Scribd Logo
Upload

Welcome to Scribd!

  • Cobalt Strike (s0154)

    Uploaded by

    gbengaogunbiyi247
    3 views12 pages
    This document outlines techniques used during different phases of a cyber attack lifecycle, including initial access, execution, persistence, privilege escalation, and defense evasion. It provides examples of how attackers may gain and maintain access to systems while avoiding detection. The goal is to surreptitiously collect information and develop capabilities.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    XLSX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines techniques used during different phases of a cyber attack lifecycle, including initial access, execution, persistence, privilege escalation, and defense evasion. It provides examples of how attackers may gain and maintain access to systems while avoiding detection. The goal is to surreptitiously collect information and develop capabilities.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as xlsx, pdf, or txt
    3 views12 pages

    Cobalt Strike (s0154)

    Uploaded by

    gbengaogunbiyi247
    This document outlines techniques used during different phases of a cyber attack lifecycle, including initial access, execution, persistence, privilege escalation, and defense evasion. It provides examples of how attackers may gain and maintain access to systems while avoiding detection. The goal is to surreptitiously collect information and develop capabilities.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as xlsx, pdf, or txt
    of 12

    Reconnaissance Resource Development Initial Access

    Active Scanning Acquire Access Content Injection


    Gather Victim Host Information Acquire Infrastructure Drive-by Compromise
    Gather Victim Identity Information Compromise Accounts Exploit Public-Facing Application
    Gather Victim Network Information Compromise Infrastructure External Remote Services
    Gather Victim Org Information Develop Capabilities Hardware Additions
    Phishing for Information Establish Accounts Phishing
    Search Closed Sources Obtain Capabilities Replication Through Removable Media
    Search Open Technical Databases Stage Capabilities Supply Chain Compromise
    Search Open Websites/Domains Trusted Relationship
    Search Victim-Owned Websites Valid Accounts
    Initial Access Execution
    Cloud Administration Command
    Command and Scripting Interpreter AppleScript
    Cloud API
    JavaScript
    Network Device CLI
    PowerShell
    ovable Media Python
    Unix Shell
    Visual Basic
    Cloud Accounts Windows Command Shell
    Default Accounts Container Administration Command
    Domain Accounts Deploy Container
    Local Accounts Exploitation for Client Execution
    Inter-Process Communication
    Native API
    Scheduled Task/Job
    Serverless Execution
    Shared Modules
    Software Deployment Tools
    System Services Launchctl
    Service Execution
    User Execution
    Windows Management Instrumentation
    Persistence Privilege Escalation
    Account Manipulation Abuse Elevation Control Mechanism
    BITS Jobs
    Boot or Logon Autostart Execution
    Boot or Logon Initialization Scripts
    Browser Extensions
    Compromise Client Software Binary Access Token Manipulation
    Create Account
    Create or Modify System Process Launch Agent
    Launch Daemon
    Systemd Service
    Windows Service Account Manipulation
    Event Triggered Execution Boot or Logon Autostart Execution
    External Remote Services Boot or Logon Initialization Scripts
    Hijack Execution Flow Create or Modify System Process
    Implant Internal Image
    Modify Authentication Process
    Office Application Startup Add-ins
    Office Template Macros Domain Policy Modification
    Office Test Escape to Host
    Outlook Forms Event Triggered Execution
    Outlook Home Page Exploitation for Privilege Escalation
    Outlook Rules Hijack Execution Flow
    Power Settings Process Injection
    Pre-OS Boot
    Scheduled Task/Job
    Server Software Component
    Traffic Signaling
    Valid Accounts Cloud Accounts
    Default Accounts
    Domain Accounts
    Local Accounts

    Scheduled Task/Job
    Valid Accounts
    Privilege Escalation Defense Evasion
    Bypass User Account Control Abuse Elevation Control Mechanism Bypass User Account Control
    Elevated Execution with Prompt Elevated Execution with Prompt
    Setuid and Setgid Setuid and Setgid
    Sudo and Sudo Caching Sudo and Sudo Caching
    Temporary Elevated Cloud Access Temporary Elevated Cloud Access
    Create Process with Token Access Token Manipulation Create Process with Token
    Make and Impersonate Token Make and Impersonate Token
    Parent PID Spoofing Parent PID Spoofing
    SID-History Injection SID-History Injection
    Token Impersonation/Theft Token Impersonation/Theft
    BITS Jobs
    Build Image on Host
    Debugger Evasion
    Launch Agent Deobfuscate/Decode Files or Information
    Launch Daemon Deploy Container
    Systemd Service Direct Volume Access
    Windows Service Domain Policy Modification
    Execution Guardrails
    Exploitation for Defense Evasion
    File and Directory Permissions Modification
    e Escalation Hide Artifacts Email Hiding Rules
    Hidden File System
    Asynchronous Procedure Call Hidden Files and Directories
    Dynamic-link Library Injection Hidden Users
    Extra Window Memory Injection Hidden Window
    ListPlanting Ignore Process Interrupts
    Portable Executable Injection NTFS File Attributes
    Proc Memory Process Argument Spoofing
    Process Doppelgänging Resource Forking
    Process Hollowing Run Virtual Instance
    Ptrace System Calls VBA Stomping
    Thread Execution Hijacking Hijack Execution Flow
    Thread Local Storage Impair Defenses Disable or Modify Cloud Firewall
    VDSO Hijacking Disable or Modify Cloud Logs
    Disable or Modify Linux Audit System
    Cloud Accounts Disable or Modify System Firewall
    Default Accounts Disable or Modify Tools
    Domain Accounts Disable Windows Event Logging
    Local Accounts Downgrade Attack
    Impair Command History Logging
    Indicator Blocking
    Safe Mode Boot
    Spoof Security Alerting
    Impersonation
    Indicator Removal Clear Command History
    Clear Linux or Mac System Logs
    Clear Mailbox Data
    Clear Network Connection History and Configuratio
    Clear Persistence
    Clear Windows Event Logs
    File Deletion
    Network Share Connection Removal
    Timestomp
    Indirect Command Execution
    Masquerading
    Modify Authentication Process
    Modify Cloud Compute Infrastructure
    Modify Registry
    Modify System Image
    Network Boundary Bridging
    Obfuscated Files or Information Binary Padding
    Command Obfuscation
    Compile After Delivery
    Dynamic API Resolution
    Embedded Payloads
    Fileless Storage
    HTML Smuggling
    Indicator Removal from Tools
    LNK Icon Smuggling
    Software Packing
    Steganography
    Stripped Payloads
    Plist File Modification
    Pre-OS Boot
    Process Injection Asynchronous Procedure Call
    Dynamic-link Library Injection
    Extra Window Memory Injection
    ListPlanting
    Portable Executable Injection
    Proc Memory
    Process Doppelgänging
    Process Hollowing
    Ptrace System Calls
    Thread Execution Hijacking
    Thread Local Storage
    VDSO Hijacking
    Reflective Code Loading
    Rogue Domain Controller
    Rootkit
    Subvert Trust Controls Code Signing
    Code Signing Policy Modification
    Gatekeeper Bypass
    Install Root Certificate
    Mark-of-the-Web Bypass
    SIP and Trust Provider Hijacking
    System Binary Proxy Execution CMSTP
    Compiled HTML File
    Control Panel
    InstallUtil
    Mavinject
    MMC
    Mshta
    Msiexec
    Odbcconf
    Regsvcs/Regasm
    Regsvr32
    Rundll32
    Verclsid
    System Script Proxy Execution
    Template Injection
    Traffic Signaling
    Trusted Developer Utilities Proxy Execution
    Unused/Unsupported Cloud Regions
    Use Alternate Authentication MateriaApplication Access Token
    Pass the Hash
    Pass the Ticket
    Web Session Cookie
    Valid Accounts Cloud Accounts
    Default Accounts
    Domain Accounts
    Local Accounts
    Virtualization/Sandbox Evasion
    Weaken Encryption
    XSL Script Processing
    Credential Access Discovery
    Adversary-in-the-Middle Account Discovery
    Brute Force
    Credentials from Password Stores
    Exploitation for Credential Access
    Forced Authentication Application Window Discovery
    Forge Web Credentials Browser Information Discovery
    Input Capture Credential API Hooking Cloud Infrastructure Discovery
    GUI Input Capture Cloud Service Dashboard
    Keylogging Cloud Service Discovery
    Web Portal Capture Cloud Storage Object Discovery
    Modify Authentication Process Container and Resource Discovery
    Multi-Factor Authentication Interception Debugger Evasion
    Multi-Factor Authentication Request Generation Device Driver Discovery
    Network Sniffing Domain Trust Discovery
    OS Credential Dumping /etc/passwd and /etc/shadow File and Directory Discovery
    Cached Domain Credentials Group Policy Discovery
    DCSync Log Enumeration
    LSA Secrets Network Service Discovery
    LSASS Memory Network Share Discovery
    NTDS Network Sniffing
    Proc Filesystem Password Policy Discovery
    Security Account Manager Peripheral Device Discovery
    Steal Application Access Token Permission Groups Discovery
    Steal or Forge Authentication Certificates
    Steal or Forge Kerberos Tickets
    Steal Web Session Cookie Process Discovery
    Unsecured Credentials Query Registry
    Remote System Discovery
    Software Discovery
    System Information Discovery
    System Location Discovery
    System Network Configuration Discovery
    System Network Connections Discovery
    System Owner/User Discovery
    udit System System Service Discovery
    System Time Discovery
    Virtualization/Sandbox Evasion
    n History and Configurations
    Discovery Lateral Movement
    Cloud Account Exploitation of Remote Services
    Domain Account Internal Spearphishing
    Email Account Lateral Tool Transfer
    Local Account Remote Service Session Hijacking
    Remote Services Cloud Services
    Direct Cloud VM Connections
    Distributed Component Object Mode
    Remote Desktop Protocol
    SMB/Windows Admin Shares
    SSH
    VNC
    Windows Remote Management
    Replication Through Removable Media
    Software Deployment Tools
    Taint Shared Content
    Use Alternate Authentication MateriaApplication Access Token
    Pass the Hash
    Pass the Ticket
    Web Session Cookie

    Cloud Groups
    Domain Groups
    Local Groups

    uration Discovery
    tions Discovery
    Collection Command and Control
    Adversary-in-the-Middle Application Layer Protocol
    Archive Collected Data
    Audio Capture
    Automated Collection
    Browser Session Hijacking Communication Through Removable Media
    Clipboard Data Content Injection
    Data from Cloud Storage Data Encoding
    Data from Configuration Repository
    Data from Information Repositories Data Obfuscation
    Data from Local System
    Data from Network Shared Drive
    Data from Removable Media Dynamic Resolution
    Data Staged Encrypted Channel
    Email Collection
    Input Capture Credential API Hooking Fallback Channels
    GUI Input Capture Ingress Tool Transfer
    Keylogging Multi-Stage Channels
    Web Portal Capture Non-Application Layer Protocol
    Screen Capture Non-Standard Port
    Video Capture Protocol Tunneling
    Proxy

    Remote Access Software


    Traffic Signaling
    Web Service
    Command and Control Exfiltration Impact
    DNS Automated Exfiltration Account Access Removal
    File Transfer Protocols Data Transfer Size Limits Data Destruction
    Mail Protocols Exfiltration Over Alternative Protocol Data Encrypted for Impact
    Web Protocols Exfiltration Over C2 Channel Data Manipulation
    Removable Media Exfiltration Over Other Network MedDefacement
    Exfiltration Over Physical Medium Disk Wipe
    Non-Standard Encoding Exfiltration Over Web Service Endpoint Denial of Service
    Standard Encoding Scheduled Transfer Financial Theft
    Junk Data Transfer Data to Cloud Account Firmware Corruption
    Protocol Impersonation Inhibit System Recovery
    Steganography Network Denial of Service
    Resource Hijacking
    Asymmetric Cryptography Service Stop
    Symmetric Cryptography System Shutdown/Reboot

    Domain Fronting
    External Proxy
    Internal Proxy
    Multi-hop Proxy

    You might also like