windows


91 Datasets

Created

Dataset

Description

Tags

Author

2021/06/11

APT Simulator Cobalt Strike

This dataset was created after running the Cobalt Strike module from the APT Simulator tool (https://github.com/NextronSystems/APTSimulator).

None

2021/04/27

Export ADFS Database Configuration Remotely

This dataset represents a threat actor exporting the AD FS configuration database remotely over HTTP.

None

2021/03/14

Exchange ProxyLogon SSRF RCE Vuln POC

This dataset represents the execution of a public proof of concept (POC) abusing the Exchange Server vulnerability CVE-2021-26855, a server-side request forgery (SSRF) flaw used in the ProxyLogon chain.

None

2020/12/19

Remote Scheduled Task Creation

This dataset represents a threat actor creating a scheduled task remotely using schtasks.

None

2020/12/19

Remote Scheduled Task Modification

This dataset represents a threat actor modifying a scheduled task remotely.

None

2020/11/02

PowerShell HTTP Listener

This dataset represents a threat actor using PowerShell to start an HTTP listener on a compromised endpoint.

None

2020/11/02

Seatbelt Group User Discovery

This dataset represents a threat actor using Seatbelt to profile an endpoint, specifically with the -group=user argument.

None

2020/10/29

Python HTTP Server

This dataset represents threat actors adding an inbound firewall rule and starting a Python HTTP server.

None

2020/10/29

SharpView PCRE.NET

This dataset represents a threat actor leveraging SharpView functions such as Get-ObjectAcl, which create files and load DLLs related to PCRE.NET.

None

2020/10/28

Windows Vault Web Credentials

This dataset represents threat actors accessing the Windows Vault and reading the saved web credentials.

None

2020/10/26

Process Herpaderping Mimikatz

This dataset represents the use of process herpaderping to obscure the intentions of a process by modifying its content on disk after the image has been mapped.

None

2020/10/23

Register-CimProvider Execute Dll

This dataset represents threat actors leveraging Register-CimProvider.exe to execute a malicious DLL.

None

2020/10/23

Bitsadmin Download Malicious File

This dataset represents threat actors leveraging bitsadmin.exe to download a file.

art.3c73d728-75fb-4180-a12f-6712864d7421

2020/10/23

PurpleSharp PE Injection CreateRemoteThread

This dataset represents threat actors injecting a portable executable (PE) into a process via APIs such as VirtualAllocEx and WriteProcessMemory and running it in the virtual address space of that process via the CreateRemoteThread API.

None

2020/10/22

HH Execution of Local Compiled HTML Payload

This dataset represents threat actors executing local compiled HTML Help payloads via hh.exe.

art.5cb87818-0d7c-4469-b7ef-9224107aebe8

2020/10/22

Control Panel Execution

This dataset represents threat actors leveraging control.exe to execute a .cpl file that proxies the execution of another payload (e.g. calc.exe).

art.037e9d8a-9e46-4255-8b33-2ae3b545ca6f

2020/10/22

CMSTP Proxy Execution

This dataset represents threat actors leveraging CMSTP to execute an INF file that proxies the execution of other malicious commands (e.g. cmd.exe) embedded in its RunPreSetupCommandsSection.

art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0

2020/10/22

Mshta Javascript GetObject Sct

This dataset represents threat actors leveraging mshta.exe to proxy execute malicious .sct files via JavaScript (JScript).

art.1483fab9-4f52-4217-a9ce-daa9d7747cae

2020/10/22

Mshta VBScript Execute PowerShell

This dataset represents threat actors leveraging mshta.exe to proxy execute malicious PowerShell commands via VBScript.

art.906865c3-e05f-4acc-85c4-fbc185455095

2020/10/22

Mshta HTML Application (HTA) Execution

This dataset represents threat actors leveraging mshta.exe to proxy execute malicious commands via an .hta file.

art.c4b97eeb-5249-4455-a607-59f95485cb45

2020/10/22

PurpleSharp Active Directory Playbook I

This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).

None

2020/10/21

Netsh Open FW Proxy Ports

This dataset represents adversaries modifying the local firewall with netsh to open a port for a proxy.

art.15e57006-79dd-46df-9bf9-31bc24fb5a80

2020/10/21

Service Modification Fax

This dataset represents adversaries modifying a local service (Fax) to execute PowerShell.

art.ed366cde-7d12-49df-a833-671904770b9f

2020/10/21

Internet Explorer Version Discovery

This dataset represents threat actors querying HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer to get the version of Internet Explorer installed on the system.

art.68981660-6670-47ee-a5fa-7e74806420a4

2020/10/20

UI Prompt For Credentials Function

This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credential information from a user.

art.2b162bfd-0928-4d4c-9ec3-4d9f88374b52

2020/10/19

SAM Copy via Esentutl VSS

This dataset represents adversaries copying the SAM hive using the esentutl.exe utility and the Volume Shadow Copy Service.

art.a90c2f4d-6726-444e-99d2-a00cd7c20480

2020/10/19

Psexec Reg LSA Secrets Dump

This dataset represents adversaries using PsExec to run reg.exe as SYSTEM and dump LSA secrets from HKLM\SECURITY\Policy\Secrets.

art.55295ab0-a703-433b-9ca4-ae13807de12f

2020/10/19

Logon Scripts via UserInitMprLogonScript

This dataset represents adversaries leveraging logon initialization scripts to achieve persistence via the UserInitMprLogonScript user environment variable.

art.d6042746-07d4-4c92-9ad8-e644c114a231

2020/10/19

Mavinject Process DLL Injection

This dataset represents adversaries leveraging

art.74496461-11a1-4982-b439-4d87a550d254

2020/10/18

Lsass Memory Dump via Comsvcs.dll

This dataset represents adversaries leveraging the MiniDump export of comsvcs.dll via rundll32 to dump the memory of lsass.exe.

art.2536dee2-12fb-459a-8c37-971844fa73be

2020/10/18

Lsass Memory Dump via Syscalls

This dataset represents adversaries using system calls (syscalls) and API unhooking to dump the memory contents of lsass.exe.

art.7ae7102c-a099-45c8-b985-4c7a2d05790d

2020/10/17

WMIC Remote XSL Jscript Execution

This dataset represents adversaries proxy executing code and bypassing application controls by leveraging wmic.exe with the /FORMAT switch to download and execute a remote XSL file containing JScript.

None

2020/10/12

Covenant Wuauclt CreateRemoteThread Execution

This dataset represents adversaries proxy executing code via the Windows Update client utility (wuauclt.exe). To bypass rules that look for the binary reaching out directly to the Internet, this dataset shows the binary creating and running a thread in the virtual address space of another process via the CreateRemoteThread API.

CreateRemoteThread

2020/10/09

Covenant Remote WMI Wbemcomn DLL Hijacking

This dataset represents adversaries abusing a DLL hijack (wbemcomn.dll) in the execution of the WMI provider host (wmiprvse.exe) for lateral movement.

SMB CreateRequest

2020/10/09

Covenant Remote DCOM Iertutil DLL Hijacking

This dataset represents adversaries abusing a DLL hijack (iertutil.dll) in the execution of the DCOM InternetExplorer.Application class for lateral movement.

SMB CreateRequest

2020/09/22

Empire Powerdump Extract Hashes

This dataset represents adversaries calculating the SysKey to decrypt Security Account Manager (SAM) database entries (from the registry or a hive file) and obtain the NTLM, and sometimes LM, hashes of local account passwords.

Calculating SysKey, SAM Read

2020/09/21

Empire Invoke WMI

This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

WMI IWbemServices ExecMethod

2020/09/21

Empire Elevated Scheduled Tasks

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

Local Scheduled Tasks

2020/09/18

DCOM ExecuteExcel4macro

This dataset represents adversaries leveraging the COM method ExecuteExcel4Macro over DCOM to execute Excel 4.0 macros remotely.

DCOM

2020/09/18

DCOM RegisterXLL

This dataset represents adversaries leveraging the COM method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally on a UNC path such as \\SERVER\FILES.

DCOM

2020/09/16

Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2

This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer account passwords. This vulnerability was discovered by @SecuraBV.

CVE-2020-1472, Password Update, Netlogon Insecure AES-CFB8
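The flaw behind the Netlogon dataset above is a mode-of-operation mistake: ComputeNetlogonCredential runs AES-CFB8 with a fixed all-zero IV, so a client-chosen all-zero challenge produces an all-zero credential for roughly 1 in 256 session keys, and an attacker simply retries until the server accepts a zero ClientCredential. The following added example (written for this page; it is not code from the dataset or from SecuraBV's research) reproduces that CFB8 argument. The mode logic, the zero IV and the 8-byte challenge are the real ones; AES is replaced by a stand-in keyed hash so the block runs offline with only the Python standard library, which is an assumption that only matters in that the first keystream byte is uniform for a random key.

```python
import hashlib

BLOCK_SIZE = 16  # AES block size; Netlogon uses AES-128 in CFB8 mode with a 16-byte IV


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 so the example runs offline with only the stdlib.

    It is a keyed hash truncated to one block: NOT AES and not even a permutation.
    The argument below only needs a block function whose first output byte is
    uniformly distributed over 0..255 for a random key, which this provides.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block_cipher=toy_block_cipher) -> bytes:
    """Textbook CFB8 (this part is the real mode, not a toy).

    Each plaintext byte is XORed with the first byte of E(K, shift_register) and the
    resulting ciphertext byte is shifted into the register from the right.
    """
    if len(iv) != BLOCK_SIZE:
        raise ValueError("IV must be exactly one block")
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_cipher(key, bytes(register))[0]
        c = keystream_byte ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential for the AES flavour: CFB8 over the 8-byte challenge
    with the IV hard-coded to all zeros. The fixed IV is the whole problem."""
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), challenge)


def zerologon_attempt_succeeds(session_key: bytes) -> bool:
    """One NetrServerAuthenticate2/3 attempt with ClientChallenge = 8 zero bytes and a
    claimed ClientCredential of 8 zero bytes.

    With IV = 0 and plaintext = 0, a zero keystream byte yields a zero ciphertext byte,
    which keeps the shift register all zeros, so the next keystream byte is the same
    E(K, 0^16)[0] again. The credential is therefore all zeros exactly when that single
    byte is zero: probability 1/256 per session key.
    """
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    return toy_block_cipher(session_key, bytes(BLOCK_SIZE))[0] == 0


def count_successes(trials: int) -> int:
    """Simulate `trials` independent session keys (every authentication attempt negotiates
    a fresh one, since the server challenge is random) and count accepted zero credentials."""
    return sum(
        zerologon_attempt_succeeds(i.to_bytes(BLOCK_SIZE, "big")) for i in range(trials)
    )


if __name__ == "__main__":
    n = 20000
    hits = count_successes(n)
    print(f"{hits}/{n} session keys accept the all-zero credential (expected about {n / 256:.0f})")
```

The same reasoning explains why the patched protocol rejects a ClientChallenge whose first five bytes are identical (it blocks the all-zero input) and why the retry loop in public exploits caps at a few thousand attempts: the expected number of tries is 256.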

2020/09/14

Empire Remote WMIC Add User

This dataset represents an adversary remotely executing code via WMI to add a backdoor user on the target system. This dataset focuses on the use of the WMI Win32_Process class and its Create method to execute code remotely.

WMI IWbemServices ExecMethod, User Backdoor

2020/09/04

Invoke BypassUAC FodHelper

This dataset represents adversaries elevating privileges (bypassing UAC) by performing the registry modification abused by the FodHelper UAC bypass.

BypassUAC, Registry Modification, Windows Registry FodHelper

2020/08/06

Covenant SharpSC Query

This dataset represents a threat actor leveraging the RPC method EnumServiceStatusW over SMB svcctl to query the status of a service on a remote endpoint…

RPC EnumServiceStatusW, SMB Svcctl

2020/08/06

Covenant Remote File Copy

This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).

SMB CreateRequest

2020/08/06

Covenant SharpSC Create

This dataset represents adversaries remotely creating a service via RPC methods such as CreateService over SMB named pipes such as svcctl.

RPC CreateService, SMB Svcctl

2020/08/06

Covenant SharpSC Start

This dataset represents adversaries remotely starting a service via RPC methods such as StartService over SMB named pipes such as svcctl.

RPC StartService, SMB Svcctl

2020/08/06

Covenant SharpSC Stop Service

This dataset represents a threat actor using the RPC ControlService method over SMB to stop a service.

RPC ControlService, Stop Service, SMB Svcctl

2020/08/06

Covenant PowerShell Remoting Command

This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).

PowerShell Remoting

2020/08/06

Covenant GetDomainGroup Domain Admins

This dataset represents a threat actor enumerating domain groups via LDAP (SearchRequest operation) in an environment.

Domain Groups Enumeration, LDAP SearchRequest

2020/08/05

Covenant DCSync

This dataset represents adversaries abusing Active Directory replication services to retrieve secret domain data (e.g. NTLM hashes) for domain accounts.

AD Replication Services, RPC DRSUAPI DsGetNCChanges

2020/08/05

Covenant SC.exe Utility Query

This dataset represents an adversary leveraging the sc.exe utility to query (RPC QueryServiceStatus method) the status of a service on a remote endpoint.

RPC QueryServiceStatus, SMB Svcctl

2020/07/24

Covenant Remote WMI Eventing ActiveScriptEventConsumers

This dataset represents adversaries using WMI event subscriptions (ActiveScriptEventConsumers) remotely to move laterally.

Remote WMI Eventing

2020/07/22

Empire Invoke DLLInjection

This dataset represents a threat actor injecting a DLL (on disk) into an arbitrary process via LoadLibrary, executed through the CreateRemoteThread API.

DLL Injection, LoadLibrary, CreateRemoteThread Execution

2020/07/22

Empire Elevated Registry Run Keys

This dataset represents adversaries modifying local Run registry keys (e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism.

Local Registry Modification, Registry Run Keys

2020/07/21

Empire Regsvr32 Execution

This dataset represents threat actors leveraging regsvr32 to proxy the execution of an Empire payload (.sct file) that creates a reverse connection to the C2.

Regsvr32 Execution

2020/06/09

MSF Record Mic

This dataset represents adversaries accessing the microphone of an endpoint.

Microphone Access

2019/12/25

Empire Invoke InternalMonologue

This dataset represents adversaries downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and the security settings that restrict outgoing NTLM traffic to remote servers in an environment.

Registry Modification, Windows Registry NetNTLM settings, Downgrade

2019/10/27

RDP TaskManager LSASS Dump

This dataset represents adversaries working interactively over RDP and using Task Manager to dump the memory of lsass.exe.

RDP Interactive

2019/10/27

Covenant ShellCmd InstallUtil

This dataset represents adversaries proxy executing code through InstallUtil, a trusted Windows utility.

InstallUtil, LOLBin

2019/06/25

Empire Mimikatz SAM Extract Hashes

This dataset represents adversaries calculating the SysKey to decrypt Security Account Manager (SAM) database entries (from the registry or a hive file) and obtain the NTLM, and sometimes LM, hashes of local account passwords.

Calculating SysKey, SAM Read, SAM Handle Request

2019/06/25

Empire Reg Dump SAM Hive

This dataset represents adversaries with administrator privileges using the Windows reg.exe utility to dump the SAM registry hive.

SAM Request Handle

2019/05/19

Empire Remote Get Session

This dataset represents adversaries leveraging the RPC SRVSVC interface and its NetSessEnum method over SMB to query remote hosts for active sessions.

RPC NetSessEnum, SMB Srvsvc

2019/05/18

Empire VBS Execution

This dataset represents adversaries executing a VBS script as a launcher for initial access.

VBS Script Execution

2019/05/18

Empire Elevated WMI Eventing

This dataset represents adversaries leveraging WMI subscriptions locally for persistence.

Local WMI Eventing, WMI Event Subscriptions

2019/05/18

Empire PSInject

This dataset represents adversaries reflectively loading/injecting a portable executable (PE) that is not on disk into a process via WriteProcessMemory and executing it via the CreateRemoteThread API.

PE Injection, WriteProcessMemory, CreateRemoteThread Execution

2019/05/18

Empire Shell Net Domain Admins

This dataset represents adversaries enumerating members of domain groups (i.e. Domain Admins) via RPC SAMR interface over SMB. Some of the main RPC methods captured over the network are SamrLookupNamesInDomain (Opnum 17) and SamrQueryInformationGroup (Opnum 20) where there are indicators about the specific group name enumerated.

Domain Groups Enumeration, RPC SAMR SamrQueryInformationGroup

2019/05/18

Empire WDigest Downgrade

This dataset represents adversaries setting the UseLogonCredential value under the HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key to 1 so that WDigest caches plaintext passwords in LSASS memory.

Registry Modification, Windows Registry WDigest

2019/05/18

Empire Mimikatz LogonPasswords

This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.

LSASS Memory Credentials Read

2019/05/18

Empire Enable RDP

This dataset represents adversaries enabling RDP and adding a firewall exception on a compromised system.

Registry Modification, Windows Registry RDP Settings

2019/05/18

Empire Invoke SMBExec

This dataset represents adversaries remotely creating and starting a service via RPC methods over SMB named pipes such as svcctl.

RPC CreateService, RPC StartService, SMB Svcctl

2019/05/18

Empire Invoke PsExec

This dataset represents adversaries remotely creating and starting a service via RPC methods over TCP.

RPC CreateService, RPC StartService, TCP Svcctl

2019/05/18

Empire Invoke DCOM ShellWindows

This dataset represents adversaries executing commands remotely via DCOM ShellWindows COM Method.

DCOM ShellWindows

2019/05/18

Empire Invoke PSRemoting

This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).

PowerShell Remoting

2019/05/18

Empire Invoke Execute MSBuild

This dataset represents an adversary remotely creating a file (.xml) via SMB and executing it remotely via WMI and msbuild.exe. This dataset focuses on the use of the WMI Win32_Process class and its Create method to execute code remotely.

WMI IWbemServices ExecMethod, SMB CreateRequest

2019/05/18

Empire Find Local Admin Access

This dataset represents adversaries using the OpenSCManagerW Win32 API call to open a handle to the remote host's service control manager and verify whether the current user context has local administrator access to the target.

RPC OpenSCManager, SMB Svcctl

2019/05/18

Empire Mimikatz Extract Kerberos Keys

This dataset represents adversaries extracting Kerberos tickets from memory.

Kerberos Tickets

2019/05/18

Empire Mimikatz Backup Keys

This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.

DPAPI, DPAPI Domain Backup key, RPC LSARPC

2019/05/18

Covenant SharpWMI Exec

This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

WMI IWbemServices ExecMethod

2019/05/18

Empire Mimikatz Lsadump LSA Patch

This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.

LSASS Memory Credentials Read

2019/04/03

IKEEXT Remote Service DLL Hijack

This dataset represents adversaries copying a file remotely to replace a file which is executed by a service that is vulnerable to DLL hijack. This dataset includes

Remote Service DLL Hijacking, RPC over SMB Svcctl

2019/03/19

Empire Net Local Administrators Group

This dataset represents adversaries enumerating members of the local Administrators group via the net.exe utility.

Local Administrators Group Enumeration

2019/03/19

Empire Net Local Users

This dataset represents adversaries enumerating all local users on an endpoint.

Local Users Enumeration

2019/03/19

Empire Net Domain Users

This dataset represents adversaries enumerating all users that belong to a domain via RPC SAMR EnumDomainUsers.

Domain Users Enumeration, RPC SAMR EnumDomainUsers

2019/03/19

Empire Userland Registry Run Keys

This dataset represents adversaries modifying local Run registry keys (e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism.

Local Registry Modification, Registry Run Keys
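Several of the datasets above come down to a single registry value being set (WDigest UseLogonCredential set to 1, RDP fDenyTSConnections set to 0, a Run key written) and one to a single rundll32 command line (comsvcs.dll MiniDump); in the Sysmon telemetry these datasets carry, those appear as EventID 13 (RegistryEvent Value Set) and EventID 1 (Process Create) records. The following added example (not code from this page or from the project that publishes the datasets) runs minimal detection logic over hand-constructed records of that shape. It assumes Sysmon's flat field names (EventID, TargetObject, Details, Image, CommandLine) and its "DWORD (0x00000001)" rendering of DWORD values; the sample events are constructed for this example and are not rows from any dataset. The Run-key rule deliberately requires a script host or encoded command in the written value, because a bare Run-key match fires on every installer, and the comsvcs rule also matches the ordinal form (#24) of MiniDump, which avoids the export name entirely.

```python
import re

# Hand-constructed Sysmon-style records (EventID 13 = RegistryEvent Value Set,
# EventID 1 = Process Create). Written for this example; not rows from any dataset.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell -NoP -W Hidden -enc SQBFAFgA..."},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\system32\comsvcs.dll #24 652 \\?\C:\Temp\lsass.dmp full"},
    # Benign noise: an installer registering its tray app, and RDP being disabled again.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Script hosts, LOLBins and encoded PowerShell that a legitimate Run value rarely points at.
SCRIPT_HOST_RE = re.compile(
    r"(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|cmd\.exe|-enc\b|-encodedcommand)", re.I)
# MiniDump can be called by name or by export ordinal (#24); ".dll" and the comma are optional.
COMSVCS_MINIDUMP_RE = re.compile(r"comsvcs(\.dll)?[\s,]+(#24|minidump)\b", re.I)


def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD or missing data."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details or "")
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return (rule_name, event_index) pairs for every record a rule matches."""
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            value = dword(ev.get("Details"))
            if target.lower().endswith(r"\securityproviders\wdigest\uselogoncredential") and value == 1:
                hits.append(("wdigest_plaintext_caching_enabled", idx))
            elif target.lower().endswith(r"\terminal server\fdenytsconnections") and value == 0:
                hits.append(("rdp_enabled", idx))
            elif RUN_KEY_RE.search(target) and SCRIPT_HOST_RE.search(ev.get("Details", "")):
                hits.append(("run_key_script_host", idx))
        elif ev.get("EventID") == 1:
            if COMSVCS_MINIDUMP_RE.search(ev.get("CommandLine", "")):
                hits.append(("comsvcs_minidump", idx))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{rule:36} event {idx}: {ev.get('TargetObject') or ev.get('CommandLine')}")
```

Matching on TargetObject rather than on the writing Image is deliberate: reg.exe, PowerShell and direct API calls all land in the same EventID 13 record, and the value written is the durable indicator. The two benign records show the trade-off the Run-key rule makes, and the second comsvcs record shows why matching only the literal string "MiniDump" misses a trivially obfuscated variant.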

2019/03/19

Empire Userland Scheduled Tasks

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

Local Scheduled Tasks

2019/03/19

Empire Over-Pass-The-Hash

This dataset represents adversaries turning a hash or key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain user into a fully fledged Kerberos TGT. Here the adversary writes the hash/key into an existing logon session (e.g. a sacrificial logon session) in the memory of LSASS and kicks off the regular Kerberos authentication process.

Over-Pass-The-Hash, Patching LSASS

2019/03/19

Rubeus Userland ASKTGT PTT

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

Over-Pass-The-Hash, Not Touching LSASS

2019/03/19

Rubeus Elevated ASKTGT CreateNetOnly

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

Over-Pass-The-Hash, Not Touching LSASS

2019/03/01

Empire Powerview Add-DomainObjectAcl

This dataset represents adversaries with sufficient permissions (e.g. Domain Admins) adding an access control entry (ACE) to the discretionary access control list (DACL) of an Active Directory object (e.g. the domain root). One example is modifying the domain root DACL so that a specific domain user, despite being in no privileged groups and having no local admin rights on the domain controller itself, can use Active Directory replication services and obtain secret domain data (e.g. other users' NTLM hashes).

AD Object Modification, AD Object nTSecurityDescriptor, LDAP ModifyRequest

2019/03/01

Empire DCSync

This dataset represents adversaries abusing Active Directory replication services to retrieve secret domain data (e.g. NTLM hashes) for domain accounts.

AD Replication Services, RPC DRSUAPI DsGetNCChanges

attack_mappings:
  - technique: T1018
    sub-technique:
    tactics:
      - TA0007