Red Team Tools
LAST UPDATED ON JULY 23, 2024
In the intricate world of cybersecurity, defending against cyber threats is an ongoing battle. This challenge is further intensified by the evolving and increasingly sophisticated tactics, techniques, and procedures (TTPs) of adversaries. Central to this dynamic is understanding the tools and techniques that red teams—ethical hackers simulating real-world cyberattacks—employ to test and strengthen defenses.
The MITRE ATT&CK framework has emerged as a pivotal resource in this arena, offering a comprehensive matrix of tactics and techniques that adversaries use across their attack lifecycle. This blog delves deep into the various red team tools mapped meticulously to specific MITRE ATT&CK tactics and techniques, providing insights into how these tools operate, and why they're essential for a robust defensive strategy.
Disclaimer: This article is for educational purposes only. Unauthorized use of these tools against any system or network without explicit permission is illegal.
What Are Red Team Tools?
Red Team Tools are specialized software applications, scripts, or utilities developed and utilized by red teamers to assess, test, and exploit vulnerabilities in an organization's infrastructure, applications, people, and processes. These tools emulate techniques and tactics employed by real-world attackers, providing a realistic assessment of an organization's security posture.
Ranging from reconnaissance tools to post-exploitation utilities, red team tools aim to mimic various stages of an attack lifecycle. Their primary purpose is to help identify weaknesses, improve defenses, and enhance an organization's ability to detect and respond to genuine threats. While many of these tools have legitimate use cases for security assessments, they can also be misused by malicious actors if not properly secured and handled.
Using Native OS Tools vs. Brining Custom Red Teaming Tools
During real-world cyberattacks, adversaries have the choice between using tools that are native to the operating system (often referred to as "living off the land") and introducing custom tools to the targeted environment.
Native OS tools are programs and utilities that come pre-installed with the operating system and are generally intended for legitimate administrative or system-related functions. In contrast, custom red teaming tools are specially crafted or acquired software, often designed to exploit, escalate, and maneuver within a network.
Here are two examples.
Native OS Tool: PowerShell
-
Purpose: A task automation and configuration management framework that comes with Windows.
-
Attack Use Case: Can be used to execute malicious scripts, move laterally, or extract data without downloading any additional tools.
Custom Red Teaming Tool: Mimikatz
-
Purpose: A tool designed to extract plaintext passwords, hashes, and other sensitive data from memory.
-
Attack Use Case: Quickly obtain credentials after gaining initial access.
Attackers often choose native OS tools to evade detection.
Since these tools are legitimate and commonly used by system administrators, their usage doesn't immediately raise alarms. Security tools and monitoring systems are less likely to flag activity associated with these tools as malicious. By leveraging native tools, attackers can blend in with regular system activities, making their movements harder to distinguish from legitimate operations. On the other hand, custom tools might have unique signatures, behaviors, or network patterns that can be more easily detected by security solutions.
In essence, using native OS tools helps attackers maintain a lower profile and prolong their presence in the environment undetected.
An Example of PoshC2 Framework’s Being Flagged by Windows Defender
Let us consider the following scenario: say that while investigating a spear-phishing attempt made by an adversary, we discovered an email with an attachment. The adversary attempted to lure the victim into downloading the attachment by claiming it needed to be checked for compliance regulations. In reality, the attachment was PoshC2, though it was disguised under a different name to appear as innocuous as possible.
However, when the user downloaded and executed the file, Windows Defender flagged the executable and quarantined it, identifying it as VirTool:Win32/PoshC2.G.
This example illustrates a crucial aspect of cybersecurity: the constant cat-and-mouse game between adversaries and defenders.
Adversaries often shy away from using commercial or widely recognized custom tools as they can be easily flagged by modern security solutions, such as Windows Defender in the scenario described. Instead, they tend to customize these tools or disguise them under different names and appearances to circumvent detection. This customization alters the tool's signature, making it harder for signature-based detection systems to identify the malicious tool.
Red Team Tools
Red teaming is a critical process where ethical hackers simulate cyber-attacks against an organization to identify vulnerabilities that could be exploited by malicious actors. These simulations are conducted with the knowledge and consent of the organization being tested, making it a legal and ethical practice.
In this blog, we have curated a comprehensive list of software employed by adversaries, mapped to the MITRE ATT&CK Framework. This software landscape is delineated into two main segments: TOOLs and MALWARE.
Tools encompass commercial, open-source, built-in, or publicly available software that could be utilized by defenders, penetration testers, red teamers, or adversaries. This category encapsulates software not generally found on enterprise systems as well as commonly available software as part of an operating system already present in an environment.
Examples include PsExec, Impacket, AdFind, CrackMapExec, Mimikatz, and Windows utilities such as Net, netstat, Tasklist, among others.
AdFind as an Example Software Classified as TOOL by MITRE ATT&CK Framework.
In the upcoming sections, we have selected the Tools and mapped them under their corresponding tactics and techniques as per the MITRE ATT&CK framework.
Reconnaissance Red Teaming Tools (TA0043)
Reconnaissance, often referred to as "recon", is a preliminary phase in cybersecurity where information about a target system or network is collected, be it passively or actively, to assist in future operations.
Some of the notable tools used for this purpose include OWASP Amass, Sn1per, theHarvester, Recon-ng 5, Maltego CE 4, the Social Engineering Toolkit (SET), Nikto 2, Shodan, Spiderfoot, and EyeWitness.
While adversaries may leverage these tools to uncover vulnerabilities and potential points of entry for malicious intent, ethical hackers or professionals use them to identify and rectify security weaknesses, ensuring the safety and resilience of systems against potential threats.
In addition to ones listed in this section, in the SOFTWARE section, we discovered that the AADInternals tool was mapped to the Reconnaissance (TA0043) tactic under the MITRE ATT&CK Framework, along with its corresponding technique IDs.
Reconnaissance (TA0043) |
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1589.002 [1] ATT&CK T1598.003 [3] |
Execution Red Teaming Tools (TA0002)
In the realm of cybersecurity, the Execution phase, categorized under ATT&CK Execution TA0002, denotes a scenario where adversaries deploy specific tools to execute their malicious code on target systems, either locally or remotely.
Key tools, such as macro_pack, Donut, and Unicorn, emphasize this execution aspect.
Additionally, many tools have been explicitly mapped to the MITRE ATT&CK framework, affirming their significance and widespread adoption in real-world scenarios.
Such mapped tools include AADInternals, Impacket, Donut, Empire, Koadic, Impacket, Cmd, CARROTBALL, BloodHound, Peirates, ConnectWise, PowerSploit, and PoshC2, each with distinct ATT&CK IDs and corresponding technique references.
Execution (TA0002) |
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1651 [6] |
Donut (ATT&CK ID: S0695) |
ATT&CK T1106 [8] |
|
Empire (ATT&CK ID: S0363) |
ATT&CK T1059.001 [7] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1059.001 [7] |
|
Cmd (ATT&CK ID: S0106) |
ATT&CK T1059.003 [9] |
|
CARROTBALL (ATT&CK ID: S0465) |
ATT&CK T204.002 [10] |
|
BloodHound (ATT&CK ID: S0521) |
ATT&CK T1059.001 [7] |
|
Peirates (ATT&CK ID: S0683) |
ATT&CK T1609 [11] |
|
ConnectWise (ATT&CK ID: S0591) |
ATT&CK T1059.001 [7] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1047 [12] ATT&CK T1569.002 [13] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1047 [12] |
While at a glance these tools might appear malign in nature, in the hands of adversaries, they're powerful instruments for compromising systems. However, they also double up as invaluable assets in the arsenals of red teaming professionals and ethical hackers.
Red teamers employ them to simulate sophisticated attacks, testing an organization's defenses in real-time. On the other hand, ethical hackers utilize these tools to identify vulnerabilities and rectify them before malevolent entities exploit them, safeguarding the digital infrastructure and its stakeholders.
Persistence Red Teaming Tools (TA0003)
In cybersecurity, the Persistence phase—represented under ATT&CK Persistence TA0003—depicts scenarios where adversaries employ specific techniques to ensure their continued access to compromised systems, even in the face of challenges like system restarts, credential alterations, and other potential disruptions. It encapsulates strategies that adversaries deploy to solidify their presence on a target, from code hijacking to startup modifications.
Several tools have been meticulously mapped to the MITRE ATT&CK framework to signify their role in these persistence activities.
Noteworthy among them are Empire, AADInternals, Koadic, PowerSploit, Ruler, CSPY Downloader, Mimikatz, BITSAdmin, and PsExec. Each of these tools has distinct ATT&CK IDs and associated technique references, underscoring their specific roles in ensuring persistent access.
Persistence (TA0003) |
Empire (ATT&CK ID: S0363) |
ATT&CK T1547.001 [15] ATT&CK T1136.002 [17] |
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1098.005 [19] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1547.001 [15] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1547.001 [15] |
|
Ruler (ATT&CK ID: S0358) |
ATT&CK T1137.003 [21] |
|
CSPY Downloader (ATT&CK ID: S0527) |
ATT&CK T1053.005 |
|
Mimikatz (ATT&CK S0002) |
ATT&CK T1098 [22] |
|
BITSAdmin (ATT&CK S0190) |
ATT&CK T1197 [23] |
|
PsExec (ATT&CK S0029) |
ATT&CK T1136.002 [17] |
These tools, while potent in the hands of malicious actors, also serve as invaluable instruments for red teaming and ethical hacking endeavors. Red team professionals harness them to emulate advanced persistent threats, pushing organizational defenses to their limits. Conversely, ethical hackers wield these tools as a means to unearth and mitigate vulnerabilities, fortifying systems against adversaries seeking long-term access.
Privilege Escalation Red Teaming Tools (TA0004)
In the realm of cybersecurity, the Privilege Escalation phase, denoted as ATT&CK Privilege Escalation TA0004, refers to situations where adversaries deploy specialized techniques to elevate their access rights, enabling them to expand their control over the compromised system. This phase is crucial as it often paves the way for adversaries to perform more invasive activities, like accessing sensitive data or deploying malicious payloads.
Several tools have been intricately mapped to the MITRE ATT&CK framework to highlight their critical role in facilitating privilege escalation.
Among these are Mimikatz, IronNetInjector, PoshC2, UACme, Koadic, Empire, CSPY Downloader, AADInternals, PowerSploit, Netsh, and PcShare. Each tool is identified with unique ATT&CK IDs and associated technique references, elucidating their specific functions in the privilege escalation process.
Privilege Escalation (TA0004) |
Mimikatz (ATT&CK S0002) |
ATT&CK T1134.005 [24] |
IronNetInjector (ATT&CK ID: S0581) |
ATT&CK T1055 [25] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1055 [25] |
|
UACme (ATT&CK ID: S0116) |
ATT&CK T1548.002 [26] |
|
PsExec (ATT&CK ID: S0029) |
ATT&CK T1543.003 [27] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1548.002 [26] |
|
Empire (ATT&CK ID: S0363) |
ATT&CK T1548.002 [26] ATT&CK T1134.005 [24] |
|
CSPY Downloader (ATT&CK ID: S0527) |
ATT&CK T1549.002 [30] |
|
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1484.002 [31] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1053.005 [32] |
|
Netsh (ATT&CK ID: S0108) |
ATT&CK T1546.007 [34] |
|
PcShare (ATT&CK ID: S1050) |
ATT&CK T1546.015 [35] |
These tools, while inherently powerful and potentially malicious when misused, also offer great value in red teaming and ethical hacking operations. Red team experts utilize them to emulate complex attacks, simulating real-world adversaries that might exploit privilege escalation vulnerabilities. Meanwhile, ethical hackers employ these tools to identify and remedy potential system weak points, ensuring that systems are safeguarded against unauthorized privilege elevation by malicious actors.
Defense Evasion Red Teaming Tools (TA0005)
Defense evasion embodies techniques that adversaries deploy to escape detection during their incursion. The emphasis is on stealth, and these techniques are geared towards bypassing or compromising the defensive measures in place. This can range from the deactivation or removal of security software, to the more sophisticated methods of obfuscating or encrypting malicious scripts. In some instances, adversaries harness and misuse trusted processes to conceal their malware, adding layers of deception to their tactics.
Within the framework of MITRE ATT&CK's Defense Evasion (TA0005), tools like Pass-The-Hash Toolkit, HTRAN, Reg, Koadic, Donut, Esentutl, Certutil, CSPY Downloader, Cmd, CARROTBALL, RemoteUtilities, Invoke-PSImage, PowerSploit, IronNetInjector, Mimikatz, Netsh, PoshC2, and PcShare have been identified and mapped, each associated with specific ATT&CK IDs and technique references that illustrate their role in evasive maneuvers.
Defense Evasion (TA0005) |
Pass-The-Hash Toolkit (ATT&CK ID: S0122) |
ATT&CK T1550.002 [36] |
HTRAN (ATT&CK ID: S0040) |
ATT&CK T1014 [37] |
|
Reg (ATT&CK ID: S0075) |
ATT&CK T1112 [38] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1564.003 [39] |
|
Donut (ATT&CK ID: S0695) |
ATT&CK T1562.001 [40] |
|
Esentutl (ATT&CK ID: S0404) |
ATT&CK T1564.004 [41] |
|
Certutil (ATT&CK ID: S0160) |
ATT&CK T1140 [42] ATT&CK T1553.004 [43] |
|
CSPY Downloader (ATT&CK ID: S0527) |
ATT&CK T1070.004 [44] |
|
Cmd (ATT&CK ID: S0106) |
ATT&CK T1070.004 [44] |
|
CARROTBALL (ATT&CK ID: S0465) |
ATT&CK T1027 [48] |
|
RemoteUtilities (ATT&CK ID: S0592) |
ATT&CK T1218.007 [49] |
|
Invoke-PSImage (ATT&CK ID: S0231) |
ATT&CK T1027 [48] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1620 [50] |
|
IronNetInjector (ATT&CK ID: S0581) |
ATT&CK T1140 [57] ATT&CK T1036 [58] |
|
Mimikatz (ATT&CK ID: S0002) |
ATT&CK T1207 [59] ATT&CK T1550.002 [36] |
|
Netsh (ATT&CK ID: S0108) |
ATT&CK T1562.004 [61] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1550.002 [36] |
|
PcShare (ATT&CK ID: S1050) |
ATT&CK T1140 [57] |
These tools, while potentially malicious in the wrong hands, are indispensable for red teaming and ethical hacking endeavors. Red teams leverage them to simulate sophisticated adversaries that employ stealth to bypass detection. Simultaneously, ethical hackers harness these tools to unearth and mitigate potential vulnerabilities in defense systems, ensuring the resiliency and robustness of those defenses against stealthy and evasive threats.
Credential Access Red Teaming Tools (TA0006)
Adversaries employ Credential Access techniques to steal account names and passwords, enabling them to move laterally within environments and access restricted resources. Such techniques may involve keylogging, credential dumping, or exploiting improperly stored or weakly protected passwords. By using legitimate credentials, adversaries not only gain unfettered access but also reduce their detection chances, blending in with typical user activities.
Within the scope of MITRE ATT&CK's Credential Access (TA0006), an array of tools like Mimikatz, Gsecdump, Cachedump, CrackMapExec, Rubeus, Esentutl, PowerSploit, Responder, Pwdump, Empire, Reg, LaZagne, PoshC2, Impacket, Koadic, AADInternals, Lslsass, MailSniper, and NBTscan stand identified.
Each tool corresponds to specific ATT&CK IDs and technique references that offer a detailed blueprint of their modus operandi.
Credential Access (TA0006) |
Mimikatz (ATT&CK S0002) |
ATT&CK T1555 [63] |
Gsecdump (ATT&CK ID: S0008) |
ATT&CK T1003.002 [67] |
|
Cachedump (ATT&CK ID: S0119) |
ATT&CK T1003.005 [70] |
|
CrackMapExec (ATT&CK ID: S0488) |
ATT&CK T1110.001 [71] |
|
Rubeus (ATT&CK ID: S1071) |
ATT&CK 1558.001 [65] |
|
Esentutl (ATT&CK ID: S0404) |
ATT&CK T1003.003 [72] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK 1558.003 [74] |
|
Responder (ATT&CK ID: S0174) |
ATT&CK T1557.001 [76] |
|
Pwdump (ATT&CK ID: S0006) |
ATT&CK T1003.002 [78] |
|
Empire (ATT&CK ID: S0363) |
ATT&CK T1557.001 [76] |
|
Reg (ATT&CK ID: S0075) |
ATT&CK T1552.002 [79] |
|
LaZagne (ATT&CK ID: S0349) |
ATT&CK T1552.001 [80] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1552.002 [79] ATT&CK T1555.004 [83] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1552.001 [80] |
|
Impacket (ATT&CK ID: S0357) |
ATT&CK T1557.001 [76] ATT&CK T1003.003 [72] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1003.002 [85] |
|
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1003.004 [68] ATT&CK T1528 [86] |
|
Lslsass (ATT&CK ID: S0121) |
ATT&CK T1003.001 [84] |
|
MailSniper (ATT&CK ID: S0413) |
ATT&CK T1110.003 [87] |
|
NBTscan (ATT&CK ID: S0590) |
ATT&CK T1040 [77] |
Discovery Red Teaming Tools (TA0007)
In cybersecurity, the Discovery phase—outlined within the ATT&CK Discovery TA0007—captures the various methods and techniques adversaries utilize to acquire information about the compromised environment. This stage is crucial for adversaries, offering insights into the system and internal network, which subsequently informs their decisions and tactics. By harnessing native operating system tools and other software, adversaries can comprehend what lies within their reach and understand potential vulnerabilities or valuable assets.
A myriad of tools, diligently mapped to the MITRE ATT&CK framework, exemplifies these discovery activities.
Noteworthy among these tools are BloodHound, AdFind, Reg, Rubeus, Cmd, Rclone, Empire, Ruler, Ifconfig, Koadic, PowerSploit, AADInternals, MailSniper, RemoteUtilities, Arp, NBTscan, Netstat, PoshC2, PcShare, Ping, Netsh, Peirates, and Nbtstat.
Each of these tools comes with distinct ATT&CK IDs and associated technique references, highlighting their particular roles in environment discovery.
Discovery (TA0007) |
BloodHound (ATT&CK ID: S0521) |
ATT&CK T1087.001 [88] |
AdFind (ATT&CK ID: S0552) |
ATT&CK T1087.002 [89] |
|
Reg (ATT&CK ID: S0075) |
ATT&CK T1012 [95] |
|
Rubeus (ATT&CK ID: S1071) |
ATT&CK T1482 [90] |
|
Cmd (ATT&CK ID: S0106) |
ATT&CK T1082 [96] |
|
Rclone (ATT&CK ID: S1040) |
ATT&CK T1083 [97] |
|
Empire (ATT&CK ID: S0363) |
ATT&CK T1087.001 [88] |
|
Ruler (ATT&CK ID: S0358) |
ATT&CK T1087.003 [99] ATT&CK T1087.004 [100] |
|
Ifconfig (ATT&CK ID: S0101) |
ATT&CK T1016 [93] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1083 [101] |
|
Cmd (ATT&CK ID: S0106) |
ATT&CK T1083 [101] |
|
dsquery (ATT&CK ID: S0105) |
ATT&CK T1087.002 [89] ATT&CK T1082 [96] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1012 [95] ATT&CK T1057 [103] |
|
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1087.004 [100] |
|
MailSniper (ATT&CK ID: S0413) |
ATT&CK T1087.003 [105] |
|
RemoteUtilities (ATT&CK ID: S0592) |
ATT&CK T1083 [101] |
|
Arp (ATT&CK ID: S0099) |
ATT&CK T1018 [106] |
|
NBTscan (ATT&CK ID: S0590) |
ATT&CK T1046 [107] ATT&CK T1018 [106] |
|
Netstat (ATT&CK ID: S0104) |
ATT&CK T1049 [109] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1007 [110] |
|
PcShare (ATT&CK ID: S1050) |
ATT&CK T1016 [114] |
|
Ping (ATT&CK ID: S0097) |
ATT&CK T1018 [92] |
|
Netsh (ATT&CK ID: S0108) |
ATT&CK T1518.001 [115] |
|
Peirates (ATT&CK ID: S0683) |
ATT&CK T1619 [116] |
|
ATT&CK T1613 [117] |
||
Nbtstat (ATT&CK ID: S0102) |
ATT&CK T1049 [109] |
|
ATT&CK T1016 [114] |
Lateral Movement Red Teaming Tools (TA0008)
In the realm of cybersecurity, the Lateral Movement phase—defined within ATT&CK Lateral Movement TA0008—describes the strategies and maneuvers that adversaries execute to traverse a network once they've secured an initial foothold. Their aim is to find and access specific resources or targets within the network, which often necessitates moving through multiple systems and perhaps even taking over various user accounts. This is akin to an intruder not just breaking into a building, but moving from room to room to find a specific valuable item. Notably, while adversaries can deploy their proprietary tools to aid in this movement, they frequently exploit native OS tools and legitimate credentials to stay under the radar and blend with normal activities.
A range of tools, as categorized by the MITRE ATT&CK framework, play pivotal roles in facilitating this lateral progression across networks. Among the prominent ones are Mimikatz, PsExec, Cmd, Esentutl, BITSAdmin, Pupy, CrackMapExec, PowerSploit, and Pass-The-Hash Toolkit.
Each tool is linked with unique ATT&CK IDs and related technique references, highlighting the specific ways they can be employed to move laterally within a network.
Lateral Movement (TA0008) |
Mimikatz (ATT&CK ID: S0002) |
ATT&CK T1550.002 [36] |
PsExec (ATT&CK ID: S0029) |
ATT&CK T1570 [118] |
|
Pupy (ATT&CK ID: S0192) |
ATT&CK T1021.001 [120] |
|
Cmd (ATT&CK ID: S0106) |
ATT&CK T1570 [118] |
|
Esentutl (ATT&CK ID: S0404) |
ATT&CK T1570 [118] |
|
BITSAdmin (ATT&CK S0190) |
ATT&CK T1570 [118] |
|
CrackMapExec (ATT&CK ID: S0488) |
ATT&CK T1550.002 [36] |
|
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1570 [118] |
|
Pass-The-Hash Toolkit (ATT&CK ID: S0122) |
ATT&CK T1550.002 [36] |
Collection Red Teaming Tools (TA0009)
Within cybersecurity, the Collection phase—outlined in ATT&CK Collection TA0009—details the strategies adversaries deploy to aggregate information pertinent to their objectives. After infiltrating a system or network, attackers often seek specific data, and the methods they employ to harvest this data is what the collection phase is all about. Whether it's to support a primary mission or merely opportunistic data harvesting, the process can involve a myriad of tactics, from intercepting emails and video feeds to taking screenshots or recording keystrokes. And while gathering is an end in itself, it often serves as a precursor to another crucial phase: data exfiltration.
Several tools, as categorized by the MITRE ATT&CK framework, have been earmarked for their significance in the Collection phase. Some of the key tools include PowerSploit, Koadic, Rclone, Impacket, Certutil, Empire, ConnectWise, MailSniper, Esentutl, PoshC2, Mythic, RemoteUtilities, and PcShare.
Each of these tools is associated with specific ATT&CK IDs and designated technique references.
Collection (TA0009) |
PowerSploit (ATT&CK ID: S0194) |
ATT&CK T1005 [121] |
Koadic (ATT&CK ID: S0250) |
ATT&CK T1005 [121] |
|
Rclone (ATT&CK ID: S1040) |
ATT&CK T1560.001 [122] |
|
Impacket (ATT&CK ID: S0357) |
ATT&CK T1557.001 [123] |
|
Certutil (ATT&CK ID: S0160) |
ATT&CK T1056.001 [124] |
|
Empire (ATT&CK ID: S0363) |
ATT&CK T1560 [125] |
|
ConnectWise (ATT&CK ID: S0591) |
ATT&CK T1113 [128] ATT&CK T1125 [129] |
|
MailSniper (ATT&CK ID: S0413) |
ATT&CK T1114 [130] |
|
Esentutl (ATT&CK ID: S0404) |
ATT&CK T1005 [131] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1056.001 [124] |
|
Mythic (ATT&CK ID: S0699) |
ATT&CK T1119 [126] |
|
RemoteUtilities (ATT&CK ID: S0592) |
ATT&CK T1113 [128] |
|
PcShare (ATT&CK ID: S1050) |
ATT&CK T1005 [131] |
Command and Control Red Teaming Tools (TA0011)
In the cybersecurity landscape, the Command and Control phase, as illustrated under ATT&CK Command and Control TA0011, represents the methodologies adversaries employ to maintain communications with the systems they have successfully infiltrated.
By establishing a channel of communication, they gain the capability to remotely control, command, and even extract information from these compromised systems. A crucial aspect of this phase is the adversary's attempt to camouflage their communication, often striving to ensure it appears as legitimate or routine network traffic. This masking helps them evade detection. Given the intricacies of various network structures and defense mechanisms, adversaries can adopt a myriad of techniques ranging from the overt to the covert to ensure uninterrupted command and control.
Numerous tools have been associated with the Command and Control phase in the MITRE ATT&CK framework, highlighting their utility in this critical phase. Key among them are Pupy, Empire, RemoteUtilities, Donut, HTRAN, CSPY Downloader, Esentutl, Cmd, BITSAdmin, Koadic, PoshC2, CARROTBALL, Netsh, PcShare, and Mythic.
Each tool comes with designated ATT&CK IDs and associated technique references.
Command and Control (TA0011) |
Pupy (ATT&CK ID: S0192) |
ATT&CK T1071.001 [132] |
Empire (ATT&CK ID: S0363) |
ATT&CK T1071.001 [132] |
|
RemoteUtilities (ATT&CK ID: S0592) |
ATT&CK T1105 [134] |
|
Donut (ATT&CK ID: S0695) |
ATT&CK T1071.001 [132] |
|
HTRAN (ATT&CK ID: S0040) |
ATT&CK T1090 [135] |
|
CSPY Downloader (ATT&CK ID: S0527) |
ATT&CK T1071.001 [132] |
|
Esentutl (ATT&CK ID: S0404) |
ATT&CK T1105 [136] |
|
Cmd (ATT&CK ID: S0106) |
ATT&CK T1105 [134] |
|
BITSAdmin (ATT&CK S0190) |
ATT&CK T1105 [134] |
|
Koadic (ATT&CK ID: S0250) |
ATT&CK T1573.002 [133] |
|
PoshC2 (ATT&CK ID: S0378) |
ATT&CK T1090 [137] |
|
CARROTBALL (ATT&CK ID: S0465) |
ATT&CK T1071.002 [138] |
|
Netsh (ATT&CK ID: S0108) |
ATT&CK T1090 [137] |
|
PcShare (ATT&CK ID: S1050) |
ATT&CK T1071.001 [132] |
|
ATT&CK T1071.003 [139] |
||
Mythic (ATT&CK ID: S0699) |
ATT&CK T1008 [140] ATT&CK T1090.002 [144] |
Exfiltration Red Teaming Tools (TA0010)
In cybersecurity narratives, the Exfiltration phase—outlined under ATT&CK Exfiltration TA0010—elucidates the various tactics adversaries deploy to illicitly extract valuable data from compromised systems or networks. The act of exfiltration is often the culmination of a cyber-attack, where adversaries seek to transport stolen data to their desired destination. Before doing so, they may utilize a variety of techniques to prepare the data for transmission. These preparations could involve data compression to minimize its size or encryption to ensure its secrecy. Adversaries might choose to transfer this data over their established command and control channels or through alternative routes. Often, there's a strategic intent behind how they transmit this data, like placing size constraints to reduce the risk of detection.
The MITRE ATT&CK framework has carefully mapped several tools to the Exfiltration phase, pinpointing their relevance in aiding adversaries during data extraction. Prominent among these tools are Rclone, Pupy, Dnscat2, Mythic, Empire, AADInternals, and PcShare. Each of these tools is accompanied by specific ATT&CK IDs and corresponding technique references.
Exfiltration (TA0010) |
Rclone (ATT&CK ID: S1040) |
ATT&CK T1030 [146] |
Pupy (ATT&CK ID: S0192) |
ATT&CK T1041 [150] |
|
Mythic (ATT&CK ID: S0699) |
ATT&CK T1030 [151] |
|
Empire (ATT&CK ID: S0363) |
ATT&CK T1020 [152] |
|
AADInternals (ATT&CK ID: S0677) |
ATT&CK T1048 [153] |
|
PcShare (ATT&CK ID: S1050) |
ATT&CK T1041 [150] |
Such detailed mappings provide insights into the distinct roles these tools play in the exfiltration process, whether it's packaging data for stealthy extraction, transmitting it over different channels, or using techniques that bypass conventional security measures.
For instance, Rclone is known for its capability in cloud-based data transfer, making it a versatile tool for adversaries aiming to move stolen data to cloud storage. Similarly, tools like Mythic or Empire can be utilized for their encryption and data manipulation capabilities, ensuring that the extracted data remains clandestine. In essence, these tools exemplify the range of techniques adversaries have at their disposal during the critical exfiltration stage, emphasizing the need for robust defensive measures against data breaches.
Impact Red Teaming Tool (TA0040)
Within the cybersecurity landscape, the Impact phase—denoted as ATT&CK Impact TA0040—details the methods adversaries utilize to disrupt, degrade, or even destroy critical system functions or data. This phase highlights the potential aftermath of an intrusion, focusing on the adversary's intent to inflict harm rather than merely stealing information. By executing impact techniques, adversaries aim to compromise the availability of resources, alter their integrity, or manipulate operational processes to serve their malicious objectives. These can range from deleting valuable data to subtly modifying processes so that, on the surface, operations seem regular, but underneath, they serve the malevolent aims of the attacker. Often, these impactful actions can either signify the culmination of a cyber operation or act as a smokescreen to mask data exfiltration.
The MITRE ATT&CK framework, in its in-depth analysis, has associated specific tools with the Impact phase, underscoring their potential roles in executing detrimental operations. One such noteworthy tool is RawDisk.
Categorized with distinct ATT&CK IDs and associated technique references, RawDisk exemplifies the kind of software that adversaries might employ to manipulate or damage system data or structures. In particular, RawDisk is recognized for its capabilities in directly interacting with disk data, bypassing the file system, which can lead to devastating results like data deletion or alteration. This tool, and others like it, epitomize the destructive potential adversaries wield when targeting systems, underlining the importance of robust security postures and timely incident response measures.
Impact (TA0040) |
RawDisk (ATT&CK ID: S0364) |
ATT&CK T1485 [154] |
[1] “Gather Victim Identity Information: Email Addresses.” Available: https://attack.mitre.org/techniques/T1589/002/. [Accessed: Oct. 19, 2023]
[2] “Gather Victim Network Information: Domain Properties.” Available: https://attack.mitre.org/techniques/T1590/001/. [Accessed: Oct. 19, 2023]
[3] “Phishing for Information: Spearphishing Link.” Available: https://attack.mitre.org/techniques/T1598/003/. [Accessed: Oct. 19, 2023]
[4] “Phishing: Spearphishing Link.” Available: https://attack.mitre.org/techniques/T1566/002/. [Accessed: Oct. 19, 2023]
[5] “Exploit Public-Facing Application.” Available: https://attack.mitre.org/techniques/T1190/. [Accessed: Oct. 20, 2023]
[6] “Cloud Administration Command.” Available: https://attack.mitre.org/techniques/T1651/. [Accessed: Oct. 19, 2023]
[7] “Command and Scripting Interpreter: PowerShell.” Available: https://attack.mitre.org/techniques/T1059/001/. [Accessed: Oct. 19, 2023]
[8] “Native API.” Available: https://attack.mitre.org/techniques/T1106/. [Accessed: Oct. 20, 2023]
[9] “Command and Scripting Interpreter: Windows Command Shell.” Available: https://attack.mitre.org/techniques/T1059/003/. [Accessed: Oct. 20, 2023]
[10] “User Execution: Malicious File.” Available: https://attack.mitre.org/techniques/T1204/002/. [Accessed: Oct. 20, 2023]
[11] “Container Administration Command.” Available: https://attack.mitre.org/techniques/T1609/. [Accessed: Oct. 18, 2023]
[12] “Windows Management Instrumentation.” Available: https://attack.mitre.org/techniques/T1047/. [Accessed: Oct. 19, 2023]
[13] “System Services: Service Execution.” Available: https://attack.mitre.org/techniques/T1569/002/. [Accessed: Oct. 19, 2023]
[14] “System Services: Service Execution.” Available: https://attack.mitre.org/techniques/T1569/002/. [Accessed: Oct. 19, 2023]
[15] “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.” Available: https://attack.mitre.org/techniques/T1547/001/. [Accessed: Oct. 19, 2023]
[16] “Boot or Logon Autostart Execution: Security Support Provider.” Available: https://attack.mitre.org/techniques/T1547/005/. [Accessed: Oct. 19, 2023]
[17] “Create Account: Domain Account.” Available: https://attack.mitre.org/techniques/T1136/002/. [Accessed: Oct. 19, 2023]
[18] “Create or Modify System Process: Windows Service.” Available: https://attack.mitre.org/techniques/T1543/003/. [Accessed: Oct. 19, 2023]
[19] “Account Manipulation: Device Registration.” Available: https://attack.mitre.org/techniques/T1098/005/. [Accessed: Oct. 19, 2023]
[20] “Create Account: Cloud Account.” Available: https://attack.mitre.org/techniques/T1136/003/. [Accessed: Oct. 19, 2023]
[21] “Office Application Startup: Outlook Forms.” Available: https://attack.mitre.org/techniques/T1137/003/. [Accessed: Oct. 19, 2023]
[22] “Account Manipulation.” Available: https://attack.mitre.org/techniques/T1098/. [Accessed: Oct. 18, 2023]
[23] “BITS Jobs.” Available: https://attack.mitre.org/techniques/T1197/. [Accessed: Oct. 19, 2023]
[24] “Access Token Manipulation: SID-History Injection.” Available: https://attack.mitre.org/techniques/T1134/005/. [Accessed: Oct. 18, 2023]
[25] “Process Injection.” Available: https://attack.mitre.org/techniques/T1055/. [Accessed: Oct. 18, 2023]
[26] “Abuse Elevation Control Mechanism: Bypass User Account Control.” Available: https://attack.mitre.org/techniques/T1548/002/. [Accessed: Oct. 20, 2023]
[27] “Create or Modify System Process: Windows Service.” Available: https://attack.mitre.org/techniques/T1543/003/. [Accessed: Oct. 20, 2023]
[28] “Access Token Manipulation: Create Process with Token.” Available: https://attack.mitre.org/techniques/T1134/002/. [Accessed: Oct. 20, 2023]
[29] “Domain Policy Modification: Group Policy Modification.” Available: https://attack.mitre.org/techniques/T1484/001/. [Accessed: Oct. 20, 2023]
[30] “Abuse Elevation Control Mechanism: Bypass User Account Control.” Available: https://attack.mitre.org/techniques/T1548/002/. [Accessed: Oct. 20, 2023]
[31] “Domain Policy Modification: Domain Trust Modification.” Available: https://attack.mitre.org/techniques/T1484/002/. [Accessed: Oct. 19, 2023]
[32] “Scheduled Task/Job: Scheduled Task.” Available: https://attack.mitre.org/techniques/T1053/005/. [Accessed: Oct. 19, 2023]
[33] “Process Injection: Dynamic-link Library Injection.” Available: https://attack.mitre.org/techniques/T1055/001/. [Accessed: Oct. 19, 2023]
[34] “Event Triggered Execution: Netsh Helper DLL.” Available: https://attack.mitre.org/techniques/T1546/007/. [Accessed: Oct. 18, 2023]
[35] “Event Triggered Execution: Component Object Model Hijacking.” Available: https://attack.mitre.org/techniques/T1546/015/. [Accessed: Oct. 18, 2023]
[36] “Use Alternate Authentication Material: Pass the Hash.” Available: https://attack.mitre.org/techniques/T1550/002/. [Accessed: Oct. 18, 2023]
[37] “Rootkit.” Available: https://attack.mitre.org/techniques/T1014/. [Accessed: Oct. 18, 2023]
[38] “Modify Registry.” Available: https://attack.mitre.org/techniques/T1112/. [Accessed: Oct. 19, 2023]
[39] “Hide Artifacts: Hidden Window.” Available: https://attack.mitre.org/techniques/T1564/003/. [Accessed: Oct. 20, 2023]
[40] “Impair Defenses: Disable or Modify Tools.” Available: https://attack.mitre.org/techniques/T1562/001/. [Accessed: Oct. 20, 2023]
[41] “Hide Artifacts: NTFS File Attributes.” Available: https://attack.mitre.org/techniques/T1564/004/. [Accessed: Oct. 20, 2023]
[42] “Deobfuscate/Decode Files or Information.” Available: https://attack.mitre.org/techniques/T1140/. [Accessed: Oct. 20, 2023]
[43] “Subvert Trust Controls: Install Root Certificate.” Available: https://attack.mitre.org/techniques/T1553/004/. [Accessed: Oct. 20, 2023]
[44] “Indicator Removal: File Deletion.” Available: https://attack.mitre.org/techniques/T1070/004/. [Accessed: Oct. 20, 2023]
[45] “Masquerading: Masquerade Task or Service.” Available: https://attack.mitre.org/techniques/T1036/004/. [Accessed: Oct. 20, 2023]
[46] “Obfuscated Files or Information: Software Packing.” Available: https://attack.mitre.org/techniques/T1027/002/. [Accessed: Oct. 20, 2023]
[47] “Subvert Trust Controls: Code Signing.” Available: https://attack.mitre.org/techniques/T1553/002/. [Accessed: Oct. 20, 2023]
[48] “Obfuscated Files or Information.” Available: https://attack.mitre.org/techniques/T1027/. [Accessed: Oct. 18, 2023]
[49] “System Binary Proxy Execution: Msiexec.” Available: https://attack.mitre.org/techniques/T1218/007/. [Accessed: Oct. 19, 2023]
[50] “Reflective Code Loading.” Available: https://attack.mitre.org/techniques/T1620/. [Accessed: Oct. 19, 2023]
[51] “Obfuscated Files or Information: Indicator Removal from Tools.” Available: https://attack.mitre.org/techniques/T1027/005/. [Accessed: Oct. 19, 2023]
[52] “Obfuscated Files or Information: Command Obfuscation.” Available: https://attack.mitre.org/techniques/T1027/010/. [Accessed: Oct. 19, 2023]
[53] “Hijack Execution Flow: DLL Search Order Hijacking.” Available: https://attack.mitre.org/techniques/T1574/001/. [Accessed: Oct. 19, 2023]
[54] “Hijack Execution Flow: Path Interception by PATH Environment Variable.” Available: https://attack.mitre.org/techniques/T1574/007/. [Accessed: Oct. 19, 2023]
[55] “Hijack Execution Flow: Path Interception by Search Order Hijacking.” Available: https://attack.mitre.org/techniques/T1574/008/. [Accessed: Oct. 19, 2023]
[56] “Hijack Execution Flow: Path Interception by Unquoted Path.” Available: https://attack.mitre.org/techniques/T1574/009/. [Accessed: Oct. 19, 2023]
[57] “Deobfuscate/Decode Files or Information.” Available: https://attack.mitre.org/techniques/T1140/. [Accessed: Oct. 18, 2023]
[58] “Masquerading.” Available: https://attack.mitre.org/techniques/T1036/. [Accessed: Oct. 18, 2023]
[59] “Rogue Domain Controller.” Available: https://attack.mitre.org/techniques/T1207/. [Accessed: Oct. 18, 2023]
[60] “Use Alternate Authentication Material: Pass the Ticket.” Available: https://attack.mitre.org/techniques/T1550/003/. [Accessed: Oct. 18, 2023]
[61] “Impair Defenses: Disable or Modify System Firewall.” Available: https://attack.mitre.org/techniques/T1562/004/. [Accessed: Oct. 18, 2023]
[62] “Indicator Removal: File Deletion.” Available: https://attack.mitre.org/techniques/T1070/004/. [Accessed: Oct. 18, 2023]
[63] “Credentials from Password Stores.” Available: https://attack.mitre.org/techniques/T1555/. [Accessed: Oct. 18, 2023]
[64] “Steal or Forge Authentication Certificates.” Available: https://attack.mitre.org/techniques/T1649/. [Accessed: Oct. 18, 2023]
[65] “Steal or Forge Kerberos Tickets: Golden Ticket.” Available: https://attack.mitre.org/techniques/T1558/001/. [Accessed: Oct. 18, 2023]
[66] “OS Credential Dumping: LSASS Memory.” Available: https://attack.mitre.org/techniques/T1003/001/. [Accessed: Oct. 18, 2023]
[67] “OS Credential Dumping: Security Account Manager.” Available: https://attack.mitre.org/techniques/T1003/002/. [Accessed: Oct. 18, 2023]
[68] “OS Credential Dumping: LSA Secrets.” Available: https://attack.mitre.org/techniques/T1003/004/. [Accessed: Oct. 18, 2023]
[69] “OS Credential Dumping: DCSync.” Available: https://attack.mitre.org/techniques/T1003/006/. [Accessed: Oct. 18, 2023]
[70] “OS Credential Dumping: Cached Domain Credentials.” Available: https://attack.mitre.org/techniques/T1003/005/. [Accessed: Oct. 20, 2023]
[71] “Brute Force: Password Guessing.” Available: https://attack.mitre.org/techniques/T1110/001/. [Accessed: Oct. 20, 2023]
[72] “OS Credential Dumping: NTDS.” Available: https://attack.mitre.org/techniques/T1003/003/. [Accessed: Oct. 19, 2023]
[73] “Steal or Forge Kerberos Tickets: Silver Ticket.” Available: https://attack.mitre.org/techniques/T1558/002/. [Accessed: Oct. 19, 2023]
[74] “Steal or Forge Kerberos Tickets: Kerberoasting.” Available: https://attack.mitre.org/techniques/T1558/003/. [Accessed: Oct. 19, 2023]
[75] “Steal or Forge Kerberos Tickets: AS-REP Roasting.” Available: https://attack.mitre.org/techniques/T1558/004/. [Accessed: Oct. 20, 2023]
[76] “Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay.” Available: https://attack.mitre.org/techniques/T1557/001/. [Accessed: Oct. 19, 2023]
[77] “Network Sniffing.” Available: https://attack.mitre.org/techniques/T1040/. [Accessed: Oct. 18, 2023]
[78] “OS Credential Dumping: Security Account Manager.” Available: https://attack.mitre.org/techniques/T1003/002/. [Accessed: Oct. 19, 2023]
[79] “Unsecured Credentials: Credentials in Registry.” Available: https://attack.mitre.org/techniques/T1552/002/. [Accessed: Oct. 19, 2023]
[80] “Website.” Available: https://attack.mitre.org/techniques/T1552/001/
[81] “Unsecured Credentials: Group Policy Preferences.” Available: https://attack.mitre.org/techniques/T1552/006/. [Accessed: Oct. 19, 2023]
[82] “Input Capture: Keylogging.” Available: https://attack.mitre.org/techniques/T1056/001/. [Accessed: Oct. 19, 2023]
[83] “Credentials from Password Stores: Windows Credential Manager.” Available: https://attack.mitre.org/techniques/T1555/004/. [Accessed: Oct. 19, 2023]
[84] “OS Credential Dumping: LSASS Memory.” Available: https://attack.mitre.org/techniques/T1003/001/. [Accessed: Oct. 18, 2023]
[85] “OS Credential Dumping: Security Account Manager.” Available: https://attack.mitre.org/techniques/T1003/002/. [Accessed: Oct. 18, 2023]
[86] “Steal Application Access Token.” Available: https://attack.mitre.org/techniques/T1528/. [Accessed: Oct. 19, 2023]
[87] “Brute Force: Password Spraying.” Available: https://attack.mitre.org/techniques/T1110/003/. [Accessed: Oct. 18, 2023]
[88] “Account Discovery: Local Account.” Available: https://attack.mitre.org/techniques/T1087/001/. [Accessed: Oct. 20, 2023]
[89] “Account Discovery: Domain Account.” Available: https://attack.mitre.org/techniques/T1087/002/. [Accessed: Oct. 19, 2023]
[90] “Domain Trust Discovery.” Available: https://attack.mitre.org/techniques/T1482/. [Accessed: Oct. 19, 2023]
[91] “Group Policy Discovery.” Available: https://attack.mitre.org/techniques/T1615/. [Accessed: Oct. 20, 2023]
[92] “Remote System Discovery.” Available: https://attack.mitre.org/techniques/T1018/. [Accessed: Oct. 18, 2023]
[93] “System Network Configuration Discovery.” Available: https://attack.mitre.org/techniques/T1016/. [Accessed: Oct. 19, 2023]
[94] “Permission Groups Discovery: Domain Groups.” Available: https://attack.mitre.org/techniques/T1069/002/. [Accessed: Oct. 19, 2023]
[95] “Query Registry.” Available: https://attack.mitre.org/techniques/T1012/. [Accessed: Oct. 19, 2023]
[96] “System Information Discovery.” Available: https://attack.mitre.org/techniques/T1082/. [Accessed: Oct. 20, 2023]
[97] “File and Directory Discovery.” Available: https://attack.mitre.org/techniques/T1083/. [Accessed: Oct. 19, 2023]
[98] “Browser Information Discovery.” Available: https://attack.mitre.org/techniques/T1217/. [Accessed: Oct. 20, 2023]
[99] “Account Discovery: Email Account.” Available: https://attack.mitre.org/techniques/T1087/003/. [Accessed: Oct. 19, 2023]
[100] “Office Application Startup: Outlook Home Page.” Available: https://attack.mitre.org/techniques/T1137/004/. [Accessed: Oct. 19, 2023]
[101] “File and Directory Discovery.” Available: https://attack.mitre.org/techniques/T1083/. [Accessed: Oct. 18, 2023]
[102] “Domain Trust Discovery.” Available: https://attack.mitre.org/techniques/T1482/. [Accessed: Oct. 19, 2023]
[103] “Process Discovery.” Available: https://attack.mitre.org/techniques/T1057/. [Accessed: Oct. 19, 2023]
[104] “Cloud Service Discovery.” Available: https://attack.mitre.org/techniques/T1526/. [Accessed: Oct. 19, 2023]
[105] “Account Discovery: Email Account.” Available: https://attack.mitre.org/techniques/T1087/003/. [Accessed: Oct. 18, 2023]
[106] “Remote System Discovery.” Available: https://attack.mitre.org/techniques/T1018/. [Accessed: Oct. 18, 2023]
[107] “Network Service Discovery.” Available: https://attack.mitre.org/techniques/T1046/. [Accessed: Oct. 18, 2023]
[108] “System Network Configuration Discovery.” Available: https://attack.mitre.org/techniques/T1016/. [Accessed: Oct. 18, 2023]
[109] “System Network Connections Discovery.” Available: https://attack.mitre.org/techniques/T1049/. [Accessed: Oct. 18, 2023]
[110] “Website.” Available: https://attack.mitre.org/techniques/T1007/
[111] “System Information Discovery.” Available: https://attack.mitre.org/techniques/T1082/. [Accessed: Oct. 19, 2023]
[112] “Permission Groups Discovery: Local Groups.” Available: https://attack.mitre.org/techniques/T1069/001/. [Accessed: Oct. 19, 2023]
[113] “Password Policy Discovery.” Available: https://attack.mitre.org/techniques/T1201/. [Accessed: Oct. 19, 2023]
[114] “System Network Configuration Discovery.” Available: https://attack.mitre.org/techniques/T1016/. [Accessed: Oct. 18, 2023]
[115] “Software Discovery: Security Software Discovery.” Available: https://attack.mitre.org/techniques/T1518/001/. [Accessed: Oct. 18, 2023]
[116] “Cloud Storage Object Discovery.” Available: https://attack.mitre.org/techniques/T1619/. [Accessed: Oct. 18, 2023]
[117] “Container and Resource Discovery.” Available: https://attack.mitre.org/techniques/T1613/. [Accessed: Oct. 18, 2023]
[118] “Lateral Tool Transfer.” Available: https://attack.mitre.org/techniques/T1570/. [Accessed: Oct. 19, 2023]
[119] “Remote Services: SMB/Windows Admin Shares.” Available: https://attack.mitre.org/techniques/T1021/002/. [Accessed: Oct. 19, 2023]
[120] “Remote Services: Remote Desktop Protocol.” Available: https://attack.mitre.org/techniques/T1021/001/. [Accessed: Oct. 20, 2023]
[121] “Data from Local System.” Available: https://attack.mitre.org/techniques/T1005/. [Accessed: Oct. 19, 2023]
[122] “Website.” Available: https://attack.mitre.org/techniques/T1560/001/
[123] “Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay.” Available: https://attack.mitre.org/techniques/T1557/001/. [Accessed: Oct. 19, 2023]
[124] “Input Capture: Keylogging.” Available: https://attack.mitre.org/techniques/T1056/001/. [Accessed: Oct. 18, 2023]
[125] “Archive Collected Data.” Available: https://attack.mitre.org/techniques/T1560/. [Accessed: Oct. 20, 2023]
[126] “Automated Collection.” Available: https://attack.mitre.org/techniques/T1119/. [Accessed: Oct. 18, 2023]
[127] “Email Collection: Local Email Collection.” Available: https://attack.mitre.org/techniques/T1114/001/. [Accessed: Oct. 20, 2023]
[128] “Screen Capture.” Available: https://attack.mitre.org/techniques/T1113/. [Accessed: Oct. 19, 2023]
[129] “Video Capture.” Available: https://attack.mitre.org/techniques/T1125/. [Accessed: Oct. 20, 2023]
[130] “Email Collection.” Available: https://attack.mitre.org/techniques/T1114/. [Accessed: Oct. 18, 2023]
[131] “Data from Local System.” Available: https://attack.mitre.org/techniques/T1005/. [Accessed: Oct. 18, 2023]
[132] “Application Layer Protocol: Web Protocols.” Available: https://attack.mitre.org/techniques/T1071/001/. [Accessed: Oct. 18, 2023]
[133] “Encrypted Channel: Asymmetric Cryptography.” Available: https://attack.mitre.org/techniques/T1573/002/. [Accessed: Oct. 18, 2023]
[134] “Ingress Tool Transfer.” Available: https://attack.mitre.org/techniques/T1105/. [Accessed: Oct. 19, 2023]
[135] “Proxy.” Available: https://attack.mitre.org/techniques/T1090/. [Accessed: Oct. 18, 2023]
[136] “Ingress Tool Transfer.” Available: https://attack.mitre.org/techniques/T1105/. [Accessed: Oct. 20, 2023]
[137] “Proxy.” Available: https://attack.mitre.org/techniques/T1090/. [Accessed: Oct. 18, 2023]
[138] “Application Layer Protocol: File Transfer Protocols.” Available: https://attack.mitre.org/techniques/T1071/002/. [Accessed: Oct. 20, 2023]
[139] “Command and Scripting Interpreter: Windows Command Shell.” Available: https://attack.mitre.org/techniques/T1059/003/. [Accessed: Oct. 18, 2023]
[140] “Fallback Channels.” Available: https://attack.mitre.org/techniques/T1008/. [Accessed: Oct. 18, 2023]
[141] “Data Encoding.” Available: https://attack.mitre.org/techniques/T1132/. [Accessed: Oct. 18, 2023]
[142] “Protocol Tunneling.” Available: https://attack.mitre.org/techniques/T1572/. [Accessed: Oct. 18, 2023]
[143] “Proxy: Internal Proxy.” Available: https://attack.mitre.org/techniques/T1090/001/. [Accessed: Oct. 18, 2023]
[144] “Proxy: External Proxy.” Available: https://attack.mitre.org/techniques/T1090/002/. [Accessed: Oct. 18, 2023]
[145] “Proxy: Domain Fronting.” Available: https://attack.mitre.org/techniques/T1090/004/. [Accessed: Oct. 18, 2023]
[146] “Data Transfer Size Limits.” Available: https://attack.mitre.org/techniques/T1030/. [Accessed: Oct. 19, 2023]
[147] “Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol.” Available: https://attack.mitre.org/techniques/T1048/002/. [Accessed: Oct. 19, 2023]
[148] “Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol.” Available: https://attack.mitre.org/techniques/T1048/003/. [Accessed: Oct. 19, 2023]
[149] “Exfiltration Over Web Service: Exfiltration to Cloud Storage.” Available: https://attack.mitre.org/techniques/T1567/002/. [Accessed: Oct. 19, 2023]
[150] “Exfiltration Over C2 Channel.” Available: https://attack.mitre.org/techniques/T1041/. [Accessed: Oct. 18, 2023]
[151] “Data Transfer Size Limits.” Available: https://attack.mitre.org/techniques/T1030/. [Accessed: Oct. 18, 2023]
[152] “Automated Exfiltration.” Available: https://attack.mitre.org/techniques/T1020/. [Accessed: Oct. 20, 2023]
[153] “Exfiltration Over Alternative Protocol.” Available: https://attack.mitre.org/techniques/T1048/. [Accessed: Oct. 19, 2023]
[154] “Data Destruction.” Available: https://attack.mitre.org/techniques/T1485/. [Accessed: Oct. 19, 2023]
[155] “Disk Wipe: Disk Content Wipe.” Available: https://attack.mitre.org/techniques/T1561/001/. [Accessed: Oct. 19, 2023]
[156] “Disk Wipe: Disk Structure Wipe.” Available: https://attack.mitre.org/techniques/T1561/002/. [Accessed: Oct. 19, 2023]