MITRE ATT&CK Mapping

The matrix below lists every ATT&CK technique printed in the report's mapping, grouped by tactic column and in the alphabetical order the ATT&CK Enterprise (Windows) matrix uses. Its eleven columns are Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration and Command and Control.

Initial Access:
Drive-by Compromise, Exploit Public-Facing Application, Hardware Additions, Replication Through Removable Media, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts

Execution:
CMSTP, Command-Line Interface, Compiled HTML File, Control Panel Items, Execution through API, Execution through Module Load, Exploitation for Client Execution, Graphical User Interface, InstallUtil, LSASS Driver, Mshta, PowerShell, Regsvcs/Regasm, Rundll32, Scheduled Task, Scripting, Service Execution, Signed Binary Proxy Execution, Signed Script Proxy Execution, Third-party Software, Trusted Developer Utilities, User Execution, Windows Management Instrumentation, Windows Remote Management, XSL Script Processing

Persistence:
Accessibility Features, Account Manipulation, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Component Firmware, Component Object Model Hijacking, Create Account, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hooking, Hypervisor, Image File Execution Options Injection, Logon Scripts, LSASS Driver, Modify Existing Service, Netsh Helper DLL, New Service, Office Application Startup, Path Interception, Port Monitors, Redundant Access, Registry Run Keys / Startup Folder, Scheduled Task, Screensaver, Security Support Provider, Service Registry Permissions Weakness, Shortcut Modification, SIP and Trust Provider Hijacking, System Firmware, Time Providers, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation:
Access Token Manipulation, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Search Order Hijacking, Exploitation for Privilege Escalation, Extra Window Memory Injection, File System Permissions Weakness, Hooking, Image File Execution Options Injection, New Service, Path Interception, Port Monitors, Process Injection, Scheduled Task, Service Registry Permissions Weakness, SID-History Injection, Valid Accounts, Web Shell

Defense Evasion:
Access Token Manipulation, Binary Padding, BITS Jobs, Bypass User Account Control, CMSTP, Code Signing, Compiled HTML File, Component Firmware, Component Object Model Hijacking, Control Panel Items, DCShadow, Deobfuscate/Decode Files or Information, Disabling Security Tools, DLL Search Order Hijacking, DLL Side-Loading, Exploitation for Defense Evasion, Extra Window Memory Injection, File Deletion, File Permissions Modification, File System Logical Offsets, Hidden Files and Directories, Image File Execution Options Injection, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Indirect Command Execution, Install Root Certificate, InstallUtil, Masquerading, Modify Registry, Mshta, Network Share Connection Removal, NTFS File Attributes, Obfuscated Files or Information, Process Doppelgänging, Process Hollowing, Process Injection, Redundant Access, Regsvcs/Regasm, Regsvr32, Rootkit, Rundll32, Scripting, Signed Binary Proxy Execution, Signed Script Proxy Execution, SIP and Trust Provider Hijacking, Software Packing, Template Injection, Timestomp, Trusted Developer Utilities, Valid Accounts, Web Service, XSL Script Processing

Credential Access:
Account Manipulation, Brute Force, Credential Dumping, Credentials in Files, Credentials in Registry, Exploitation for Credential Access, Forced Authentication, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning, Network Sniffing, Password Filter DLL, Private Keys, Two-Factor Authentication Interception

Discovery:
Account Discovery, Application Window Discovery, Browser Bookmark Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Network Sniffing, Password Policy Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery

Lateral Movement:
Application Deployment Software, Distributed Component Object Model, Exploitation of Remote Services, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Third-party Software, Windows Admin Shares, Windows Remote Management

Collection:
Audio Capture, Automated Collection, Clipboard Data, Data from Information Repositories, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Data Staged, Email Collection, Input Capture, Man in the Browser, Screen Capture, Video Capture

Exfiltration:
Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer

Command and Control:
Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Fallback Channels, Multi-hop Proxy, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

LEGEND

Techniques observed in this campaign and noted as previously used by APT10
New techniques observed in this campaign not previously noted as used
Techniques not observed during this campaign previously used by APT10

The printed matrix distinguishes these three categories by colour; that colour coding is not carried in the text rendering, so the lists above give the full matrix as printed without indicating which legend category each technique falls into.