initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
---|---|---|---|---|---|---|---|---|---|---|
Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration | Commonly Used Port |
Exploit Public-Facing Application | CMSTP | Accessibility Features | Accessibility Features | BITS Jobs | Bash History | Application Window Discovery | Application Deployment Software | Automated Collection | Data Compressed | Communication Through Removable Media |
External Remote Services | Command-Line Interface | Account Manipulation | AppCert DLLs | Binary Padding | Brute Force | Browser Bookmark Discovery | Distributed Component Object Model | Clipboard Data | Data Encrypted | Connection Proxy |
Hardware Additions | Compiled HTML File | AppCert DLLs | AppInit DLLs | Bypass User Account Control | Credential Dumping | Domain Trust Discovery | Exploitation of Remote Services | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
Replication Through Removable Media | Control Panel Items | AppInit DLLs | Application Shimming | CMSTP | Credentials in Files | File and Directory Discovery | Logon Scripts | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
Spearphishing Attachment | Dynamic Data Exchange | Application Shimming | Bypass User Account Control | Clear Command History | Credentials in Registry | Network Service Scanning | Pass the Hash | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
Spearphishing Link | Execution through API | Authentication Package | DLL Search Order Hijacking | Code Signing | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
Spearphishing via Service | Execution through Module Load | BITS Jobs | Dylib Hijacking | Compile After Delivery | Forced Authentication | Network Sniffing | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting |
Supply Chain Compromise | Exploitation for Client Execution | Bootkit | Exploitation for Privilege Escalation | Compiled HTML File | Hooking | Password Policy Discovery | Remote File Copy | Email Collection | Scheduled Transfer | Domain Generation Algorithms |
Trusted Relationship | Graphical User Interface | Browser Extensions | Extra Window Memory Injection | Component Firmware | Input Capture | Peripheral Device Discovery | Remote Services | Input Capture | Fallback Channels | |
Valid Accounts | InstallUtil | Change Default File Association | File System Permissions Weakness | Component Object Model Hijacking | Input Prompt | Permission Groups Discovery | Replication Through Removable Media | Man in the Browser | Multi-Stage Channels | |
LSASS Driver | Component Firmware | Hooking | Control Panel Items | Kerberoasting | Process Discovery | SSH Hijacking | Screen Capture | Multi-hop Proxy | ||
Launchctl | Component Object Model Hijacking | Image File Execution Options Injection | DCShadow | Keychain | Query Registry | Shared Webroot | Video Capture | Multiband Communication | ||
Local Job Scheduling | Create Account | Launch Daemon | DLL Search Order Hijacking | LLMNR/NBT-NS Poisoning and Relay | Remote System Discovery | Taint Shared Content | Multilayer Encryption | |||
Mshta | DLL Search Order Hijacking | New Service | DLL Side-Loading | Network Sniffing | Security Software Discovery | Third-party Software | Port Knocking | |||
PowerShell | Dylib Hijacking | Path Interception | Deobfuscate/Decode Files or Information | Password Filter DLL | System Information Discovery | Windows Admin Shares | Remote Access Tools | |||
Regsvcs/Regasm | External Remote Services | Plist Modification | Disabling Security Tools | Private Keys | System Network Configuration Discovery | Windows Remote Management | Remote File Copy | |||
Regsvr32 | File System Permissions Weakness | Port Monitors | Execution Guardrails | Securityd Memory | System Network Connections Discovery | Standard Application Layer Protocol | ||||
Rundll32 | Hidden Files and Directories | Process Injection | Exploitation for Defense Evasion | Two-Factor Authentication Interception | System Owner/User Discovery | Standard Cryptographic Protocol | ||||
Scheduled Task | Hooking | SID-History Injection | Extra Window Memory Injection | System Service Discovery | Standard Non-Application Layer Protocol | |||||
Scripting | Hypervisor | Scheduled Task | File Deletion | System Time Discovery | Uncommonly Used Port | |||||
Service Execution | Image File Execution Options Injection | Service Registry Permissions Weakness | File Permissions Modification | Virtualization/Sandbox Evasion | Web Service | |||||
Signed Binary Proxy Execution | Kernel Modules and Extensions | Setuid and Setgid | File System Logical Offsets | |||||||
Signed Script Proxy Execution | LC_LOAD_DYLIB Addition | Startup Items | Gatekeeper Bypass | |||||||
Source | LSASS Driver | Sudo | Group Policy Modification | |||||||
Space after Filename | Launch Agent | Sudo Caching | HISTCONTROL | |||||||
Third-party Software | Launch Daemon | Valid Accounts | Hidden Files and Directories | |||||||
Trap | Launchctl | Web Shell | Hidden Users | |||||||
Trusted Developer Utilities | Local Job Scheduling | Hidden Window | ||||||||
User Execution | Login Item | Image File Execution Options Injection | ||||||||
Windows Management Instrumentation | Logon Scripts | Indicator Blocking | ||||||||
Windows Remote Management | Modify Existing Service | Indicator Removal from Tools | ||||||||
XSL Script Processing | Netsh Helper DLL | Indicator Removal on Host | ||||||||
New Service | Indirect Command Execution | |||||||||
Office Application Startup | Install Root Certificate | |||||||||
Path Interception | InstallUtil | |||||||||
Plist Modification | LC_MAIN Hijacking | |||||||||
Port Knocking | Launchctl | |||||||||
Port Monitors | Masquerading | |||||||||
Rc.common | Modify Registry | |||||||||
Re-opened Applications | Mshta | |||||||||
Redundant Access | NTFS File Attributes | |||||||||
Registry Run Keys / Startup Folder | Network Share Connection Removal | |||||||||
SIP and Trust Provider Hijacking | Obfuscated Files or Information | |||||||||
Scheduled Task | Plist Modification | |||||||||
Screensaver | Port Knocking | |||||||||
Security Support Provider | Process Doppelgänging | |||||||||
Service Registry Permissions Weakness | Process Hollowing | |||||||||
Setuid and Setgid | Process Injection | |||||||||
Shortcut Modification | Redundant Access | |||||||||
Startup Items | Regsvcs/Regasm | |||||||||
System Firmware | Regsvr32 | |||||||||
Systemd Service | Rootkit | |||||||||
Time Providers | Rundll32 | |||||||||
Trap | SIP and Trust Provider Hijacking | |||||||||
Valid Accounts | Scripting | |||||||||
Web Shell | Signed Binary Proxy Execution | |||||||||
Windows Management Instrumentation Event Subscription | Signed Script Proxy Execution | |||||||||
Winlogon Helper DLL | Software Packing | |||||||||
Space after Filename | ||||||||||
Template Injection | ||||||||||
Timestomp | ||||||||||
Trusted Developer Utilities | ||||||||||
Valid Accounts | ||||||||||
Virtualization/Sandbox Evasion | ||||||||||
Web Service | ||||||||||
XSL Script Processing |
-
Notifications
You must be signed in to change notification settings - Fork 0
adamsmesher/hunterground
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
About
Another Threat Hunting knowledge base :) based on MITRE ATT&CK Matrix
Topics
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published