THREATS, TACTICS AND PROCEDURES TTP
MITRE’S ATT&CK®
UNIX Server Pen Test
Persistence of UNIX Servers
1. Account Manipulation.
2. Boot or Logon Autostart Execution.
3. Browser Extensions.
4. Compromise Client Software Binary.
5. Create Account.
6. Create or Modify System Process.
7. Event Triggered Execution.
8. External Remote Services.
9. Hijack Execution Flow.
10. Pre-OS Boot
11. Scheduled Jobs.
12. Server Software Component.
13. Traffic Signalling.
14. Valid Accounts.
Privilege Escalation of UNIX Servers
1. Abuse Elevation Control Mechanism.
2. Boot or Logon Autostart Execution.
3. Create or Modify System Process.
4. Event Triggered Execution.
5. Exploitation for Privilege Escalation.
6. Hijack Execution Flow.
7. Process Injection.
8. Scheduled Jobs.
9. Valid Accounts.
Defense Evasion of UNIX Servers
1. Abuse Elevation Control Mechanism.
2. De-obfuscate or Decode Files or Information.
3. Execution Guardrails.
4. Exploitation for Defense Evasion.
5. File and Directory Permissions Modification.
6. Hide Artifacts.
7. Hijack Execution Flow.
8. Impair Defenses.
9. Indicator Removal on Host.
10. Masquerading
11. Modify Authentication Process.
12. Obfuscated Files or Information.
13. Pre-OS Boot.
14. Process Injection.
15. Rootkits.
16. Subvert Trust Controls.
17. Traffic Signalling.
18. Valid Accounts.
19. Virtualisation/Sandbox Evasion.
Credential Access of UNIX Servers
1. Brute Force Attacks.
2. Credentials from Password Stores.
3. Exploitation for Credential Access.
4. Input Capture.
5. Man-in-the-Middle (MiTM) Attacks.
6. Modify Authentication Process.
7. Network Sniffing.
8. OS Credential Dumping.
9. Steal Web Session Cookies.
10. 2FA Interception.
11. Insecure Credentials.
Discovery of UNIX Servers
1. Account Discovery.
2. Browser Bookmark Discovery.
3. File and Directory Discovery.
4. Network Service Scanning.
5. Network Share Discovery.
6. Network Sniffing.
7. Password Policy Discovery.
8. Permission Groups Discovery.
9. Process Discovery.
10. Remote System Discovery.
11. Software Discovery.
12. System Information Discovery.
13. System Network Configuration Discovery.
14. System Network Connections Discovery.
15. System Owner/User Discovery.
16. Virtualisation/Sandbox Evasion.
Collection of UNIX Servers
1. Archive Collected Data.
2. Audio Capture.
3. Automated Collection.
4. Clipboard Data.
5. Data from Information Repositories.
6. Data from Local System.
7. Data from Network Shared Drive.
8. Data from Removable Media.
9. Data Staged.
10. Input Capture.
11. Man-in-the-Middle (MiTM) Attacks.
12. Screen Capture.
Command and Control of UNIX Servers
1. Application Layer Protocol.
2. Communication Through Removable Media.
3. Data Encoding.
4. Data Obfuscation.
5. Dynamic Resolution.
6. Encrypted Channel.
7. Fallback Channels.
8. Ingress Tool Transfer.
9. Multi-Stage Channels.
10. Non-Application Layer Protocol.
11. Non-Standard Port.
12. Protocol Tunnelling.
13. Proxy.
14. Remote Access Software.
15. Traffic Signalling.
16. Web Services.
Exfiltration of UNIX Servers
1. Automated Exfiltration.
2. Data Transfer Size Limits.
3. Exfiltration Over Alternative Protocol.
4. Exfiltration Over C2 Channel.
5. Exfiltration Over Other Network Medium.
6. Exfiltration Over Other Physical Medium.
7. Exfiltration Over Web Services.
8. Scheduled Transfers.
Impact of UNIX Servers Hack
1. Account Access Removal.
2. Data Destruction.
3. Data Encrypted for Impact.
4. Data Manipulation.
5. Defacement.
6. Disk Wipe.
7. Endpoint Denial of Service.
8. Firmware Corruption.
9. Inhibit System Recovery.
10. Network Denial of Service.
11. Resource Hijacking.
12. System Shutdown/Reboot.