Hold access to critical infrastructure for later use. However, we have yet to see them pull the trigger.
Command and Control
  • T1071 - Application Layer Protocol
  • T1573 - Encrypted Channel

  • T1560 - Archive Collected Data
  • T1074.001 - Local Data Staging
  • T1005 - Data from Local System
  • T1114.002 - Remote Email Collection
  • T1056.001 - Keylogging
  • T1113 - Screen Capture

  • T1059 - Command and Scripting Interpreter
  • T1059.001 - PowerShell
  • T1059.003 - Windows Command Shell
  • T1059.006 - Python
  • T1053.005 - Scheduled Task
  • T1204.001 - Malicious Link
  • T1204.002 - Malicious File
Defense Evasion
  • T1562.004 - Disable or Modify System Firewall
  • T1070.001 - Clear Windows Event Logs
  • T1070.004 - File Deletion
  • T1036 - Masquerading
  • T1112 - Modify Registry
  • T1027 - Obfuscated Files or Information
  • T1027.002 - Software Packing
  • T1055 - Process Injection
  • T1055.003 - Thread Execution Hijacking
  • T1221 - Template Injection
  • T1078 - Valid Accounts
  • T1497.001 - System Checks
Credential Access
  • T1110.002 - Password Cracking
  • T1555.003 - Credentials from Web Browsers
  • T1187 - Forced Authentication
  • T1003 - OS Credential Dumping
  • T1003.002 - Security Account Manager
  • T1003.003 - NTDS
  • T1003.004 - LSA Secrets

  • T1098 - Account Manipulation
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1547.009 - Shortcut Modification
  • T1136.001 - Local Account
  • T1133 - External Remote Services
  • T1505.003 - Web Shell

  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1033 - System Owner/User Discovery
  • T1049 - System Network Connections Discovery
  • T1057 - Process Discovery
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1135 - Network Share Discovery

Initial Access

  • Drive-By Compromise [T1189]
  • Exploiting Public Facing Applications [T1190]
  • External Remote Services [T1133]
  • Credential Access via Brute Force [T1110]
  • Lateral Movement [TA0008], Persistence [TA0003], and Privilege Escalation [TA0004]
  • Valid Accounts [T1078]