atomic-red-team/Windows

Latest commit a85093767d by rahmatnurfauzi, 2018-01-11 17:09:24 +07:00
Update File_and_Directory_Discovery.md
Adding more commands taken from Waterbug/Turla
| Name | Last commit message | Last commit date |
|---|---|---|
| Collection | Input Capture - Payload Reference fix | 2017-11-15 15:10:16 -08:00 |
| Credential_Access | Credentials in Files | 2017-11-02 11:53:28 -07:00 |
| Defense Evasion | credit for TimeStomp | 2017-11-15 12:47:10 -07:00 |
| Discovery | Update File_and_Directory_Discovery.md | 2018-01-11 17:09:24 +07:00 |
| Execution | Updated Mimikatz References | 2017-11-13 15:10:25 -07:00 |
| Exfiltration | Evasion and exfil | 2017-10-31 12:56:52 -07:00 |
| Lateral Movement | Initial Commit | 2017-10-11 10:35:17 -07:00 |
| Payloads | Added Invoke-Mimikatz | 2017-11-13 15:06:40 -07:00 |
| Persistence | Add T1050: Windows - Persistence - Service Installation | 2017-11-16 23:27:14 +01:00 |
| Privilege Escalation | Cleanup | 2017-10-11 20:27:24 -07:00 |
| README.md | Add T1050: Windows - Persistence - Service Installation | 2017-11-16 23:27:14 +01:00 |

README.md

MITRE ATT&CK Matrix - Windows

| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|
| Accessibility Features | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | Application Deployment Software | Application Shimming | Audio Capture | Automated Exfiltration | Commonly Used Port |
| AppInit DLLs | Accessibility Features | Binary Padding | Brute Force | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
| Application Shimming | AppInit DLLs | Bypass User Account Control | Create Account | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy |
| Authentication Package | Application Shimming | Code Signing | Credential Dumping | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Change Default File Association | DLL Injection | Component Object Model Hijacking | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | InstallUtil | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
| Component Firmware | DLL Search Order Hijacking | DLL Injection | Input Capture | Permission Groups Discovery | Remote File Copy | PowerShell | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | Query Registry | Replication Through Removable Media | Regsvcs/Regasm | Input Capture | Scheduled Transfer | Multi-Stage Channels |
| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense%20Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | Remote System Discovery | Shared Webroot | Regsvr32 | Screen Capture | | Multiband Communication |
| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | System Information Discovery | Third-party Software | Scheduled Task | | | Remote File Copy |
| Hypervisor | Scheduled Task | File Deletion | | System Network Configuration Discovery | Windows Admin Shares | Scripting | | | Standard Application Layer Protocol |
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
| Logon Scripts | Valid Accounts | Hidden Files and Directories | | System Owner/User Discovery | | Third-party Software | | | Standard Non-Application Layer Protocol |
| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port |
| Netsh Helper DLL | | Indicator Removal from Tools | | System Time Discovery | | Windows Management Instrumentation | | | Web Service |
| New Service | | Indicator Removal on Host | | | | Windows Remote Management | | | |
| Office Application Startup | | Install Root Certificate | | | | Bitsadmin | | | |
| Path Interception | | InstallUtil | | | | | | | |
| Redundant Access | | Masquerading | | | | | | | |
| Registry Run Keys / Start Folder | | Modify Registry | | | | | | | |
| Scheduled Task | | NTFS Extended Attributes | | | | | | | |
| Security Support Provider | | Network Share Connection Removal | | | | | | | |
| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | |
| Shortcut Modification | | Process Hollowing | | | | | | | |
| System Firmware | | Redundant Access | | | | | | | |
| Valid Accounts | | Regsvcs/Regasm | | | | | | | |
| Web Shell | | Regsvr32 | | | | | | | |
| Windows Management Instrumentation Event Subscription | | Rootkit | | | | | | | |
| Winlogon Helper DLL | | Rundll32 | | | | | | | |
| | | Scripting | | | | | | | |
| | | Software Packing | | | | | | | |
| | | [Timestomp](Defense%20Evasion/Timestomp.md) | | | | | | | |
| | | Trusted Developer Utilities | | | | | | | |
| | | Valid Accounts | | | | | | | |