Adversary Tactics

Name	Technique	Tactic
3CX Supply Chain Attack	Compromise Software Supply Chain	Initial Access
Active Directory Discovery	Permission Groups Discovery, Local Groups	Discovery
Active Directory Kerberos Attacks	Password Spraying, Brute Force	Credential Access
Active Directory Lateral Movement	Remote Services, Windows Remote Management	Lateral Movement
Active Directory Password Spraying	Password Spraying, Brute Force	Credential Access
Active Directory Privilege Escalation	Account Discovery, SMB/Windows Admin Shares, Network Share Discovery	Discovery
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	Exploit Public-Facing Application	Initial Access
Atlassian Confluence Server and Data Center CVE-2022-26134	Exploit Public-Facing Application, External Remote Services	Initial Access
Azure Active Directory Account Takeover	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying	Resource Development
Azure Active Directory Privilege Escalation	Account Manipulation	Persistence
BITS Jobs	BITS Jobs, Ingress Tool Transfer	Defense Evasion
Baron Samedit CVE-2021-3156	Exploitation for Privilege Escalation	Privilege Escalation
BishopFox Sliver Adversary Emulation Framework	System Services, Service Execution	Execution
BlackLotus Campaign	Bootkit	Persistence
Brute Ratel C4	Service Stop	Impact
CISA AA22-257A	Protocol Tunneling, SSH	Command And Control
CISA AA22-264A	Exploitation for Privilege Escalation	Privilege Escalation
CISA AA22-277A	System Network Configuration Discovery, Internet Connection Discovery	Discovery
CISA AA22-320A	Windows Service, Create or Modify System Process	Persistence
CVE-2022-40684 Fortinet Appliance Auth bypass	Exploit Public-Facing Application, External Remote Services	Initial Access
CVE-2023-21716 Word RTF Heap Corruption	Phishing, Spearphishing Attachment	Initial Access
CVE-2023-23397 Outlook Elevation of Privilege	Exfiltration Over Unencrypted Non-C2 Protocol	Exfiltration
CVE-2023-36884 Office and Windows HTML RCE Vulnerability	Phishing, Spearphishing Attachment	Initial Access
Caddy Wiper	Disk Structure Wipe, Disk Wipe	Impact
Citrix Netscaler ADC CVE-2023-3519	Exploit Public-Facing Application	Initial Access
Citrix ShareFile RCE CVE-2023-24489	Server Software Component, Web Shell	Persistence
Cobalt Strike	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	Defense Evasion
Collection and Staging	Masquerading	Defense Evasion
Command And Control	Remote Access Software	Command And Control
Compromised User Account	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Resource Development
Credential Dumping	NTDS, OS Credential Dumping	Credential Access
DNS Hijacking	Domain Generation Algorithms	Command And Control
Data Exfiltration	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Exfiltration
Deobfuscate-Decode Files or Information	Deobfuscate/Decode Files or Information	Defense Evasion
Detect Zerologon Attack	LSASS Memory, OS Credential Dumping	Credential Access
Disabling Security Tools	File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter	Defense Evasion
Domain Trust Discovery	Remote System Discovery	Discovery
Double Zero Destructor	Disable or Modify Tools, Impair Defenses	Defense Evasion
F5 BIG-IP Vulnerability CVE-2022-1388	Exploit Public-Facing Application, External Remote Services	Initial Access
F5 TMUI RCE CVE-2020-5902	Exploit Public-Facing Application	Initial Access
Flax Typhoon	System Services, Service Execution	Execution
Forest Blizzard	Ingress Tool Transfer	Command And Control
Fortinet FortiNAC CVE-2022-39952	Exploit Public-Facing Application, External Remote Services	Initial Access
Graceful Wipe Out Attack	Service Stop	Impact
HAFNIUM Group	Automated Exfiltration	Exfiltration
Hermetic Wiper	Disk Structure Wipe, Disk Wipe	Impact
IIS Components	Server Software Component, IIS Components	Persistence
Ingress Tool Transfer	Automated Exfiltration	Exfiltration
Insider Threat	Password Spraying, Brute Force	Credential Access
Ivanti EPMM Remote Unauthenticated Access	Exploit Public-Facing Application, External Remote Services	Initial Access
Ivanti Sentry Authentication Bypass CVE-2023-38035	Exploit Public-Facing Application	Initial Access
Juniper JunOS Remote Code Execution	Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter	Initial Access
Linux Living Off The Land	Ingress Tool Transfer	Command And Control
Linux Persistence Techniques	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Privilege Escalation
Linux Post-Exploitation	Unix Shell	Execution
Linux Privilege Escalation	Exploitation for Privilege Escalation	Privilege Escalation
Linux Rootkit	System Information Discovery, Rootkit	Discovery
Living Off The Land	Trusted Developer Utilities Proxy Execution, MSBuild	Defense Evasion
Log4Shell CVE-2021-44228	Automated Exfiltration	Exfiltration
MOVEit Transfer Critical Vulnerability	Exploit Public-Facing Application, External Remote Services	Initial Access
Malicious PowerShell	Automated Exfiltration	Exfiltration
Masquerading - Rename System Utilities	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Defense Evasion
MetaSploit	Command and Scripting Interpreter	Execution
Meterpreter	Command and Scripting Interpreter	Execution
Microsoft MSHTML Remote Code Execution CVE-2021-40444	System Binary Proxy Execution, Rundll32	Defense Evasion
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	Phishing, Spearphishing Attachment	Initial Access
NOBELIUM Group	System Binary Proxy Execution, Mshta	Defense Evasion
Okta MFA Exhaustion	Brute Force	Credential Access
OpenSSL CVE-2022-3602	Encrypted Channel	Command And Control
PaperCut MF NG Vulnerability	Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services	Execution
PetitPotam NTLM Relay on Active Directory Certificate Services	OS Credential Dumping	Credential Access
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns	Automated Exfiltration	Exfiltration
Prestige Ransomware	Windows Management Instrumentation	Execution
ProxyNotShell	Command and Scripting Interpreter, PowerShell	Execution
ProxyShell	Command and Scripting Interpreter, PowerShell	Execution
Reverse Network Proxy	Protocol Tunneling, Proxy, Web Service	Command And Control
SQL Injection	Exploit Public-Facing Application	Initial Access
Sandworm Tools	System Shutdown/Reboot	Impact
Scheduled Tasks	Scheduled Task, Scheduled Task/Job	Execution
Signed Binary Proxy Execution InstallUtil	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Defense Evasion
Silver Sparrow	Data Staged	Collection
Snake Malware	Kernel Modules and Extensions, Service Execution	Persistence
Sneaky Active Directory Persistence Tricks	Security Support Provider, Boot or Logon Autostart Execution	Persistence
Spearphishing Attachments	Phishing, Spearphishing Attachment	Initial Access
Spring4Shell CVE-2022-22965	Exploit Public-Facing Application, External Remote Services	Initial Access
Suspicious Command-Line Executions	Masquerading, Rename System Utilities	Defense Evasion
Suspicious Compiled HTML Activity	Compiled HTML File, System Binary Proxy Execution	Defense Evasion
Suspicious DNS Traffic	Exfiltration Over Alternative Protocol	Exfiltration
Suspicious Emails	Spearphishing Attachment, Phishing	Initial Access
Suspicious MSHTA Activity	System Binary Proxy Execution, Mshta	Defense Evasion
Suspicious Okta Activity	Valid Accounts, Default Accounts	Defense Evasion
Suspicious Regsvcs Regasm Activity	System Binary Proxy Execution, Regsvcs/Regasm	Defense Evasion
Suspicious Regsvr32 Activity	System Binary Proxy Execution, Regsvr32	Defense Evasion
Suspicious Rundll32 Activity	NTDS, OS Credential Dumping	Credential Access
Suspicious WMI Use	XSL Script Processing	Defense Evasion
Suspicious Windows Registry Activities	Services Registry Permissions Weakness	Persistence
Suspicious Zoom Child Processes	Exploitation for Privilege Escalation	Privilege Escalation
Swift Slicer	Data Destruction	Impact
Text4Shell CVE-2022-42889	Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services	Persistence
Trusted Developer Utilities Proxy Execution	Trusted Developer Utilities Proxy Execution	Defense Evasion
Trusted Developer Utilities Proxy Execution MSBuild	Trusted Developer Utilities Proxy Execution, MSBuild	Defense Evasion
VMware Aria Operations vRealize CVE-2023-20887	External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation	Persistence
VMware Server Side Injection and Privilege Escalation	Exploit Public-Facing Application, External Remote Services	Initial Access
Volt Typhoon	Windows Management Instrumentation	Execution
Warzone RAT	DLL Side-Loading	Persistence
WhisperGate	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	Defense Evasion
WinRAR Spoofing Attack CVE-2023-38831	Ingress Tool Transfer	Command And Control
Windows BootKits	Pre-OS Boot, Registry Run Keys / Startup Folder	Defense Evasion
Windows Certificate Services	Steal or Forge Authentication Certificates	Credential Access
Windows DNS SIGRed CVE-2020-1350	Exploitation for Client Execution	Execution
Windows Defense Evasion Tactics	Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection	Defense Evasion
Windows Discovery Techniques	Permission Groups Discovery, Local Groups	Discovery
Windows Drivers	Windows Service	Persistence
Windows Error Reporting Service Elevation of Privilege Vulnerability	Process Injection	Defense Evasion
Windows Log Manipulation	Indicator Removal, Clear Windows Event Logs	Defense Evasion
Windows Persistence Techniques	Services Registry Permissions Weakness	Persistence
Windows Post-Exploitation	Windows Management Instrumentation	Execution
Windows Privilege Escalation	Malicious File	Execution
Windows System Binary Proxy Execution MSIExec	Msiexec	Defense Evasion