Glossary of Terms

Quick reference for terms used throughout this guide.

A

  • AD (Active Directory)
    Microsoft's directory service for Windows domain networks. Stores information about users, computers, and resources. Primary target for enterprise attacks.
    See also: DC, Kerberoasting, LDAP
  • ADFS (Active Directory Federation Services)
    Microsoft's SSO solution that provides authentication across organizations. Compromising ADFS token-signing certificates enables Golden SAML attacks.
  • AMSI (Antimalware Scan Interface)
    Windows interface that allows antivirus to scan scripts (PowerShell, VBScript, JavaScript) before execution. Attackers often try to bypass it.
  • APT (Advanced Persistent Threat)
    Sophisticated threat actors (usually nation-state) who maintain long-term presence in target networks. Known for patience, custom tooling, and specific objectives.
  • ARP (Address Resolution Protocol)
    Protocol mapping IP addresses to MAC addresses on local networks. ARP spoofing/poisoning redirects traffic through attacker's machine for MITM attacks.
  • AS-REP Roasting
    Attack against Active Directory accounts that don't require pre-authentication. Attacker requests authentication data and cracks it offline.
  • AV (Antivirus)
    Security software that detects malware primarily through signatures. Modern attackers focus on AV evasion through obfuscation, packing, and fileless techniques.
    See also: EDR, AMSI
  • AWS (Amazon Web Services)
    Amazon's cloud computing platform. Common attack vectors include exposed S3 buckets, IAM misconfigurations, and IMDS credential theft from EC2 instances.

B

  • BCP (Bulk Copy Program)
    Microsoft SQL Server command-line utility for bulk data export/import. Attackers use it to exfiltrate database contents during post-exploitation. See Microsoft docs.
  • Beacon
    Periodic check-in from an implant to its C2 server. The implant "beacons" home at regular intervals to receive commands and report results.
    See also: C2, Jitter
  • BITS (Background Intelligent Transfer Service)
    Windows service for background file transfers (used by Windows Update). Abused by attackers via bitsadmin.exe to download files.
  • Bulletproof Hosting
    Hosting providers that ignore abuse complaints and legal requests. Often located in jurisdictions with weak cybercrime enforcement.

C

  • C2 (Command and Control)
    Infrastructure and protocols used to communicate with implants on compromised systems. The C2 server issues commands; implants execute them and report back.
  • CDN (Content Delivery Network)
    Distributed server network for caching content. Attackers abuse CDNs for Domain Fronting—making malicious traffic appear to go to legitimate services like Google or Cloudflare.
  • Cobalt Strike
    Commercial adversary simulation software widely used by red teams. Also frequently pirated and used by actual threat actors. Known for its Beacon implant.
  • Credential Dumping
    Extracting passwords, hashes, or tickets from memory or storage. Tools like Mimikatz dump credentials from LSASS process.
  • CTF (Capture The Flag)
    Security competitions where participants solve challenges to find hidden "flags" (strings). Legal way to practice offensive techniques.
  • CVE (Common Vulnerabilities and Exposures)
    Standardized identifiers for publicly known security vulnerabilities (e.g., CVE-2021-44228 for Log4Shell). Maintained by MITRE.

D

  • DC (Domain Controller)
    Server running Active Directory that authenticates users and manages domain security. Compromising the DC means full domain control. Primary target in AD attacks.
    See also: AD, DCSync
  • DCSync
    Attack technique that mimics domain controller replication to extract password hashes from Active Directory. Requires domain admin or replication rights.
  • DFIR (Digital Forensics and Incident Response)
    Discipline combining forensic investigation (what happened) with incident response (contain and remediate). Uses tools like Volatility and Plaso.
  • DLL (Dynamic Link Library)
    Windows shared library format. DLL hijacking/sideloading places malicious DLLs where applications load them, achieving code execution within legitimate processes.
  • DNS Tunneling
    Encoding data (commands, exfiltrated data) within DNS queries and responses. Bypasses many firewalls since DNS is rarely blocked.
  • Domain Fronting
    Technique where HTTPS traffic appears to go to a legitimate domain (like Google) but is routed to attacker infrastructure by the CDN. Mostly patched now.
  • Dropper
    Minimal initial payload that downloads and executes the main implant. Designed to be small and avoid detection.

E

  • EDR (Endpoint Detection and Response)
    Security software that monitors endpoints for malicious behavior, not just signatures. Analyzes process behavior, network connections, file operations.
  • Exfiltration
    The act of stealing data from a compromised network. Can use various channels: HTTPS, DNS, cloud services, physical media.

F

  • Fileless Malware
    Attacks that execute entirely in memory without writing malicious files to disk. Harder to detect with traditional AV.

G

  • GCP (Google Cloud Platform)
    Google's cloud computing platform. Attack vectors include service account key theft, metadata server exploitation, and misconfigured Cloud Storage buckets.
  • Golden SAML
    Persistence technique using stolen ADFS token-signing certificate to forge authentication tokens for any federated service (O365, AWS, etc.). Extremely difficult to detect.
  • Golden Ticket
    Forged Kerberos TGT (Ticket Granting Ticket) using the KRBTGT hash. Provides persistent domain access until the KRBTGT password is changed twice.
    See also: KRBTGT, TGT

H

  • Havoc
    Open-source C2 framework. Modern alternative to Cobalt Strike with similar capabilities.
  • HKLM / HKCU (Registry Hives)
    Windows registry root keys. HKLM (HKEY_LOCAL_MACHINE) stores system-wide settings; HKCU (HKEY_CURRENT_USER) stores user settings. Both used for persistence via Run keys.
  • Honeypot
    Decoy system designed to attract and detect attackers. Can be used to study attack techniques or as early warning.

I

  • IAM (Identity and Access Management)
    System controlling who can access what resources. In cloud (AWS/Azure/GCP), IAM misconfigurations are a top attack vector—overly permissive roles enable privilege escalation.
  • Implant
    Malicious software installed on a compromised system that provides remote access. Also called agent, beacon, RAT.
  • IOC (Indicator of Compromise)
    Artifact that indicates a system may be compromised: file hashes, IP addresses, domain names, registry keys, etc.
  • IR (Incident Response)
    Process of detecting, containing, eradicating, and recovering from security incidents. Follows frameworks like NIST SP 800-61.
    See also: DFIR, SIEM

J

  • JA3/JA3S
    Method for fingerprinting TLS clients and servers based on handshake parameters. Can identify specific C2 tools even through encryption.
  • Jitter
    Randomization added to beacon intervals to avoid detection. Instead of exactly 60 minutes, beacon every 48-72 minutes randomly.
  • JWT (JSON Web Token)
    Token format for authentication/authorization. Attacks include: algorithm confusion (none/HS256), weak secrets, and token manipulation. See jwt.io.

K

  • Kerberoasting
    Attack that extracts service account password hashes from Active Directory by requesting service tickets. Hashes can be cracked offline.
    See also: SPN, TGS
  • KRBTGT
    The Kerberos Ticket Granting Ticket service account in Active Directory. Its password hash is used to sign all TGTs—compromising it enables Golden Ticket attacks.

L

  • Lateral Movement
    Moving from one compromised system to others within the network. Uses techniques like PsExec, WMI, PowerShell Remoting, RDP.
  • LDAP (Lightweight Directory Access Protocol)
    Protocol for querying and modifying directory services like Active Directory. LDAP injection and anonymous binding are common attack vectors.
  • LLMNR (Link-Local Multicast Name Resolution)
    Windows name resolution protocol. Attackers use Responder to poison LLMNR responses and capture NTLMv2 hashes for cracking.
  • LOLBin (Living Off the Land Binary)
    Legitimate system binary abused for malicious purposes. Examples: certutil, mshta, rundll32, powershell. Microsoft-signed, so trusted by default.
  • LSASS (Local Security Authority Subsystem Service)
    Windows process that handles authentication. Contains cached credentials in memory—primary target for credential dumping.

M

  • MFA (Multi-Factor Authentication)
    Authentication requiring multiple verification methods. Attackers bypass via: phishing (real-time relay), SIM swapping, MFA fatigue (push bombing), or session hijacking post-auth.
  • Mimikatz
    Tool for extracting credentials from Windows memory. Can dump passwords, hashes, Kerberos tickets. Created by Benjamin Delpy.
  • MITRE ATT&CK
    Framework documenting adversary tactics and techniques based on real-world observations. Standard reference for offensive and defensive security. See attack.mitre.org.

N

  • NTDS.dit
    Active Directory database file containing all domain user password hashes. Located on Domain Controllers. Extracting it (via DCSync or Volume Shadow Copy) enables offline cracking.
  • NTLM Hash
    Windows password hash format. Can be used in pass-the-hash attacks without knowing the actual password.

O

  • OPSEC (Operational Security)
    Practices to avoid detection during an operation. Includes infrastructure hiding, traffic blending, artifact cleanup.
  • OSCP (Offensive Security Certified Professional)
    Industry-standard penetration testing certification with 24-hour hands-on exam.

P

  • Pass-the-Hash (PtH)
    Attack using stolen NTLM hash to authenticate without knowing the password. Exploits Windows authentication design.
  • Persistence
    Mechanisms to survive reboots and maintain access. Scheduled tasks, registry keys, services, WMI subscriptions.
  • Phishing
    Social engineering attack using fraudulent messages to trick users into revealing credentials or executing malware.
  • Pivot
    Using a compromised system to access otherwise unreachable networks. The compromised system becomes a stepping stone.
  • Privilege Escalation
    Gaining higher privileges than initially obtained. Local privesc (user to admin) or domain privesc (user to domain admin).
  • Proxy Chain
    Multiple proxy servers chained together. Traffic passes through each hop, hiding the true origin.

R

  • RAT (Remote Access Trojan)
    Malware that provides remote access to an infected system. Generic term for implants.
  • RCE (Remote Code Execution)
    Vulnerability allowing attackers to execute arbitrary code on a remote system. The most critical vulnerability class—often leads to full system compromise.
  • RDP (Remote Desktop Protocol)
    Windows remote access protocol (port 3389). Used for lateral movement with stolen credentials. BlueKeep (CVE-2019-0708) was a critical RDP vulnerability.
  • Red Team
    Security team that simulates real attackers to test an organization's defenses. More comprehensive than penetration testing.
  • Redirector
    Intermediate server that forwards C2 traffic to the real C2 server. If burned, the real C2 stays hidden.
  • Reverse Shell
    Shell connection initiated by the victim back to the attacker. Bypasses firewalls that block inbound connections.

S

  • SAM (Security Account Manager)
    Windows database storing local user password hashes. Located at C:\Windows\System32\config\SAM. Tools like Mimikatz extract hashes from SAM.
  • SAML (Security Assertion Markup Language)
    XML-based authentication standard for SSO between identity providers and service providers. Compromised signing keys enable Golden SAML attacks.
  • Sandbox
    Isolated environment for analyzing malware. Malware often includes anti-sandbox checks to evade analysis.
  • SIEM (Security Information and Event Management)
    Platform aggregating and analyzing security logs from across the environment. Examples: Splunk, Elastic SIEM, Microsoft Sentinel. Primary tool for detection.
  • Sliver
    Open-source C2 framework developed by Bishop Fox. Modern alternative to Cobalt Strike.
  • SMB (Server Message Block)
    Windows file sharing protocol (ports 445, 139). Used for lateral movement via PsExec, Impacket, and pass-the-hash. EternalBlue exploited SMBv1.
  • SOCKS Proxy
    Protocol for routing traffic through a proxy server. Commonly used in proxy chains and tunneling.
  • SPN (Service Principal Name)
    Unique identifier for a service instance in Active Directory. SPNs enable Kerberoasting—requesting service tickets to crack offline.
  • SQL Injection (SQLi)
    Attack inserting malicious SQL into application queries. Can extract, modify, or delete database contents. Tools: SQLMap.
  • SSH (Secure Shell)
    Encrypted remote access protocol (port 22). Attackers steal SSH keys for persistence and lateral movement. SSH tunneling creates encrypted channels through firewalls.
  • SSRF (Server-Side Request Forgery)
    Vulnerability where attackers make the server request internal resources. Used to access cloud metadata services (169.254.169.254), internal APIs, and bypass firewalls.
  • Stager
    Small initial payload that downloads and executes the main implant. Keeps initial delivery small.

T

  • TGS (Ticket Granting Service)
    Kerberos component that issues service tickets. TGS tickets are requested with a TGT and grant access to specific services. Target of Kerberoasting.
  • TGT (Ticket Granting Ticket)
    Kerberos ticket obtained after initial authentication. Used to request service tickets without re-entering credentials. Forged in Golden Ticket attacks.
  • Threat Intel
    Information about threats: IOCs, TTPs, actor profiles. Used to inform defensive measures.
  • TLS (Transport Layer Security)
    Cryptographic protocol securing network communications (successor to SSL). Related topics include downgrade attacks, certificate pinning bypass, and JA3 fingerprinting of C2 traffic.
  • TTP (Tactics, Techniques, and Procedures)
    Patterns of adversary behavior. How they achieve objectives (tactics), specific methods (techniques), and implementation details (procedures).

V

  • VLAN (Virtual LAN)
    Network segmentation at Layer 2. VLAN hopping attacks (double tagging, switch spoofing) allow attackers to bypass segmentation and reach restricted networks.
  • VPN (Virtual Private Network)
    Encrypted tunnel for secure remote access. Attackers target VPN credentials, exploit vulnerabilities (Pulse Secure, Fortinet), or use stolen VPN configs for initial access.

W

  • WAF (Web Application Firewall)
    Security layer filtering HTTP traffic to web applications. Blocks common attacks (SQLi, XSS). Attackers use encoding, case variation, and payload mutation to bypass WAF rules.
  • Watering Hole
    Attack where frequently visited websites are compromised to target specific groups of users.
  • WMI (Windows Management Instrumentation)
    Windows framework for managing systems. Abused for remote execution, persistence, and reconnaissance.

X

  • XSS (Cross-Site Scripting)
    Vulnerability allowing injection of malicious scripts into web pages viewed by users. Types: Reflected (URL), Stored (database), DOM-based (client-side). Enables session hijacking, credential theft.