root@sovietghost:~/tools/mitre-lookup#
Search 56 curated MITRE ATT&CK techniques by ID, name, or keyword.
Adversaries send phishing messages to gain access to victim systems.
Malicious attachment delivered via targeted email.
Malicious URL delivered via targeted email.
Exploit a vulnerability in an internet-facing service.
Use stolen or default credentials for access.
Abuse VPN, RDP, or other remote access to gain entry.
Execute malicious commands via interpreters.
Abuse PowerShell to execute commands and scripts.
Use cmd.exe to execute commands.
Execute malicious Python scripts.
Execute malicious JavaScript (WSH, Node, browser).
Trick a user into running malicious code.
User clicks a link that triggers execution.
User opens a malicious document or executable.
Create or modify a Windows scheduled task for persistence.
Add keys to HKCU/HKLM Run to execute on logon.
Create or modify a Windows service.
Place a malicious DLL beside a legitimate executable.
Bypass User Account Control to elevate privileges.
Inject malicious code into another process.
Steal or forge access tokens to escalate.
Encrypt, encode, or pack payloads to evade detection.
Disable AV, EDR, or other security software.
Disguise malicious artifacts as legitimate ones.
Decode encoded payloads at runtime.
Use rundll32.exe to proxy execution of malicious DLLs.
Use regsvr32 to execute arbitrary DLLs.
Delete artifacts after execution to remove evidence.
Systematically guess credentials.
Try one password against many accounts.
Dump credentials from the OS or applications.
Dump LSASS process memory to get credentials.
Steal credentials from browsers, keychains, vaults.
Gather OS version, hostname, architecture info.
Enumerate files and directories.
Discover IP addresses, interfaces, routes.
List running processes on the system.
Scan for open ports and running services.
Use RDP to move laterally to other hosts.
Authenticate over SMB and access admin shares.
Use WinRM/WMI for remote command execution.
Authenticate using an NTLM hash without the plaintext.
Compress or encrypt data before exfiltration.
Search and collect files from the local host.
Use HTTP/S for command and control traffic.
Encode C2 traffic in DNS queries.
Transfer tools or payloads to a compromised system.
Encrypt C2 communications to evade inspection.
Use legitimate web services (GitHub, Pastebin) for C2.
Exfiltrate data through the existing C2 channel.
Exfiltrate using DNS, ICMP, or other protocols.
Encrypt victim data to demand ransom.
Delete shadow copies and backups.
Stop or disable critical services.
Scan victim infrastructure prior to targeting.
Collect information about victim hosts.