Cobalt Strike (s0154)
Scheduled Task/Job
Valid Accounts
Privilege Escalation Defense Evasion
Bypass User Account Control Abuse Elevation Control Mechanism Bypass User Account Control
Elevated Execution with Prompt Elevated Execution with Prompt
Setuid and Setgid Setuid and Setgid
Sudo and Sudo Caching Sudo and Sudo Caching
Temporary Elevated Cloud Access Temporary Elevated Cloud Access
Create Process with Token Access Token Manipulation Create Process with Token
Make and Impersonate Token Make and Impersonate Token
Parent PID Spoofing Parent PID Spoofing
SID-History Injection SID-History Injection
Token Impersonation/Theft Token Impersonation/Theft
BITS Jobs
Build Image on Host
Debugger Evasion
Launch Agent Deobfuscate/Decode Files or Information
Launch Daemon Deploy Container
Systemd Service Direct Volume Access
Windows Service Domain Policy Modification
Execution Guardrails
Exploitation for Defense Evasion
File and Directory Permissions Modification
Hide Artifacts Email Hiding Rules
Hidden File System
Asynchronous Procedure Call Hidden Files and Directories
Dynamic-link Library Injection Hidden Users
Extra Window Memory Injection Hidden Window
ListPlanting Ignore Process Interrupts
Portable Executable Injection NTFS File Attributes
Proc Memory Process Argument Spoofing
Process Doppelgänging Resource Forking
Process Hollowing Run Virtual Instance
Ptrace System Calls VBA Stomping
Thread Execution Hijacking Hijack Execution Flow
Thread Local Storage Impair Defenses Disable or Modify Cloud Firewall
VDSO Hijacking Disable or Modify Cloud Logs
Disable or Modify Linux Audit System
Cloud Accounts Disable or Modify System Firewall
Default Accounts Disable or Modify Tools
Domain Accounts Disable Windows Event Logging
Local Accounts Downgrade Attack
Impair Command History Logging
Indicator Blocking
Safe Mode Boot
Spoof Security Alerting
Impersonation
Indicator Removal Clear Command History
Clear Linux or Mac System Logs
Clear Mailbox Data
Clear Network Connection History and Configurations
Clear Persistence
Clear Windows Event Logs
File Deletion
Network Share Connection Removal
Timestomp
Indirect Command Execution
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify Registry
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information Binary Padding
Command Obfuscation
Compile After Delivery
Dynamic API Resolution
Embedded Payloads
Fileless Storage
HTML Smuggling
Indicator Removal from Tools
LNK Icon Smuggling
Software Packing
Steganography
Stripped Payloads
Plist File Modification
Pre-OS Boot
Process Injection Asynchronous Procedure Call
Dynamic-link Library Injection
Extra Window Memory Injection
ListPlanting
Portable Executable Injection
Proc Memory
Process Doppelgänging
Process Hollowing
Ptrace System Calls
Thread Execution Hijacking
Thread Local Storage
VDSO Hijacking
Reflective Code Loading
Rogue Domain Controller
Rootkit
Subvert Trust Controls Code Signing
Code Signing Policy Modification
Gatekeeper Bypass
Install Root Certificate
Mark-of-the-Web Bypass
SIP and Trust Provider Hijacking
System Binary Proxy Execution CMSTP
Compiled HTML File
Control Panel
InstallUtil
Mavinject
MMC
Mshta
Msiexec
Odbcconf
Regsvcs/Regasm
Regsvr32
Rundll32
Verclsid
System Script Proxy Execution
Template Injection
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Unused/Unsupported Cloud Regions
Use Alternate Authentication Material Application Access Token
Pass the Hash
Pass the Ticket
Web Session Cookie
Valid Accounts Cloud Accounts
Default Accounts
Domain Accounts
Local Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
XSL Script Processing
Credential Access Discovery
Adversary-in-the-Middle Account Discovery
Brute Force
Credentials from Password Stores
Exploitation for Credential Access
Forced Authentication Application Window Discovery
Forge Web Credentials Browser Information Discovery
Input Capture Credential API Hooking Cloud Infrastructure Discovery
GUI Input Capture Cloud Service Dashboard
Keylogging Cloud Service Discovery
Web Portal Capture Cloud Storage Object Discovery
Modify Authentication Process Container and Resource Discovery
Multi-Factor Authentication Interception Debugger Evasion
Multi-Factor Authentication Request Generation Device Driver Discovery
Network Sniffing Domain Trust Discovery
OS Credential Dumping /etc/passwd and /etc/shadow File and Directory Discovery
Cached Domain Credentials Group Policy Discovery
DCSync Log Enumeration
LSA Secrets Network Service Discovery
LSASS Memory Network Share Discovery
NTDS Network Sniffing
Proc Filesystem Password Policy Discovery
Security Account Manager Peripheral Device Discovery
Steal Application Access Token Permission Groups Discovery
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets
Steal Web Session Cookie Process Discovery
Unsecured Credentials Query Registry
Remote System Discovery
Software Discovery
System Information Discovery
System Location Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Discovery Lateral Movement
Cloud Account Exploitation of Remote Services
Domain Account Internal Spearphishing
Email Account Lateral Tool Transfer
Local Account Remote Service Session Hijacking
Remote Services Cloud Services
Direct Cloud VM Connections
Distributed Component Object Model
Remote Desktop Protocol
SMB/Windows Admin Shares
SSH
VNC
Windows Remote Management
Replication Through Removable Media
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material Application Access Token
Pass the Hash
Pass the Ticket
Web Session Cookie
Cloud Groups
Domain Groups
Local Groups
Collection Command and Control
Adversary-in-the-Middle Application Layer Protocol
Archive Collected Data
Audio Capture
Automated Collection
Browser Session Hijacking Communication Through Removable Media
Clipboard Data Content Injection
Data from Cloud Storage Data Encoding
Data from Configuration Repository
Data from Information Repositories Data Obfuscation
Data from Local System
Data from Network Shared Drive
Data from Removable Media Dynamic Resolution
Data Staged Encrypted Channel
Email Collection
Input Capture Credential API Hooking Fallback Channels
GUI Input Capture Ingress Tool Transfer
Keylogging Multi-Stage Channels
Web Portal Capture Non-Application Layer Protocol
Screen Capture Non-Standard Port
Video Capture Protocol Tunneling
Proxy
Domain Fronting
External Proxy
Internal Proxy
Multi-hop Proxy