resource-development

Obtain Capabilities

Obtain Capabilities: Tool

Stage Capabilities

Stage Capabilities: Upload Malware


Stage Capabilities: Upload Tool

initial-access

Exploit Public-Facing Application

Supply Chain Compromise

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Phishing

Phishing: Spearphishing Attachment

defense-evasion

Query Registry

Obfuscated Files or Information

Obfuscated Files or Information: Steganography

Obfuscated Files or Information: Compile After Delivery

Process Injection

Process Injection: Portable Executable Injection

Indicator Removal on Host

Modify Registry

Deobfuscate/Decode Files or Information

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Mshta

File and Directory Permissions Modification

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control 


Subvert Trust Controls

Subvert Trust Controls: Mark-of-the-Web Bypass

Impair Defenses

Impair Defenses: Disable or Modify Tools

Disable Windows Event Logging

Hijack Execution Flow

Hijack Execution Flow: DLL Side-Loading

command-and-control

Application Layer Protocol

Application Layer Protocol: Web Protocols

Web Service

Web Service: Bidirectional Communication

Multi-Stage Channels

Ingress Tool Transfer

Traffic Signaling

Traffic Signaling: Port Knocking

Remote Access Software

discovery

System Service Discovery

System Network Configuration Discovery

Remote System Discovery

System Owner/User Discovery

Network Service Scanning

Windows Management Instrumentation

System Network Connections Discovery

Process Discovery

Permission Groups Discovery

Data Staged

Data Staged: Local Data Staging

System Information Discovery

File and Directory Discovery

Account Discovery

Account Discovery: Domain Account

Network Share Discovery

Domain Trust Discovery

Software Discovery

Cloud Infrastructure Discovery

Container and Resource Discovery

System Location Discovery

collection

Data from Local System

Input Capture

Input Capture: Keylogging

Screen Capture

Email Collection

Email Collection: Local Email Collection

Video Capture

Archive via Custom Method

persistence

Scheduled Task/Job

Scheduled Task/Job: Cron

Create Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Event Triggered Execution

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Netsh Helper DLL

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider 


Boot or Logon Autostart Execution: Shortcut Modification

Compromise Client Software Binary

credential-access

CISA-AA22-216A

OS Credential Dumping: DCSync

Unsecured Credentials

Unsecured Credentials: Private Keys


Unsecured Credentials: Group Policy Preferences

Credentials from Password Stores

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: AS-REP Roasting

privilege-escalation

Exploitation for Privilege Escalation

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Escape to Host

lateral-movement

Remote Services

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH


Exploitation of Remote Services

Use Alternate Authentication Material

Lateral Tool Transfer

execution

Scheduled Task/Job: Cron 


Command and Scripting Interpreter

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: JavaScript

Native API

User Execution

User Execution: Malicious File

Execution Guardrails

Hijack Execution Flow: Dylib Hijacking

exfiltration

Transfer Data to Cloud Account

Archive Collected Data

Exfiltration Over Web Service

Exfiltration Over Web Service: Exfiltration to Cloud Storage

impact

Audio Capture

Data Destruction

Data Encrypted for Impact

Service Stop

Inhibit System Recovery

Defacement

Defacement: Internal Defacement

Resource Hijacking

System Shutdown/Reboot

Disk Wipe

Disk Wipe: Disk Structure Wipe

This chain is meant to be deployed from a jump box and attack another machine on the network using Crackmapexec to dump SAM and LSA and execute system.


Is my host protected against Crackmapexec?

This TTP downloads a ZIP file, the ZIP archive holds a Microsoft Word document that contains a macro. If Microsoft Office is installed on the host, the TTP will attempt to open the Word document.


Are MOUSEISLAND malware procedures mitigated on this host?

This TTP was designed to emulate GootLoader's execution and persistence capabilities. This uses GootLoader's methods of downloading a JScript file within a Zip file, using Wscript to execute the JS file to add specific registry keys, reflectively loading a non-existent DLL, and creating a scheduled task for persistence.


Are GootLoader malware procedures mitigated on this host?

Iron Viking/Sandworm Team were able to deploy a worm that spread across the Ukranian critical 
infrastructure. This worm had a sole goal of wiping these machines. It didn't make it far
due to it's spreading method. However it is very powerful in nature.


GTsST Iron Viking AWFULSHRED


APT38 WannaCry ransomware demonstrates lateral movement using EternalBlue and DoublePulsar exploits. This chain stages a shellcode payload, exploits a vulnerable SMBv1 service, install persistence, then kills running db processes, and finally delete volume shadow copies.


APT38 WannaCry

Find files which have names that contain "user" or "pass", check the files to ensure they are not in binary format and contain
atleast 1 special character. Compress the files and serve them on a website that will only host two requests before shutting 
down, then delete artifacts created by the previous TTPs. 


APT40 Find and Exfiltrate

Demonstrates a shellcode injection technique followed by several native API execution techniques.


APT40 educational institutions

Stage a disarmed APT29 WellMess malware sample and use gost (Go Simple Tunnel) to create a SOCKS5 proxy server and client.


APT29 COVID-19 Vaccine Data

Drops an image encoded with an agent to the system, decodes the contents, and starts Schism. This chain is based on a 
steganographic staging methodology in APT 29's Operation Ghost.


Operation Ghost

Stage a self-extracting RAR that contains disarmed CozyBear malware. Next, use a malicious .LNK file to simulate user 
execution of the malware.  Finally, stage emails for exfiltration.


APT29 Democratic National Committee

Using the Jambi agent from the previous chain, discover targets on the Active Directory and then perform targeted lateral 
movement of the Jambi agent by first moving the agent to the desired target and then starting the agent.


Conti Move To Remote System

Stage a phishing email in user's Documents directory then open it. Next, stage and launch a malicious PDF in user's Downloads directory. 
The malicious PDF creates a C:\Conti directory to stage and launch a Jambi agent.


Conti Recon And Initial Access

Use a modified Schism agent for Android to deploy TTPs targeting the Android Debug Bridge (ADB) shell. This first collection 
of Android TTPs enables screen captures, video recording of user action, listing and removal of software packages, creation 
of new users, and device location discovery.


Android ADB Shell

Deploy a script that dynamically resolves various implant modules. Automatically resolve and install an HTTP C2 module.
All tasks sent to the agent will resolve missing modules, install them, and run various Powershell and keyword-based TTPs 
in the current thread.


Jambi Modules

Deploy a script that dynamically resolves various implant modules. Automatically resolve and install an HTTP C2 module.
At runtime, tasks are sent to the agent which is able to resolve missing modules, install them, and run both shell and
keyword-based TTPs.


JXA Modules

Takes the Python SciPy package and conceals the Schism agent within its files. When SciPy is installed it will launch 
the Schism agent in the background without the user knowing, providing initial access to the target.


B1-66ER (Initial Access)

Create a random XOR byte and ingress and XOR a SharpHound payload to a temporary file on the target system. Bypass AMSI, 
load, and then run the XOR'd SharpHound payload in memory.


SharpHound

Deploy a file-less JXA agent via a shell script and create a persistence application on the users desktop to launch a new 
agent any time the "fake" Safari application is clicked. Next, upgrade the file-less agent to a full stage-2 Pneuma agent.


JXA Access

Identify the sudo binary version on the local system then compare it against the last known vulnerable version of 
Sudo for CVE-2021-3156. If it's vulnerable, generate an openssl password and create a root persistence user.


Baron Samedit (Persistence)

Create a staging directory and generate a cryto key there. Discover the directories inside a user's home folder then 
safely encrypt all files inside the directories using the generated key. Compress the staging directory to prepare the 
crypto key for exfiltration and open a ransom note on the system.


Ransomware

Creating a staging directory and ingress a C# script. Copy a binary from system32 to the staging directory and compile 
the ingressed script. Stage an executable configuration file and launch the copied binary to indirectly load and run 
the assembly.


GhostLoader

Execution Chains

Browse By:

Platforms

All

Windows

Darwin

Linux

Global

Android

Themes

Tags

Licenses