Adversary Tactics

| Name | Technique | Tactic |
| --- | --- | --- |
| Active Directory Discovery | Local Groups | Discovery |
| Active Directory Password Spraying | Password Spraying | Credential Access |
| BITS Jobs | BITS Jobs | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| Cobalt Strike | MSBuild, Rename System Utilities | Defense Evasion |
| Collection and Staging | Masquerading | Defense Evasion |
| Command and Control | Web Protocols | Command And Control |
| Credential Dumping | PowerShell | Execution |
| DNS Hijacking | Drive-by Compromise | Initial Access |
| Data Exfiltration | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | Exploit Public-Facing Application | Initial Access |
| Disabling Security Tools | Disable or Modify Tools | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| HAFNIUM Group | Web Shell | Persistence |
| Ingress Tool Transfer | Ingress Tool Transfer | Command And Control |
| Lateral Movement | Scheduled Task | Execution |
| Malicious PowerShell | Gather Victim Host Information | Reconnaissance |
| Masquerading - Rename System Utilities | Rename System Utilities | Defense Evasion |
| Meterpreter | System Owner/User Discovery | Discovery |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | Rundll32 | Defense Evasion |
| NOBELIUM Group | Remote System Discovery | Discovery |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Registry Run Keys / Startup Folder | Persistence |
| ProxyShell | Web Shell | Persistence |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| Silver Sparrow | Data Staged | Collection |
| Spearphishing Attachments | Spearphishing Attachment | Initial Access |
| Suspicious Command-Line Executions | Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Compiled HTML File | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment | Initial Access |
| Suspicious MSHTA Activity | Mshta | Defense Evasion |
| Suspicious Okta Activity | Default Accounts | Defense Evasion |
| Suspicious Regsvcs Regasm Activity | Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | Rundll32 | Defense Evasion |
| Suspicious WMI Use | Windows Management Instrumentation | Execution |
| Suspicious Windows Registry Activities | Application Shimming | Privilege Escalation |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | MSBuild, Rename System Utilities | Defense Evasion |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Disable or Modify Tools | Defense Evasion |
| Windows Discovery Techniques | Create or Modify System Process, Process Injection, Hijack Execution Flow | Persistence |
| Windows Log Manipulation | Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Scheduled Task | Execution |
| Windows Privilege Escalation | Image File Execution Options Injection | Privilege Escalation |