| Name | Author | Date | Tactics | Techniques |
|---|---|---|---|---|
| Access of Outlook Email Archives | Endgame | 7/26/2019 | Collection | T1114 Email Collection |
| Account Discovery via Built-In Tools | Endgame | 7/26/2019 | Discovery | T1087 Account Discovery |
| AD Dumping via Ntdsutil.exe | Tony Lambert | 01/07/2019 | Credential Access | T1003 Credential Dumping |
| Adding the Hidden File Attribute via attrib.exe | Endgame | 7/26/2019 | Defense Evasion, Persistence | T1158 Hidden Files and Directories |
| AppCert DLLs Registry Modification | Endgame | 7/26/2019 | Privilege Escalation, Persistence | T1182 AppCert DLLs |
| Audio Capture via PowerShell | Endgame | 11/30/2018 | Collection | T1123 Audio Capture |
| Audio Capture via SoundRecorder | Endgame | 11/30/2018 | Collection | T1123 Audio Capture |
| Bypass UAC via CMSTP | Endgame | 11/30/2018 | Defense Evasion, Execution | T1191 CMSTP, T1088 Bypass User Account Control |
| Bypass UAC via CompMgmtLauncher | Daniel Stepanic | 12/04/2019 | Privilege Escalation | T1088 Bypass User Account Control |
| Bypass UAC via Fodhelper.exe | Tony Lambert | 05/17/2019 | Privilege Escalation | T1088 Bypass User Account Control |
| Bypass UAC via Fodhelper.exe | Tony Lambert | 05/17/2019 | Privilege Escalation | T1088 Bypass User Account Control |
| Bypass UAC via WSReset.exe | Tony Lambert | 05/17/2019 | Privilege Escalation | T1088 Bypass User Account Control |
| Change Default File Association | Endgame | 11/30/2018 | Persistence | T1042 Change Default File Association |
| Clearing Windows Event Logs with wevtutil | Endgame | 11/30/2018 | Defense Evasion | T1070 Indicator Removal on Host |
| COM Hijack via Script Object | Endgame | 11/30/2018 | Persistence, Defense Evasion | T1122 Component Object Model Hijacking |
| Command-Line Creation of a RAR file | Endgame | 11/30/2018 | Exfiltration | T1002 Data Compressed |
| Control Panel Items | Endgame | 7/26/2019 | Defense Evasion, Execution | T1196 Control Panel Items |
| Creation of an Archive with Common Archivers | Endgame | 7/26/2019 | Collection | T1074 Data Staged |
| Creation of Kernel Module | Endgame | 7/26/2019 | Persistence | T1215 Kernel Modules and Extensions |
| Creation of Scheduled Task with schtasks.exe | Endgame | 7/26/2019 | Privilege Escalation, Execution, Persistence | T1053 Scheduled Task |
| Creation or Modification of Systemd Service | Endgame | 7/26/2019 | Persistence | T1501 Systemd Service |
| Credential Enumeration via Credential Vault CLI | David French | 8/16/2019 | Credential Access | T1003 Credential Dumping |
| Delete Volume USN Journal with fsutil | Endgame | 11/30/2018 | Defense Evasion | T1070 Indicator Removal on Host |
| Disconnecting from Network Shares with net.exe | Endgame | 7/26/2019 | Defense Evasion | T1126 Network Share Connection Removal |
| Discovery and Enumeration of System Information via Rundll32 | Daniel Stepanic | 12/04/2019 | Discovery | T1087 Account Discovery, T1096 NTFS File Attributes, T1033 System Owner/User Discovery |
| Discovery of a Remote System’s Time | Endgame | 11/30/2018 | Discovery | T1124 System Time Discovery |
| Discovery of Domain Groups | Endgame | 7/26/2019 | Discovery | T1069 Permission Groups Discovery |
| Discovery of Network Environment via Built-in Tools | Endgame | 7/26/2019 | Discovery | T1016 System Network Configuration Discovery |
| Discovery of Network Environment via Built-in Tools | Endgame | 7/26/2019 | Discovery | T1016 System Network Configuration Discovery |
| DLL Search Order Hijacking with known programs | Endgame | 7/26/2019 | Privilege Escalation, Defense Evasion, Persistence | T1038 DLL Search Order Hijacking |
| Domain Trust Discovery | Endgame | 7/26/2019 | Discovery | T1482 Domain Trust Discovery |
| Domain Trust Discovery via Nltest.exe | Tony Lambert | 05/17/2019 | Discovery | T1482 Domain Trust Discovery |
| Encoding or Decoding Files via CertUtil | Endgame | 11/30/2018 | Defense Evasion | T1140 Deobfuscate/Decode Files or Information |
| Enumeration of Local Shares | Endgame | 11/30/2018 | Discovery | T1135 Network Share Discovery |
| Enumeration of Mounted Shares | Endgame | 11/30/2018 | Discovery | T1049 System Network Connections Discovery |
| Enumeration of Remote Shares | Endgame | 11/30/2018 | Discovery | T1135 Network Share Discovery |
| Enumeration of System Information | Endgame | 7/26/2019 | Discovery | T1082 System Information Discovery |
| Enumeration of System Information | Endgame | 7/26/2019 | Discovery | T1082 System Information Discovery |
| Executable Written and Executed by Microsoft Office Applications | Daniel Stepanic | 12/04/2019 | Execution | T1204 User Execution, T1173 Dynamic Data Exchange |
| Execution of a Command via a SYSTEM Service | Endgame | 11/30/2018 | Privilege Escalation | T1035 Service Execution, T1050 New Service |
| Execution of Existing Service via Command | Endgame | 7/26/2019 | Execution | T1035 Service Execution |
| Execution via cmstp.exe | Endgame | 7/26/2019 | Defense Evasion, Execution | T1191 CMSTP |
| HH.exe execution | Dan Beavin | 09/26/2019 | Defense Evasion, Execution | T1223 Compiled HTML File |
| Host Artifact Deletion | Endgame | 7/26/2019 | Defense Evasion | T1070 Indicator Removal on Host |
| Image Debuggers for Accessibility Features | Endgame | 11/30/2018 | Persistence, Privilege Escalation, Defense Evasion | T1015 Accessibility Features, T1183 Image File Execution Options Injection |
| Incoming Remote PowerShell Sessions | Endgame | 7/26/2019 | Lateral Movement, Execution | T1028 Windows Remote Management |
| Indirect Command Execution | Endgame | 11/30/2018 | Defense Evasion | T1202 Indirect Command Execution |
| Installation of Port Monitor | Endgame | 7/26/2019 | Privilege Escalation, Persistence | T1013 Port Monitors |
| Installation of Security Support Provider | Endgame | 7/26/2019 | Persistence | T1101 Security Support Provider |
| Installation of Time Providers | Endgame | 7/26/2019 | Persistence | T1209 Time Providers |
| Installing Custom Shim Databases | Endgame | 11/30/2018 | Persistence, Privilege Escalation | T1138 Application Shimming |
| InstallUtil Execution | Endgame | 7/26/2019 | Execution, Defense Evasion | T1118 InstallUtil |
| Interactive AT Job | Endgame | 11/30/2018 | Privilege Escalation | T1053 Scheduled Task |
| Launch Daemon Persistence | Endgame | 7/26/2019 | Privilege Escalation, Persistence | T1160 Launch Daemon |
| Loading Kernel Modules with kextload | Endgame | 7/26/2019 | Persistence | T1215 Kernel Modules and Extensions |
| Local Job Scheduling Paths | Endgame | 7/26/2019 | Execution, Persistence | T1168 Local Job Scheduling |
| Local Job Scheduling Process | Endgame | 7/26/2019 | Execution, Persistence | T1168 Local Job Scheduling |
| Logon Scripts with UserInitMprLogonScript | Endgame | 11/30/2018 | Persistence | T1037 Logon Scripts |
| LSA Authentication Package | Endgame | 7/26/2019 | Persistence | T1131 Authentication Package |
| LSASS Memory Dumping | Tony Lambert | 01/07/2019 | Credential Access | T1003 Credential Dumping |
| LSASS Memory Dumping via ProcDump.exe | Tony Lambert | 01/07/2019 | Credential Access | T1003 Credential Dumping |
| Modification of Boot Configuration | Endgame | 05/17/2019 | Impact | T1490 Inhibit System Recovery |
| Modification of ld.so.preload | Tony Lambert | 05/17/2019 | Defense Evasion | T1055 Process Injection |
| Modification of Logon Scripts from Registry | Endgame | 7/26/2019 | Lateral Movement, Persistence | T1037 Logon Scripts |
| Modification of rc.common Script | Endgame | 7/26/2019 | Persistence | T1163 Rc.common |
| Modifications of .bash_profile and .bashrc | Tony Lambert | 01/10/2019 | Persistence | T1156 .bash_profile and .bashrc |
| Mounting Hidden Shares | Endgame | 11/30/2018 | Lateral Movement | T1077 Windows Admin Shares |
| Mounting Windows Hidden Shares with net.exe | Endgame | 7/26/2019 | Lateral Movement | T1077 Windows Admin Shares |
| MS Office Template Injection | Daniel Stepanic | 02/12/2020 | Defense Evasion | T1221 Template Injection |
| Mshta Descendant of Microsoft Office | Daniel Stepanic | 12/04/2019 | Execution, Defense Evasion, Command and Control | T1170 Mshta |
| Mshta Network Connections | Endgame | 11/30/2018 | Execution, Defense Evasion, Command and Control | T1170 Mshta |
| Network Service Scanning via Port | Endgame | 7/26/2019 | Discovery | T1046 Network Service Scanning |
| Non-browser processes making DNS requests to Dynamic DNS Providers | Daniel Stepanic | 02/12/2020 | Command and Control | T1071 Standard Application Layer Protocol |
| Office Application Startup via Template File Modification | Endgame | 7/26/2019 | Persistence | T1137 Office Application Startup |
| Office Application Startup via Template Registry Modification | Endgame | 7/26/2019 | Persistence | T1137 Office Application Startup |
| Password Policy Enumeration | Endgame | 7/26/2019 | Discovery | T1201 Password Policy Discovery |
| Persistence via AppInit DLL | Endgame | 11/30/2018 | Persistence, Privilege Escalation | T1103 AppInit DLLs |
| Persistence via NetSh Key | Endgame | 11/30/2018 | Persistence | T1128 Netsh Helper DLL |
| Persistence via Screensaver | Endgame | 11/30/2018 | Persistence | T1180 Screensaver |
| Persistent process via Launch Agent | Endgame | 7/26/2019 | Persistence | T1159 Launch Agent |
| Plist Modification | Endgame | 7/26/2019 | Privilege Escalation, Defense Evasion, Persistence | T1150 Plist Modification |
| Potential Gatekeeper Bypass | Endgame | 7/26/2019 | Defense Evasion | T1144 Gatekeeper Bypass |
| Process Discovery via Built-In Applications | Endgame | 7/26/2019 | Discovery | T1057 Process Discovery, T1063 Security Software Discovery |
| Process Discovery via Windows Tools | Endgame | 7/26/2019 | Discovery | T1057 Process Discovery, T1063 Security Software Discovery |
| Processes Running with Unusual Extensions | Endgame | 7/26/2019 | Defense Evasion | T1036 Masquerading |
| Processes with Trailing Spaces | Endgame | 7/26/2019 | Defense Evasion, Execution | T1151 Space after Filename |
| Proxied Execution via Signed Scripts | Endgame | 7/26/2019 | Defense Evasion, Execution | T1216 Signed Script Proxy Execution |
| Reading the Clipboard with pbpaste | Endgame | 7/26/2019 | Collection | T1115 Clipboard Data |
| Registration of a Password Filter DLL | Endgame | 7/26/2019 | Credential Access | T1174 Password Filter DLL |
| Registration of Winlogon Helper DLL | Endgame | 7/26/2019 | Persistence | T1004 Winlogon Helper DLL |
| Registry Persistence via Run Keys | Endgame | 7/26/2019 | Persistence | T1060 Registry Run Keys / Startup Folder |
| Registry Persistence via Shell Folders | Endgame | 7/22/2019 | Persistence | T1060 Registry Run Keys / Startup Folder |
| Registry Preparation of Event Viewer UAC Bypass | Endgame | 11/30/2018 | Privilege Escalation | T1088 Bypass User Account Control |
| RegSvr32 Scriptlet Execution | Endgame | 11/30/2018 | Execution | T1117 Regsvr32 |
| Remote Desktop Protocol Hijack | Endgame | 7/26/2019 | Lateral Movement | T1076 Remote Desktop Protocol |
| Remote Execution via WMIC | Endgame | 11/30/2018 | Lateral Movement, Execution | T1047 Windows Management Instrumentation |
| Remote System Discovery Commands | Endgame | 7/26/2019 | Discovery | T1018 Remote System Discovery |
| Remote Terminal Sessions | Endgame | 7/26/2019 | Lateral Movement | T1021 Remote Services |
| Resumed Application on Reboot | Endgame | 7/26/2019 | Persistence | T1164 Re-opened Applications |
| Root Certificate Install | Endgame | 7/26/2019 | Defense Evasion | T1130 Install Root Certificate |
| SAM Dumping via Reg.exe | Endgame | 11/30/2018 | Credential Access | T1003 Credential Dumping |
| Scheduled Task Creation via Microsoft Office Application | David French | 8/16/2019 | Persistence | T1053 Scheduled Task |
| Searching for Passwords in Files | Endgame | 7/26/2019 | Credential Access | T1081 Credentials in Files |
| Searching for Passwords in Files | Endgame | 7/26/2019 | Credential Access | T1081 Credentials in Files |
| Service Path Modification with sc.exe | Endgame | 7/26/2019 | Persistence | T1031 Modify Existing Service |
| Service Stop or Disable with sc.exe | Endgame | 7/26/2019 | Impact | T1489 Service Stop |
| Startup Folder Execution via VBScript | Daniel Stepanic | 02/12/2020 | Persistence | T1060 Registry Run Keys / Startup Folder |
| Startup Folder Persistence with Shortcut/VBScript Files | Daniel Stepanic | 02/12/2020 | Persistence | T1060 Registry Run Keys / Startup Folder |
| Stopping Services with net.exe | Endgame | 7/26/2019 | Impact | T1489 Service Stop |
| Suspicious ADS File Creation | Endgame | 11/30/2018 | Defense Evasion | T1096 NTFS File Attributes |
| Suspicious Bitsadmin Job via bitsadmin.exe | Endgame | 11/30/2018 | Defense Evasion, Persistence | T1197 BITS Jobs |
| Suspicious Bitsadmin Job via PowerShell | Endgame | 11/30/2018 | Defense Evasion, Persistence | T1197 BITS Jobs |
| Suspicious File Creation via Browser Extensions | Endgame | 7/26/2019 | Persistence | T1176 Browser Extensions |
| Suspicious MS Office Registry Modifications | Daniel Stepanic | 02/12/2020 | Defense Evasion | T1112 Modify Registry |
| Suspicious Process Loading Credential Vault DLL | David French | 8/16/2019 | Credential Access | T1003 Credential Dumping |
| Suspicious Script Object Execution | Endgame | 11/30/2018 | Defense Evasion, Execution | T1117 Regsvr32 |
| System Information Discovery | Endgame | 11/30/2018 | Discovery | T1082 System Information Discovery |
| System Network Connections Discovery | Endgame | 7/26/2019 | Discovery | T1049 System Network Connections Discovery |
| System Owner and User Discovery | Endgame | 7/26/2019 | Discovery | T1033 System Owner/User Discovery |
| Trap Signals Usage | Endgame | 7/26/2019 | Execution, Persistence | T1154 Trap |
| Unload Sysmon Filter Driver with fltmc.exe | Endgame | 11/30/2018 | Defense Evasion | T1089 Disabling Security Tools |
| Unusual Child Process | Endgame | 11/30/2018 | Defense Evasion, Execution | T1093 Process Hollowing, T1055 Process Injection |
| User Account Creation | Endgame | 11/30/2018 | Persistence, Credential Access | T1136 Create Account |
| Volume Shadow Copy Deletion via VssAdmin | Endgame | 05/17/2019 | Impact | T1490 Inhibit System Recovery |
| Volume Shadow Copy Deletion via WMIC | Endgame | 05/17/2019 | Impact | T1490 Inhibit System Recovery |
| Windows File Permissions Modification | Endgame | 7/26/2019 | Defense Evasion | T1222 File Permissions Modification |
| Windows Network Enumeration | Endgame | 11/30/2018 | Discovery | T1018 Remote System Discovery |
| WMI Execution via Microsoft Office Application | David French | 8/16/2019 | Execution | T1047 Windows Management Instrumentation |
| WMI Execution with Command Line Redirection | Daniel Stepanic | 12/04/2019 | Collection | T1074 Data Staged |