Windows

| Created | Dataset | Description | Simulator | Author |
|---|---|---|---|---|
| 2020/08/05 | Covenant DCSync | This dataset represents adversaries with sufficient permissions (domain admin) adding an ACL entry on the domain root for an arbitrary user, one that is in no privileged groups, has no malicious sidHistory, and has no local admin rights on the domain controller itself. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2019/10/27 | Covenant DCSync All | This dataset represents adversaries abusing Active Directory replication services to retrieve NTLM hashes for all domain accounts. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2019/10/27 | Covenant Grunt Msbuild | This dataset represents adversaries using trusted Windows utilities such as MSBuild to proxy execution of malicious code. | Remote Desktop Protocol | Roberto Rodriguez @Cyb3rWard0g |
| 2019/10/27 | Covenant InstallUtil | This dataset represents adversaries proxying execution of code through InstallUtil, a trusted Windows utility. | Remote Desktop Protocol | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant Ldap Search Request Domain Admins | This dataset represents a threat actor enumerating the Domain Admins group in an environment via an LDAP search request. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2019/12/05 | Covenant Mimikatz Logonpasswords | This dataset represents adversaries using the Mimikatz logonpasswords module to dump credentials from the memory of lsass.exe. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2019/12/05 | Covenant Mimikatz LSA Cache | This dataset represents adversaries using Mimikatz to extract cached password hashes from HKEY_LOCAL_MACHINE\SECURITY\Cache. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2019/12/05 | Covenant Mimikatz LSA Secrets | This dataset represents adversaries using Mimikatz to obtain the SysKey and decrypt SECRETS entries (from the registry or from hive files). | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant PsRemoting Command | This dataset represents a threat actor leveraging WinRM to execute code remotely. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant RPC SMB ControlService | This dataset represents a threat actor with network access to the Service Control Manager (SCM) over SMB on another endpoint calling ControlService to interact with a service (e.g. stop it). | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant Service Creation with CreateServiceA | This dataset represents a threat actor with network access to the Service Control Manager (SCM) over SMB on another endpoint calling CreateServiceA to create a service. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/05 | Covenant Service Query with QueryServiceStatus | This dataset represents a threat actor with network access to the Service Control Manager (SCM) over SMB on another endpoint calling QueryServiceStatus to get information about a specific service. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant Service Start with StartServiceW | This dataset represents a threat actor with network access to the Service Control Manager (SCM) over SMB on another endpoint calling StartServiceW to start a service. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant Services Query with EnumServiceStatusW | This dataset represents a threat actor with network access to the Service Control Manager (SCM) over SMB on another endpoint calling EnumServiceStatusW to enumerate services and their status. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant SMB Create Request | This dataset represents a threat actor copying a file to a remote host over SMB. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant WMI Query and Execute | This dataset represents a threat actor querying and executing commands via WMI over the network. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/06 | Covenant WMI RemoteCreateInstance | This dataset represents a threat actor leveraging WMI to create processes and execute code remotely via the RemoteCreateInstance method. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/09/18 | DCOM ExecuteExcel4macro | This dataset represents adversaries leveraging the COM method ExecuteExcel4Macro over DCOM to execute Excel 4.0 macros remotely. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2020/09/18 | DCOM RegisterXLL | This dataset represents adversaries leveraging the COM method RegisterXLL over DCOM to load an XLL file remotely. The XLL file can reside on the target or on a UNC path such as \\SERVER\FILES. | Covenant | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire DCOM ShellWindows | This dataset represents adversaries executing commands on remote hosts via the DCOM ShellWindows COM object. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/01 | Empire DCSync | This dataset represents adversaries abusing Active Directory replication services to retrieve NTLM hashes of domain accounts. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/01 | Empire DCSync ACL | This dataset represents adversaries with sufficient permissions (domain admin) adding an ACL entry on the domain root for an arbitrary user, one that is in no privileged groups, has no malicious sidHistory, and has no local admin rights on the domain controller itself. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2020/07/22 | Empire DLL Injection | This dataset represents a threat actor injecting a DLL into an arbitrary process. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Elevated Registry | This dataset represents adversaries modifying HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry keys for persistence. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Elevated Scheduled Tasks | This dataset represents adversaries creating scheduled tasks to maintain persistence in the environment. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Elevated WMI Subscription | This dataset represents adversaries leveraging WMI event subscriptions for persistence. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Enabling RDP | This dataset represents adversaries enabling RDP and adding a firewall exception on a compromised system. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Find Local Admin Access | This dataset represents adversaries using the OpenSCManagerW Win32 API call to open a handle to the remote host's SCM and thereby verify whether the current user context has local administrator access to the target. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/19 | Empire Get Local Sessions | This dataset represents adversaries executing the NetSessionEnum Win32 API call to query the local host for active sessions. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke Msbuild | This dataset represents adversaries using trusted Windows utilities such as MSBuild to proxy execution of malicious code. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke PsExec | This dataset represents adversaries executing malicious code remotely PsExec-style (via a remotely created service). | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke PSRemoting | This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke Runas | This dataset represents adversaries creating processes with explicit credentials (runas-style). | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke Smbexec | This dataset represents adversaries performing SMBExec-style command execution with NTLMv2 pass-the-hash authentication. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke WMI | This dataset represents adversaries using WMI to execute malicious code on remote endpoints. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Invoke WMI Debugger | This dataset represents adversaries using WMI to set the debugger (Image File Execution Options) for a target binary on a remote machine; here the debugger for sethc.exe is set to C:\Windows\System32\cmd.exe. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2020/07/21 | Empire Launcher SCT Regsvr32 | This dataset represents threat actors leveraging regsvr32 to proxy execution of an Empire payload (.sct file) that establishes a reverse connection to the C2. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Launcher VBS | This dataset represents adversaries executing a VBS script as a launcher for initial access. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Mimikatz Export Master Key | This dataset represents adversaries using tools like Mimikatz to export the master key from the domain controller remotely. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Mimikatz Extract Tickets | This dataset represents adversaries using PowerSploit's Invoke-Mimikatz function to extract Kerberos tickets from memory in base64-encoded form. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Mimikatz Logonpasswords | This dataset represents adversaries using the Mimikatz logonpasswords module to dump credentials from the memory of lsass.exe. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2020/08/07 | Empire Mimikatz Lsadump Patch | This dataset represents adversaries using PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Manager (SAM) database. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/06/25 | Empire Mimikatz Lsadump SAM | This dataset represents adversaries using PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Manager (SAM) database. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Mimikatz OPTH | This dataset represents adversaries turning a password hash into a fully-fledged Kerberos TGT (over-pass-the-hash). | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Net All Local Users | This dataset represents adversaries enumerating all local users via the net.exe utility. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Net All User Domain | This dataset represents adversaries enumerating all users in the domain via the net.exe utility. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Net Domain Admins Group | This dataset represents adversaries enumerating members of the "Domain Admins" Active Directory group via net.exe. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Net Local Administrators Group | This dataset represents adversaries enumerating members of the local Administrators group via the net.exe utility. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Net User Domain Specific | This dataset represents adversaries enumerating a specific domain user via the net.exe utility. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/06/25 | Empire Powerdump | This dataset represents adversaries dumping hashes from the HKLM:\SAM\SAM\Domains\ registry keys. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire PSInject | This dataset represents adversaries using Empire's psinject script to inject unmanaged PowerShell into an arbitrary process. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/06/25 | Empire Reg Dump SAM | This dataset represents adversaries with administrator privileges using the Windows reg utility to dump the SAM registry hive. | Remote Desktop Protocol | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Rubeus ASKTGT | This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256 or /des) to request TGTs. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Rubeus ASKTGT CreateNetOnly | This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256 or /des) to request TGTs, and applying the resulting ticket to a new sacrificial logon session created with /createnetonly. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2020/09/04 | Empire UAC Shell API FodHelper | This dataset represents adversaries elevating privileges (bypassing UAC) through a registry modification abused by the auto-elevating FodHelper.exe. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Userland Registry Run Key | This dataset represents adversaries modifying HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry keys for persistence. It also captures the execution of the persistence mechanism. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/03/19 | Empire Userland Scheduled Tasks | This dataset represents adversaries creating scheduled tasks to maintain persistence in the environment. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | Empire Wdigest Downgrade | This dataset represents adversaries setting the UseLogonCredential value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 so that WDigest keeps plaintext passwords in memory. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/12/25 | Extended NetNTLM Downgrade | This dataset represents adversaries downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and the security settings that restrict outgoing NTLM traffic to remote servers in an environment. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2019/10/27 | Interactive Task Manager Lsass dump | This dataset represents adversaries using Task Manager interactively to dump the memory of lsass.exe. | Remote Desktop Protocol | Roberto Rodriguez @Cyb3rWard0g |
| 2020/06/09 | MSF Record Microphone | This dataset represents adversaries accessing the microphone of an endpoint. | Metasploit | Roberto Rodriguez @Cyb3rWard0g |
| 2020/09/16 | Password Update via Netlogon Insecure AES-CFB8 | This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472, Zerologon) in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer account passwords. The vulnerability was discovered by @SecuraBV. | Covenant, Mimikatz, SharpZeroLogon | Roberto Rodriguez @Cyb3rWard0g |
| 2019/10/27 | Remote Interactive Task Manager Lsass dump | This dataset represents adversaries using RDP and Task Manager interactively to dump the memory of lsass.exe. | Remote Desktop Protocol | Roberto Rodriguez @Cyb3rWard0g |
| 2019/04/03 | SCM and Dll Hijacking IKEEXT | This dataset represents adversaries copying a file remotely to plant wlbsctrl.dll, which the IKEEXT service (vulnerable to DLL hijacking) loads when it starts. | Empire | Roberto Rodriguez @Cyb3rWard0g |
| 2020/07/24 | WMI Event Subscription | This dataset represents adversaries using WMI event subscriptions to move laterally. | shell | Roberto Rodriguez @Cyb3rWard0g |
| 2019/05/18 | WMIC Add User Backdoor | This dataset represents adversaries using WMI to add a backdoor user on endpoints remotely. | Empire | Roberto Rodriguez @Cyb3rWard0g |
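Several of the datasets listed above (Empire Elevated Registry, Empire Userland Registry Run Key, Empire Invoke WMI Debugger and Empire Wdigest Downgrade) leave the same kind of trace: a Sysmon Event ID 13 (RegistryEvent, value set) record. The script below is an added example, not code from the Security Datasets project or from any of the simulators listed, showing how a detection analyst would scan JSON-lines events in that shape for those techniques. Field names mirror Sysmon's JSON export; the sample events are constructed for this example and are not taken from any dataset. It generalizes the table's sethc.exe case to any binary under the standard Image File Execution Options location, and it deliberately does not fire on UseLogonCredential being set back to 0.

```python
"""Scan Security Datasets-style JSON-lines events for the registry-based
techniques listed above.

Example code added for this page; not part of the Security Datasets project.
Field names mirror Sysmon Event ID 13 (RegistryEvent, value set) as exported
to JSON. SAMPLE_EVENTS is constructed for this example, not taken from a dataset.
"""
import json
import re
from typing import Iterable

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# (rule name, pattern on TargetObject, optional pattern on Details)
RULES = [
    # Empire Wdigest Downgrade: UseLogonCredential = 1 makes WDigest keep
    # plaintext credentials in lsass memory. Only value 1 is interesting;
    # 0 is the hardened setting and must not fire.
    ("wdigest_downgrade",
     re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I),
     re.compile(r"^DWORD \(0x0*1\)$", re.I)),
    # Empire Elevated Registry / Userland Registry Run Key: a value written
    # directly under ...\CurrentVersion\Run, whether in HKLM or a user hive.
    # RunOnce is deliberately not matched; add it if your baseline allows.
    ("run_key_persistence",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
     None),
    # Empire Invoke WMI Debugger: a Debugger value under Image File Execution
    # Options (the standard IFEO location) redirects the named binary to another
    # program. The table's case is sethc.exe -> cmd.exe; this matches any binary
    # and reports which one was hijacked.
    ("ifeo_debugger",
     re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I),
     None),
]

# Constructed sample: five Sysmon 13 events (one benign) plus one unrelated event.
_SAMPLE = [
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 13,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 13,
     "Image": "C:\\Windows\\System32\\svchost.exe",  # e.g. Group Policy re-hardening: benign
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 13,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\update.vbs"},
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 13,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1234567890-1234567890-1234567890-1105\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\update.vbs"},
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 13,
     "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\cmd.exe"},
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in _SAMPLE)


def iter_events(lines: Iterable[str]):
    """Yield parsed event dicts, skipping blank or malformed lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            yield obj


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one hit per (event, rule) match on Sysmon registry value-set events."""
    hits = []
    for ev in iter_events(lines):
        if ev.get("Channel") != SYSMON_CHANNEL or str(ev.get("EventID")) != "13":
            continue
        target = ev.get("TargetObject") or ""
        details = ev.get("Details") or ""
        for name, target_re, details_re in RULES:
            m = target_re.search(target)
            if not m or (details_re is not None and not details_re.search(details)):
                continue
            hit = {"rule": name, "host": ev.get("Hostname"), "image": ev.get("Image"),
                   "target": target, "details": details}
            if m.groups():
                hit["binary"] = m.group(1)  # which executable the IFEO debugger hijacks
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{h['rule']:<22} {h['host']:<14} {h['image']}\n    {h['target']} = {h['details']}")
```

To run it against a real download, replace `SAMPLE_EVENTS.splitlines()` with the lines of the dataset's JSON file; the rules key only on `Channel`, `EventID`, `TargetObject` and `Details`, so any JSON export that preserves Sysmon's field names will work.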