You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22 KiB
22 KiB
| 1 | Phase number | Phase | Pathway start | Pathway end | Critical Control | Technique (CERT NZ) | Software (CERT NZ) | Technique |
|---|---|---|---|---|---|---|---|---|
| 2 | 1 | Initial access | Phishing | Valid credentials | Password manager | T1078 Valid Accounts | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1566 Phishing,T1566.001 Spearphishing Attachment,T1566.002 Spearphishing Link,T1566.003 Spearphishing via Service,T1598 Phishing for Information,T1598.001 Spearphishing Service,T1598.002 Spearphishing Attachment,T1598.003 Spearphishing Link |
| 3 | 1 | Initial access | Password guessing | Valid credentials | T1110 Brute Force | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1110.001 Password Guessing | |
| 4 | 1 | Initial access | Exploit vulnerability | Internet-exposed service | Patching, Internet-exposed services, Logging and alerting | T1133 External Remote Services | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1190 Exploit Public-Facing Application |
| 5 | 1 | Initial access | Malicious document | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1087.003 Email Account,T1098.002 Exchange Email Delegate Permissions,T1114 Email Collection,T1114.001 Local Email Collection,T1114.002 Remote Email Collection,T1114.003 Email Forwarding Rule,T1564.008 Email Hiding Rules,T1585.002 Email Accounts,T1586.002 Email Accounts,T1589.002 Email Addresses | |||
| 6 | 1 | Initial access | Valid credentials | Internet-exposed service | Internet-exposed services, MFA, Logging and alerting | T1078 Valid Accounts,T1133 External Remote Services | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1078 Valid Accounts,T1078.001 Default Accounts,T1078.002 Domain Accounts,T1078.003 Local Accounts,T1078.004 Cloud Accounts |
| 7 | 1 | Initial access | Malicious document | Malware | Logging and alerting, Application allowlisting, Disable macros | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1204 User Execution,T1204.001 Malicious Link,T1204.002 Malicious File,T1204.003 Malicious Image | |
| 8 | 1 | Initial access | Internet-exposed service | Command and control | Logging and alerting, Application allowlisting | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1133 External Remote Services | |
| 9 | 1 | Initial access | Malware | Command and control | Logging and alerting, Application allowlisting | S0266 Trickbot,Qakbot,S0483 IcedID,S0534 Bazar | T1587.001 Malware,T1588.001 Malware,T1608.001 Upload Malware | |
| 10 | 2 | Consolidation and preparation | Command and control | Lateral movement | Patching, Network segmentation, Principle of least privilege, Logging and alerting, MFA | T1573 Encrypted Channel | S0154 Cobalt Strike | T1001 Data Obfuscation,T1001.001 Junk Data,T1001.002 Steganography,T1001.003 Protocol Impersonation,T1008 Fallback Channels,T1071 Application Layer Protocol,T1071.001 Web Protocols,T1071.002 File Transfer Protocols,T1071.003 Mail Protocols,T1071.004 DNS,T1090 Proxy,T1090.001 Internal Proxy,T1090.002 External Proxy,T1090.003 Multi-hop Proxy,T1090.004 Domain Fronting,T1092 Communication Through Removable Media,T1095 Non-Application Layer Protocol,T1102 Web Service,T1102.001 Dead Drop Resolver,T1102.002 Bidirectional Communication,T1102.003 One-Way Communication,T1104 Multi-Stage Channels,T1105 Ingress Tool Transfer,T1132 Data Encoding,T1132.001 Standard Encoding,T1132.002 Non-Standard Encoding,T1205 Traffic Signaling,T1205.001 Port Knocking,T1219 Remote Access Software,T1568 Dynamic Resolution,T1568.001 Fast Flux DNS,T1568.002 Domain Generation Algorithms,T1568.003 DNS Calculation,T1571 Non-Standard Port,T1572 Protocol Tunneling,T1573 Encrypted Channel,T1573.001 Symmetric Cryptography,T1573.002 Asymmetric Cryptography |
| 11 | 2 | Consolidation and preparation | Command and control | Privilege escalation | Patching, Network segmentation, Principle of least privilege, Logging and alerting, MFA | T1573 Encrypted Channel | S0154 Cobalt Strike | T1001 Data Obfuscation,T1001.001 Junk Data,T1001.002 Steganography,T1001.003 Protocol Impersonation,T1008 Fallback Channels,T1071 Application Layer Protocol,T1071.001 Web Protocols,T1071.002 File Transfer Protocols,T1071.003 Mail Protocols,T1071.004 DNS,T1090 Proxy,T1090.001 Internal Proxy,T1090.002 External Proxy,T1090.003 Multi-hop Proxy,T1090.004 Domain Fronting,T1092 Communication Through Removable Media,T1095 Non-Application Layer Protocol,T1102 Web Service,T1102.001 Dead Drop Resolver,T1102.002 Bidirectional Communication,T1102.003 One-Way Communication,T1104 Multi-Stage Channels,T1105 Ingress Tool Transfer,T1132 Data Encoding,T1132.001 Standard Encoding,T1132.002 Non-Standard Encoding,T1205 Traffic Signaling,T1205.001 Port Knocking,T1219 Remote Access Software,T1568 Dynamic Resolution,T1568.001 Fast Flux DNS,T1568.002 Domain Generation Algorithms,T1568.003 DNS Calculation,T1571 Non-Standard Port,T1572 Protocol Tunneling,T1573 Encrypted Channel,T1573.001 Symmetric Cryptography,T1573.002 Asymmetric Cryptography |
| 12 | 2 | Consolidation and preparation | Lateral movement | Privilege escalation | T1078 Account Discovery, T1018 Remote System Discovery, T1046 Network Service Scanning | S0154 Cobalt Strike | T1021 Remote Services,T1021.001 Remote Desktop Protocol,T1021.002 SMB/Windows Admin Shares,T1021.003 Distributed Component Object Model,T1021.004 SSH,T1021.005 VNC,T1021.006 Windows Remote Management,T1072 Software Deployment Tools,T1080 Taint Shared Content,T1091 Replication Through Removable Media,T1210 Exploitation of Remote Services,T1534 Internal Spearphishing,T1550 Use Alternate Authentication Material,T1550.001 Application Access Token,T1550.002 Pass the Hash,T1550.003 Pass the Ticket,T1550.004 Web Session Cookie,T1563 Remote Service Session Hijacking,T1563.001 SSH Hijacking,T1563.002 RDP Hijacking,T1570 Lateral Tool Transfer | |
| 13 | 2 | Consolidation and preparation | Privilege escalation | Lateral movement | S0154 Cobalt Strike | T1037 Boot or Logon Initialization Scripts,T1037.001 Logon Script (Windows),T1037.002 Logon Script (Mac),T1037.003 Network Logon Script,T1037.004 RC Scripts,T1037.005 Startup Items,T1053 Scheduled Task/Job,T1053.001 At (Linux),T1053.002 At (Windows),T1053.003 Cron,T1053.004 Launchd,T1053.005 Scheduled Task,T1053.006 Systemd Timers,T1053.007 Container Orchestration Job,T1055 Process Injection,T1055.001 Dynamic-link Library Injection,T1055.002 Portable Executable Injection,T1055.003 Thread Execution Hijacking,T1055.004 Asynchronous Procedure Call,T1055.005 Thread Local Storage,T1055.008 Ptrace System Calls,T1055.009 Proc Memory,T1055.011 Extra Window Memory Injection,T1055.012 Process Hollowing,T1055.013 Process Doppelganging,T1055.014 VDSO Hijacking,T1068 Exploitation for Privilege Escalation,T1078 Valid Accounts,T1078.001 Default Accounts,T1078.002 Domain Accounts,T1078.003 Local Accounts,T1078.004 Cloud Accounts,T1134 Access Token Manipulation,T1134.001 Token Impersonation/Theft,T1134.002 Create Process with Token,T1134.003 Make and Impersonate Token,T1134.004 Parent PID Spoofing,T1134.005 SID-History Injection,T1484 Domain Policy Modification,T1484.001 Group Policy Modification,T1484.002 Domain Trust Modification,T1543 Create or Modify System Process,T1543.001 Launch Agent,T1543.002 Systemd Service,T1543.003 Windows Service,T1543.004 Launch Daemon,T1546 Event Triggered Execution,T1546.001 Change Default File Association,T1546.002 Screensaver,T1546.003 Windows Management Instrumentation Event Subscription,T1546.004 Unix Shell Configuration Modification,T1546.005 Trap,T1546.006 LC_LOAD_DYLIB Addition,T1546.007 Netsh Helper DLL,T1546.008 Accessibility Features,T1546.009 AppCert DLLs,T1546.010 AppInit DLLs,T1546.011 Application Shimming,T1546.012 Image File Execution Options Injection,T1546.013 PowerShell Profile,T1546.014 Emond,T1546.015 Component Object Model Hijacking,T1547 Boot or Logon Autostart Execution,T1547.001 Registry Run Keys / Startup Folder,T1547.002 Authentication Package,T1547.003 Time Providers,T1547.004 Winlogon Helper DLL,T1547.005 Security Support Provider,T1547.006 Kernel Modules and Extensions,T1547.007 Re-opened Applications,T1547.008 LSASS Driver,T1547.009 Shortcut Modification,T1547.010 Port Monitors,T1547.011 Plist Modification,T1547.012 Print Processors,T1547.013 XDG Autostart Entries,T1547.014 Active Setup,T1547.015 Login Items,T1548 Abuse Elevation Control Mechanism,T1548.001 Setuid and Setgid,T1548.002 Bypass User Account Control,T1548.003 Sudo and Sudo Caching,T1548.004 Elevated Execution with Prompt,T1574 Hijack Execution Flow,T1574.001 DLL Search Order Hijacking,T1574.002 DLL Side-Loading,T1574.004 Dylib Hijacking,T1574.005 Executable Installer File Permissions Weakness,T1574.006 Dynamic Linker Hijacking,T1574.007 Path Interception by PATH Environment Variable,T1574.008 Path Interception by Search Order Hijacking,T1574.009 Path Interception by Unquoted Path,T1574.010 Services File Permissions Weakness,T1574.011 Services Registry Permissions Weakness,T1574.012 COR_PROFILER,T1611 Escape to Host | ||
| 14 | 2 | Consolidation and preparation | Lateral movement | Data exfiltration | Logging and alerting | T1078 Account Discovery, T1018 Remote System Discovery, T1046 Network Service Scanning | S0154 Cobalt Strike | T1021 Remote Services,T1021.001 Remote Desktop Protocol,T1021.002 SMB/Windows Admin Shares,T1021.003 Distributed Component Object Model,T1021.004 SSH,T1021.005 VNC,T1021.006 Windows Remote Management,T1072 Software Deployment Tools,T1080 Taint Shared Content,T1091 Replication Through Removable Media,T1210 Exploitation of Remote Services,T1534 Internal Spearphishing,T1550 Use Alternate Authentication Material,T1550.001 Application Access Token,T1550.002 Pass the Hash,T1550.003 Pass the Ticket,T1550.004 Web Session Cookie,T1563 Remote Service Session Hijacking,T1563.001 SSH Hijacking,T1563.002 RDP Hijacking,T1570 Lateral Tool Transfer |
| 15 | 2 | Consolidation and preparation | Privilege escalation | Data exfiltration | Logging and alerting | S0154 Cobalt Strike | T1037 Boot or Logon Initialization Scripts,T1037.001 Logon Script (Windows),T1037.002 Logon Script (Mac),T1037.003 Network Logon Script,T1037.004 RC Scripts,T1037.005 Startup Items,T1053 Scheduled Task/Job,T1053.001 At (Linux),T1053.002 At (Windows),T1053.003 Cron,T1053.004 Launchd,T1053.005 Scheduled Task,T1053.006 Systemd Timers,T1053.007 Container Orchestration Job,T1055 Process Injection,T1055.001 Dynamic-link Library Injection,T1055.002 Portable Executable Injection,T1055.003 Thread Execution Hijacking,T1055.004 Asynchronous Procedure Call,T1055.005 Thread Local Storage,T1055.008 Ptrace System Calls,T1055.009 Proc Memory,T1055.011 Extra Window Memory Injection,T1055.012 Process Hollowing,T1055.013 Process Doppelganging,T1055.014 VDSO Hijacking,T1068 Exploitation for Privilege Escalation,T1078 Valid Accounts,T1078.001 Default Accounts,T1078.002 Domain Accounts,T1078.003 Local Accounts,T1078.004 Cloud Accounts,T1134 Access Token Manipulation,T1134.001 Token Impersonation/Theft,T1134.002 Create Process with Token,T1134.003 Make and Impersonate Token,T1134.004 Parent PID Spoofing,T1134.005 SID-History Injection,T1484 Domain Policy Modification,T1484.001 Group Policy Modification,T1484.002 Domain Trust Modification,T1543 Create or Modify System Process,T1543.001 Launch Agent,T1543.002 Systemd Service,T1543.003 Windows Service,T1543.004 Launch Daemon,T1546 Event Triggered Execution,T1546.001 Change Default File Association,T1546.002 Screensaver,T1546.003 Windows Management Instrumentation Event Subscription,T1546.004 Unix Shell Configuration Modification,T1546.005 Trap,T1546.006 LC_LOAD_DYLIB Addition,T1546.007 Netsh Helper DLL,T1546.008 Accessibility Features,T1546.009 AppCert DLLs,T1546.010 AppInit DLLs,T1546.011 Application Shimming,T1546.012 Image File Execution Options Injection,T1546.013 PowerShell Profile,T1546.014 Emond,T1546.015 Component Object Model Hijacking,T1547 Boot or Logon Autostart Execution,T1547.001 Registry Run Keys / Startup Folder,T1547.002 Authentication Package,T1547.003 Time Providers,T1547.004 Winlogon Helper DLL,T1547.005 Security Support Provider,T1547.006 Kernel Modules and Extensions,T1547.007 Re-opened Applications,T1547.008 LSASS Driver,T1547.009 Shortcut Modification,T1547.010 Port Monitors,T1547.011 Plist Modification,T1547.012 Print Processors,T1547.013 XDG Autostart Entries,T1547.014 Active Setup,T1547.015 Login Items,T1548 Abuse Elevation Control Mechanism,T1548.001 Setuid and Setgid,T1548.002 Bypass User Account Control,T1548.003 Sudo and Sudo Caching,T1548.004 Elevated Execution with Prompt,T1574 Hijack Execution Flow,T1574.001 DLL Search Order Hijacking,T1574.002 DLL Side-Loading,T1574.004 Dylib Hijacking,T1574.005 Executable Installer File Permissions Weakness,T1574.006 Dynamic Linker Hijacking,T1574.007 Path Interception by PATH Environment Variable,T1574.008 Path Interception by Search Order Hijacking,T1574.009 Path Interception by Unquoted Path,T1574.010 Services File Permissions Weakness,T1574.011 Services Registry Permissions Weakness,T1574.012 COR_PROFILER,T1611 Escape to Host | |
| 16 | 2 | Consolidation and preparation | Lateral movement | Destroy backups | Backups | T1078 Account Discovery, T1018 Remote System Discovery, T1046 Network Service Scanning | S0154 Cobalt Strike | T1021 Remote Services,T1021.001 Remote Desktop Protocol,T1021.002 SMB/Windows Admin Shares,T1021.003 Distributed Component Object Model,T1021.004 SSH,T1021.005 VNC,T1021.006 Windows Remote Management,T1072 Software Deployment Tools,T1080 Taint Shared Content,T1091 Replication Through Removable Media,T1210 Exploitation of Remote Services,T1534 Internal Spearphishing,T1550 Use Alternate Authentication Material,T1550.001 Application Access Token,T1550.002 Pass the Hash,T1550.003 Pass the Ticket,T1550.004 Web Session Cookie,T1563 Remote Service Session Hijacking,T1563.001 SSH Hijacking,T1563.002 RDP Hijacking,T1570 Lateral Tool Transfer |
| 17 | 2 | Consolidation and preparation | Privilege escalation | Destroy backups | Backups | S0154 Cobalt Strike | T1037 Boot or Logon Initialization Scripts,T1037.001 Logon Script (Windows),T1037.002 Logon Script (Mac),T1037.003 Network Logon Script,T1037.004 RC Scripts,T1037.005 Startup Items,T1053 Scheduled Task/Job,T1053.001 At (Linux),T1053.002 At (Windows),T1053.003 Cron,T1053.004 Launchd,T1053.005 Scheduled Task,T1053.006 Systemd Timers,T1053.007 Container Orchestration Job,T1055 Process Injection,T1055.001 Dynamic-link Library Injection,T1055.002 Portable Executable Injection,T1055.003 Thread Execution Hijacking,T1055.004 Asynchronous Procedure Call,T1055.005 Thread Local Storage,T1055.008 Ptrace System Calls,T1055.009 Proc Memory,T1055.011 Extra Window Memory Injection,T1055.012 Process Hollowing,T1055.013 Process Doppelganging,T1055.014 VDSO Hijacking,T1068 Exploitation for Privilege Escalation,T1078 Valid Accounts,T1078.001 Default Accounts,T1078.002 Domain Accounts,T1078.003 Local Accounts,T1078.004 Cloud Accounts,T1134 Access Token Manipulation,T1134.001 Token Impersonation/Theft,T1134.002 Create Process with Token,T1134.003 Make and Impersonate Token,T1134.004 Parent PID Spoofing,T1134.005 SID-History Injection,T1484 Domain Policy Modification,T1484.001 Group Policy Modification,T1484.002 Domain Trust Modification,T1543 Create or Modify System Process,T1543.001 Launch Agent,T1543.002 Systemd Service,T1543.003 Windows Service,T1543.004 Launch Daemon,T1546 Event Triggered Execution,T1546.001 Change Default File Association,T1546.002 Screensaver,T1546.003 Windows Management Instrumentation Event Subscription,T1546.004 Unix Shell Configuration Modification,T1546.005 Trap,T1546.006 LC_LOAD_DYLIB Addition,T1546.007 Netsh Helper DLL,T1546.008 Accessibility Features,T1546.009 AppCert DLLs,T1546.010 AppInit DLLs,T1546.011 Application Shimming,T1546.012 Image File Execution Options Injection,T1546.013 PowerShell Profile,T1546.014 Emond,T1546.015 Component Object Model Hijacking,T1547 Boot or Logon Autostart Execution,T1547.001 Registry Run Keys / Startup Folder,T1547.002 Authentication Package,T1547.003 Time Providers,T1547.004 Winlogon Helper DLL,T1547.005 Security Support Provider,T1547.006 Kernel Modules and Extensions,T1547.007 Re-opened Applications,T1547.008 LSASS Driver,T1547.009 Shortcut Modification,T1547.010 Port Monitors,T1547.011 Plist Modification,T1547.012 Print Processors,T1547.013 XDG Autostart Entries,T1547.014 Active Setup,T1547.015 Login Items,T1548 Abuse Elevation Control Mechanism,T1548.001 Setuid and Setgid,T1548.002 Bypass User Account Control,T1548.003 Sudo and Sudo Caching,T1548.004 Elevated Execution with Prompt,T1574 Hijack Execution Flow,T1574.001 DLL Search Order Hijacking,T1574.002 DLL Side-Loading,T1574.004 Dylib Hijacking,T1574.005 Executable Installer File Permissions Weakness,T1574.006 Dynamic Linker Hijacking,T1574.007 Path Interception by PATH Environment Variable,T1574.008 Path Interception by Search Order Hijacking,T1574.009 Path Interception by Unquoted Path,T1574.010 Services File Permissions Weakness,T1574.011 Services Registry Permissions Weakness,T1574.012 COR_PROFILER,T1611 Escape to Host | |
| 18 | 2 | Consolidation and preparation | Lateral movement | Encrypt data | Application allowlisting, Logging and alerting | T1078 Account Discovery, T1018 Remote System Discovery, T1046 Network Service Scanning | S0154 Cobalt Strike | T1021 Remote Services,T1021.001 Remote Desktop Protocol,T1021.002 SMB/Windows Admin Shares,T1021.003 Distributed Component Object Model,T1021.004 SSH,T1021.005 VNC,T1021.006 Windows Remote Management,T1072 Software Deployment Tools,T1080 Taint Shared Content,T1091 Replication Through Removable Media,T1210 Exploitation of Remote Services,T1534 Internal Spearphishing,T1550 Use Alternate Authentication Material,T1550.001 Application Access Token,T1550.002 Pass the Hash,T1550.003 Pass the Ticket,T1550.004 Web Session Cookie,T1563 Remote Service Session Hijacking,T1563.001 SSH Hijacking,T1563.002 RDP Hijacking,T1570 Lateral Tool Transfer |
| 19 | 2 | Consolidation and preparation | Privilege escalation | Encrypt data | Application allowlisting, Logging and alerting | S0154 Cobalt Strike | T1037 Boot or Logon Initialization Scripts,T1037.001 Logon Script (Windows),T1037.002 Logon Script (Mac),T1037.003 Network Logon Script,T1037.004 RC Scripts,T1037.005 Startup Items,T1053 Scheduled Task/Job,T1053.001 At (Linux),T1053.002 At (Windows),T1053.003 Cron,T1053.004 Launchd,T1053.005 Scheduled Task,T1053.006 Systemd Timers,T1053.007 Container Orchestration Job,T1055 Process Injection,T1055.001 Dynamic-link Library Injection,T1055.002 Portable Executable Injection,T1055.003 Thread Execution Hijacking,T1055.004 Asynchronous Procedure Call,T1055.005 Thread Local Storage,T1055.008 Ptrace System Calls,T1055.009 Proc Memory,T1055.011 Extra Window Memory Injection,T1055.012 Process Hollowing,T1055.013 Process Doppelganging,T1055.014 VDSO Hijacking,T1068 Exploitation for Privilege Escalation,T1078 Valid Accounts,T1078.001 Default Accounts,T1078.002 Domain Accounts,T1078.003 Local Accounts,T1078.004 Cloud Accounts,T1134 Access Token Manipulation,T1134.001 Token Impersonation/Theft,T1134.002 Create Process with Token,T1134.003 Make and Impersonate Token,T1134.004 Parent PID Spoofing,T1134.005 SID-History Injection,T1484 Domain Policy Modification,T1484.001 Group Policy Modification,T1484.002 Domain Trust Modification,T1543 Create or Modify System Process,T1543.001 Launch Agent,T1543.002 Systemd Service,T1543.003 Windows Service,T1543.004 Launch Daemon,T1546 Event Triggered Execution,T1546.001 Change Default File Association,T1546.002 Screensaver,T1546.003 Windows Management Instrumentation Event Subscription,T1546.004 Unix Shell Configuration Modification,T1546.005 Trap,T1546.006 LC_LOAD_DYLIB Addition,T1546.007 Netsh Helper DLL,T1546.008 Accessibility Features,T1546.009 AppCert DLLs,T1546.010 AppInit DLLs,T1546.011 Application Shimming,T1546.012 Image File Execution Options Injection,T1546.013 PowerShell Profile,T1546.014 Emond,T1546.015 Component Object Model Hijacking,T1547 Boot or Logon Autostart Execution,T1547.001 Registry Run Keys / Startup Folder,T1547.002 Authentication Package,T1547.003 Time Providers,T1547.004 Winlogon Helper DLL,T1547.005 Security Support Provider,T1547.006 Kernel Modules and Extensions,T1547.007 Re-opened Applications,T1547.008 LSASS Driver,T1547.009 Shortcut Modification,T1547.010 Port Monitors,T1547.011 Plist Modification,T1547.012 Print Processors,T1547.013 XDG Autostart Entries,T1547.014 Active Setup,T1547.015 Login Items,T1548 Abuse Elevation Control Mechanism,T1548.001 Setuid and Setgid,T1548.002 Bypass User Account Control,T1548.003 Sudo and Sudo Caching,T1548.004 Elevated Execution with Prompt,T1574 Hijack Execution Flow,T1574.001 DLL Search Order Hijacking,T1574.002 DLL Side-Loading,T1574.004 Dylib Hijacking,T1574.005 Executable Installer File Permissions Weakness,T1574.006 Dynamic Linker Hijacking,T1574.007 Path Interception by PATH Environment Variable,T1574.008 Path Interception by Search Order Hijacking,T1574.009 Path Interception by Unquoted Path,T1574.010 Services File Permissions Weakness,T1574.011 Services Registry Permissions Weakness,T1574.012 COR_PROFILER,T1611 Escape to Host | |
| 20 | 3 | Impact on target | Data exfiltration | T1005 Data from Local System, T1039 Data from Network Shared Drive, T1560 Archive Collected Data, T1567 Exfiltration over Web Service | T1011 Exfiltration Over Other Network Medium,T1011.001 Exfiltration Over Bluetooth,T1020 Automated Exfiltration,T1020.001 Traffic Duplication,T1029 Scheduled Transfer,T1030 Data Transfer Size Limits,T1041 Exfiltration Over C2 Channel,T1048 Exfiltration Over Alternative Protocol,T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol,T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,T1052 Exfiltration Over Physical Medium,T1052.001 Exfiltration over USB,T1537 Transfer Data to Cloud Account,T1567 Exfiltration Over Web Service,T1567.001 Exfiltration to Code Repository,T1567.002 Exfiltration to Cloud Storage | |||
| 21 | 3 | Impact on target | Destroy backups | T1490 Inhibit System Recovery, T1486 Encrypt Data for Impact | T1485 Data Destruction,T1561 Disk Wipe,T1561.001 Disk Content Wipe,T1561.002 Disk Structure Wipe | |||
| 22 | 3 | Impact on target | Encrypt data | T1490 Inhibit System Recovery, T1486 Encrypt Data for Impact | T1486 Data Encrypted for Impact |