Advanced Initial Access
• Supply chain compromise of trusted software — attackers infect software before you install it
(- attackers breach the vendor and insert malicious code into the installer so the malware installs when companies download the software)

• Watering hole attacks on industry websites — attackers infect websites your company visits
(- attackers hack a trusted industry site and place hidden exploit code that infects targeted visitors)

• Zero-day vulnerability exploitation — attackers use unknown software weaknesses
(- attackers discover an unpatched flaw and use it to execute code or gain access before anyone can fix it)

• Compromised software updates — fake or hacked updates install malware
(- attackers hijack update servers or signing processes so systems download malicious updates)

• Hardware firmware attacks — malicious code hidden in device firmware
(- attackers modify BIOS/UEFI or device firmware so malware loads before the operating system and persists)

• Drive-by browser exploit kits — visiting a site silently installs malware
(- attackers use exploit kits that scan your browser for vulnerabilities and automatically install malware without interaction)

Advanced Credential Theft
• LSASS memory dumping — attackers extract passwords from Windows memory
(- attackers dump LSASS process memory where Windows temporarily stores credentials and recover plaintext passwords or hashes)

• Kerberos ticket extraction — attackers steal login tickets
(- attackers pull Kerberos tickets from memory and reuse them to authenticate without needing passwords)

• Golden Ticket attacks — attackers create fake domain admin access
(- attackers steal the domain KRBTGT key and forge Kerberos tickets granting permanent domain admin privileges)

• Silver Ticket attacks — attackers create fake service access
(- attackers forge service-specific Kerberos tickets using stolen service account hashes)

• NTLM relay attacks — attackers reuse authentication traffic
(- attackers intercept NTLM authentication and relay it to another system to log in as the victim)

• Pass-the-hash at scale — attackers log in using password hashes
(- attackers use stolen NTLM hashes directly to authenticate across many machines without cracking passwords)

Advanced Persistence
• Bootkit / UEFI persistence — malware loads before the operating system
(- attackers infect boot firmware so malware executes before Windows starts and survives reinstalls)

• Kernel-level rootkits — malware hides deep in the system
(- attackers load malicious drivers into kernel space to hide processes, files, and activity)

• WMI event subscriptions — hidden triggers run malware automatically
(- attackers create WMI event filters that execute malicious scripts when certain system events occur)

• Hidden scheduled tasks — malware runs at set times
(- attackers create disguised scheduled tasks that silently execute payloads periodically)

• DLL search order hijacking — attackers trick apps into loading malicious files
(- attackers place a malicious DLL in a location searched before the legitimate one so the app loads it)

• COM hijacking persistence — attackers abuse Windows components to run code
(- attackers modify COM registry entries so Windows loads malicious code when components start)

Advanced Lateral Movement
• Active Directory enumeration — attackers map users and permissions
(- attackers query Active Directory to identify admins, trusts, and paths to higher privileges)

• Domain trust abuse — attackers move between connected domains
(- attackers exploit trust relationships to access resources in other domains)

• DCSync attacks — attackers copy domain controller password data
(- attackers impersonate a domain controller and request password hashes from Active Directory)

• Remote service creation — attackers run services on other machines
(- attackers create remote Windows services that execute malware on target systems)

• WinRM lateral movement — attackers move using remote management
(- attackers use Windows Remote Management with stolen credentials to execute commands remotely)

• Admin share pivoting — attackers use hidden admin network shares
(- attackers access ADMIN$ or C$ shares to copy tools and execute them on remote machines)

Defense Evasion
• Living-off-the-land binaries (LOLBins) — attackers use built-in tools
(- attackers use trusted system tools like PowerShell or certutil so activity looks legitimate)

• Reflective DLL injection — malware runs without touching disk
(- attackers inject a DLL directly into memory so no malicious file is written to disk)

• Process hollowing — attackers replace legitimate process code
(- attackers start a normal process, then replace its memory with malicious code)

• AMSI bypass techniques — attackers avoid malware scanning
(- attackers disable or patch the Windows AMSI interface so scripts are not scanned)

• ETW logging bypass — attackers disable system logging
(- attackers tamper with Event Tracing for Windows so security tools don’t see activity)

• In-memory payload execution — malware runs only in memory
(- attackers execute payloads directly in RAM so nothing is saved to disk)

Command & Control (C2)
• DNS tunneling communication — attackers hide traffic in DNS requests
(- malware encodes commands and data inside DNS queries to attacker servers)

• HTTPS beaconing traffic — malware talks to servers over HTTPS
(- malware regularly connects to attacker servers using encrypted HTTPS traffic)

• Domain fronting — attackers hide behind trusted domains
(- attackers route traffic through trusted cloud domains to hide the real destination)

• Fast-flux infrastructure — attacker servers change frequently
(- attackers rotate IP addresses rapidly so blocking one server doesn’t stop communication)

• Peer-to-peer botnet control — infected devices talk to each other
(- compromised machines share commands among themselves without a central server)

• Covert channel communication — hidden communication inside normal traffic
(- attackers hide commands inside normal protocols like HTTP headers or file metadata)

Data Exfiltration
• Slow data exfiltration — attackers steal data slowly to avoid detection
(- attackers transfer small amounts of data over long periods to avoid alerts)

• Encrypted archive exfiltration — data stolen in encrypted files
(- attackers compress and encrypt stolen data before sending it out)

• DNS data exfiltration — data hidden inside DNS traffic
(- attackers encode sensitive data into DNS queries sent to attacker-controlled domains)

• Cloud storage exfiltration — data uploaded to cloud services
(- attackers upload stolen data to services like cloud drives to blend in with normal use)

• Steganography data hiding — data hidden inside images or files
(- attackers embed stolen data inside images or other seemingly harmless files)

• Chunked exfiltration — data stolen in small pieces
(- attackers split large datasets into small chunks and send them separately)

Cloud Advanced Attacks
• IAM privilege escalation — attackers increase cloud permissions
(- attackers abuse misconfigured roles or policies to gain higher access rights)

• Role assumption abuse — attackers switch to higher access roles
(- attackers use token or role assumption features to move into privileged accounts)

• Metadata service exploitation — attackers steal cloud credentials
(- attackers query instance metadata endpoints to obtain temporary credentials)

• Container escape attacks — attackers break out of containers
(- attackers exploit container vulnerabilities to access the host system)

• Kubernetes API abuse — attackers control container environments
(- attackers use exposed Kubernetes APIs to deploy or control malicious workloads)

• Cross-account persistence — attackers maintain access across accounts
(- attackers create trust relationships or backdoor roles across multiple cloud accounts)

Active Directory Attacks
• Kerberoasting — attackers request service tickets to crack passwords
(- attackers request Kerberos service tickets and crack the encrypted password offline)

• AS-REP roasting — attackers collect login hashes without logging in
(- attackers request authentication responses for accounts without pre-authentication and crack them offline)

• Password spraying domain-wide — attackers try common passwords everywhere
(- attackers try one common password across many accounts to avoid lockouts)

• AdminSDHolder abuse — attackers maintain admin permissions
(- attackers modify AdminSDHolder permissions so admin rights keep reapplying automatically)

• Group policy manipulation — attackers change domain settings
(- attackers modify Group Policy Objects to deploy malware or weaken security across the domain)

• SID history injection — attackers add hidden privileges
(- attackers insert privileged SIDs into an account’s SID history to gain hidden admin access)

Post-Exploitation Techniques
• Credential dumping chains — attackers collect multiple passwords
(- attackers dump credentials from one machine and reuse them to access others)

• Internal reconnaissance mapping — attackers map internal networks
(- attackers scan the network to identify systems, users, and high-value targets)

• Network trust discovery — attackers find trusted systems
(- attackers identify trust relationships between systems to move laterally)

• Security tool enumeration — attackers check installed defenses
(- attackers identify antivirus, EDR, and monitoring tools to avoid detection)

• Backup deletion before ransomware — attackers delete backups first
(- attackers locate and remove backups so recovery is harder after encryption)

• Data staging before exfiltration — attackers prepare data before stealing
(- attackers collect and compress sensitive data in one location before transferring it out)

Advanced Monitoring Evasion
• Log forwarding disruption — stop central logging
(- attackers disable log forwarding agents so activity never reaches the central SIEM)

• SIEM rule awareness — avoid triggering alerts
(- attackers study detection rules and operate below alert thresholds)

• Alert suppression abuse — disable detection alerts
(- attackers modify alert settings or mute rules so suspicious activity is ignored)

• Log noise generation — hide activity in noise
(- attackers generate large volumes of benign events to bury malicious activity)

• Telemetry reduction — minimize monitoring data
(- attackers disable sensors or reduce logging levels to limit visibility)

• Selective logging disablement — disable specific logs
(- attackers turn off only the logs that would reveal their activity)

Long-Term Strategic Access
• Redundant backdoor infrastructure — multiple access paths
(- attackers deploy several backdoors so losing one does not remove access)

• Staged privilege escalation — gradual access increase
(- attackers slowly move from low privilege to admin to avoid detection)

• Periodic credential refresh — maintain valid credentials
(- attackers repeatedly steal or renew credentials to maintain access)

• Infrastructure re-entry points — regain access later
(- attackers leave hidden accounts or keys to return after removal)

• Long dwell-time operations — stay hidden for months
(- attackers move slowly and quietly to avoid detection over long periods)

• Multi-phase attack lifecycle — step-by-step long attack
(- attackers execute access, persistence, expansion, and exfiltration in phases)

Advanced Zero-Trust Bypass
• Device trust spoofing — attackers pretend to be a trusted device
(- attackers clone device identifiers or certificates to appear compliant)

• Compliant device emulation — fake security posture
(- attackers simulate required security checks like antivirus or patch status)

• Conditional access evasion — bypass location rules
(- attackers manipulate IP, device, or session attributes to pass conditions)

• Trusted IP abuse — use allowed network locations
(- attackers route traffic through approved corporate or VPN IP ranges)

• Token reuse across services — use same session elsewhere
(- attackers reuse authentication tokens across multiple services)

• Session lifetime abuse — keep sessions active for a long time
(- attackers use refresh tokens or inactivity gaps to maintain sessions)

Advanced Endpoint Takeover
• Remote thread injection — inject code into running apps
(- attackers create threads inside legitimate processes to run malicious code)

• DLL unhooking — remove security monitoring hooks
(- attackers restore original system DLLs to bypass security hooks)

• Direct memory syscalls — bypass detection layers
(- attackers call system functions directly to avoid user-mode monitoring)

• Kernel memory manipulation — alter low-level behavior
(- attackers modify kernel memory to hide processes or disable protections)

• Handle duplication abuse — access protected processes
(- attackers duplicate process handles to interact with restricted processes)

• Security agent tampering — weaken endpoint protection
(- attackers disable, modify, or unload endpoint security agents)

Advanced Browser Attacks
• Session cookie extraction — steal login sessions
(- attackers extract browser cookies and reuse them to access accounts)

• Browser token replay — reuse authentication tokens
(- attackers replay stolen browser tokens to bypass login)

• Extension-based credential theft — malicious extensions
(- attackers install browser extensions that capture credentials)

• Browser credential store dumping — extract saved passwords
(- attackers read stored browser passwords from local credential databases)

• Same-site scripting abuse — bypass site protections
(- attackers exploit scripting weaknesses within trusted domains)

• Browser debugging abuse — read secure session data
(- attackers use browser debug interfaces to extract tokens and session data)

Advanced SaaS Attacks
• Shared document link abuse — access exposed files
(- attackers find or guess shared links to access sensitive documents)

• Collaboration platform impersonation — fake internal messages
(- attackers impersonate users in chat or collaboration tools to trick victims)

• Workflow automation abuse — malicious automated actions
(- attackers create automation rules that move or exfiltrate data)

• API token theft — control SaaS services
(- attackers steal API tokens and use them to access SaaS platforms)

• OAuth application backdoors — persistent access via apps
(- attackers create malicious OAuth apps granted long-term permissions)

• Tenant-level persistence — long-term SaaS access
(- attackers create hidden admin roles or apps that survive password changes)

Advanced Internal Recon (Stealth)
• Permission graph mapping — identify access relationships
(- attackers map who has access to what to find hidden privilege paths)

• Service dependency discovery — find critical systems
(- attackers identify systems that many services depend on)

• Privilege inheritance mapping — trace inherited access
(- attackers analyze inherited permissions to locate indirect admin rights)

• Admin workstation discovery — target privileged devices
(- attackers identify machines used by administrators)

• High-value asset identification — locate sensitive systems
(- attackers search for domain controllers, databases, and critical servers)

• Backup schedule discovery — plan attack timing
(- attackers learn backup schedules so they can avoid or delete backups before the attack)

Advanced Data Collection (Targeted)
• Selective file filtering — collect only valuable data
(- attackers filter by file type, size, or location to avoid noise)

• Keyword-based data discovery — search for sensitive terms
(- attackers search for words like password, confidential, or finance)

• Database table targeting — extract specific tables
(- attackers query only high-value database tables)

• Email conversation filtering — collect relevant threads
(- attackers search email for executive or financial discussions)

• Intellectual property pattern search — identify designs
(- attackers search for CAD files, source code, or engineering documents)

• Financial record extraction — target financial data
(- attackers collect invoices, payroll, and accounting records)

Advanced Persistence (Identity-Based)
• Hidden cloud role assignments — invisible admin rights
(- attackers assign hidden roles that provide privileged access)

• Application permission persistence — backdoor app access
(- attackers grant apps long-term permissions to access data)

• Federation trust persistence — maintain external login trust
(- attackers create or modify federation trusts for continued access)

• Token signing key persistence — create valid tokens
(- attackers steal signing keys to generate valid authentication tokens)

• Service account backdoors — persistent machine access
(- attackers create or modify service accounts with high privileges)

• Identity sync manipulation — reintroduce deleted access
(- attackers modify identity sync so removed accounts return)

Advanced Lateral Movement (Identity)
• Pass-the-token attacks — reuse authentication tokens
(- attackers reuse stolen tokens to access other services)

• SSO pivoting — move across services using SSO
(- attackers use single sign-on access to reach multiple platforms)

• Identity federation pivot — move between identity providers
(- attackers leverage federation trusts between identity systems)

• Privileged session hijacking — take admin sessions
(- attackers capture active admin sessions and reuse them)

• Role escalation chaining — escalate across services
(- attackers chain multiple role assignments to gain higher access)

• Hybrid identity pivoting — move from cloud to on-prem
(- attackers use hybrid identity links to move between environments)