
ATT&CK Techniques Matrix

0apt 0mega 8base akira alphalocker alphv bianlian blackbasta blackmatter blacksuit bluelocker braincipher cactus clop coinbasecartel conti crosslock cuba darkside devman donex dragonforce everest hive hunters lockbit lynx maze medusa medusalocker nightspire nitrogen payload pear play qilin ragnarlocker ransomhub revil rhysida royal safepay samsam sarcoma scattered spider shinyhunters sicarii sinobi stormous tengu thegentlemen threeam trigona vicesociety
This information is provided by Crocodyli & Ransomware.live
Techniques by tactic

Execution
  T1047      Windows Management Instrumentation
  T1053      Scheduled Task/Job
  T1053.005  Scheduled Task/Job: Scheduled Task
  T1059      Command and Scripting Interpreter
  T1059.001  Command and Scripting Interpreter: PowerShell
  T1059.001  PowerShell
  T1059.002  System Services: Service Execution
  T1059.003  Command and Scripting Interpreter: Windows Command Shell
  T1059.004  Command and Scripting Interpreter: Unix Shell
  T1059.005  Command and Scripting Interpreter: Visual Basic
  T1059.006  Command and Scripting Interpreter: Python
  T1064      Scripting
  T1072      Software Deployment Tools
  T1106      Native API
  T1129      Shared Modules
  T1203      Exploitation for Client Execution
  T1204      User Execution
  T1204.001  User Execution: Malicious Link
  T1204.002  User Execution: Malicious File
  T1204.004  User Execution: Malicious Copy and Paste
  T1218.007  Signed Binary Proxy Execution: Msiexec
  T1569      System Services

Persistence
  T1037      Boot or Logon Initialization Scripts
  T1053      Scheduled Task/Job
  T1053.003  Scheduled Task/Job: Cron
  T1053.005  Scheduled Task/Job: Scheduled Task
  T1078      Valid Accounts
  T1098      Account Manipulation
  T1098.003  Account Manipulation: Additional Cloud Credentials
  T1098.004  Account Manipulation: SSH Authorized Keys
  T1133      External Remote Services
  T1136      Create Account
  T1136.001  Create Account: Local Account
  T1136.002  Create Account: Domain Account
  T1136.003  Create Account: Cloud Account
  T1505.003  Server Software Component: Web Shell
  T1505.004  Server Software Component: IIS Components
  T1542.003  Pre-OS Boot: Bootkit
  T1543      Create or Modify System Process
  T1543.003  Create or Modify System Process: Windows Service
  T1543.003  Windows Services
  T1547      Boot or Logon Autostart Execution
  T1547      Server Software Component
  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys
  T1547.001  Registry Run Keys/Startup Folder
  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  T1547.001  Registry Run Keys / Startup Folder
  T1547.004  Boot or Logon Autostart Execution: Winlogon Helper DLL
  T1547.009  Boot or Logon Autostart Execution: Shortcut Modification
  T1574.001  Hijack Execution Flow: DLL Search Order Hijacking

Privilege Escalation
  T1053      Scheduled Task/Job
  T1055      Process Injection
  T1055.003  Thread Execution Hijacking
  T1068      Exploitation for privilege escalation
  T1078      Valid Accounts
  T1078.002  Valid Accounts: Domain Accounts
  T1078.002  Domain Accounts
  T1134      Access Token Manipulation
  T1134.001  Token Impersonation/Theft
  T1134.002  Access Token Manipulation: Create Process with Token
  T1134.004  Parent PID Spoofing
  T1134.004  Access Token Manipulation: Parent PID Spoofing
  T1136      Create Account: Cloud Account
  T1187      Forced Authentication
  T1484.001  Domain Policy Modification: Group Policy Modification
  T1543      Create or Modify System Process
  T1543.003  Create or Modify System Process: Windows Service
  T1543.003  Service Execution
  T1547      Boot or Logon Autostart Execution
  T1547.001  Registry Run Keys/Startup Files
  T1547.001  Registry Run Keys
  T1548      Abuse Elevation Control Mechanism
  T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control
  T1548.002  Abuse Elevation Control Mechanism: Bypass UAC
  T1548.002  Bypass User Account Control
  T1557      Adversary-in-the-Middle
  T1574      Hijack execution flow
  T1574.001  Hijack Execution Flow: DLL Search Order Hijacking
  TA0004     Privilege Escalation

Defense Evasion
  T1014      Rootkit
  T1021.001  Remote Services: Remote Desktop Protocol
  T1027      Obfuscated Files or Information
  T1027.002  Software Packing
  T1027.002  Obfuscated Files or Information: Software Packing
  T1027.005  Indicator Removal from Tools
  T1027.005  Obfuscated Files or Information: Indicator Removal from Tools
  T1027.006  Obfuscated Files or Information: HTML Smuggling
  T1027.007  Obfuscated Files or Information: Dynamic API Resolution
  T1027.009  Embedded Payloads
  T1027.009  Obfuscated Files or Information: Embedded Payloads
  T1027.011  Obfuscated Files or Information: Fileless Storage
  T1027.013  Obfuscated Files or Information: Encrypted/Encoded File
  T1027.016  Obfuscated Files or Information: Junk Code Insertion
  T1036      Masquerading
  T1036.001  Masquerading: invalid code signature
  T1036.003  Masquerading: Rename Legitimate Utilities
  T1036.004  Masquerading: Masquerade Task or Service
  T1036.005  Masquerading: Match Legitimate Name or Location
  T1036.007  Masquerading: Double File Extension
  T1036.008  Masquerading: Masquerade File Type
  T1055      Process Injection
  T1055.001  Process injection: DLL injection
  T1055.003  Thread Execution Hijacking
  T1055.012  Process Injection: Process Hollowing
  T1064      Scripting
  T1068      Exploitation for Privilege Escalation
  T1070      Indicator Removal
  T1070.001  Indicator Removal: Clear Windows Event Logs
  T1070.001  Indicator removal on host: clear Windows event logs
  T1070.001  Clear Windows Event Logs
  T1070.003  Indicator Removal: Clear Command History
  T1070.004  File Deletion
  T1070.004  Indicator Removal: File Deletion
  T1070.004  Indicator removal on host: file deletion
  T1070.006  Indicator Removal: Timestomp
  T1078.002  Domain Accounts
  T1090      Proxy
  T1112      Modify Registry
  T1119      Automated Collection
  T1134      Access Token Manipulation
  T1134.001  Access Token Manipulation: Token Impersonation/Theft
  T1134.004  Access Token Manipulation: Parent PID Spoofing
  T1140      Deobfuscate/Decode Files or Information
  T1202      Indirect Command Execution
  T1211      Exploitation for Defense Evasion
  T1218      System Binary Proxy Execution
  T1218.004  System Binary Proxy Execution: InstallUtil
  T1218.005  System Binary Proxy Execution: Mshta
  T1218.007  System Binary Proxy Execution: Msiexec
  T1218.010  System Binary Proxy Execution: Regsvr32
  T1218.011  Signed Binary Proxy Execution: Rundll32
  T1218.011  System Binary Proxy Execution: Rundll32
  T1218.014  System Binary Proxy Execution: MMC
  T1220      XSL Script Processing
  T1221      Template Injection
  T1222      File and Directory Permissions Modification
  T1222.001  File and Directory Permissions Modification: Windows Permissions
  T1480      Execution Guardrails
  T1484      Domain or Tenant Policy Modification
  T1484.001  Domain Policy Modification: Group Policy Modification
  T1484.001  Domain or Tenant Policy Modification: Group Policy Modification
  T1497      Virtualization/Sandbox Evasion
  T1497.001  Virtualization/Sandbox Evasion: System Checks
  T1497.003  Virtualization/Sandbox Evasion: Time Based Checks
  T1531      Account Access Removal
  T1548      Abuse Elevation Control Mechanism
  T1550.001  Use Alternate Authentication Material: Application Access Token
  T1550.004  Use Alternate Authentication Material: Web Session Cookie
  T1553.002  Subvert Trust Controls: Code Signing
  T1562      Impair Defenses
  T1562.001  Impair Defenses: Disable or Modify Tools
  T1562.001  Disable or Modify Tools
  T1562.004  Impair Defenses: Disable or Modify System Firewall
  T1562.004  Disable or Modify System Firewall Settings
  T1562.009  Safe Mode Boot
  T1564      Hidden Artifacts
  T1564.001  Hidden Files and Directories
  T1564.001  Hidden Artifacts: Hidden Files and Directories
  T1564.003  Hidden Window
  T1564.003  Hidden Artifacts: Hidden Window
  T1564.004  NTFS File Attributes
  T1574      Hijack Execution Flow
  T1574.013  Hijack Execution Flow: KernelCallbackTable
  T1620      Reflective DLL Injection
  T1622      Debugger Evasion
  T1672      Email Spoofing
  T1678      Delay Execution

Credential Access
  T1003      OS Credential Dumping
  T1003.001  OS Credential Dumping: LSASS Memory
  T1003.003  OS Credential Dumping: NTDS
  T1003.008  OS Credential Dumping: /etc/passwd and /etc/shadow
  T1021.002  Remote Services: External Remote Services
  T1040      Network Sniffing
  T1056      Input Capture
  T1056.001  Input Capture: Keylogging
  T1110      Brute Force
  T1110.002  Brute Force: Password Cracking
  T1110.003  Brute Force: Password Spraying
  T1212      Exploitation for Credential Access
  T1539      Steal Web Session Cookie
  T1552      Unsecured Credentials
  T1552.001  Unsecured Credentials: Credentials In Files
  T1555      Credentials from Password Stores
  T1555.003  Credentials from Web Browsers
  T1555.003  Credentials from Password Stores: Credentials from Web Browsers
  T1555.005  Credentials from Password Stores: Password Managers
  T1557.001  Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning
  T1621      Multi-Factor Authentication Request Generation

Discovery
  T1007      System Service Discovery
  T1010      Application Window Discovery
  T1012      Query Registry
  T1016      System Network Configuration Discovery
  T1016.001  Network Configuration Discovery: Network Connection Enumeration
  T1016.001  Internet Connection Discovery
  T1018      Remote System Discovery
  T1033      System Owner/User Discovery
  T1046      Network Service Discovery
  T1046      Network Service Scanning
  T1049      System Network Connections Discovery
  T1057      Process Discovery
  T1069      Permission Groups Discovery
  T1082      System Information Discovery
  T1083      File and Directory Discovery
  T1087      Account Discovery
  T1087.001  Account Discovery: Local Account
  T1087.002  Account Discovery: Domain Account
  T1119      Automated Collection
  T1120      Peripheral Device Discovery
  T1124      Time Discovery
  T1135      Network Share Discovery
  T1482      Domain Trust Discovery
  T1497      Virtualization/Sandbox Evasion
  T1518      Software Discovery
  T1518.001  Security Software Discovery
  T1518.001  Software Discovery: Security Software Discovery
  T1526      Cloud Service Discovery
  T1538      Cloud Service Dashboard
  T1580      Cloud Infrastructure Discovery
  T1614      System Location Discovery
  T1614.001  System Location Discovery: System Language Discovery
  T1615      Group Policy Discovery
  TA0007     Discovery

Lateral Movement
  T1021      Remote Services
  T1021.001  Remote Services: Remote Desktop Protocol
  T1021.001  Remote Desktop Protocol
  T1021.002  Remote Services: SMB/Windows Admin Shares
  T1021.002  SMB/Windows Admin Shares
  T1021.004  Remote Services: SSH
  T1047      Windows Management Instrumentation
  T1078.002  Valid Accounts: Domain Accounts
  T1080      Taint Shared Content
  T1091      Replication Through Removable Media
  T1210      Exploitation of Remote Services
  T1333      External Remote Services
  T1534      Internal Spearphishing
  T1550.002  Use Alternate Authentication Material: Pass the Hash
  T1563      Remote Service Session Hijacking
  T1570      Lateral Tool Transfer
  T1570      Tool Transfer

Collection
  T1005      Data from Local System
  T1039      Data from Network Shared Drive
  T1056      Input Capture
  T1074      Data Staged
  T1074.001  Data Staged: Local Data Staging
  T1114      Email Collection
  T1119      Automated Collection
  T1213      Data from Information Repositories
  T1530      Data from Cloud Storage
  T1560      Archive Collected Data
  T1560.001  Archive Collected Data: Archive via Utility
  T1560.002  Archive Collected Data: Archive via Library
  T1560.003  Archive Collected Data: Archive via Custom Method
  T1602.002  Network Device Configuration Dump

Impact
  T1485      Data Destruction
  T1486      Data Encrypted for Impact
  T1489      Service Stop
  T1490      Inhibit System Recovery
  T1491      Defacement
  T1491.001  Defacement: Internal Defacement
  T1498      Network Denial of Service
  T1529      System Shutdown/Reboot
  T1531      Account Access Removal
  T1561      Disk Wipe
  T1561.001  Disk Wipe: Disk Content Wipe
  T1561.002  Disk Wipe: Disk Structure Wipe
  T1657      Financial Theft