MITRE ATT&CK Mapping

[Figure: MITRE ATT&CK Enterprise matrix with techniques colour-coded according to the legend below. The tactic columns are Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration and Command And Control. The per-technique colour coding, which is what distinguishes campaign-observed techniques from the rest of the matrix, is not recoverable from the extracted text.]

LEGEND
Techniques observed in this campaign and noted as previously used by APT10
New techniques observed in this campaign not previously noted as used
Techniques not observed during this campaign previously used by APT10