TACTICS, TECHNIQUES AND PROCEDURES (TTP)
MITRE’S ATT&CK®
Windows Pen Test
Execution – Windows
1. Command and Scripting Interpreter.
2. Exploitation for Client Execution.
3. Inter-Process Communication.
4. Native API.
5. Scheduled Tasks or Jobs.
6. Shared Modules.
7. Software Deployment Tools.
8. System Services.
9. User Execution.
10. Windows Management Instrumentation (WMI).
Persistence – Windows
1. Account Manipulation.
2. BITS Jobs.
3. Boot or Logon Autostart Execution.
4. Boot or Logon Initialisation Scripts.
5. Browser Extensions.
6. Compromise Client Software Binary.
7. Create Account.
8. Create or Modify System Process.
9. Event Triggered Execution.
10. External Remote Services.
11. Hijack Execution Flow.
12. Office Application Startup.
13. Pre-OS Boot.
14. Scheduled Jobs.
15. Server Software Component.
16. Traffic Signalling.
17. Valid Accounts.
Privilege Escalation – Windows
1. Abuse Elevation Control Mechanism.
2. Access Token Manipulation.
3. Boot or Logon Autostart Execution.
4. Boot or Logon Initialisation Scripts.
5. Create or Modify System Process.
6. Event Triggered Execution.
7. Exploitation for Privilege Escalation.
8. Group Policy Modification.
9. Hijack Execution Flow.
10. Process Injection.
11. Scheduled Jobs.
12. Valid Accounts.
Defence Evasion – Windows
1. Abuse Elevation Control Mechanism.
2. Access Token Manipulation.
3. BITS Jobs.
4. De-obfuscate or Decode Files or Information.
5. Direct Volume Access.
6. Execution Guardrails.
7. Exploitation for Defense Evasion.
8. File and Directory Permissions Modification.
9. Group Policy Modification.
10. Hide Artifacts.
11. Hijack Execution Flow.
12. Impair Defenses.
13. Indicator Removal on Host.
14. Indirect Command Execution.
15. Masquerading.
16. Modify Authentication Process.
17. Modify Registry.
18. Obfuscated Files or Information.
19. Pre-OS Boot.
20. Process Injection.
21. Rogue Domain Controller.
22. Rootkits.
23. Signed Binary Proxy Execution.
24. Signed Script Proxy Execution.
25. Subvert Trust Controls.
26. Template Injection.
27. Traffic Signalling.
28. Trusted Developer Utilities Proxy Execution.
29. Use Alternate Authentication Material.
30. Valid Accounts.
31. Virtualisation/Sandbox Evasion.
32. XSL Script Processing.
Credential Access – Windows
1. Brute Force Attacks.
2. Credentials from Password Stores.
3. Exploitation for Credential Access.
4. Forced Authentication.
5. Input Capture.
6. Man-in-the-Middle (MiTM) Attacks.
7. Modify Authentication Process.
8. Network Sniffing.
9. OS Credential Dumping.
10. Steal or Forge Kerberos Tickets.
11. Steal Web Session Cookies.
12. 2FA Interception.
13. Insecure Credentials.
Discovery – Windows
1. Account Discovery.
2. Application Window Discovery.
3. Browser Bookmark Discovery.
4. Domain Trust Discovery.
5. File and Directory Discovery.
6. Network Service Scanning.
7. Network Share Discovery.
8. Network Sniffing.
9. Password Policy Discovery.
10. Peripheral Device Discovery.
11. Permission Groups Discovery.
12. Process Discovery.
13. Query Registry.
14. Remote System Discovery.
15. Software Discovery.
16. System Information Discovery.
17. System Network Configuration Discovery.
18. System Network Connections Discovery.
19. System Owner/User Discovery.
20. System Service Discovery.
21. System Time Discovery.
22. Virtualisation/Sandbox Evasion.
Lateral Movement – Windows
1. Exploitation of Remote Services.
2. Internal Spear-Phishing.
3. Lateral Tool Transfer.
4. Remote Service Session Hijacking.
5. Remote Services.
6. Replication Through Removable Media.
7. Software Deployment Tools.
8. Taint Shared Content.
9. Use Alternate Authentication Material.
Collection – Windows
1. Archive Collected Data.
2. Audio Capture.
3. Automated Collection.
4. Clipboard Data.
5. Data from Information Repositories.
6. Data from Local System.
7. Data from Network Shared Drive.
8. Data from Removable Media.
9. Data Staged.
10. Email Collection.
11. Input Capture.
12. Man-in-the-Browser (MiTB) Attacks.
13. Man-in-the-Middle (MiTM) Attacks.
14. Screen Capture.
15. Video Capture.
Command and Control – Windows
1. Application Layer Protocol.
2. Communication Through Removable Media.
3. Data Encoding.
4. Data Obfuscation.
5. Dynamic Resolution.
6. Encrypted Channel.
7. Fallback Channels.
8. Ingress Tool Transfer.
9. Multi-Stage Channels.
10. Non-Application Layer Protocol.
11. Non-Standard Port.
12. Protocol Tunnelling.
13. Proxy.
14. Remote Access Software.
15. Traffic Signalling.
16. Web Services.
Exfiltration – Windows
1. Automated Exfiltration.
2. Data Transfer Size Limits.
3. Exfiltration Over Alternative Protocol.
4. Exfiltration Over C2 Channel.
5. Exfiltration Over Other Network Medium.
6. Exfiltration Over Other Physical Medium.
7. Exfiltration Over Web Services.
8. Scheduled Transfers.
Impact – Windows
1. Account Access Removal.
2. Data Destruction.
3. Data Encrypted for Impact.
4. Data Manipulation.
5. Defacement.
6. Disk Wipe.
7. Endpoint Denial of Service.
8. Firmware Corruption.
9. Inhibit System Recovery.
10. Network Denial of Service.
11. Resource Hijacking.
12. Service Stop.
13. System Shutdown/Reboot.