Windows

| Created | Analytic | Hypothesis | Author |
|---|---|---|---|
| 2020/10/12 | Wuauclt CreateRemoteThread Execution | Adversaries might be proxy executing code via the Windows Update client utility in my environment and creating and running a thread in the virtual address space of another process via the CreateRemoteThread API to bypass rules looking for it calling out to the Internet. | @Cyb3rWard0g |
| 2020/10/12 | SMB Create Remote File | Adversaries might be creating a file remotely via the Server Message Block (SMB) protocol. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2020/10/09 | Remote WMI Wbemcomn DLL Hijack | Threat actors might be copying files remotely to abuse a DLL hijack opportunity found on the WMI provider host (wmiprvse.exe). | @Cyb3rWard0g, @Cyb3rPandaH |
| 2020/10/09 | Remote DCOM IErtUtil DLL Hijack | Threat actors might be copying files remotely to abuse a DLL hijack opportunity found on the DCOM InternetExplorer.Application class. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2020/09/02 | Remote WMI ActiveScriptEventConsumers | Adversaries might be leveraging WMI ActiveScriptEventConsumers remotely to move laterally in my network. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2020/06/09 | Access to Microphone Device | Adversaries might be accessing the microphone of endpoints over the network. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/12/24 | Extended NetNTLM Downgrade | Adversaries might be downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and the security settings that restrict outgoing NTLM traffic to remote servers in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/10/30 | Remote Interactive Task Manager LSASS Dump | Adversaries might be RDPing to computers in my environment and interactively dumping the memory contents of LSASS with Task Manager. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/26 | Remote Service Control Manager Handle | Adversaries might be attempting to open a handle to the Service Control Manager (SCM) database on remote endpoints to check for local admin access in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/15 | Remote Service Creation | Adversaries might be creating new services remotely to execute code and move laterally in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/15 | Alternate PowerShell Hosts | Adversaries might be leveraging alternate PowerShell hosts to execute PowerShell, evading traditional PowerShell detections that look for powershell.exe in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/13 | Service Creation | Adversaries might be creating new services to execute code on a compromised endpoint in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/11 | WMI Module Load | Adversaries might be leveraging WMI modules to execute WMI tasks, bypassing controls that monitor for wmiprvse.exe or wmiapsrv.exe activity. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/10 | WMI Eventing | Adversaries might be leveraging WMI eventing for persistence in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/08/10 | WMI Win32_Process Class and Create Method for Remote Execution | Adversaries might be leveraging the WMI Win32_Process class and its Create method to execute code remotely across my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/07/25 | SAM Registry Hive Handle Request | Adversaries might be getting a handle to the SAM database to extract credentials in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/06/25 | SysKey Registry Keys Access | Adversaries might be calculating the SysKey from registry key values to decrypt SAM entries. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/06/20 | Domain DPAPI Backup Key Extraction | Adversaries might be extracting the DPAPI domain backup key from my DC to be able to decrypt any domain user master key files. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/05/11 | PowerShell Remote Session | Adversaries might be leveraging remote PowerShell sessions to execute code on remote systems throughout my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/05/10 | WDigest Downgrade | Adversaries might have set the property value UseLogonCredential of HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 in order to be able to extract clear-text passwords from the memory contents of LSASS. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/04/10 | Basic PowerShell Execution | Adversaries might be leveraging PowerShell to execute code within my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/04/07 | Enable Remote Desktop Connections Registry | Adversaries might be modifying registry key values to enable Remote Desktop connections in my environment. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2019/01/01 | Active Directory Replication User Backdoor | Adversaries with enough permissions (domain admin) might be adding an ACL to the root domain for any user to abuse Active Directory replication services. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2018/08/15 | Active Directory Replication From Non-Domain-Controller Accounts | Adversaries might attempt to pull the NTLM hash of a user via Active Directory replication APIs from a non-domain-controller account with permissions to do so. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2018/07/19 | DLL Injection via CreateRemoteThread and LoadLibrary | Adversaries might be injecting a DLL into another process to execute code via the CreateRemoteThread and LoadLibrary functions. | @Cyb3rWard0g, @Cyb3rPandaH |
| 2017/01/05 | LSASS Access from Non System Account | Adversaries might be using a non-system account to access LSASS and extract credentials from memory. | @Cyb3rWard0g |