ING-01 | Removable Media & File Transfer | T1091 T1200 | CVE-2010-2568 CVE-2017-8464 | Raspberry Robin worm |
ING-02 | Malvertising & Drive-By Downloads | T1189 T1583.008 | CVE-2023-4863 CVE-2021-30551 | SocGholish FakeUpdates |
ING-03 | Supply Chain Compromise | T1195.002 T1195.001 | CVE-2020-10148 CVE-2024-3094 CVE-2021-44228 | 3CX supply-chain |
ING-04 | Credential Abuse | T1078 T1110 | — | RedLine Stealer Vidar |
ING-05 | Malicious or Compromised USB Devices | T1200 T1091 | CVE-2010-2568 | Raspberry Robin usb |
ING-06 | Watering Hole Attacks | T1189 T1608.004 | CVE-2021-30551 | ScanBox |
ING-07 | External Remote Services | T1133 T1078 | CVE-2021-26855 CVE-2019-19781 CVE-2018-13379 CVE-2019-11510 | Cobalt Strike webshell |
ACT-01 | User-Executed Files | T1204.002 T1204.001 | CVE-2017-11882 CVE-2021-40444 CVE-2022-30190 | maldoc Emotet |
ACT-02 | Script-Based Execution | T1059 T1059.001 T1059.003 | — | ps1 AsyncRAT |
ACT-03 | Service-Based Execution | T1569.002 T1543.003 | — | Cobalt Strike |
ACT-04 | DLL Side-Loading or Hijacking | T1574.002 T1574.001 | — | PlugX QakBot |
ACT-05 | WMI-Based Execution | T1047 | — | Cobalt Strike |
ACT-06 | Browser Extension Execution | T1176 | — | ViperSoftX |
ACT-07 | Boot / Firmware Execution | T1542 T1542.001 T1542.003 | CVE-2022-21894 CVE-2020-10713 | BlackLotus MoonBounce |
ANC-01 | Startup & Logon Execution | T1547.001 T1037 | — | AgentTesla |
ANC-02 | Scheduled & Triggered Execution | T1053.005 | — | QakBot |
ANC-03 | Service & Daemon Persistence | T1543.003 T1543.002 | — | Cobalt Strike |
ANC-04 | Registry-Based Persistence | T1547 T1112 | — | Formbook |
ANC-05 | Browser-Based Persistence | T1176 | — | ViperSoftX |
ANC-06 | WMI & Event Subscription Persistence | T1546.003 | — | Turla |
ANC-07 | Fileless & In-Memory Persistence | T1027.011 T1547 | — | GootLoader fileless |
ANC-08 | Boot & Pre-OS Persistence | T1542.003 T1542.001 | CVE-2022-21894 CVE-2020-10713 | BlackLotus |
CON-01 | Obfuscation & Packing | T1027.002 T1027 | — | UPX Formbook |
CON-02 | Fileless Malware Execution | T1620 T1027.011 | — | fileless GootLoader |
CON-03 | Security Tool Tampering | T1562.001 T1211 | CVE-2021-21551 CVE-2015-2291 | BYOVD AuKill |
CON-04 | Masquerading & Impersonation | T1036 T1036.005 | — | AgentTesla |
CON-05 | Environment & Sandbox Evasion | T1497 T1480 | — | GuLoader |
CON-06 | Process Injection | T1055 T1055.012 | — | Formbook AgentTesla |
CON-07 | Polymorphism & Metamorphism | T1027 | — | Emotet |
CON-08 | Log & Artifact Manipulation | T1070.001 T1070 | — | Cobalt Strike |
CON-09 | Living-off-the-Land for Evasion | T1218 T1127 | — | lolbin QakBot |
CON-10 | Anti-Forensics & Cleanup | T1070.004 T1490 T1070.006 | — | LockBit |
EXP-01 | Living-off-the-Land Lateral Movement | T1021 T1570 | — | Cobalt Strike |
EXP-02 | Credential Reuse & Relay | T1550 T1557 | — | Mimikatz |
EXP-03 | Pass-the-Hash / Pass-the-Ticket | T1550.002 T1550.003 | — | Mimikatz |
EXP-04 | Remote Service & Protocol Abuse | T1021.001 T1021.002 T1021.006 | CVE-2019-0708 CVE-2017-0144 | Cobalt Strike |
EXP-05 | Network Share Propagation | T1021.002 T1080 | CVE-2017-0144 | QakBot |
EXP-06 | Worm-like Self-Propagation | T1210 T1091 | CVE-2017-0144 CVE-2008-4250 | Raspberry Robin worm |
EXP-07 | Privilege Escalation Across Hosts | T1068 T1548.002 T1134 | CVE-2021-34527 CVE-2021-36934 | Cobalt Strike |
EXP-08 | Identity & Trust Relationship Abuse | T1558 T1558.001 T1484 | CVE-2020-1472 CVE-2021-42287 | Mimikatz |
EXP-09 | Directory Services Targeting | T1003.006 T1087.002 | CVE-2020-1472 CVE-2021-42278 | Mimikatz |
EXP-10 | Cloud & Hybrid Lateral Movement | T1078.004 T1552.005 T1021.007 | — | cloud |
EXT-01 | HTTP / HTTPS Data Exfiltration | T1567 T1048 T1041 | — | RedLine Stealer |
EXT-02 | DNS Tunneling | T1071.004 T1572 | — | Cobalt Strike |
EXT-03 | Cloud Storage Abuse | T1567.002 | — | Vidar |
EXT-04 | Messaging and Social Platform Channels | T1102 T1567.003 | — | telegram AgentTesla |
EXT-05 | FTP / SFTP / FTPS Transfer | T1048 T1048.003 | — | Snake Keylogger AgentTesla |
EXT-06 | Tor / Proxy / VPN Anonymization Channels | T1090.003 T1572 | — | tor LockBit |
EXT-07 | Encrypted Command-and-Control Channels | T1573 T1071 | — | Cobalt Strike |
EXT-08 | Removable Media Data Extraction | T1052.001 T1025 | — | usb |
EXT-09 | Steganographic Data Transfer | T1027.003 T1001.002 | — | IcedID steganography |
EXT-10 | Multi-Channel Redundant Exfiltration | T1008 T1104 | — | AgentTesla |