| ID | Use case | Description |
| --- | --- | --- |
| UC0052 | Hijacking Default File Extension | The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. |
| UC0002 | Domain user enumeration attack using the Kerberos protocol without a domain account | Attackers can carry out a domain user enumeration attack using the Kerberos authentication protocol. Their purpose may be to obtain valid usernames for further attacks (such as phishing or password spraying). |
| UC0042 | WinRM or PowerShell Remoting for Lateral Movement | WinRM or PowerShell remoting used for lateral movement. |
| UC0032 | Forcing WDigest to store credentials in plaintext | Force WDigest to store secrets in plaintext. |
| UC0012 | Forcing the load of a malicious DLL via COM abuse | Forcing the load of a malicious DLL via COM abuse. |
| UC0005 | Theft of user certificate and private key via CryptoAPI | Attackers can steal a certificate and its private key via CryptoAPI to authenticate on behalf of the certificate owner using the Public Key Cryptography for Initial Authentication (PKINIT) Kerberos extension. |
| UC0021 | Privilege escalation via named pipe impersonation | Privilege escalation attempt via named pipe impersonation; an adversary may abuse this technique by utilizing a framework such as Metasploit's Meterpreter `getsystem` command. |
| UC0051 | Windows Logon Helper Persistence | Boot or Logon Autostart Execution - Winlogon Helper DLL. |
| UC0003 | Adding shadow credential | Attackers can add a key credential (msDS-KeyCredentialLink attribute) to a target object for persistence or lateral movement in the domain. |
| UC0041 | Lateral movement via Service Configuration Manager | Execute commands on a remote host by abusing the service configuration manager to change a service's binPath. |
| UC0022 | Dumping and Cracking mscash | Credential dumping of cached domain credentials, which are used to allow authentication to occur in the event a domain controller is unavailable. |
| UC0006 | Successful OWA Password Spraying attack | Attackers can carry out a password spraying attack through the publicly accessible interface of the Outlook Web Application. Their purpose may be to obtain a valid domain account for reading mail or for authentication to other remote access systems. |
| UC0004 | Pass the certificate | Attackers can use a valid certificate and its associated private key to obtain Ticket Granting Tickets (TGTs). |