resource-development

Obtain Capabilities

Obtain Capabilities: Tool

Stage Capabilities

Stage Capabilities: Upload Malware


Stage Capabilities: Upload Tool

initial-access

Exploit Public-Facing Application

Supply Chain Compromise

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Phishing

Phishing: Spearphishing Attachment

defense-evasion

Query Registry

Obfuscated Files or Information

Obfuscated Files or Information: Steganography

Obfuscated Files or Information: Compile After Delivery

Process Injection

Process Injection: Portable Executable Injection

Indicator Removal on Host

Modify Registry

Deobfuscate/Decode Files or Information

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Mshta

File and Directory Permissions Modification

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control 


Subvert Trust Controls

Subvert Trust Controls: Mark-of-the-Web Bypass

Impair Defenses

Impair Defenses: Disable or Modify Tools

Disable Windows Event Logging

Hijack Execution Flow

Hijack Execution Flow: DLL Side-Loading

command-and-control

Application Layer Protocol

Application Layer Protocol: Web Protocols

Web Service

Web Service: Bidirectional Communication

Multi-Stage Channels

Ingress Tool Transfer

Traffic Signaling

Traffic Signaling: Port Knocking

Remote Access Software

discovery

System Service Discovery

System Network Configuration Discovery

Remote System Discovery

System Owner/User Discovery

Network Service Scanning

Windows Management Instrumentation

System Network Connections Discovery

Process Discovery

Permission Groups Discovery

Data Staged

Data Staged: Local Data Staging

System Information Discovery

File and Directory Discovery

Account Discovery

Account Discovery: Domain Account

Network Share Discovery

Domain Trust Discovery

Software Discovery

Cloud Infrastructure Discovery

Container and Resource Discovery

System Location Discovery

collection

Data from Local System

Input Capture

Input Capture: Keylogging

Screen Capture

Email Collection

Email Collection: Local Email Collection

Video Capture

Archive via Custom Method

persistence

Scheduled Task/Job

Scheduled Task/Job: Cron

Create Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Event Triggered Execution

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Netsh Helper DLL

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider 


Boot or Logon Autostart Execution: Shortcut Modification

Compromise Client Software Binary

credential-access

CISA-AA22-216A

OS Credential Dumping: DCSync

Unsecured Credentials

Unsecured Credentials: Private Keys


Unsecured Credentials: Group Policy Preferences

Credentials from Password Stores

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: AS-REP Roasting

privilege-escalation

Exploitation for Privilege Escalation

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Escape to Host

lateral-movement

Remote Services

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH


Exploitation of Remote Services

Use Alternate Authentication Material

Lateral Tool Transfer

execution

Scheduled Task/Job: Cron 


Command and Scripting Interpreter

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: JavaScript

Native API

User Execution

User Execution: Malicious File

Execution Guardrails

Hijack Execution Flow: Dylib Hijacking

exfiltration

Transfer Data to Cloud Account

Archive Collected Data

Exfiltration Over Web Service

Exfiltration Over Web Service: Exfiltration to Cloud Storage

impact

Audio Capture

Data Destruction

Data Encrypted for Impact

Service Stop

Inhibit System Recovery

Defacement

Defacement: Internal Defacement

Resource Hijacking

System Shutdown/Reboot

Disk Wipe

Disk Wipe: Disk Structure Wipe

A problem in the way sudo implemented executing commands with arbitrary user IDs was discovered. If a sudoers item is created to let the attacker to perform a command as any user other than root, the attacker can use this issue to circumvent that restriction.


Is my host protected against CVE-2019-14287?

A chain that is configured to focus on Cuba ransomware's recent post-exploitation activities first by dumping user credentials using Mimikatz and then attempting to initiate a Remote Desktop Protocol (RDP) connection before attempting to exploit the ZeroLogon vulnerability to gain Domain Administrator privileges and ending with capturing and staging a series of screenshots prior to exfiltration.


Is my host protected against Cuba Ransomware?

In privileged mode, Kubernetes pods can mount the host filesystem and may be subject to container escape. This chain attempts to mount the host filesystem to test whether the host is vulnerable to a container escape. It is critical that pods are not able to mount the host filesystem, as attackers may create persistence by altering mounted files, elevating privileges, and escaping the container.


Is my Kubernetes pod protected against host mounting?

An unprivileged attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container and use chroot to escape the container-jail using Docker via an unprotected tcp socket (2375/tcp, possibly 2376/tcp with tls but without tls-auth) and use chroot to escape the container-jail.


Is my Docker daemon vulnerable to privilege escalation?

Containers that are running in privileged mode may be vulnerable to a container escape. This TTP attempts to configure the cgroup controller release_agent to spawn a privileged Pneuma agent on the Docker host system. It is important that containers are not running in privileged mode, as adversaries may abuse cgroup controllers to elevate privilege and escape the container.


Is my Docker container vulnerable to cgroup controller escapes?

Containers that can mount the host filesystem may be vulnerable to a container escape. This chain attempts to mount the host filesystem, identify a root directory, and establish persistence. It is important that containers cannot mount the host filesystem, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.


Is my Docker container vulnerable to host filesystem mounting?

The purpose of this chain is to test if your Docker container is vulnerable to a Docker socket escape.


Is my Docker container vulnerable to a Docker socket escape?

Locate misconfigured and privileged SUID binaries capable of executing shell commands then leverage them to spawn and persist an agent of our choice on startup based on the running environment.

GTsST Sandworm Team

Download and execute a packed Master Boot Record (MBR) wiper.


APT38 DarkSeoul

This exploit enables an attacker to modify an arbitrary read-only file. The technique modifies /etc/passwd to elevate privilege and spawn a root shell. The vulnerability is present in the Linux kernel since 5.8.

Dirty Pipe CVE-2022-0847

This technique is a Local Privilege Escalation in polkit's pkexec enabling a user to spawn a root shell. The vulnerability 
is present in all major distros since May 2009.  PoC by @bl4sty - https://haxx.in/files/blasty-vs-pkexec.c


LPE in polkit (CVE-2021-4034)

Using facts from the previous Conti chain, this release exploits the PrintNightmare vulnerability to gain local admin 
privileges on our initial foothold.  Using the ZeroLogon exploit, overwrite a Domain Controller machine account and execute 
a dcsync attack against it to dump the krbtgt NTLM hash.


Conti Privilege Escalation and Persistence

The eBPF chain first performs a kernel version check to establish if the exploit will launch in the environment. If the 
kernel version is vulnerable, it then ingresses the exploit payload, launching a privileged Pneuma agent.


eBPF CVE-2021-3490

Stages a directory in the home folder to hold exploit seq_file directory structure. Performs a kernel version check
and checks for vulnerable kernel settings. Discovers available system RAM and checks if it meets exploitation requirements.
Finally, ingress the exploit payload and launch a privileged Pneuma agent.


Sequoia

Identify the sudo binary version on the local system, compare it against the last known vulnerable version of Sudo for 
CVE-2021-3156, then spawn an elevated Pneuma agent.


Baron Samedit (Spawn Agent)

Stage a local agent configuration definition file and ingress an agent DLL. Query the system registry and check installed 
hotfixes to see if the system is vulnerable. If vulnerable, installed a custom printer driver that spawns a new agent as 
NT AUTHORITY/SYSTEM.


Printnightmare

Privilege Escalation Chains

Browse By:

Platforms

All

Windows

Darwin

Linux

Global

Android

Themes

Tags

Licenses