| Technique | # | Phase | Description |
|---|---|---|---|
| Public scanning services | 38 | Recon and weaponization | Platforms like Shodan hunt for internet-facing devices and can be used to perform scanning and enumeration. |
| Service enumeration | 37 | Internal recon | Network enumeration is the process of gathering information about a network, such as its hosts, network services and connected devices, along with usernames, group information and related data. |
| Port scanning | 38 | Internal recon | A port scanner is a software program that scans a server for open ports. It lets auditors and network administrators examine network security, while attackers use it to identify open ports for exploitation or for running malicious services on a host or server. |
| Malicious stager | 40 | Initial compromise | A stager is a small payload that instructs the compromised computer to pull down the next stage of malicious code. |
| VPN tunneling | 34 | Impersonation | An adversary can reduce their footprint by using credentials to connect directly to the network over VPN as a legitimate user, instead of relying on the RAT. |
| Trusted third party | 39 | Impersonation | Attackers may compromise a subsidiary organization before moving into the parent organization. |
| Reverse RDP tunnel | 35 | Impersonation | In reverse RDP tunneling the attacker initiates an outbound connection from the compromised host to an external server; the attacker can then use that server to perform actions on the host. |
| Certificate impersonation | 41 | Impersonation | To avoid detection, attackers may generate a self-signed SSL/TLS certificate that impersonates a legitimate entity. |
| Peer-to-peer | 36 | Command and control | The peer-to-peer (P2P) protocol provides a decentralized command and control technique: a decentralized network lets botnet clients relay commands to other bots and removes the need for a master server. |
| Vulnerability scanning | 30 | Recon and weaponization | A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment, and predicts the effectiveness of countermeasures. |
| Anonymous services | 29 | Evasion | Anonymous services like Tor can be used to mask the attacker's identity and location. |
| IRC | 33 | Command and control | Using Internet Relay Chat (IRC) as a C2 channel. |
| ICMP | 32 | Command and control | Using ICMP requests and replies as a C2 channel. |
| Network sniffing | 21 | Internal recon | Network sniffing involves capturing, decoding, inspecting and interpreting the information inside network packets on a TCP/IP network. The purpose is to steal information, usually user IDs, passwords, network details, credit card numbers and similar data. |
| SQL Injection | 20 | Initial compromise | SQL (Structured Query Language) is the language used to communicate with databases, and many of the servers that store critical data for websites and services use it to manage their data. A SQL injection attack targets this kind of server, using malicious code to make the server divulge information it normally would not. This is especially problematic when the server stores private customer information such as credit card numbers, usernames and passwords (credentials) or other personally identifiable information, which are tempting and lucrative targets for an attacker. |
| UDP Flood | 12 | DoS | A UDP flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device's ability to process and respond. |
| TCP Flood | 11 | DoS | A TCP SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| HTTP Flood | 10 | DoS | An HTTP flood is a type of volumetric distributed denial-of-service (DDoS) attack designed to overwhelm a targeted server with HTTP requests. Once the target is saturated with requests and unable to respond to normal traffic, denial of service occurs for additional requests from real users. |
| Watering hole | 08 | Delivery | A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment. |
| Poisoned torrents | 08 | Delivery | Threat actors deploy torrent files that are pre-infected with malware onto torrent sites. This technique has not been widely seen before, especially with respect to BitTorrent-based attacks. |
| Phishing | 7 | Delivery | Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually by email. The goal is to steal sensitive data such as credit card and login information, or to install malware on the victim's machine. |
| DNS | 6 | Command and control | Using DNS queries and responses as a C2 channel. |
| Exfiltration | 2 | Actions on objective | Data exfiltration is the unauthorized copying, transfer or retrieval of data from a computer or server. |
| Defacement | 1 | Actions on objective | Website defacement is an attack on a website that changes the visual appearance of the site or a web page. |
| WMI | 26 | Lateral movement | Windows Management Instrumentation (WMI) is a tool, implemented as a service, for locally and remotely managing data, operations and configuration settings on Windows operating systems. |
| WinRM | 25 | Lateral movement | Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). |
| SSH hijacking | 24 | Lateral movement | To move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. |
| SMB | 24 | Lateral movement | Using the victim's credentials, the attacker authenticates to the victim machine on port 445 and tries to gain access to the administrative shares (C$, IPC$ or ADMIN$). Access to ADMIN$ allows remote execution of arbitrary code. |
| Remote Desktop | 23 | Lateral movement | Attackers use valid credentials to move laterally in the environment by means of Remote Desktop. |
| Exploit | 22 | Lateral movement | An attacker can scan for vulnerable hosts that can be attacked with an exploit. For example, an exploit for MS08-067 can be used to create a reverse shell on a remote Windows machine. |
| Exploit | 19 | Initial compromise | An exploit is a piece of software, a chunk of data or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior in computer software, hardware or another (usually computerized) electronic device. |
| Domain spoofing | 28 | Impersonation | Domain spoofing is a form of phishing in which an attacker appears to use a company's domain to impersonate the company or one of its employees. |
| ARP spoofing | 27 | Impersonation | ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This links the attacker's MAC address with the IP address of a legitimate computer or server on the network. |
| Public services | 18 | Evasion | The malware may communicate with public services such as Google or Dropbox. These services can be used for staging malware or for C2 communication. |
| Encryption | 17 | Evasion | Threat actors may use encryption to prevent security controls from reading or interpreting data in transit. |
| Encoding | 16 | Evasion | Encoding is the process of putting a sequence of characters (letters, numbers, punctuation and certain symbols) into a specialized format for efficient transmission or storage. |
| Custom protocol | 15 | Evasion | Threat actors may create custom protocols to prevent security controls from reading or interpreting data in transit. |
| Custom obfuscation | 14 | Evasion | Threat actors may create custom obfuscation mechanisms (encryption, encoding and hashing) to thwart defenders. |
| Compression | 13 | Evasion | Compression is the act of reducing the number of bits needed to represent data. |
| Webshell | 31 | Command and control | A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. |
| Remote Admin Tools | 5 | Command and control | Remote administration tools like TeamViewer can be used to control a machine remotely. Tools like TeamViewer are legitimate, signed applications and may be trusted by security controls. |
| Listening Service | 4 | Command and control | |
| HTTP | 3 | Command and control | The command and control server uses a full web backend that lets the attacker directly control victims via a web browser. These HTTP channels may be plain text or encrypted with SSL. |