Persistence |