CYBERSECURITY JOB HUNTING GUIDE
Persistence
Author: Stefan Waldvogel
Summary:
T1098 Account Manipulation
T1197 BITS Jobs
T1547 Boot or Logon Autostart Execution
T1547.010 Boot or Logon Autostart Execution: Port Monitors
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.005 Boot or Logon Autostart Execution: Security Support Provider
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
T1176 Browser Extensions
T1136.002 Create Account: Domain Account
T1136.001 Create Account: Local Account
T1543.003 Create or Modify System Process: Windows Service
T1546.008 Event Triggered Execution: Accessibility Features
T1546.010 Event Triggered Execution: AppInit DLLs
T1546.011 Event Triggered Execution: Application Shimming
T1546.001 Event Triggered Execution: Change Default File Association
T1546.012 Event Triggered Execution: Image File Execution Options Injection
T1546.007 Event Triggered Execution: Netsh Helper DLL
T1546.013 Event Triggered Execution: PowerShell Profile
T1546.002 Event Triggered Execution: Screensaver
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1133 External Remote Services
T1574.012 Hijack Execution Flow: COR_PROFILER
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path
T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
T1556.002 Modify Authentication Process: Password Filter DLL
T1137.002 Office Application Startup: Office Test
T1137.004 Office Application Startup: Outlook Home Page
T1053.002 Scheduled Task/Job: At (Windows)
T1053.005 Scheduled Task/Job: Scheduled Task
T1505.002 Server Software Component: Transport Agent
T1505.003 Server Software Component: Web Shell
T1078.001 Valid Accounts: Default Accounts
T1078.003 Valid Accounts: Local Accounts
© 2021. This work is licensed under a CC BY-SA 4.0 license