| 3CX Supply Chain Attack |
Compromise Software Supply Chain |
Initial Access |
| APT29 Diplomatic Deceptions with WINELOADER |
DLL Side-Loading, Boot or Logon Autostart Execution |
Persistence |
| Active Directory Discovery |
Permission Groups Discovery, Local Groups |
Discovery |
| Active Directory Kerberos Attacks |
Password Spraying, Brute Force |
Credential Access |
| Active Directory Lateral Movement |
Remote Services, Windows Remote Management |
Lateral Movement |
| Active Directory Password Spraying |
Password Spraying, Brute Force |
Credential Access |
| Active Directory Privilege Escalation |
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery |
Discovery |
| Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 |
Exploit Public-Facing Application |
Initial Access |
| Atlassian Confluence Server and Data Center CVE-2022-26134 |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Azure Active Directory Account Takeover |
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying |
Resource Development |
| Azure Active Directory Privilege Escalation |
Account Manipulation |
Persistence |
| BITS Jobs |
BITS Jobs, Ingress Tool Transfer |
Defense Evasion |
| Baron Samedit CVE-2021-3156 |
Exploitation for Privilege Escalation |
Privilege Escalation |
| BishopFox Sliver Adversary Emulation Framework |
System Services, Service Execution |
Execution |
| BlackLotus Campaign |
Bootkit |
Persistence |
| Brute Ratel C4 |
Service Stop |
Impact |
| CISA AA22-257A |
Protocol Tunneling, SSH |
Command And Control |
| CISA AA22-264A |
Exploitation for Privilege Escalation |
Privilege Escalation |
| CISA AA22-277A |
System Network Configuration Discovery, Internet Connection Discovery |
Discovery |
| CISA AA22-320A |
Windows Service, Create or Modify System Process |
Persistence |
| CISA AA23-347A |
Windows Management Instrumentation |
Execution |
| CVE-2022-40684 Fortinet Appliance Auth bypass |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| CVE-2023-21716 Word RTF Heap Corruption |
Phishing, Spearphishing Attachment |
Initial Access |
| CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server |
Exploit Public-Facing Application |
Initial Access |
| CVE-2023-23397 Outlook Elevation of Privilege |
Exfiltration Over Unencrypted Non-C2 Protocol |
Exfiltration |
| CVE-2023-36884 Office and Windows HTML RCE Vulnerability |
Phishing, Spearphishing Attachment |
Initial Access |
| Caddy Wiper |
Disk Structure Wipe, Disk Wipe |
Impact |
| Cisco IOS XE Software Web Management User Interface vulnerability |
Exploit Public-Facing Application |
Initial Access |
| Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 |
Exploit Public-Facing Application |
Initial Access |
| Citrix Netscaler ADC CVE-2023-3519 |
Exploit Public-Facing Application |
Initial Access |
| Citrix ShareFile RCE CVE-2023-24489 |
Server Software Component, Web Shell |
Persistence |
| Cobalt Strike |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Defense Evasion |
| Collection and Staging |
Masquerading |
Defense Evasion |
| Command And Control |
Remote Access Software |
Command And Control |
| Compromised User Account |
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration |
Credential Access |
| Confluence Data Center and Confluence Server Vulnerabilities |
Server Software Component, Exploit Public-Facing Application, External Remote Services |
Persistence |
| ConnectWise ScreenConnect Vulnerabilities |
Exploit Public-Facing Application |
Initial Access |
| Credential Dumping |
NTDS, OS Credential Dumping |
Credential Access |
| DNS Hijacking |
Domain Generation Algorithms |
Command And Control |
| DarkGate Malware |
Command and Scripting Interpreter |
Execution |
| Data Exfiltration |
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol |
Exfiltration |
| Deobfuscate-Decode Files or Information |
Deobfuscate/Decode Files or Information |
Defense Evasion |
| Detect Zerologon Attack |
LSASS Memory, OS Credential Dumping |
Credential Access |
| Disabling Security Tools |
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter |
Defense Evasion |
| Domain Trust Discovery |
Remote System Discovery |
Discovery |
| Double Zero Destructor |
Disable or Modify Tools, Impair Defenses |
Defense Evasion |
| F5 Authentication Bypass with TMUI |
None |
None |
| F5 BIG-IP Vulnerability CVE-2022-1388 |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| F5 TMUI RCE CVE-2020-5902 |
Exploit Public-Facing Application |
Initial Access |
| Flax Typhoon |
System Services, Service Execution |
Execution |
| Forest Blizzard |
Ingress Tool Transfer |
Command And Control |
| Fortinet FortiNAC CVE-2022-39952 |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Graceful Wipe Out Attack |
Service Stop |
Impact |
| HAFNIUM Group |
Automated Exfiltration |
Exfiltration |
| Hermetic Wiper |
Disk Structure Wipe, Disk Wipe |
Impact |
| IIS Components |
Server Software Component, IIS Components |
Persistence |
| Ingress Tool Transfer |
Automated Exfiltration |
Exfiltration |
| Insider Threat |
Password Spraying, Brute Force |
Credential Access |
| Ivanti Connect Secure VPN Vulnerabilities |
Exploit Public-Facing Application |
Initial Access |
| Ivanti EPMM Remote Unauthenticated Access |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Ivanti Sentry Authentication Bypass CVE-2023-38035 |
Exploit Public-Facing Application |
Initial Access |
| Jenkins Server Vulnerabilities |
Exploit Public-Facing Application |
Initial Access |
| JetBrains TeamCity Unauthenticated RCE |
Exploit Public-Facing Application |
Initial Access |
| JetBrains TeamCity Vulnerabilities |
Exploit Public-Facing Application |
Initial Access |
| Juniper JunOS Remote Code Execution |
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter |
Initial Access |
| Linux Living Off The Land |
Ingress Tool Transfer |
Command And Control |
| Linux Persistence Techniques |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Privilege Escalation |
| Linux Post-Exploitation |
Unix Shell |
Execution |
| Linux Privilege Escalation |
Exploitation for Privilege Escalation |
Privilege Escalation |
| Linux Rootkit |
System Information Discovery, Rootkit |
Discovery |
| Living Off The Land |
Trusted Developer Utilities Proxy Execution, MSBuild |
Defense Evasion |
| Log4Shell CVE-2021-44228 |
Automated Exfiltration |
Exfiltration |
| MOVEit Transfer Critical Vulnerability |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Malicious PowerShell |
Automated Exfiltration |
Exfiltration |
| Masquerading - Rename System Utilities |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Defense Evasion |
| MetaSploit |
Command and Scripting Interpreter |
Execution |
| Meterpreter |
Command and Scripting Interpreter |
Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 |
System Binary Proxy Execution, Rundll32 |
Defense Evasion |
| Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 |
Exploitation for Privilege Escalation |
Privilege Escalation |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 |
Phishing, Spearphishing Attachment |
Initial Access |
| NOBELIUM Group |
System Binary Proxy Execution, Mshta |
Defense Evasion |
| Office 365 Account Takeover |
Steal Application Access Token |
Credential Access |
| Office 365 Collection Techniques |
Email Forwarding Rule, Email Collection |
Collection |
| Office 365 Persistence Mechanisms |
Account Manipulation, Additional Cloud Roles |
Persistence |
| Okta Account Takeover |
Cloud Accounts |
Resource Development |
| Okta MFA Exhaustion |
Brute Force |
Credential Access |
| OpenSSL CVE-2022-3602 |
Encrypted Channel |
Command And Control |
| Outlook RCE CVE-2024-21378 |
Phishing |
Initial Access |
| PaperCut MF NG Vulnerability |
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services |
Execution |
| PetitPotam NTLM Relay on Active Directory Certificate Services |
OS Credential Dumping |
Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns |
Automated Exfiltration |
Exfiltration |
| Prestige Ransomware |
Windows Management Instrumentation |
Execution |
| ProxyNotShell |
Command and Scripting Interpreter, PowerShell |
Execution |
| ProxyShell |
Command and Scripting Interpreter, PowerShell |
Execution |
| Reverse Network Proxy |
Protocol Tunneling, Proxy, Web Service |
Command And Control |
| SQL Injection |
Exploit Public-Facing Application |
Initial Access |
| Sandworm Tools |
System Shutdown/Reboot |
Impact |
| Scheduled Tasks |
Scheduled Task, Scheduled Task/Job |
Execution |
| Signed Binary Proxy Execution InstallUtil |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Defense Evasion |
| Silver Sparrow |
Data Staged |
Collection |
| Snake Keylogger |
Malicious File, User Execution |
Execution |
| Snake Malware |
Kernel Modules and Extensions, Service Execution |
Persistence |
| Sneaky Active Directory Persistence Tricks |
Security Support Provider, Boot or Logon Autostart Execution |
Persistence |
| Spearphishing Attachments |
Phishing, Spearphishing Attachment |
Initial Access |
| Spring4Shell CVE-2022-22965 |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Subvert Trust Controls SIP and Trust Provider Hijacking |
SIP and Trust Provider Hijacking |
Defense Evasion |
| Suspicious Command-Line Executions |
Masquerading, Rename System Utilities |
Defense Evasion |
| Suspicious Compiled HTML Activity |
Compiled HTML File, System Binary Proxy Execution |
Defense Evasion |
| Suspicious DNS Traffic |
Exfiltration Over Alternative Protocol |
Exfiltration |
| Suspicious Emails |
Spearphishing Attachment, Phishing |
Initial Access |
| Suspicious MSHTA Activity |
System Binary Proxy Execution, Mshta |
Defense Evasion |
| Suspicious Okta Activity |
Brute Force |
Credential Access |
| Suspicious Regsvcs Regasm Activity |
System Binary Proxy Execution, Regsvcs/Regasm |
Defense Evasion |
| Suspicious Regsvr32 Activity |
System Binary Proxy Execution, Regsvr32 |
Defense Evasion |
| Suspicious Rundll32 Activity |
NTDS, OS Credential Dumping |
Credential Access |
| Suspicious WMI Use |
XSL Script Processing |
Defense Evasion |
| Suspicious Windows Registry Activities |
Services Registry Permissions Weakness |
Persistence |
| Suspicious Zoom Child Processes |
Exploitation for Privilege Escalation |
Privilege Escalation |
| Swift Slicer |
Data Destruction |
Impact |
| SysAid On-Prem Software CVE-2023-47246 Vulnerability |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Text4Shell CVE-2022-42889 |
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services |
Persistence |
| Trusted Developer Utilities Proxy Execution |
Trusted Developer Utilities Proxy Execution |
Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild |
Trusted Developer Utilities Proxy Execution, MSBuild |
Defense Evasion |
| VMware Aria Operations vRealize CVE-2023-20887 |
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation |
Persistence |
| VMware Server Side Injection and Privilege Escalation |
Exploit Public-Facing Application, External Remote Services |
Initial Access |
| Volt Typhoon |
Windows Management Instrumentation |
Execution |
| WS FTP Server Critical Vulnerabilities |
IIS Components, Server Software Component |
Persistence |
| Warzone RAT |
DLL Side-Loading |
Persistence |
| WhisperGate |
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation |
Defense Evasion |
| WinRAR Spoofing Attack CVE-2023-38831 |
Ingress Tool Transfer |
Command And Control |
| Windows BootKits |
Pre-OS Boot, Registry Run Keys / Startup Folder |
Defense Evasion |
| Windows Certificate Services |
Steal or Forge Authentication Certificates |
Credential Access |
| Windows DNS SIGRed CVE-2020-1350 |
Exploitation for Client Execution |
Execution |
| Windows Defense Evasion Tactics |
Abuse Elevation Control Mechanism, Bypass User Account Control |
Privilege Escalation |
| Windows Discovery Techniques |
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery |
Discovery |
| Windows Drivers |
Windows Service |
Persistence |
| Windows Error Reporting Service Elevation of Privilege Vulnerability |
Process Injection |
Defense Evasion |
| Windows Log Manipulation |
Indicator Removal, Clear Windows Event Logs |
Defense Evasion |
| Windows Persistence Techniques |
Services Registry Permissions Weakness |
Persistence |
| Windows Post-Exploitation |
Windows Management Instrumentation |
Execution |
| Windows Privilege Escalation |
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation |
Privilege Escalation |
| Windows System Binary Proxy Execution MSIExec |
Msiexec |
Defense Evasion |
| WordPress Vulnerabilities |
Exploit Public-Facing Application |
Initial Access |
| Zscaler Browser Proxy Threats |
Phishing |
Initial Access |