Adversary Tactics

| Name | Technique | Tactic |
| --- | --- | --- |
| 3CX Supply Chain Attack | Compromise Software Supply Chain | Initial Access |
| APT29 Diplomatic Deceptions with WINELOADER | DLL Side-Loading, Boot or Logon Autostart Execution | Persistence |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Kerberos Attacks | Password Spraying, Brute Force | Credential Access |
| Active Directory Lateral Movement | Remote Services, Windows Remote Management | Lateral Movement |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| Active Directory Privilege Escalation | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | Discovery |
| Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | Exploit Public-Facing Application | Initial Access |
| Atlassian Confluence Server and Data Center CVE-2022-26134 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Azure Active Directory Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | Resource Development |
| Azure Active Directory Privilege Escalation | Account Manipulation | Persistence |
| BITS Jobs | BITS Jobs, Ingress Tool Transfer | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BishopFox Sliver Adversary Emulation Framework | System Services, Service Execution | Execution |
| BlackLotus Campaign | Bootkit | Persistence |
| Brute Ratel C4 | Service Stop | Impact |
| CISA AA22-257A | Protocol Tunneling, SSH | Command And Control |
| CISA AA22-264A | Exploitation for Privilege Escalation | Privilege Escalation |
| CISA AA22-277A | System Network Configuration Discovery, Internet Connection Discovery | Discovery |
| CISA AA22-320A | Windows Service, Create or Modify System Process | Persistence |
| CISA AA23-347A | Windows Management Instrumentation | Execution |
| CVE-2022-40684 Fortinet Appliance Auth bypass | Exploit Public-Facing Application, External Remote Services | Initial Access |
| CVE-2023-21716 Word RTF Heap Corruption | Phishing, Spearphishing Attachment | Initial Access |
| CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | Exploit Public-Facing Application | Initial Access |
| CVE-2023-23397 Outlook Elevation of Privilege | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| CVE-2023-36884 Office and Windows HTML RCE Vulnerability | Phishing, Spearphishing Attachment | Initial Access |
| Caddy Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Cisco IOS XE Software Web Management User Interface vulnerability | Exploit Public-Facing Application | Initial Access |
| Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | Exploit Public-Facing Application | Initial Access |
| Citrix Netscaler ADC CVE-2023-3519 | Exploit Public-Facing Application | Initial Access |
| Citrix ShareFile RCE CVE-2023-24489 | Server Software Component, Web Shell | Persistence |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| Collection and Staging | Masquerading | Defense Evasion |
| Command And Control | Remote Access Software | Command And Control |
| Compromised User Account | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | Credential Access |
| Confluence Data Center and Confluence Server Vulnerabilities | Server Software Component, Exploit Public-Facing Application, External Remote Services | Persistence |
| ConnectWise ScreenConnect Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Credential Dumping | NTDS, OS Credential Dumping | Credential Access |
| CrushFTP Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| DNS Hijacking | Domain Generation Algorithms | Command And Control |
| DarkGate Malware | Command and Scripting Interpreter | Execution |
| Data Exfiltration | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | LSASS Memory, OS Credential Dumping | Credential Access |
| Disabling Security Tools | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| Double Zero Destructor | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| F5 Authentication Bypass with TMUI | None | None |
| F5 BIG-IP Vulnerability CVE-2022-1388 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| Flax Typhoon | System Services, Service Execution | Execution |
| Forest Blizzard | Ingress Tool Transfer | Command And Control |
| Fortinet FortiNAC CVE-2022-39952 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Gomir | Systemd Timers, Scheduled Task/Job | Execution |
| Graceful Wipe Out Attack | Service Stop | Impact |
| HAFNIUM Group | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Hermetic Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| IIS Components | Server Software Component, IIS Components | Persistence |
| Ingress Tool Transfer | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Insider Threat | Password Spraying, Brute Force | Credential Access |
| Ivanti Connect Secure VPN Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Ivanti EPMM Remote Unauthenticated Access | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Ivanti Sentry Authentication Bypass CVE-2023-38035 | Exploit Public-Facing Application | Initial Access |
| Jenkins Server Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| JetBrains TeamCity Unauthenticated RCE | Exploit Public-Facing Application | Initial Access |
| JetBrains TeamCity Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Juniper JunOS Remote Code Execution | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | Initial Access |
| Linux Living Off The Land | Ingress Tool Transfer | Command And Control |
| Linux Persistence Techniques | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Privilege Escalation |
| Linux Post-Exploitation | Unix Shell | Execution |
| Linux Privilege Escalation | Exploitation for Privilege Escalation | Privilege Escalation |
| Linux Rootkit | System Information Discovery, Rootkit | Discovery |
| Living Off The Land | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Log4Shell CVE-2021-44228 | Automated Exfiltration | Exfiltration |
| MOVEit Transfer Critical Vulnerability | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Malicious PowerShell | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Masquerading - Rename System Utilities | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| MetaSploit | Command and Scripting Interpreter | Execution |
| Meterpreter | Command and Scripting Interpreter | Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | Exploitation for Privilege Escalation | Privilege Escalation |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | Phishing, Spearphishing Attachment | Initial Access |
| NOBELIUM Group | System Binary Proxy Execution, Mshta | Defense Evasion |
| Office 365 Account Takeover | Steal Application Access Token | Credential Access |
| Office 365 Collection Techniques | Email Forwarding Rule, Email Collection | Collection |
| Office 365 Persistence Mechanisms | Account Manipulation, Additional Cloud Roles | Persistence |
| Okta Account Takeover | Cloud Accounts | Resource Development |
| Okta MFA Exhaustion | Brute Force | Credential Access |
| OpenSSL CVE-2022-3602 | Encrypted Channel | Command And Control |
| Outlook RCE CVE-2024-21378 | Phishing | Initial Access |
| PaperCut MF NG Vulnerability | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | Execution |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Automated Exfiltration | Exfiltration |
| Prestige Ransomware | Windows Management Instrumentation | Execution |
| ProxyNotShell | Command and Scripting Interpreter, PowerShell | Execution |
| ProxyShell | Command and Scripting Interpreter, PowerShell | Execution |
| Reverse Network Proxy | Protocol Tunneling, Proxy, Web Service | Command And Control |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| Sandworm Tools | System Shutdown/Reboot | Impact |
| Scheduled Tasks | Scheduled Task, Scheduled Task/Job | Execution |
| Signed Binary Proxy Execution InstallUtil | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Silver Sparrow | Data Staged | Collection |
| Snake Keylogger | Malicious File, User Execution | Execution |
| Snake Malware | Kernel Modules and Extensions, Service Execution | Persistence |
| Sneaky Active Directory Persistence Tricks | Security Support Provider, Boot or Logon Autostart Execution | Persistence |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Spring4Shell CVE-2022-22965 | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Subvert Trust Controls SIP and Trust Provider Hijacking | SIP and Trust Provider Hijacking | Defense Evasion |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Compiled HTML File, System Binary Proxy Execution | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious MSHTA Activity | System Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Brute Force | Credential Access |
| Suspicious Regsvcs Regasm Activity | System Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | System Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | NTDS, OS Credential Dumping | Credential Access |
| Suspicious WMI Use | XSL Script Processing | Defense Evasion |
| Suspicious Windows Registry Activities | Services Registry Permissions Weakness | Persistence |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Swift Slicer | Data Destruction | Impact |
| SysAid On-Prem Software CVE-2023-47246 Vulnerability | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Execution |
| Text4Shell CVE-2022-42889 | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services | Persistence |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| VMware Aria Operations vRealize CVE-2023-20887 | External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation | Persistence |
| VMware Server Side Injection and Privilege Escalation | Exploit Public-Facing Application, External Remote Services | Initial Access |
| Volt Typhoon | Windows Management Instrumentation | Execution |
| WS FTP Server Critical Vulnerabilities | IIS Components, Server Software Component | Persistence |
| Warzone RAT | DLL Side-Loading | Persistence |
| WhisperGate | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| WinRAR Spoofing Attack CVE-2023-38831 | Ingress Tool Transfer | Command And Control |
| Windows BootKits | Pre-OS Boot, Registry Run Keys / Startup Folder | Defense Evasion |
| Windows Certificate Services | Steal or Forge Authentication Certificates | Credential Access |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Abuse Elevation Control Mechanism, Bypass User Account Control | Privilege Escalation |
| Windows Discovery Techniques | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Discovery |
| Windows Drivers | Windows Service | Persistence |
| Windows Error Reporting Service Elevation of Privilege Vulnerability | Process Injection | Defense Evasion |
| Windows Log Manipulation | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Services Registry Permissions Weakness | Persistence |
| Windows Post-Exploitation | Windows Management Instrumentation | Execution |
| Windows Privilege Escalation | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | Privilege Escalation |
| Windows System Binary Proxy Execution MSIExec | Msiexec | Defense Evasion |
| WordPress Vulnerabilities | Exploit Public-Facing Application | Initial Access |
| Zscaler Browser Proxy Threats | Phishing | Initial Access |