Tradecraft
15 techniques · 10 payloads · 4 playbooks
| MITRE ID | Name | Tactic | Platforms | Scope | Tier / Confidence |
|---|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access | Windows, Linux, macOS | Web App, API, +1 | FACT |
| T1055 | Process Injection | Defense Evasion | Windows, Linux | Active Directory, Network | WORKING |
| T1078 | Valid Accounts | Defense Evasion | Windows, Linux, macOS, SaaS, Cloud | Active Directory, Cloud, +1 | FACT |
| T1110.002 | Password Cracking | Credential Access | Windows, Linux | Active Directory, Web App | FACT |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Windows | Active Directory, Network | WORKING |
| T1059.001 | PowerShell | Execution | Windows | Active Directory, Network | FACT |
| T1082 | System Information Discovery | Discovery | Windows, Linux, macOS, Cloud | Active Directory, Network, +1 | FACT |
| T1136 | Create Account | Persistence | Windows, Linux, macOS, Cloud, SaaS | Active Directory, Cloud | CANDIDATE |
| T1558.003 | Kerberoasting | Credential Access | Windows | Active Directory | FACT |
| T1552.001 | Credentials In Files | Credential Access | Windows, Linux, macOS, Cloud | Web App, API, +1 | FACT |
| T1566.001 | Spearphishing Attachment | Initial Access | Windows, macOS, Linux | Web App, Active Directory | CANDIDATE |
| T1098 | Account Manipulation | Persistence | Windows, Linux, macOS, Cloud, SaaS | Cloud, Active Directory | WORKING |
| T1537 | Transfer Data to Cloud Account | Exfiltration | Cloud | Cloud | CANDIDATE |
| T1210 | Exploitation of Remote Services | Lateral Movement | Windows, Linux | Web App, Network, +1 | WORKING |
| T1087.002 | Domain Account Discovery | Discovery | Windows | Active Directory | FACT |