Windows


Each entry below lists the analytic's Created date, Analytic name, Hypothesis and Author.

Created: 2020/06/09
Analytic: Access to Microphone Device
Hypothesis: Adversaries might be accessing the microphone of endpoints in my environment over the network.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2018/08/15
Analytic: Active Directory Replication From Non-Domain-Controller Accounts
Hypothesis: Adversaries might attempt to pull the NTLM hash of a user via the Active Directory replication APIs from a non-domain-controller account that has the permissions to do so.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/01/01
Analytic: Active Directory Replication User Backdoor
Hypothesis: Adversaries with enough permissions (domain admin) might be adding an access control entry to the ACL of the root domain object so that an arbitrary user can abuse Active Directory replication services.
Author: Roberto Rodriguez @Cyb3rWard0g
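
The two replication hypotheses above map to two Security log events on the domain controller: EID 4662 when an account exercises a replication extended right (the DCSync read), and EID 5136 when the nTSecurityDescriptor of the domain root is rewritten to grant such a right. The following is an added example, not code from the Threat Hunter Playbook; the event dicts are constructed samples using Security log field names, the replication-right GUIDs are the real Active Directory extended-right GUIDs, and the set of SDDL trustees treated as legitimate holders of those rights is an assumed baseline to tune per environment.

```python
import re

# Extended rights an account needs to pull secrets via replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# SDDL trustees assumed to legitimately hold these rights on the domain root:
# Builtin/Domain/Enterprise Admins, Enterprise Domain Controllers, DCs, SYSTEM.
EXPECTED_TRUSTEES = {"BA", "DA", "EA", "ED", "DD", "SY"}
# Object ACE string: (OA;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(OA;[^;]*;([^;]*);([0-9a-fA-F-]{36});[^;]*;([^)]*)\)")


def replication_rights_in(text):
    text = text.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def hunt_4662(events):
    """EID 4662: control access (AccessMask 0x100) exercising a replication
    right by an account that is not a computer account (DCs replicate as DC01$)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":
            continue
        rights = replication_rights_in(e.get("Properties", ""))
        user = e.get("SubjectUserName", "")
        if rights and not user.endswith("$"):
            hits.append((e["Computer"], user, rights))
    return hits


def hunt_5136(events):
    """EID 5136: a value added (OperationType %%14674) to nTSecurityDescriptor of
    the domain root (domainDNS) whose ACEs grant a replication right to a
    trustee outside the expected baseline."""
    hits = []
    for e in events:
        if (e.get("EventID") != 5136
                or e.get("ObjectClass") != "domainDNS"
                or e.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
                or e.get("OperationType") != "%%14674"):
            continue
        for rights, guid, trustee in ACE_RE.findall(e.get("AttributeValue", "")):
            name = REPLICATION_RIGHTS.get(guid.lower())
            if name and "CR" in rights and trustee.upper() not in EXPECTED_TRUSTEES:
                hits.append((e["ObjectDN"], trustee, name, e.get("SubjectUserName")))
    return hits


SID = "S-1-5-21-1111-2222-3333-1105"  # constructed user SID
SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4662, "Computer": "DC01.contoso.local", "SubjectUserName": "DC02$",
     "AccessMask": "0x100", "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.contoso.local", "SubjectUserName": "pgustavo",
     "AccessMask": "0x100", "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.contoso.local", "SubjectUserName": "pgustavo",
     "AccessMask": "0x10", "Properties": "%%7688\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 5136, "Computer": "DC01.contoso.local", "SubjectUserName": "wardog",
     "ObjectDN": "DC=contoso,DC=local", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": ("O:DAG:DAD:AI"
                        f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
                        f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
                        "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)")},
]

if __name__ == "__main__":
    for hit in hunt_4662(SAMPLE_EVENTS) + hunt_5136(SAMPLE_EVENTS):
        print(hit)
```

Both events need the DC's SACL auditing in place (Directory Service Access for 4662, Directory Service Changes for 5136); without those policies the events are never written, which is the first thing to verify before trusting a negative result.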

Created: 2019/08/15
Analytic: Alternate PowerShell Hosts
Hypothesis: Adversaries might be leveraging alternate PowerShell hosts to execute PowerShell in my environment, evading traditional PowerShell detections that look only for powershell.exe.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/04/10
Analytic: Basic PowerShell Execution
Hypothesis: Adversaries might be leveraging PowerShell to execute code within my environment.
Author: Roberto Rodriguez @Cyb3rWard0g
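
The two PowerShell hypotheses above (alternate hosts, basic execution) differ in which telemetry answers them: process creation catches powershell.exe, while a host that embeds the engine never creates that process and only shows up as a load of System.Management.Automation(.ni).dll (Sysmon EID 7) or as the HostApplication value in PowerShell engine-lifecycle events (EID 400/403). The following is an added example, not code from the playbook; the event dicts are constructed samples using Sysmon and PowerShell log field names, and the set of binaries accepted as "real" PowerShell hosts is an assumption.

```python
import re

POWERSHELL_BINARIES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}  # assumed baseline
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
HOST_APP_RE = re.compile(r"HostApplication=(.*?\.exe)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def powershell_process_creates(events):
    """Basic execution: Sysmon EID 1 where the created image is a PowerShell
    binary. Returns (host, parent image, user, command line)."""
    return [(e["Computer"], basename(e.get("ParentImage", "")), e.get("User"), e.get("CommandLine"))
            for e in events
            if e.get("EventID") == 1 and basename(e.get("Image", "")) in POWERSHELL_BINARIES]


def alternate_powershell_hosts(events):
    """Alternate hosts: the engine DLL loaded into (EID 7), or named as the
    HostApplication of (EID 400/403), a process that is not a PowerShell binary."""
    hosts = set()
    for e in events:
        eid = e.get("EventID")
        if eid == 7 and basename(e.get("ImageLoaded", "")) in ENGINE_DLLS:
            if basename(e.get("Image", "")) not in POWERSHELL_BINARIES:
                hosts.add((e["Computer"], e["Image"]))
        elif eid in (400, 403):
            m = HOST_APP_RE.search(e.get("Message", ""))
            if m and basename(m.group(1)) not in POWERSHELL_BINARIES:
                hosts.add((e["Computer"], m.group(1)))
    return sorted(hosts)


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 1, "Computer": "WORKSTATION5", "User": r"CONTOSO\wardog",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\run.ps1"},
    {"EventID": 7, "Computer": "WORKSTATION5",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e9f7c5e6\System.Management.Automation.ni.dll"},
    {"EventID": 7, "Computer": "WORKSTATION5",
     "Image": r"C:\Users\wardog\Desktop\PSAttack.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 400, "Computer": "WORKSTATION5",
     "Message": "Engine state is changed from None to Available.\n\tHostName=ConsoleHost\n"
                "\tHostApplication=C:\\Program Files\\Evil Host\\host.exe -NoLogo\n\tEngineVersion=5.1.17763.1"},
    {"EventID": 400, "Computer": "WORKSTATION5",
     "Message": "Engine state is changed from None to Available.\n\tHostName=ConsoleHost\n"
                "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile\n"},
]

if __name__ == "__main__":
    print(powershell_process_creates(SAMPLE_EVENTS))
    print(alternate_powershell_hosts(SAMPLE_EVENTS))
```

HostApplication is matched up to the first `.exe` so that paths containing spaces survive; expect legitimate alternate hosts (wsmprovhost.exe, Exchange, SCCM tooling) to surface and be baselined rather than treated as findings.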

Created: 2018/07/19
Analytic: DLL Injection via CreateRemoteThread and LoadLibrary
Hypothesis: Adversaries might be injecting a DLL into another process to execute code via the CreateRemoteThread and LoadLibrary functions.
Author: Roberto Rodriguez @Cyb3rWard0g
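
The CreateRemoteThread plus LoadLibrary pattern leaves two artifacts that can be tied together: a Sysmon EID 8 whose new thread starts at a LoadLibrary export, followed shortly by a Sysmon EID 7 in the target process for the injected DLL. The following is an added example, not code from the playbook, that correlates the two on the target's ProcessGuid inside a time window; the events, GUIDs and paths are constructed samples.

```python
from datetime import datetime, timedelta

LOADLIBRARY_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def remote_threads_at_loadlibrary(events):
    """EID 8 where the thread start address resolved to a LoadLibrary export:
    CreateRemoteThread(hTarget, LoadLibraryA, pRemoteDllPath)."""
    return [e for e in events
            if e.get("EventID") == 8 and e.get("StartFunction", "").lower() in LOADLIBRARY_EXPORTS]


def injected_dlls(events, window=timedelta(seconds=5)):
    """For each suspicious remote thread, the DLLs the target process loaded
    within `window` afterwards, matched on the target's ProcessGuid."""
    loads = [e for e in events if e.get("EventID") == 7]
    results = []
    for crt in remote_threads_at_loadlibrary(events):
        t0 = ts(crt)
        for ld in loads:
            if ld["ProcessGuid"] == crt["TargetProcessGuid"] and t0 <= ts(ld) <= t0 + window:
                results.append({
                    "host": crt["Computer"],
                    "injector": crt["SourceImage"],
                    "target": crt["TargetImage"],
                    "dll": ld["ImageLoaded"],
                    "signed": ld.get("Signed", "false"),
                    "delay_ms": (ts(ld) - t0) // timedelta(milliseconds=1),
                })
    return results


TARGET = "{A1B2C3D4-0001-5D0B-0000-001000000001}"  # constructed ProcessGuid of notepad.exe
OTHER = "{A1B2C3D4-0002-5D0B-0000-001000000002}"
SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 8, "Computer": "WORKSTATION5", "UtcTime": "2019-06-20 21:08:05.100",
     "SourceImage": r"C:\Users\wardog\Desktop\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessGuid": TARGET,
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "Computer": "WORKSTATION5", "UtcTime": "2019-06-20 21:08:05.110",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessGuid": TARGET,
     "StartModule": "", "StartFunction": ""},
    {"EventID": 7, "Computer": "WORKSTATION5", "UtcTime": "2019-06-20 21:08:05.150",
     "ProcessGuid": OTHER, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 7, "Computer": "WORKSTATION5", "UtcTime": "2019-06-20 21:08:05.180",
     "ProcessGuid": TARGET, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\wardog\AppData\Local\Temp\evil.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "WORKSTATION5", "UtcTime": "2019-06-20 21:08:45.000",
     "ProcessGuid": TARGET, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\uxtheme.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for r in injected_dlls(SAMPLE_EVENTS):
        print(r)
```

Sysmon only fills StartFunction when the start address resolves to an export, which is exactly the case for LoadLibrary-based injection; injectors that run a custom stub (or use a different thread-creation API) will not match this rule and need the bare EID 8 with an unsigned or unusual SourceImage as a fallback.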

Created: 2019/06/20
Analytic: Domain DPAPI Backup Key Extraction
Hypothesis: Adversaries might be extracting the DPAPI domain backup key from my domain controllers in order to decrypt any domain user's master key files.
Author: Roberto Rodriguez @Cyb3rWard0g
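
Reading the domain backup key goes through the LSA policy RPC interface, which audits as Security EID 4662 on the DC with ObjectServer LSA, ObjectType SecretObject and an ObjectName containing BCKUPKEY; AccessMask 0x2 is SECRET_QUERY_VALUE, the right needed to read it. The following is an added example, not code from the playbook, that filters those events and joins the SubjectLogonId to the network logon (EID 4624, LogonType 3) that produced it to recover the caller's source address; events are constructed samples, and excluding machine accounts is an assumption that drops the DC's own reads.

```python
SECRET_QUERY_VALUE = "0x2"  # LSA secret access right requested to read the key


def network_logons(events):
    """TargetLogonId -> (user, source IP) for network logons (EID 4624, type 3)."""
    return {int(e["TargetLogonId"], 16): (e["TargetUserName"], e["IpAddress"])
            for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 3}


def backup_key_reads(events):
    logons = network_logons(events)
    hits = []
    for e in events:
        if (e.get("EventID") != 4662 or e.get("ObjectServer") != "LSA"
                or e.get("ObjectType") != "SecretObject"
                or "bckupkey" not in e.get("ObjectName", "").lower()
                or e.get("AccessMask") != SECRET_QUERY_VALUE
                or e.get("SubjectUserName", "").endswith("$")):
            continue
        user, ip = logons.get(int(e["SubjectLogonId"], 16), (e["SubjectUserName"], "local"))
        hits.append({"host": e["Computer"], "secret": e["ObjectName"], "user": user, "source_ip": ip})
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4624, "Computer": "DC01.contoso.local", "LogonType": 3,
     "TargetLogonId": "0x5F3A1", "TargetUserName": "pgustavo", "IpAddress": "10.0.0.25"},
    {"EventID": 4662, "Computer": "DC01.contoso.local", "SubjectUserName": "pgustavo",
     "SubjectLogonId": "0x5f3a1", "ObjectServer": "LSA", "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_PREFERRED Secret", "AccessMask": "0x2"},
    {"EventID": 4662, "Computer": "DC01.contoso.local", "SubjectUserName": "DC01$",
     "SubjectLogonId": "0x3e7", "ObjectServer": "LSA", "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_PREFERRED Secret", "AccessMask": "0x2"},
    {"EventID": 4662, "Computer": "DC01.contoso.local", "SubjectUserName": "pgustavo",
     "SubjectLogonId": "0x5f3a1", "ObjectServer": "LSA", "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_P Secret", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for h in backup_key_reads(SAMPLE_EVENTS):
        print(h)
```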

Created: 2019/04/07
Analytic: Enable Remote Desktop Connections Registry
Hypothesis: Adversaries might be modifying registry values to enable Remote Desktop connections in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/12/24
Analytic: Extended NetNTLM Downgrade
Hypothesis: Adversaries might be downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and the security settings that restrict outgoing NTLM traffic to remote servers in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2017/01/05
Analytic: LSASS Access from Non System Account
Hypothesis: Adversaries might be using a non-SYSTEM account to access LSASS and extract credentials from its memory.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/05/11
Analytic: PowerShell Remote Session
Hypothesis: Adversaries might be leveraging remote PowerShell sessions to execute code on remote systems throughout my environment.
Author: Roberto Rodriguez @Cyb3rWard0g
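
On the target of a PowerShell remoting session, commands run inside the WinRM plug-in host wsmprovhost.exe, so anything it spawns is recorded by Sysmon EID 1 with that parent, and the child's LogonId belongs to the network logon (Security EID 4624, LogonType 3) that WinRM created. The following is an added example, not code from the playbook, that joins the two to recover the remote operator and source address; events are constructed samples.

```python
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def network_logons(events):
    """TargetLogonId -> full EID 4624 record for network (type 3) logons."""
    return {int(e["TargetLogonId"], 16): e
            for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 3}


def remote_powershell_sessions(events):
    """Processes spawned by wsmprovhost.exe, enriched with the logon that owns them."""
    logons = network_logons(events)
    hits = []
    for e in events:
        if e.get("EventID") != 1 or basename(e.get("ParentImage", "")) != "wsmprovhost.exe":
            continue
        logon = logons.get(int(e["LogonId"], 16), {})
        hits.append({
            "host": e["Computer"],
            "user": e.get("User"),
            "command": e.get("CommandLine"),
            "source_ip": logon.get("IpAddress", "unknown"),
            "logon_process": logon.get("LogonProcessName", "unknown"),
        })
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4624, "Computer": "SERVER01", "LogonType": 3, "TargetLogonId": "0x7a1f3",
     "TargetUserName": "wardog", "IpAddress": "10.0.0.25", "LogonProcessName": "Kerberos"},
    {"EventID": 1, "Computer": "SERVER01", "User": r"CONTOSO\wardog", "LogonId": "0x7A1F3",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": r'"C:\Windows\system32\whoami.exe" /all'},
    {"EventID": 1, "Computer": "SERVER01", "User": r"CONTOSO\wardog", "LogonId": "0x2C1D0",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for h in remote_powershell_sessions(SAMPLE_EVENTS):
        print(h)
```

A session that only runs cmdlets in-process never spawns a child and leaves no EID 1; for that case the wsmprovhost.exe process creation itself, together with PowerShell script block logging (EID 4104) from that host, is the signal.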

Created: 2019/10/30
Analytic: Remote Interactive Task Manager LSASS Dump
Hypothesis: Adversaries might be logging on to computers in my environment over RDP and interactively dumping the memory of LSASS with Task Manager.
Author: Roberto Rodriguez @Cyb3rWard0g
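
Both LSASS hypotheses above (access from a non-SYSTEM account, and the Task Manager dump over RDP) start from Sysmon EID 10 (ProcessAccess) with lsass.exe as the target. The following is an added example, not code from the playbook: the first function keeps accesses whose SourceUser is not a built-in service account (the SourceUser field is assumed present, as in Sysmon 13 and later), and the second ties a Task Manager access to a RemoteInteractive logon (Security EID 4624, LogonType 10) for the same account on the same host within a window. Events are constructed samples; the Security timestamps were normalized into the same UtcTime column as Sysmon for the example.

```python
from datetime import datetime, timedelta

SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_lsass_access(e):
    return e.get("EventID") == 10 and e.get("TargetImage", "").lower().endswith("\\lsass.exe")


def lsass_access_by_non_system(events):
    """(host, source user, source image, GrantedAccess) for non-system handles to LSASS."""
    return [(e["Computer"], e["SourceUser"], e["SourceImage"], e["GrantedAccess"])
            for e in events
            if is_lsass_access(e) and e.get("SourceUser", "").lower() not in SYSTEM_ACCOUNTS]


def taskmgr_lsass_dump_over_rdp(events, window=timedelta(minutes=30)):
    """Task Manager opening LSASS, attributed to the RDP logon that preceded it."""
    rdp = [e for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 10]
    hits = []
    for e in events:
        if not is_lsass_access(e) or basename(e.get("SourceImage", "")) != "taskmgr.exe":
            continue
        user = e["SourceUser"].split("\\")[-1].lower()
        for logon in rdp:
            if (logon["Computer"] == e["Computer"] and logon["TargetUserName"].lower() == user
                    and timedelta(0) <= ts(e) - ts(logon) <= window):
                hits.append((e["Computer"], e["SourceUser"], logon["IpAddress"], e["GrantedAccess"]))
    return hits


LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4624, "Computer": "WORKSTATION5", "UtcTime": "2019-10-30 19:40:00.000",
     "LogonType": 10, "TargetUserName": "wardog", "IpAddress": "10.0.0.25"},
    {"EventID": 10, "Computer": "WORKSTATION5", "UtcTime": "2019-10-30 19:42:10.000",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "SourceUser": r"CONTOSO\wardog",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WORKSTATION5", "UtcTime": "2019-10-30 19:43:00.000",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceUser": r"NT AUTHORITY\SYSTEM",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WORKSTATION5", "UtcTime": "2019-10-30 19:50:00.000",
     "SourceImage": r"C:\Tools\procdump64.exe", "SourceUser": r"CONTOSO\pgustavo",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    print(lsass_access_by_non_system(SAMPLE_EVENTS))
    print(taskmgr_lsass_dump_over_rdp(SAMPLE_EVENTS))
```

Security products and some management agents also open LSASS under SYSTEM, which is why the filter keys on the user rather than on the source image; GrantedAccess is worth keeping in the output because a dump needs PROCESS_VM_READ (0x10) and typically shows as 0x1010, 0x1038, 0x1FFFFF or similar.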

Created: 2019/08/26
Analytic: Remote Service Control Manager Handle
Hypothesis: Adversaries might be attempting to open a handle to the service control manager (SCM) database on remote endpoints to check for local admin access in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/08/15
Analytic: Remote Service Creation
Hypothesis: Adversaries might be creating new services remotely to execute code and move laterally in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/07/25
Analytic: SAM Registry Hive Handle Request
Hypothesis: Adversaries might be requesting a handle to the SAM registry hive to extract credentials in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/08/13
Analytic: Service Creation
Hypothesis: Adversaries might be creating new services to execute code on a compromised endpoint in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g
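
The three service hypotheses above (remote SCM handle, remote service creation, service creation) share one join: Security EID 4656 on the SC_MANAGER object and EID 4697 service installs both carry a SubjectLogonId, and matching it to an EID 4624 network logon (LogonType 3) separates remote actors from local ones and yields the source address. The following is an added example, not code from the playbook; System EID 7045 carries no LogonId and is reported without attribution, the binPath heuristic is an assumption, and all events are constructed samples.

```python
import re

# Heuristic: service binaries that are really command interpreters or UNC paths
# back to the admin share (the PsExec / smbexec style).
SUSPICIOUS_BINPATH = re.compile(
    r"(%COMSPEC%|cmd\.exe|powershell|rundll32|regsvr32|\\\\[^\\]+\\ADMIN\$)", re.IGNORECASE)


def network_logons(events):
    return {int(e["TargetLogonId"], 16): (e["TargetUserName"], e["IpAddress"])
            for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 3}


def remote_scm_handles(events):
    """EID 4656 handle requests to the SCM database (ServicesActive) made under a
    network logon: the probe an operator runs to test for local admin rights."""
    logons = network_logons(events)
    hits = []
    for e in events:
        if (e.get("EventID") == 4656 and e.get("ObjectType") == "SC_MANAGER OBJECT"
                and e.get("ObjectName") == "ServicesActive"):
            key = int(e["SubjectLogonId"], 16)
            if key in logons:
                user, ip = logons[key]
                hits.append((e["Computer"], user, ip, e.get("AccessMask")))
    return hits


def service_installs(events):
    """EID 4697 (Security) and 7045 (System) installs, with remote attribution where possible."""
    logons = network_logons(events)
    hits = []
    for e in events:
        if e.get("EventID") == 4697:
            key = int(e["SubjectLogonId"], 16)
            remote = key in logons
            actor, ip = logons.get(key, (e["SubjectUserName"], None))
            name, path = e["ServiceName"], e["ServiceFileName"]
        elif e.get("EventID") == 7045:
            remote, actor, ip = None, None, None   # 7045 names the run-as account only
            name, path = e["ServiceName"], e["ImagePath"]
        else:
            continue
        hits.append({"host": e["Computer"], "service": name, "binpath": path, "actor": actor,
                     "source_ip": ip, "remote": remote,
                     "suspicious_binpath": bool(SUSPICIOUS_BINPATH.search(path))})
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4624, "Computer": "SERVER01", "LogonType": 3, "TargetLogonId": "0x3E8F1",
     "TargetUserName": "pgustavo", "IpAddress": "10.0.0.25"},
    {"EventID": 4656, "Computer": "SERVER01", "SubjectLogonId": "0x3e8f1", "ObjectServer": "SC Manager",
     "ObjectType": "SC_MANAGER OBJECT", "ObjectName": "ServicesActive", "AccessMask": "0xF003F"},
    {"EventID": 4697, "Computer": "SERVER01", "SubjectLogonId": "0x3e8f1", "SubjectUserName": "pgustavo",
     "ServiceName": "BTOBTO",
     "ServiceFileName": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\ADMIN$\__1596 2^>^&1 > %TEMP%\x.bat & %COMSPEC% /Q /c %TEMP%\x.bat"},
    {"EventID": 7045, "Computer": "SERVER01", "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "AccountName": "LocalSystem"},
    {"EventID": 4697, "Computer": "SERVER01", "SubjectLogonId": "0x1A2B3", "SubjectUserName": "admin",
     "ServiceName": "MyBackupSvc", "ServiceFileName": r"C:\Program Files\Backup\svc.exe"},
]

if __name__ == "__main__":
    print(remote_scm_handles(SAMPLE_EVENTS))
    for h in service_installs(SAMPLE_EVENTS):
        print(h)
```

EID 4656 for the SC_MANAGER object only appears when "Audit Other Object Access Events" is enabled, and EID 4697 needs "Audit Security System Extension"; 7045 is always logged, which is why it is worth keeping despite the missing attribution.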

Created: 2019/06/25
Analytic: SysKey Registry Keys Access
Hypothesis: Adversaries might be reading the registry key values needed to compute the SysKey (boot key) in order to decrypt SAM entries.
Author: Roberto Rodriguez @Cyb3rWard0g
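
The SAM hive handle and SysKey hypotheses above are two halves of the same offline credential theft: the boot key is assembled from the class names of the JD, Skew1, GBG and Data keys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and it decrypts what is read from the SAM hive. Both leave Security EID 4656 (handle requested) and EID 4663 (object accessed) records once a SACL is placed on those keys. The following is an added example, not code from the playbook, that groups key accesses per host, process and user, and flags any actor that touched all four SysKey pieces or opened the SAM hive root; events are constructed samples.

```python
import re
from collections import defaultdict

SYSKEY_PARTS = {"jd", "skew1", "gbg", "data"}
SYSKEY_RE = re.compile(r"\\Control\\Lsa\\(JD|Skew1|GBG|Data)$", re.IGNORECASE)
SAM_HIVE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\SAM(\\|$)", re.IGNORECASE)


def registry_object_access(events):
    """(host, process, user) -> SysKey pieces touched and whether the SAM hive was opened."""
    touched = defaultdict(lambda: {"syskey_parts": set(), "sam_hive": False})
    for e in events:
        if e.get("EventID") not in (4656, 4663) or e.get("ObjectType") != "Key":
            continue
        actor = (e["Computer"], e["ProcessName"], e["SubjectUserName"])
        name = e.get("ObjectName", "")
        m = SYSKEY_RE.search(name)
        if m:
            touched[actor]["syskey_parts"].add(m.group(1).lower())
        elif e.get("EventID") == 4656 and SAM_HIVE_RE.match(name):
            touched[actor]["sam_hive"] = True
    return dict(touched)


def flagged_actors(events):
    """Non-machine accounts that collected every SysKey piece and/or opened the SAM hive."""
    out = []
    for (host, proc, user), t in registry_object_access(events).items():
        full_syskey = t["syskey_parts"] == SYSKEY_PARTS
        if (full_syskey or t["sam_hive"]) and not user.endswith("$"):
            out.append({"host": host, "process": proc, "user": user,
                        "syskey": full_syskey, "sam_hive": t["sam_hive"]})
    return out


def _key_event(eid, process, user, name):
    return {"EventID": eid, "Computer": "WORKSTATION5", "ObjectType": "Key",
            "ProcessName": process, "SubjectUserName": user, "ObjectName": name}


LSA = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa"
MIMIKATZ = r"C:\Users\wardog\Desktop\mimikatz.exe"
SAMPLE_EVENTS = [  # constructed sample events
    _key_event(4663, MIMIKATZ, "wardog", LSA + r"\JD"),
    _key_event(4663, MIMIKATZ, "wardog", LSA + r"\Skew1"),
    _key_event(4663, MIMIKATZ, "wardog", LSA + r"\GBG"),
    _key_event(4663, MIMIKATZ, "wardog", LSA + r"\Data"),
    _key_event(4656, MIMIKATZ, "wardog", r"\REGISTRY\MACHINE\SAM"),
    _key_event(4663, r"C:\Windows\System32\lsass.exe", "WORKSTATION5$", LSA + r"\JD"),
    _key_event(4663, r"C:\Windows\System32\reg.exe", "wardog", LSA + r"\JD"),
]

if __name__ == "__main__":
    for a in flagged_actors(SAMPLE_EVENTS):
        print(a)
```

Neither event fires unless "Audit Registry" object access auditing is on and the keys carry a SACL; `reg save HKLM\SAM` and `reg save HKLM\SYSTEM` from an elevated shell are the cheapest way to confirm the pipeline end to end before relying on it.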

Created: 2019/05/10
Analytic: WDigest Downgrade
Hypothesis: Adversaries might have set the UseLogonCredential value of HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 so that WDigest keeps clear-text passwords in LSASS memory, where they can then be extracted.
Author: Roberto Rodriguez @Cyb3rWard0g
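
Several hypotheses on this page are registry value changes watched through Sysmon EID 13 (RegistryValueSet): Remote Desktop enablement (fDenyTSConnections set to 0), the three Extended NetNTLM Downgrade settings (the network logon protocol is LmCompatibilityLevel, the minimum NTLMSSP security is MSV1_0\NtlmMinClientSec, the outgoing NTLM restriction is MSV1_0\RestrictSendingNTLMTraffic), and WDigest UseLogonCredential set to 1; microphone use (Access to Microphone Device) is likewise a registry artifact, a LastUsedTimeStart value written under CapabilityAccessManager\ConsentStore\microphone whose NonPackaged subkey encodes the executable path with '#' in place of '\'. The following is an added example, not code from the playbook, that evaluates a small rule table against such events; it assumes Sysmon's "DWORD (0x...)" rendering of the Details field and uses constructed sample events.

```python
import re

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000   # NtlmMinClientSec bit: require NTLMv2 session security

# (rule name, TargetObject suffix pattern, predicate that marks the value as a downgrade)
VALUE_RULES = [
    ("Remote Desktop enabled", r"\\Terminal Server\\fDenyTSConnections$", lambda v: v == 0),
    ("LM authentication level downgraded", r"\\Control\\Lsa\\LmCompatibilityLevel$", lambda v: v < 3),
    ("NTLMv2 session security no longer required", r"\\Lsa\\MSV1_0\\NtlmMinClientSec$",
     lambda v: v & NTLMSSP_NEGOTIATE_NTLM2 == 0),
    ("Outgoing NTLM restriction disabled", r"\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic$", lambda v: v == 0),
    ("WDigest clear-text caching enabled", r"\\WDigest\\UseLogonCredential$", lambda v: v == 1),
]
MIC_RE = re.compile(
    r"\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged\\([^\\]+)\\LastUsedTimeStart$",
    re.IGNORECASE)


def dword(details):
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def registry_downgrades(events):
    """(host, rule, writing image, value) for every EID 13 that matches a rule."""
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        v = dword(e.get("Details"))
        if v is None:
            continue
        for name, pattern, is_bad in VALUE_RULES:
            if re.search(pattern, e["TargetObject"], re.IGNORECASE) and is_bad(v):
                hits.append((e["Computer"], name, e["Image"], hex(v)))
    return hits


def microphone_use(events):
    """(host, executable path) for apps that started using the microphone."""
    hits = []
    for e in events:
        if e.get("EventID") not in (12, 13):
            continue
        m = MIC_RE.search(e.get("TargetObject", ""))
        if m:
            hits.append((e["Computer"], m.group(1).replace("#", "\\")))
    return hits


def _value_set(target, details, image=r"C:\Windows\regedit.exe"):
    return {"EventID": 13, "Computer": "WORKSTATION5", "Image": image,
            "TargetObject": target, "Details": details}


CCS = r"HKLM\System\CurrentControlSet\Control"
SAMPLE_EVENTS = [  # constructed sample events
    _value_set(CCS + r"\Terminal Server\fDenyTSConnections", "DWORD (0x00000000)"),
    _value_set(CCS + r"\Lsa\LmCompatibilityLevel", "DWORD (0x00000002)"),
    _value_set(CCS + r"\Lsa\MSV1_0\NtlmMinClientSec", "DWORD (0x20000000)"),
    _value_set(CCS + r"\Lsa\MSV1_0\RestrictSendingNTLMTraffic", "DWORD (0x00000000)"),
    _value_set(CCS + r"\SecurityProviders\WDigest\UseLogonCredential", "DWORD (0x00000001)"),
    _value_set(CCS + r"\Lsa\LmCompatibilityLevel", "DWORD (0x00000005)", r"C:\Windows\System32\gpupdate.exe"),
    _value_set(r"HKU\S-1-5-21-1111-2222-3333-1105\Software\Microsoft\Windows\CurrentVersion"
               r"\CapabilityAccessManager\ConsentStore\microphone\NonPackaged"
               r"\C:#Users#wardog#Desktop#rec.exe\LastUsedTimeStart",
               "QWORD (0x01d56b2e-0x5f3a9c10)", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for h in registry_downgrades(SAMPLE_EVENTS) + microphone_use(SAMPLE_EVENTS):
        print(h)
```

Sysmon only records these writes when its configuration includes the paths; the Terminal Server, Lsa, SecurityProviders and ConsentStore keys all need explicit RegistryEvent include rules, which is worth checking before reading an empty result as a clean environment.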

Created: 2019/08/10
Analytic: WMI Eventing
Hypothesis: Adversaries might be leveraging WMI eventing for persistence in my environment.
Author: Roberto Rodriguez @Cyb3rWard0g
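
A permanent WMI event subscription is three objects, a filter, a consumer and the binding between them, and Sysmon records each as its own event (EID 19 WmiEventFilter, EID 20 WmiEventConsumer, EID 21 WmiEventConsumerToFilter). The following is an added example, not code from the playbook, that rebuilds the subscriptions from the binding events and flags consumer types that execute code; the binding's Consumer and Filter strings are assumed to carry the `Class.Name="..."` form Sysmon writes, and the events are constructed samples (the SCM Event Log pair is the default subscription present on Windows).

```python
import re

CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
NAME_RE = re.compile(r'Name="([^"]+)"')


def wmi_name(ref):
    m = NAME_RE.search(ref)
    return m.group(1) if m else ref


def wmi_subscriptions(events):
    """One record per created binding, joined to its filter query and consumer payload."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19 and e.get("Operation") == "Created"}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20 and e.get("Operation") == "Created"}
    subs = []
    for b in events:
        if b.get("EventID") != 21 or b.get("Operation") != "Created":
            continue
        f_name, c_name = wmi_name(b["Filter"]), wmi_name(b["Consumer"])
        c_type = b["Consumer"].split(".Name=")[0]
        flt, con = filters.get(f_name, {}), consumers.get(c_name, {})
        subs.append({
            "host": b["Computer"],
            "user": b.get("User"),
            "filter": f_name,
            "query": flt.get("Query"),
            "consumer": c_name,
            "consumer_type": c_type,
            "destination": con.get("Destination"),
            "executes_code": c_type in CODE_EXEC_CONSUMERS,
        })
    return subs


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 19, "Computer": "WORKSTATION5", "Operation": "Created", "User": r"CONTOSO\wardog",
     "Name": "Updater", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
              "AND TargetInstance.SystemUpTime < 325"},
    {"EventID": 20, "Computer": "WORKSTATION5", "Operation": "Created", "User": r"CONTOSO\wardog",
     "Name": "Updater", "Type": "Command Line",
     "Destination": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1"},
    {"EventID": 21, "Computer": "WORKSTATION5", "Operation": "Created", "User": r"CONTOSO\wardog",
     "Consumer": 'CommandLineEventConsum­er.Name="Updater"'.replace("\u00ad", ""),
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventID": 19, "Computer": "WORKSTATION5", "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Computer": "WORKSTATION5", "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Other", "Destination": ""},
    {"EventID": 21, "Computer": "WORKSTATION5", "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

if __name__ == "__main__":
    for s in wmi_subscriptions(SAMPLE_EVENTS):
        print(s)
```

Filter and consumer may be created minutes apart from the binding, or on a different host when the subscription is registered remotely, so in practice the dictionaries are built from a wider time range than the bindings being inspected.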

Created: 2019/08/11
Analytic: WMI Module Load
Hypothesis: Adversaries might be leveraging WMI modules to execute WMI tasks, bypassing controls that only monitor wmiprvse.exe or WmiApSrv.exe activity.
Author: Roberto Rodriguez @Cyb3rWard0g

Created: 2019/08/10
Analytic: WMI Win32_Process Class and Create Method for Remote Execution
Hypothesis: Adversaries might be leveraging the Create method of the WMI Win32_Process class to execute code remotely across my environment.
Author: Roberto Rodriguez @Cyb3rWard0g
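
The two WMI hypotheses above (module load, Win32_Process Create) are served by different Sysmon events. Loading the WMI client and provider DLLs (Sysmon EID 7) exposes WMI use by processes that never appear as wmiprvse.exe or WmiApSrv.exe; on the receiving end of Win32_Process.Create the new process is a child of wmiprvse.exe (Sysmon EID 1), and its LogonId points at the network logon (Security EID 4624, LogonType 3) of the remote caller. The following is an added example, not code from the playbook; the list of WMI DLLs and the set of processes accepted as normal WMI hosts are assumptions to baseline, and the events are constructed samples.

```python
WMI_DLLS = {"wmiutils.dll", "wbemcomn.dll", "wbemprox.dll", "wbemsvc.dll", "fastprox.dll"}
EXPECTED_WMI_HOSTS = {"wmiprvse.exe", "wmiapsrv.exe", "svchost.exe"}  # assumed baseline


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def wmi_module_loads(events):
    """(host, image, dll) for WMI DLLs loaded by processes outside the expected hosts."""
    hits = set()
    for e in events:
        if e.get("EventID") == 7 and basename(e.get("ImageLoaded", "")) in WMI_DLLS:
            if basename(e.get("Image", "")) not in EXPECTED_WMI_HOSTS:
                hits.add((e["Computer"], e["Image"], basename(e["ImageLoaded"])))
    return sorted(hits)


def network_logons(events):
    return {int(e["TargetLogonId"], 16): (e["TargetUserName"], e["IpAddress"])
            for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 3}


def remote_wmi_executions(events):
    """Children of wmiprvse.exe attributed to the network logon that owns them."""
    logons = network_logons(events)
    hits = []
    for e in events:
        if e.get("EventID") == 1 and basename(e.get("ParentImage", "")) == "wmiprvse.exe":
            user, ip = logons.get(int(e["LogonId"], 16), (e.get("User"), "local"))
            hits.append({"host": e["Computer"], "command": e["CommandLine"],
                         "user": user, "source_ip": ip})
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 7, "Computer": "WORKSTATION5", "Image": r"C:\Users\wardog\Desktop\wmi_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemprox.dll"},
    {"EventID": 7, "Computer": "WORKSTATION5", "Image": r"C:\Users\wardog\Desktop\wmi_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\fastprox.dll"},
    {"EventID": 7, "Computer": "WORKSTATION5", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\fastprox.dll"},
    {"EventID": 4624, "Computer": "SERVER01", "LogonType": 3, "TargetLogonId": "0x8C41F",
     "TargetUserName": "pgustavo", "IpAddress": "10.0.0.25"},
    {"EventID": 1, "Computer": "SERVER01", "User": r"CONTOSO\pgustavo", "LogonId": "0x8c41f",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
]

if __name__ == "__main__":
    print(wmi_module_loads(SAMPLE_EVENTS))
    print(remote_wmi_executions(SAMPLE_EVENTS))
```

Many legitimate applications load the WMI client DLLs (monitoring agents, installers, PowerShell with Get-WmiObject), so the module-load hunt is a frequency analysis over image paths rather than an alert; the wmiprvse.exe child process joined to a type 3 logon is far more specific.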